The Community for Technology Leaders

From the Newsstand

Alison Skratt

Pages: pp. 11-13

Programming and Development

IT Architect

November 2005

"AJAX Bubbles, Can it Shine?" by Andy Dornan

Dozens of start-ups are poised to launch a new wave of Web-based applications in 2006 that are eerily reminiscent of failed attempts in the mid-1990s to, for example, replace operating systems with browsers for desktop applications or deliver software as services. However, unlike earlier proposals that used "bloated Java applets or slow server-side scripts," these applications will use Asynchronous JavaScript and XML (AJAX). The start-ups claim the applications load the same way as any Web page in any standards-compliant browser without the need for plug-ins; AJAX allows the client and service to communicate via short messages, eliminating the need to reload the entire page each time a request is sent to the server.

In an effort to reassure critics, some start-ups have posted early versions of their products for testing. Applications include, for viewing and editing .doc files;, for a Web-based spreadsheet;, for a calendar and contact database;, an interface to all four major instant messaging networks;, groupware that behaves like Outlook; and, which gives users an office suite compatible with Microsoft.


PC Magazine

8 Nov.2005

"New Tactic for Fighting Malware," by Sebastian Rupley

Most businesses shield PCs from malware by installing software patches and rebooting. However, that can mean costly downtime for businesses with numerous PCs to patch. Determina, a security software firm, recently announced LiveShield, technology designed to eliminate the need to reboot after applying software patches. Instead of patching programs on disks, LiveShield inserts replacement code for programs running in memory. Consequently, the application holds down the "digital fort until a convenient patch time arises" and rebooting is more convenient.

IT Architect

October 2005

"How Bad Is Intrusion Detection?" by Gary McGraw

McGraw asserts that neither of the current network-based approaches used in intrusion-detection systems works very well. The more common approach uses signatures of known attacks to root out new ones. As a result, McGraw says, the newest attacks easily avoid them. The much-rarer anomaly-based approach learns what "normal" system behavior is, and then finds anything on the network that doesn't fit the norm. The anomaly-based approach is seldom used because there usually aren't "normal" system users, so such a system often mistakenly targets and inconveniences legitimate users as a result. McGraw suggests that the answer lies in shifting attention from data packets to "worrying more about the behavior of the applications that eat the data." He claims that using intrusion-detection technology to monitor what's happening inside an application itself provides a more useful paradigm. However, the primary drawback to that strategy is that it can't be applied to off-the-shelf applications, so its use is limited to customized applications.

Web Services

IT Architect

November 2005

"Which Web Services Protocol?" by Eric A. Hall and Peter Saint-Andre

Today, most Web services are designed with some kind of XML over HTTP. The most common alternative to HTTP is the Extensible Messaging and Presence Protocol (XMPP), also known as Jabber. Given that Web services are becoming more ubiquitous in enterprise applications and that HTTP might not be the right choice for every job, the magazine asked Hall and Saint-Andre to debate the relative merits of using HTTP and XMPP.

Hall, president of the Network Technology Research Group, went to bat for HTTP. He says it's "lightweight, fast, efficient, and has a whole universe of infrastructural support behind it." HTTP is especially useful for Web services that need to support large numbers of lookups over public networks, he says, but it also meets the needs of most public services.

Saint-Andre, executive director of the Jabber Software Foundation, suggests that XMPP is the better choice. Although he acknowledges that XMPP won't replace HTTP anytime soon in most service-oriented architectures, he argues that it would work better for next-generation Web service applications because of its unique set of abilities — strong client and server authentication, built-in compression, and fast message exchange over long sessions.

Dr.Dobb's Journal

December 2005

"Amazon Web Services,"by Ashish Muni and Justin Hansen

ScanZoom, an application from the firm Scanbuy, lets camera phone users launch on-the-spot price comparisons and product reviews by simply taking a photo of a barcode.

Muni and Hansen, the application's developers, explain how Amazon's freely available Web services API helped make ScanZoom a reality. They used Amazon's E-commerce Service (ECS), which provides access to all its product pages as XML. They found ECS simple to integrate into their system because Amazon provides a Web Services Description Language (WDSL) that they connected to their C#.NET development environment. Muni and Hansen also explain that for consistency across different applications, they opted to use SOAP rather than Representational State Transfer (REST) — the architectural style used on the World Wide Web and various other distributed hypermedia systems.


Dr. Dobb's Journal

December 2005

"XML-Binary Optimized Packaging," by Andrey Butov

Although XML is undoubtedly a success as a metalanguage, the difficulty of encoding XML documents with binary data remains a significant challenge because not all data domains are suitable for XML's text-based requirements.

Several approaches exist for addressing the problem of including binary data in XML documents. Butov claims that one of the most interesting is "XML-binary Optimized Packaging" (XOP), which the W3c published as a recommendation in January 2005. He describes the method, which involves placing an XML document inside an XOP package, as well as explains some common arguments against it, including that it optimizes only Base64-encoded data. He ultimately concludes that XOP is a worthwhile approach, in part because it puts the burden of dealing with binary data inclusion into the XOP specification rather than keeping it at the application level.

Elsewhere in the IEEE Computer Society


November 2005

"Email Authentication Is Here, But Has It Arrived Yet?" by George Lawton

Email authentication efforts have been born out of the ongoing expense, in both time and money, of coping with spam and phishing attacks. Lawton explains, however, that both of the leading contenders for an authentication protocol have limitations and, at this point, look as if they'll simply be among several tools to fight the problem.

The first, Sender ID Framework (SIDF), combines Microsoft's Caller ID technology with Sender Policy Framework (SPF). With SIDF, ISPs and businesses register their mail servers' IP addresses with the Internet Corporation for Assigned Names and Numbers (ICANN), which stores them in DNS databases. Software on the recipient's client or email server authenticates messages by verifying the IP address with the DNS database. SIDF isn't in wide use because some ISPs worry that the technology will hurt their systems' email-forwarding capabilities.

The more popular alternative, Domain Keys Identified Mail (DKIM), combines two technologies based on digital signatures: DomainKeys, supported by Yahoo, and Identified Internet Mail, supported by Cisco. DKIM attaches encrypted digital signatures to outbound mail headers so that recipients' servers can verify them. Unlike SIDF, DKIM doesn't "break" email forwarding, although some mail programs will modify message headers and garble the information that DKIM uses. DKIM also means major software and hardware upgrades and can increase cryptographic processing overhead by 15 percent.

At this time, most experts seem to agree that the two proposals, rather than competing with one another, will actually complement each other because they have such different approaches.

IEEE Intelligent Systems

September/October 2005

"US Domestic Extremist Groups on the Web: Link and Content Analysis," by Yilu Zhou, Edna Reid, Jialun Qin, Hsinchun Chen, and Guanpi Lai

As the online presence for hate groups and extremists continues to grow in the US, in part by linking with one another, researchers and watchdog organizations are seeking better tools to monitor and analyze this content.

The University of Arizona's Dark Web, a project dedicated to studying the Internet activity of terror and hate groups, is trying to help address the problem via automatic and semiautomatic procedures and methodologies for collecting extremist groups' Web data for analysis.

The group first harvested information from extremist sites, and then used two kinds of analyses to study it; one looked at Web links and the other looked at Web content. The research found there's a "topological infrastructure" for extremist sites that seems to closely match domain experts' knowledge.

IEEE Multimedia

October–December 2005

"MPEG-21 Event Reporting: Enabling Multimedia E-Commerce" by Andrew Tokmakoff, François-Xavier Nuttal, and Kyunghee Ji

In an effort to promote multimedia e-commerce, the Moving Picture Experts Group (MPEG) is working to create a new portion of the MPEG-21 standard that outlines the creation and delivery of events tied to the use of digital content in a peer-to-peer environment.

Event reporting within the MPEG-21 standard is important because it provides digital rights holders with a way to monitor copyrighted content using a standardized method for detecting, categorizing, and acting on reportable events. The article gives an overview of MPEG's work so far on Event Reporter, describing the new portion of the standard and its relation to other similar efforts.

IEEE Pervasive Computing

October–December 2005

"Proximity-Based Broadcasting"

Filter UK, a firm that brings marketing to mobile devices, recently developed the BlueCasting broadcasting system, which uses directional Bluetooth transmitters to send content to nearby Bluetooth-enabled mobile phones.

When the BlueCasting server discovers a Bluetooth-enabled phone, it tries to identify the device's Bluetooth identification number. If it succeeds, it reviews the device's transmission history and transmits tailored content to it. Content can be audio or video clips, text messages, or even Java applications. Unless the phone is configured otherwise, the user is prompted to download the information. In one example of its use, a billboard that advertises a new album by the musical group Coldplay includes the phrase, "Bluetooth-enable your mobile to receive Coldplay music, pictures, & info."

BlueCasting, which is available now in the UK, can also be configured using a rule-based framework, allowing the server's owner to customize media delivery. It can currently transmit from 25 to 250 meters, but Filter UK is working to extend that to larger areas, such as an entire sports arena.

IEEE Security & Privacy

September/October 2005

"Exploring Privacy Issues in Web Services Discovery Agencies," by Barbara Carminati, Elena Ferrari, and Patrick C.K. Hung

As Web services continue to evolve, so do the discussions regarding privacy concerns and the confidentiality of business information. The W3C has put out a working draft on the issue, "Web Services Architecture (WSA) Requirements." However, the requirements don't cover all privacy issues. In particular, they don't address the issues surrounding discovery agencies that help users find appropriate services by managing the registries that keep Web services descriptions. As a result, the agencies are part of the foundation of the WSA and have special privacy concerns.

An all-inclusive privacy solution must consider the type of WSA, data sensitivity, and the trade-off between privacy assurance and efficiency. As such, Carminati, Ferrari, and Hung propose three solutions, and then outline how various universal description, discovery, and integration (UDDI) registries — the "Yellow Pages" of Web Services Description Language (WSDL) documents — can use them. One proposed solution would require the WSA to contain an access-control mechanism that acts as the trusted party and manages and specifies access-control policies; another possibility is a cryptography-based solution that also requires an access-control mechanism by a trusted third party, but doesn't require a trusted UDDI registry because it includes an encryption module. Finally, the authors consider a hash-based solution in which Web service providers publish "hashed" service descriptions in untrusted discovery agencies by using a standard hash function to publish everything except contact information.

About the Authors

Alison Skratt is a freelance writer based in Oakville, Conn.
130 ms
(Ver 3.x)