Preston L. Bannister { random memes }

2006.12.30

Department of Homeland (in)Security

Filed under: Politics — Preston @ 1:44 pm

Why you should always question authority – before they waste too much of your kids’ money.

Top 10 27BStroke6 Posts of the Year – 2006
27BStroke isn’t even a year old yet, but we’ve already fallen prey to the temptation to issue a top ten list.

Back in August 2005, a border-screening system supposedly unconnected to the internet was brought down by the Zotob worm, though Homeland Security denied it happened. Kevin Poulsen chronicled his attempt to get the proof through government sunshine requests here at 27B. The hilarity included government officials calling to ask Kevin to withdraw his request, then telling a judge they lost the paperwork several weeks before they called him.

When, last September, a spokeswoman for DHS’s Bureau of Customs and Border Protection (CBP) phoned me to ask that I voluntarily withdraw a month-old Freedom of Information Act request, I had to wonder why.

The request was for any documents pertaining to an earlier failure of a sensitive DHS system used to screen incoming visitors to the US. Called US-VISIT, the system is a network of Windows PCs and mainframe servers that takes fingerprints and digital photos of travelers as they enter the country, and checks each visitor against scores of national security and criminal watchlists.

The August computer failure led to long queues at airports across the country, but was only tersely explained to the public. The DHS initially said a computer virus had infected one of the mainframe servers — in Virginia. Later, the agency reversed itself and claimed there was no virus, and the outage was a normal computer crash.

We now know that neither version was entirely true. But I’m getting ahead of myself.

I declined to withdraw my request, and waited for DHS to produce some documents. And waited, and waited. Patience is a virtue when FOIAing a federal agency, and nothing is gained by jumping down bureaucrats’ throats when they invariably miss the (20 day) statutory deadline.

But six months later, agency personnel still hadn’t produced a shred of information, nor had they responded to an administrative appeal. That’s when I took them to court, wondering what they were hiding.

Now we know. According to documents filed (.pdf) in the case last Thursday, they’re hiding precisely 666 pages of documents about the virus infection that they’ve publicly denied ever occurred.

Yes, there are managers in government that will lie to protect their turf.

A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News.

The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists.

The Aug. 18 computer failure led to long lines at international airports in Los Angeles, San Francisco, Miami and elsewhere, while U.S. Customs and Border Protection, or CBP, officials processed foreign visitors by hand, or in some cases used backup computers, according to contemporaneous press reports.

Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure.

CBP officials have released six pages of heavily redacted documents about the Aug. 18 computer failure. Click here (.pdf) for the inside story in black and white (mostly black).

But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country.

Judge Orders DHS to Come Clean on Border Cyber Attack
A federal judge in San Francisco has ordered (.pdf) the Department of Homeland Security’s Bureau of Customs and Border Protection (CBP) to give me additional documents on a cyber attack that shut down portions of the national border screening system last year.

The government had argued that releasing more than six partially-blacked-out pages on the August 2005 incident would make the sensitive US-VISIT system vulnerable to computer intruders. After reviewing the 672 pages of documents the government has in its possession, U.S. District Court Judge Susan Illston is unconvinced.

I must be in the wrong part of the industry.

The $400 million US-VISIT program is a network of Windows PCs and mainframe servers that takes fingerprints and digital photos of travelers as they enter the country, and checks each visitor against scores of national security and criminal watchlists.

Heck, I try to make sure our small software group (costing maybe $1 million a year) returns at least equal value to the company. I cannot imagine burning $400 million and screwing up so thoroughly.

Do web server logs return useful information, anymore?

Filed under: General, Software, Web — Preston @ 12:28 pm

Between the preponderance of web crawler visits, the scarcity of meaningful Referer: links, and the use of aggregators (like Google Reader or Bloglines) – do the logs on the web server tell us very much?

There are of course hints … but I suspect the absolute numbers are no longer meaningful.

2006.12.29

WHATWG – What for?

Filed under: Software, Web, html@w3c — Preston @ 1:39 am

Another acronym I had not looked at previously – WHATWG. A specification for web applications? Sounds unlikely. Between changing practices and adequate existing function, what value is there in freezing current thought into a specification? What is the real added value here?

Reading through the WHATWG draft, I kept wondering if (or hoping?) this were in fact some sort of elaborate joke. Posted on April 1? Nope.

To put this into context – after finally having reason to get thoroughly familiar with the HTML DOM (what a mess), I realize that ignoring the W3C standards process was a mistake. Put differently, if you were even remotely involved with picking client-side names like “getElementById”, or choosing to leave out “innerHTML” – that I would take as reason to doubt your judgement. You could say that the reverence with which I hold the past web standards process is somewhat limited. Thought briefly about joining the W3C, and trying to make a difference – then ran across the membership requirements. Seems your thoughts are only of value if sponsored by an organization willing to pay significant fees – an interesting (if dubious) selector.

Trying to get a handle on what motivates WHATWG, came across this gem:

Position Paper for the W3C Workshop on Web Applications and Compound Documents
Scripting is here to stay
But should be avoided where more convenient declarative markup can be used.

Which is pretty much what I expected – and I disagree. Having more than one way to do the same thing is not necessarily good. Can you define declarative markup for future dynamic behavior, or are you going to cast in stone a fraction of present behavior, which may be less used in the future? More crud in the browser code….

There is an enormous amount of churn in the surface presentation and underlying toolkits used to express web applications. This is good and healthy when current/best thought is changing rapidly. To pick some subset of this to cast into a specification, would seem to require more wisdom than I could muster. Given the past record of the folks involved in web standards … I do not expect them to do any better. This may all be very unfair to the folk involved in WHATWG. I cannot tell.

W3C Workshop on Web Applications and Compound Documents (Day 2) Jun 2, 2004
“Steve Zilles (Independent): To repeat my challenge, can we find the key 5-7 things to focus on and not try to solve all the world’s problems?”

An excellent question from Zilles. My impression of later work is an attempt “to solve all the world’s problems” (probably badly).

So, am I just a PITA who doesn’t “get it”? Perhaps not. HTML pretty much works. Reading through the working group notes, felt as though I were spying on Douglas Adams’s hairdressers. (Maybe in context, it would all make sense? Or not.)

Part of my wariness comes from having worked with folk who like to “specify” everything – even when it doesn’t work. The sort of folk who prefer complex solutions over simplicity. Form over function. Who prefer a blizzard of words over clarity. They are always with us, the trick is to not be caught following.

2006.12.27

Got to be embarrassing…

Filed under: Humor, Web — Preston @ 1:40 pm

Pulled up an article in Wired on The 2006 top ten mistakes in web design and the article text is in (tiny!) 7pt Times New Roman font. Um…..

If only they had posted on April 1.

Clueless Congressman’s staffer solicits a “Hacker”

Filed under: Humor, Politics — Preston @ 1:06 pm

The “technobabble” written by the “hacker” is (intentionally) hilarious … and the politician’s staffer has no clue. :)

Going Postal

From: Todd Shriber (nascar24_08530@yahoo.com)
To: lyger@attrition.org
Date: Wed, 9 Aug 2006 12:58:29 -0700 (PDT)
Subject: Question for you or other Attrition members

Lyger - I came across Attrition.org for the first
time. I enjoyed the site though I am not an expert
with computers. That brings me to my next point: I
need to urgently make contact with a hacker that would
be interested in doing a one-time job for me. The pay
would be good. I'm not sure what exactly the job would
entail with respect to computer jargon, but I can go
into rough detail upon making contact with a
candidate. Thanks for your help.
From: Todd Shriber (nascar24_08530@yahoo.com)
To: security curmudgeon (jericho@attrition.org)
Date: Wed, 9 Aug 2006 14:21:36 -0700 (PDT)
Subject: Re: Question for you or other Attrition members

I can supply all that. Forgive what I assume is dumb
question, but what are pigeons? I know you're not
talking about the bird.

--- security curmudgeon  wrote:

> : What would you or anyone else need from me to see
> if you could it?
>
> For starters, college name, full name, and whatever
> number they track you
> by. Student ID or SS# or whatever else.
>
> And, are there pigeons on campus?
From: security curmudgeon (jericho@attrition.org)
To: Todd Shriber (nascar24_08530@yahoo.com)
Date: Wed, 9 Aug 2006 17:30:44 -0400 (EDT)
Subject: Re: Question for you or other Attrition members

: Wow, I feel dumb now. I honestly cannot remember if there were pigeons on
: campus or not. A lot of crazy squirrels, but I can't remember pigeons.
: Just for my own edification, why do you need to know that? I'll find out
: for you.

Hey, squirrels work fine. First, let's be clear. You are soliciting me to
break the law and hack into a computer across state lines. That is a
federal offense and multiple felonies. Obviously I can't trust anyone and
everyone that mails such a request, you might be an FBI agent, right?

So, I need three things to make this happen:

1. A picture of a squirrel or pigeon on your campus. One close-up, one
with background that shows buildings, a sign, or something to indicate you
are standing on the campus.

2. The information I mentioned so I can find the records once I get into
the database.

3. Some idea of what I get for all my trouble.

Frankly, I expect the FBI to come knocking at the “hackers” door, after some congress-critter calls for their arrest. This would be extremely silly, but the like has happened before.

The Sheriff’s Revenge

Filed under: Politics — Preston @ 10:17 am

Carona rival retires after facing demotion
SANTA ANA – Lt. Bill Hunt, suspended after challenging Sheriff Mike Carona in the June election, retired Friday as he faced a demotion that would have cut his salary nearly in half.

Today, San Clemente City Manager George Scarborough announced that Hunt had been demoted to deputy II and transferred to patrol in Stanton effective Dec. 29. The rank is one step up from entry level.

Hunt is a 21-year veteran who was chief of police services in San Clemente. He was placed on administrative leave hours after Carona won re-election in June. Carona has been vocal about his right to discipline Hunt for critical comments made during the campaign. The sheriff could not be reached today.

Hunt, also unavailable today, has said Carona was engaging in political retaliation and was infringing on protected political speech.

As a lieutenant, Hunt earned up to $123,905 a year. His new salary range would have topped out at $77,708.80.

Sheriff’s Department spokesman Jim Amormino confirmed that Hunt had retired but said he is barred by law from discussing disciplinary matters.

2006.12.23

Another FastCGI install script

Filed under: Javascript, Software — Preston @ 11:39 pm

Wrote yet another script to install an ISAPI extension. Been through this before, for a work project, and for a personal project.

Ran across the announcement of a FastCGI extension for IIS from Microsoft. This is good news as I happen to believe FastCGI is an excellent way of decoupling application function from the web server specifics. It seems that Microsoft’s original aim is to improve PHP performance.

FastCGI for IIS : Microsoft Internet Information Services
Microsoft is excited to announce a technical preview release of FastCGI for IIS, a new component for Microsoft’s Web server platform.

BillS’ IIS Blog : PHP on IIS7 w/FastCGI
To make sure anyone can take advantage of FastCGI on all of our existing platforms, we’ve built an ISAPI version of it that can run on Windows XP and Windows 2003 (IIS 5.1 and IIS 6.0) as well as a new module version for IIS 7.0. Check out the IIS FastCGI page for more information.

Wanted to take another crack at this as:

  • My familiarity using Javascript has improved considerably.
  • The fcgisetup.js script from Microsoft offers perhaps additional clues as to the “right” way of doing things.
  • Wanted to make better use of ADSI and WMI function for service control and configuration.

The fcgisetup.js script from Microsoft is a good example of Javascript written by a VBScript programmer, perhaps not the most brilliant use of Javascript. :)

By using Javascript more fully, was able to produce a slightly smaller fcgisetup.js script that does a bit more. The rewritten script runs on Windows 2003 Server, Windows XP Pro, and Windows 2000 (though Microsoft’s fcgiext.dll does not work on 2000). Changes include:

  • Uses ADSI and WMI exclusively to configure IIS and control services.
  • Eliminated use of external programs (iisreset and fcgiconfig).
  • The /v option provides a fairly complete trace of script actions.

Of course, I will offer the usual programmer’s conceit – that the new script is also more readable. :)

I did run into a couple of puzzles. On Windows 2003 Server it is not possible to /install and /add in a single script invocation – some problem with ADSI (apparently). Not critical as you can just invoke the script twice:

cscript /nologo fcgisetup.js /install
cscript /nologo fcgisetup.js /add "c:\program files\php\php-cgi.exe" php

Added NOTE: comments to the script to flag the troublesome bits on Windows 2003 Server.

2006.12.19

Revisiting server-side Javascript

Filed under: Javascript, Software — Preston @ 11:17 am

Over the past couple years a large chunk of my time has gone into writing a web application to replace a desktop application. The application requires some clever interactivity, a bit beyond what you can do in HTML/Javascript, and so contains a small Java applet. On the back-end some fairly intense processing is required, and so makes use of a moderate-sized/heavily optimized C++ application. In between lies a custom Tomcat instance hosting server-side Java, and some moderately fancy client-side HTML/CSS/Javascript. Switching between all these different forms of programming is frankly exhausting.

Over the same period of time I have experimented with a good chunk of the new/popular/interesting toolkits, languages, and whatever – in search of the best tools to use in my craft. There are too many good but not overwhelming choices. Python or Ruby or Java or Perl or Smalltalk or Lisp or … at the end of the day I do not find any of the many choices especially compelling compared to the others. What is needed is some criteria filtering down the alternatives. The list boils down to some clear choices:

  • On the server-side C++ is going to be around forever for whenever brute force processing is needed (not for many/most web applications).
  • On the server-side Java is going to be around forever, has a huge collection of libraries covering almost everything needed by a web application, and can be quite efficient with all the work on the JVM.
  • On the client-side we can count on HTML 4.01/CSS 2/Javascript 1.5, and can expect this set to stay pretty much fixed for years.
  • Between the browser and server shipping HTML and JSON seems generally to make the most sense. Yes, I am mostly ignoring XML in the client and on the wire.

What is missing is something a bit looser on the server. For many tasks getting lots of function written is more important than high levels of efficiency. This is where Lisp, Smalltalk, Perl, Python, Ruby, PHP, and shell-scripting came in. Which do you pick and why? They all have merits, but none seem like a clear winner.

For a cluster of reasons I am starting to believe that server-side Javascript is the logical choice. In the first place, as a web developer you pretty much have to get good at using Javascript for the client. With closures and prototype objects, Javascript is a very decent looser/higher-order language. While Javascript may not be quite as slick as Python or Ruby (pick your favorite language/feature), the difference is not enough to matter. Bits that add up in favor of Javascript:

  • Using Javascript on the server means one less language for the web developer to learn. Should help productivity.
  • As a scripting/higher order language, Javascript is good enough.
  • When using Rhino (Javascript implemented in Java) you get immediate access and superb integration with all your server-side Java code.
  • When using SpiderMonkey (Javascript implemented in C) (and/or Tamarin) you get immediate access to all your C/C++ code.
  • Generating and consuming JSON data gets just a bit easier.

Turning theory into practice, found Helma as an interesting example using Rhino. Looks like there are others, and that Java-based server-side Javascript is relatively easy. The picture with C/C++ based server-side Javascript is a bit fuzzier, mostly as there are too many partial solutions.

The other piece of the puzzle is integration into IIS (for the Windows folk) and Apache (for the Unix folk). Personally I like the notion that the application/interpreter runs in a separate process, lashed to the web server with something like FastCGI (or similar). There is an existing FastCGI extension for IIS, but new IIS versions tend to break extensions in interesting (not) ways. The news of late is that Microsoft is offering a FastCGI extension. This is very good news for folks deploying applications on Windows, as we hopefully should see fewer problems with new IIS revisions.

The other compelling variation is server-side Javascript for applications at web-hosting services. This is pretty exclusively the domain of PHP at present. My webhost (DreamHost) allows the use of FastCGI (originally for PHP and Ruby). A C/C++ based server-side Javascript interpreter lashed up via FastCGI could offer excellent performance. The same code and skills could be largely re-used when developing in-house applications (where the underlying implementation may be Java).

Starts to look like Javascript interpreters lashed to web servers via FastCGI, and integrated into existing applications, are the best common path.
