Older blog entries for bjgm (starting at number 4)

I agree with jtansen in regards to SOAP / Security discussions, and CGI (and JSP / Servlet, etc) developers have had to deal with this for quite a while now. It all comes down to the fact that, as always, software developers need to be aware of the security issues involved in their work, and to take that into account when writing their code.

Every week it seems a good half dozen security bugs are reported that involve buffer overflows or mishandling of user input! The fact that you must very carefully validate and manage all information that is input into your program / system should be common knowledge to everyone by now. At what point are people going to start using this knowledge, as a whole?

I guess it all comes down to education, and I don't think a single Java book I have read has done a good job of talking about security issues in relation to Java programming (and I don't mean the security APIs, which are a different issue altogether). It is a mindset that must be explained, a certain level of paranoia or mistrust which the programmer must have towards the users and external data sources which come into their system.

I apologize if I digress, but to summarize, I don't feel that SOAP security is anything new / different from the same kinds of issues that most programmers don't deal with well / at all, and cause the kinds of insecurity that we see in most systems.
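To make the "mistrust of external data" mindset concrete, here is an added example (not code from the original diary, and not Advogato's or Javagato's code) of the checks a server-side handler should run on a diary post arriving over an interface like XML-RPC before it is stored or displayed. The field names, the length limits and the username pattern are assumptions chosen for illustration; the point is that every field is checked for encoding, length and control characters, and that output to HTML is escaped separately from input validation.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
	"unicode"
	"unicode/utf8"
)

// Limits are illustrative assumptions, not values taken from Advogato.
const (
	maxTitleLen = 120
	maxBodyLen  = 64 * 1024
)

// Usernames: lowercase letter, then up to 31 of [a-z0-9_-]. Assumed policy.
var userRe = regexp.MustCompile(`^[a-z][a-z0-9_-]{0,31}$`)

// DiaryPost is the hypothetical shape of a post received from a remote client.
type DiaryPost struct {
	User  string
	Title string
	Body  string
}

var (
	ErrBadUser = errors.New("user: must match ^[a-z][a-z0-9_-]{0,31}$")
	ErrBadUTF8 = errors.New("not valid UTF-8")
	ErrTooLong = errors.New("exceeds length limit")
	ErrControl = errors.New("contains control characters")
)

// checkText rejects malformed encodings, over-long fields and control
// characters (optionally allowing newline and tab in multi-line fields).
func checkText(s string, max int, multiLine bool) error {
	if !utf8.ValidString(s) {
		return ErrBadUTF8
	}
	if utf8.RuneCountInString(s) > max {
		return ErrTooLong
	}
	for _, r := range s {
		if multiLine && (r == '\n' || r == '\t') {
			continue
		}
		if unicode.IsControl(r) {
			return ErrControl
		}
	}
	return nil
}

// ValidatePost applies the checks to every field; the first failure is
// returned wrapped with the field name so callers can use errors.Is.
func ValidatePost(p DiaryPost) error {
	if !userRe.MatchString(p.User) {
		return ErrBadUser
	}
	if err := checkText(p.Title, maxTitleLen, false); err != nil {
		return fmt.Errorf("title: %w", err)
	}
	if err := checkText(p.Body, maxBodyLen, true); err != nil {
		return fmt.Errorf("body: %w", err)
	}
	return nil
}

// RenderTitle shows that validation does not replace output encoding:
// even a validated title is escaped before it is placed into HTML.
func RenderTitle(p DiaryPost) string {
	return "<h2>" + html.EscapeString(p.Title) + "</h2>"
}

func main() {
	// Constructed sample input, not a real post.
	p := DiaryPost{User: "bjgm", Title: "Symbiotic <Thoughts>", Body: "line one\nline two"}
	if err := ValidatePost(p); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(RenderTitle(p))
}
```

The validation deliberately happens on the server, where the data actually enters the system; a client-side check in a front end like Javagato is a convenience for the user, not a security control.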

I have been reading the last few evenings (and Sunday), rather than working on Symbiosis, but I keep coming up with / documenting ideas I have to work on. I have been reading "Nothing on My Mind", which is a book about a man's journey through life at Berkeley in the 60's, doing lots of drugs, and eventually discovering Zen meditation.

I am not sure, as I am not done with the book, what the "point" of the book is, or perhaps it doesn't even have one, as is true with a lot of these kinds of books. I am at least happy, based on the author's experience, that I didn't experiment with drugs in my youth, and I have never heard of extreme drug use causing someone to be "enlightened". I think I will stick to the slow and steady approach.


I have had it with forgetting things (usually passwords), and I want a better mechanism to keep track of the work I do on a daily basis, and to document all of the interesting things I learn every day. I am quite sure that I have forgotten at least 20 times as much as what I know right now, and some of that information that I forgot would most likely be useful to know in the future.

Because of this (and a lack of reasonably good XML-RPC APIs for Advogato), I have put Javagato on the back burner, and am back onto Symbiosis, however with a slightly different twist of my previous priorities. The 1.0 plan was mainly Identity Management capabilities for storing / sharing / migrating PKI information, however I will now be concentrating on knowledge management.

I had put together my own simple MD5/DES based encrypted data store, but it isn't very efficient for large data sets (which wasn't a requirement for small PKI key rings). As KM is now the 1.0 primary goal, I am going to look at some Java ODB / RDB solutions that have fairly small footprints.

Each piece of knowledge in the system will be the member of a particular security realm, even for the 1.0 release, so my post 1.0 plan of allowing remote access to the knowledge system should be a lot simpler. Security and flexibility are the focus, and I am tired of worrying about the security of my data. Now that more and more people are doing things on the net exclusively (like banking, for example), security should be an important part of all software, IMHO. In Symbiosis, all data (including preferences) will be encrypted when it is persisted.
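As an added example (not the Symbiosis code, whose store is described above as MD5/DES based), here is one way to implement "every record belongs to a realm and is encrypted when persisted" so that the realm membership is itself protected: each record is sealed with AES-GCM and the realm name is passed as associated data, so a record copied or relabelled into another realm fails to decrypt. The key is assumed to be supplied by the caller (in practice it would be derived from a passphrase with a KDF, which is outside this example); the record layout and the `Store` API are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one encrypted piece of knowledge as it would be persisted.
// Realm and Nonce are stored in the clear; Data is ciphertext plus GCM tag.
type Record struct {
	Realm string
	Nonce []byte
	Data  []byte
}

// Store wraps an AEAD built from a caller-supplied 16/24/32-byte AES key.
type Store struct {
	aead cipher.AEAD
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead}, nil
}

// Seal encrypts plaintext under a fresh random nonce and binds the realm
// name to the ciphertext as associated data (authenticated, not encrypted).
func (s *Store) Seal(realm string, plaintext []byte) (Record, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(realm))
	return Record{Realm: realm, Nonce: nonce, Data: ct}, nil
}

var ErrRealmMismatch = errors.New("record does not belong to the requested realm")

// Open refuses records whose stored realm differs from the one requested,
// and the GCM tag check additionally fails if the stored realm label was
// edited after sealing or the ciphertext was modified.
func (s *Store) Open(realm string, r Record) ([]byte, error) {
	if r.Realm != realm {
		return nil, ErrRealmMismatch
	}
	pt, err := s.aead.Open(nil, r.Nonce, r.Data, []byte(realm))
	if err != nil {
		return nil, fmt.Errorf("realm %q: authentication failed: %w", realm, err)
	}
	return pt, nil
}

func main() {
	// Constructed demo key; a real store derives this from a passphrase.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	s, _ := NewStore(key)
	rec, _ := s.Seal("personal", []byte("constructed sample note"))
	rec.Realm = "work" // relabelling the stored record...
	_, err := s.Open("work", rec)
	fmt.Println("relabelled record opens:", err == nil) // ...does not work
}
```

Because the realm is authenticated rather than merely stored beside the data, an access-control decision made on `Record.Realm` cannot be bypassed by editing the persisted file; the same idea extends to any metadata the access policy depends on.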

The Javagato Adventure

I spent some time last night working on Javagato, my Java front end to Advogato, using the XML-RPC interface. Come to find out, like cmacd I found that I had forgotten my password, as I wasn't really in a password remembering "mode" when I created the account. I found this out while I was going to test the UI login screen, but I was very happy that I had my own UI to the XML-RPC interface, because I could keep easily changing the password and hitting the OK button, rather than having to click on back, modify it in the HTML field, submit, etc. So I find the first undocumented feature of Javagato is to figure out what your password is a bit faster than through the Web UI.

These password issues finally led me to do some looking into some password "tracker" utilities out there, and my biggest problem with all of them is that I don't trust them, so I may put together a nice Java password tracker after I am done with Javagato, and I already have an encrypted storage mechanism written for Symbiosis, which I can easily re-use.

Because of the painful XML-RPC interface I have decided to make Javagato extremely cache oriented, with some options on diary retrieval depth. As some folks post daily (like myself, thus far), I don't want to pull down all 200 posts if the user is only interested in the last 10, so this value will be either a) configurable through a preference b) configurable at run-time or c) both, and I am leaning towards c.

It is a fun little project to throw together, and I hope someone here finds it useful, and it is refreshing to get my mind off of not only work, but also Symbiosis for a while to fiddle with some new ideas, but I am starting to see Symbiosis more as an ideal than a piece of software, and as such, no matter how much work I do on it, I don't think I will ever be "finished with it". It reminds me a lot of Xanadu in that way.

To finish up, let me thank tk for being the first one to give me a rating, and I agree that at this point, from an Open Source standpoint, Apprentice is about right. I hope after I retire from "real work", that I can spend more time on Open Source software development, and perhaps be a Master before I die (and possibly even finish Symbiosis!), but for now I am stuck to only working on it at night and on weekends.

16 May 2002 (updated 16 May 2002 at 21:52 UTC) »
Web Services, where are they hiding?

I was very happy to stumble upon the XML-RPC interface which is available for Advogato, as I generally hate to use a web browser for things that I feel can be done better programmatically (like the functionality on this site). I therefore began working on a Java program to interface with this site, using the XML-RPC interface.

The Apache XML-RPC libraries for Java seem quite nice so far, and I tested out all the methods in a hard-coded way already to see how well they work. Due to the speed of Advogato, and the type of XML-RPC calls that were implemented, I think I will need to do a great deal of caching to make the program work well, and even with that in place there is a lot of site functionality that isn't available over XML-RPC.

Since this site is certainly not ad-driven, I would like to propose / suggest some additions / modifications to the XML-RPC interface of Advogato to allow for more robust / pleasant to look at clients to be written against its functionality. Then again, feel free to blow me off as well :)

I suggest the following additions to the Advogato XML-RPC interface =>
1) As with the diary, methods to get / post articles.
2) Bulk methods, to get a number (X) of entries / articles, rather than the current one-at-a-time implementation.
3) A way to interact with the certification system.
4) A way to access the "recent posts" functionality, which I must say is most excellent.

And now relating to the topic of this diary entry, the XML-RPC implementation here got me into "research mode", and I wanted to see what other sites / services on the net had these (or SOAP) interfaces to their functionality (other than Google, which I had heard about weeks ago, but they have that "search limit", which is probably necessary from a resource standpoint, but rather bogus from a programmatic standpoint).

I looked through the IBM UDDI directory, and also another SOAP / XML-RPC service registration site, but over 50% of the stuff in there was complete garbage, and of the stuff that was there, I didn't find anything at all that was interesting enough to spend my time implementing a client that worked against it.


Symbiotic Thoughts

I felt a good first post would be to describe my project, and get some of the concepts / ideas related to it explained a bit, for my own good as well as others, and if nothing ever comes of this project, I hope at least that others are given ideas which come to fruition from this.

Problem set =>

1) Systems which are secure are rarely easy to use. As the use of technology grows it will become more important that information be secure / encrypted, not only for network transmission, but also for local persistence. This needs to occur with little to no impact on the user.

2) Authentication is also related to #1, but deserves a number of its own. There are currently a large number of different authentication mechanisms, but again they are often not simple to use, from either a programmatic or a user perspective, and the lack of a single standard causes problems with system interoperability.

3) Information Management / Sharing is another problem, which a lot of people try to solve by having web pages for everything. This approach really isn't that horrible, as HTML is a decent data display mechanism, but some areas that need improvement there are the ability to add ACL type security to information, and also a good rating system to make it easier to find "good" information.

This is just for starters, and I would love to hear about other people's thoughts on not only this problem set, but related problems which need to / can be addressed programmatically.
