David Van Couvering's Blog
July 2006 Archives

Security, AJAX, and Java
Posted by davidvc on July 31, 2006 at 11:41 AM

Back from OSCON; it was a very good, enlightening trip. I have a stack of things I want to learn and experiment with now. I went to Simon Phipps and Tom Marble's talk about Sun's open source strategy, where for the most part they focused on Java. Tom talked about getting Java into GPL distributions of Linux like Debian and Ubuntu, quite a success story and a great example of a distributed, multi-company team working together to solve a real problem. Simon talked about open sourcing Java: where Sun is, where we hope to get to and by when. He said that there are a lot of constituents, some who want to see Java open sourced in August, and others who are looking at, say, 2008 :). He said he expects it to happen in incremental phases, with the majority of Java being open sourced by this time next year.

Speaking of Java, I just read this article about security teams uncovering a major JavaScript security hole that allows a script in a browser to scan your network without restraint, from finding and modifying your router configuration to discovering internal network resources and sending commands to them. This is on the heels of a nasty Yahoo! Mail worm that took advantage of AJAX.

Now, I love what AJAX can do for improving the quality of web-based applications. But I feel a bit heretical here to suggest that perhaps there is value in the Java sandbox model, and in the fact that with Java you can control which providers are granted access to your system. That is not to say that the Java security model cannot be compromised or improved; I suspect it probably can. I am just saying that with JavaScript and AJAX you really have no control at all: you can either enable JavaScript, or not, and that's about it. Disable JavaScript, and a whole suite of very compelling applications, such as Google Maps, are disabled. Enable it, and you expose yourself and your company to serious security risks.

When I talk to people about running Java in the browser, the common complaints I hear about are the extra step of having to install the plugin, issues around version management, the overhead of having to obtain a certificate from a CA, getting your apps signed, and getting users to press OK when presented with a signed applet. I'm sure there are others, and if I asked I'd get a whole litany. I think Java Web Start solves some of these issues, but I think we can continue to improve upon this.

The other complaint of course is that the Java programming language is not for everyone, particularly those used to the fast turnaround and simplicity of dynamic languages like Perl and Ruby. But I am seeing a very interesting trend of using Java as the runtime environment for scripting languages like JavaScript and Ruby. It would seem to me that if you could take advantage of the Java runtime's security, ubiquity, and rich set of APIs, while being able to pick and choose the right language for the job, you would get the best of both worlds.

So, we can spend who knows how long trying to solve the security issues of JavaScript and AJAX. But maybe, just maybe, we should take another look at running Java on the desktop and in the browser... Now that Java's being open sourced, perhaps this is something we can all work on together, so that our users can have both power and security.

Portland walkabout
Posted by davidvc on July 25, 2006 at 04:37 PM

None of the tutorials at OSCON interested me this afternoon, so after a brief look at OSCAMP (interesting, but no topics that pulled me into a circle), I took a walk across Steel Bridge into downtown Portland. The walk was great. I walked along Park Street, which is a double street with a long aisle of green, shaded in beautiful tall elm trees. Such quiet walks are a great antidote to the hubbub and crazy energy of technical conferences.

Whenever I go to Trondheim, Norway for work, I make sure I get out of the office and walk around. I remember those walks fondly; they still bring a certain stillness to my mind (well, except for the ones at night with the sleet pouring into my face and soaking my jeans; those I still remember too, but not really fondly). I must not be a "real" hacker, and I'm sure I'm losing out on "networking" opportunities, because to be honest I much prefer these quiet walks around town to bar crawls and late-night drunken parties. Although I wonder how much networking you can get done when your companion's eyes are glazed over and they're stumbling over their words as they spew out tirades about open source licenses and corporate backing and why Java is such a stupid language.

Right now I'm at a little local coffee shop at SW Broadway and Washington enjoying an iced latte. It's a great little coffee shop, with funny bits of art (including a painting with the word "fuuuck" delicately painted in pastel colors; sorry, no camera). The guy serving my coffee has a shirt saying "still fighting corporate coffee." There's a Peet's just down the street, and in Berkeley Peet's is David fighting the Starbucks Goliath; we Berkeleyans have a certain passionate loyalty to Peet's. But compared to this place Peet's is definitely corporate coffee, so in the spirit of supporting the local merchant, here I am. Feeling very "think globally, act locally," I smiled happily as this homey little place charged me $1.50 for my latte, and I commented to the guy how great it was to only pay $1.50 for a latte; in the Bay Area it costs $2.50 to $3.00. The woman making my drink stopped and asked the guy "what did you charge him for?" It turns out he had charged me for an Americano and I had to shell out another dollar. I should've kept my mouth shut.

Tomorrow things get crazy busy; I'll be spending lots of time at the Sun booth, and also at the Apache booth, as well as attending sessions and giving my own session. I'm glad to have this little break. Although while I'm down here I need to find a USB stick to give my demo. My own USB stick is part of my way cool Swiss Army knife. Since I can't carry that in my pocket on the plane, I had placed my USB stick in my suitcase pouch. Then, realizing my suitcase was a tad too small, I switched suitcases but neglected to pull out my pocket knife. Another blow from airport security. I'm glad this war on terror will be over soon....

Working from home, OSCON, AJAX, Groovy and global warming
Posted by davidvc on July 24, 2006 at 08:51 PM

I work from home most of the time. No sitting in a car in hours of traffic. Fresh organic food from my own refrigerator. A nice office with natural light, colorful walls, lots of space. And I forget how great this all is until I head off to the airport (this time to OSCON 2006 in Portland). Ugly carpets and fluorescent lights in the airport. Of course, the flight is delayed. I don't get into my hotel until 2am. The room smells of smoke, is tiny, and completely sterile; the AC barely works and I lie awake most of the night sweating in my sheets. "Interesting" breakfast at the hotel restaurants, more fluorescent lights in the tutorials all day, more interesting food for lunch, impossible network connection. I can't imagine how road warriors do it. They must build some kind of mental, emotional and spiritual wall inside so it doesn't affect them. I am trying very hard to stay away from the TV so I don't turn into a pale, untanned mass of protoplasm.