DHS Warning About Java: Update

Several days ago I wrote a blog post about the warning from the U.S. Department of Homeland Security (DHS) about the use of Java.  DHS had gone so far as to advise users to disable Java in their browsers.

A few words of clarification:  as many of you surely know, Java is not JavaScript.  Those are totally different and unrelated languages, in spite of the unfortunately similar wording.

Second, by warning users to turn off Java in their browsers, DHS is essentially telling them to disable Java applets, which are the only form of Java program that can run in a browser.  Applets are small programs that live on websites, download to your browser, and execute on your own local computer, all within a sandbox that is intended to prevent them from doing anything to your computer without your express permission.  Generally the only thing an applet is allowed to do is present data visually and accept typed or other forms of input from the end-user; the sandbox is supposed to keep it from reading your files, connecting to hosts other than the one it came from, or launching other programs.  The vulnerability DHS is warning about is a flaw in that sandbox, so a malicious applet can escape those restrictions, which is why disabling applets is the recommended stop-gap.  Frankly, that’s not how most Java-based systems work today.  Most Java-based systems consist of Java programs that run elsewhere – within mobile devices, or on servers in all sorts of forms.  Lots of websites use Java on the server side and never send applets to their end-users’ browsers.  So you may still be visiting a website that runs Java on the server side and never sends executable code to your browser; it probably only serves up completed web pages, and that’s fine.  You’ll be safe insofar as the DHS warning is concerned.

So now it’s February 3, 2013 (Super Bowl Sunday incidentally), and yet – still no apparent conclusion to the Java situation.


The most recent article I can find right now is Taking the Java Bull by the Horns by Patrick Nelson at Technology News, published Jan. 31, 2013, and it says this:

even though Oracle has made some efforts to patch the flaws, DHS hasn’t lifted its warning … As of Jan. 22, 2013, the current version of Java is Version 7, Update 11. The latest version includes fixes for issues raised by DHS as well as other issues. It also sets security settings to “High.” … You may decide that it’s prudent to switch off Java altogether. New Java vulnerabilities are likely to be discovered, according to DHS’s Computer Emergency Readiness Team.

The article also includes step-by-step instructions for performing upgrades and adjusting security settings in your browser.

We’ll keep an eye on this.  I think many of us are so busy working in non-applet areas that we’re not all that concerned.  However, I know firsthand of one company that internally uses an applet-driven software tool for internal corporate communications, and they’ve recently made the call to shut it down until this issue is resolved.  It’s disruptive for sure.

Stay tuned.

DHS Warns About Java; Red October Connection?

A few days ago, the U.S. Department of Homeland Security issued a warning to temporarily disable Java in your web browsers, warning of:

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

Now this morning we have this from Ars Technica: Red October relied on Java exploit to infect PCs

Attackers behind a massive espionage malware campaign that went undetected for five years relied in part on a vulnerability in the widely deployed Java software framework to ensnare their victims, a security researcher said.

And:

Oracle developers patched the bug in October 2011; the malicious Java archive file was compiled the following February.

Be warned.

The Skin Gun

And now for something completely different.

As you probably know, I generally use this blog to talk about entertaining and fun and unusually talented people, many of whom are friends of mine, and some of whom you may not know about.  I generally stick to anything involving the creative arts, but am open to anything that’s interesting and perhaps a bit unusual.

This is one of those posts, and it’s not just fascinating, it represents a significant medical breakthrough.  And it’s a bit serious, so brace yourself for the subject matter.

Below is a video on YouTube that is a snippet of a National Geographic piece about something new they’re calling the “Skin Gun”.  The idea is that if someone is a burn victim and has lost a relatively large area of skin, this spray gun, which is sort of like a spray paint device, can be used to apply a solution to the burned area and allow the patient to heal quickly.

And “quickly” is an understatement.  In the video, you’ll see the first patient on which the device was used – Matthew Uram, described in the video as a Pennsylvania state police officer.   After experiencing second-degree burns, his doctor asked him if he was interested in trying this device, and he did.  It took 90 minutes to prepare the solution and apply it.  “They did it on a Friday, my follow-up was that Monday and … it was healed.”

Amazing.

Note:  I generally embed videos into my blog posts, but the video below is not embedded.  It looks like it is, but when you click on it, you’ll see how it reacts and you’ll be able to tell that it’s not embedded, it’s actually a link to the YouTube site, so you’ll see it over on the YouTube site.  The reason I set it up in this unusual way is simple:  if I embed a YouTube video, the video automatically incorporates the “splash” screen chosen by the YouTube user who uploaded the video.  For this video, the user apparently chose a somewhat shocking “splash” image from the video of a burn victim.  It makes sense over at YouTube, he was clearly trying to get attention and convey that it’s a burn victim video.  And you’ll see that image in the video below.  It’s not completely revolting – I’m sure you’ve seen worse – but it’s a bit shocking in the context of Skere9, which is a fun and entertaining site.  I wanted a chance to say “brace yourself” first.  So consider yourself warned!

The video is below, and highly fascinating.


Social Media Rock Stars Jon Ealy and Jeremiah Anthony

In October 2011, two students at Iowa City’s West High decided to use social networking to compliment and encourage fellow students, as something of a counter to the practice of cyber-bullying that’s been reported in various news articles lately. The students are named Jon Ealy and Jeremiah Anthony. The practice has attracted a good amount of notice, particularly from Skere9.  There’s a photo at Pinterest of Jon and Jeremiah working together on the sites.  Their sites include a Twitter account named @WestHighBros.

And here’s a video – that only mentions Jeremiah for some reason, but – see below.

Security Inside The Perimeter


One of the issues that was being discussed at this past Oracle Open World 2012 was the importance of considering security during the design stage of a system development effort.  Technology journalist Michael Lee wrote about this issue last fall in a piece titled Developers ignore their security responsibilities: Oracle.  In it, Lee addressed the observations of Oracle Chief Security Officer Mary Ann Davidson:

Marines don’t consider perimeters to be completely unbreachable, and hence, need to be prepared to defend themselves from attack from the inside … Davidson said that many organisations still assumed that attackers won’t get inside their perimeter … [1]

Davidson is totally right, but it is starting to change.  An increasing number of the customers I work with are starting to operate on the assumption that security perimeters will be breached.  Security measures are no longer limited to protection at the perimeter.

This is one place where analytics can play a role.  I’m not just talking about security information and event management (SIEM).  Through data collection and pattern analysis, an alert system can watch for deviations from a system’s normal data flows and process flows, estimate the likelihood that a given deviation is an intrusion, and act on it accordingly.  But the point is that most security starts with a healthy dose of common sense, applied at all levels of a system’s operational capabilities.

I live in the suburbs of Washington, DC, but recently attended an NFL football game in Philadelphia, and afterwards was having dinner in downtown Philly, when I received a call on my mobile phone from Visa.  They said it was a courtesy call regarding my credit card, and offered some proof of who they were and how they knew my account, and then asked a few questions to confirm who I was.  The exchange was professional and left me confident of the authenticity of the call.  They then asked if they could review a few recent purchase requests on my credit card, and I said – sure.  Sitting there in the restaurant, I listened as they asked me if I had authorized a purchase of gasoline in Pennsylvania that morning.  I said well yes, as a matter of fact, and feeling comfortable that they were who they said they were, I offered that I was heading to the Redskins-Eagles game that day, and was intending to use the same card to pay for the dinner I was eating as they were speaking to me.

They then asked if I’d attempted to purchase a washing machine at a Target department store in Washington, DC on that same afternoon.

I said – uh – no.  I was sitting in the Eagles stadium in Philadelphia about that time.

What about a refrigerator at a second location, also in DC?

Definitely not.

They then said well, you probably didn’t authorize these additional six or seven attempts to purchase large appliances at five different department stores in Washington, DC this afternoon, if you’re in Philly at a football game.  I said – no, not at all.

Thank you, they said, we rejected all of those attempts and just wanted to confirm we did the right thing.  And should you use the card to purchase your dinner tonight, it will be approved with no problem.  But we’re going to cancel this number and issue a new credit card to you, you’ll not be charged.

I said – thank you.

I enjoyed the rest of dinner, paid for it with no trouble, and two days later I had my new credit card with the new number.  I was never charged anything inaccurate or fraudulent.  It all worked out remarkably well.

To help put the incident in perspective, I had the correct physical credit card with me at all times, and the would-be scammer did not, but whoever it was had my credit card number, and he or she was attempting to use the number alone – without the card – to make these purchases.  Visa rejected them all, and according to what they told me, it was in large part due to the fact that the purchases conflicted with my patterns.  Also, this all happened right before Visa began issuing cards with an additional numeric code printed on the back of the card.  That started immediately after these events, so it didn’t apply to these circumstances.
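As an added example (not Visa’s system, and not code from the original post), here is a rule-based version of the pattern analysis described above, applied to constructed transactions that mirror the story: card-present fuel and restaurant purchases in Pennsylvania, and a burst of number-only appliance purchases at several Washington, DC stores the same afternoon.  The cardholder profile, rule weights, thresholds and sample transactions are all assumptions made for the illustration.

```python
"""Rule-based transaction anomaly scoring (added example, not an issuer's system).

The profile and transactions below are constructed to mirror the story:
card-present purchases in Pennsylvania, then a burst of number-only
(card not present) attempts to buy large appliances in Washington, DC.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: datetime
    city: str
    merchant: str
    category: str       # merchant category: "fuel", "restaurant", "appliances", ...
    amount: float
    card_present: bool  # False = only the card number was presented


@dataclass
class Profile:
    """What the issuer has learned about this cardholder (constructed)."""
    categories: Counter = field(default_factory=Counter)
    max_amount: float = 0.0
    card_present_share: float = 1.0  # fraction of history that used the physical card

    @classmethod
    def from_history(cls, history):
        cats = Counter(t.category for t in history)
        share = sum(t.card_present for t in history) / len(history)
        return cls(cats, max(t.amount for t in history), share)


# Assumed rule weights and decline threshold; a real issuer tunes these from labelled data.
WEIGHTS = {"new_category": 2, "amount": 2, "entry_mode": 2, "velocity": 3}
DECLINE_AT = 5


def score(txn, profile, recent, window=timedelta(hours=1), burst=3):
    """Return (score, reasons) for one transaction.

    `recent` holds the earlier transactions on this card, approved or not:
    declined attempts still count toward velocity.
    """
    reasons = []
    if txn.category not in profile.categories:
        reasons.append("new_category")
    if txn.amount > 3 * profile.max_amount:
        reasons.append("amount")
    # This cardholder almost always presents the card; a number-only attempt breaks that pattern.
    if not txn.card_present and profile.card_present_share > 0.9:
        reasons.append("entry_mode")
    in_window = [r for r in recent if txn.when - r.when <= window]
    if len(in_window) + 1 >= burst:
        reasons.append("velocity")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(transactions, profile):
    """Score transactions in time order; return {txn_id: (decision, reasons)}."""
    seen, out = [], {}
    for t in sorted(transactions, key=lambda x: x.when):
        s, reasons = score(t, profile, seen)
        out[t.txn_id] = ("decline" if s >= DECLINE_AT else "approve", reasons)
        seen.append(t)
    return out


def _t(day, hhmm):
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")

# Constructed history: a month of ordinary, card-present spending near home.
HISTORY = [
    Txn("h1", _t("2012-10-02", "08:10"), "Washington, DC", "Corner Gas", "fuel", 52.0, True),
    Txn("h2", _t("2012-10-05", "19:30"), "Washington, DC", "Bistro", "restaurant", 84.0, True),
    Txn("h3", _t("2012-10-12", "12:15"), "Washington, DC", "Market", "grocery", 121.0, True),
    Txn("h4", _t("2012-10-20", "18:45"), "Washington, DC", "Cafe", "restaurant", 47.0, True),
]

# Constructed game day: the cardholder is in Pennsylvania with the physical card,
# while someone with only the number tries several stores in DC.
GAME_DAY = [
    Txn("g1", _t("2012-11-18", "09:10"), "Philadelphia, PA", "Turnpike Fuel", "fuel", 48.0, True),
    Txn("g2", _t("2012-11-18", "14:05"), "Washington, DC", "Target", "appliances", 899.0, False),
    Txn("g3", _t("2012-11-18", "14:25"), "Washington, DC", "Store B", "appliances", 1199.0, False),
    Txn("g4", _t("2012-11-18", "14:40"), "Washington, DC", "Store C", "appliances", 1049.0, False),
    Txn("g5", _t("2012-11-18", "15:05"), "Washington, DC", "Store D", "appliances", 1299.0, False),
    Txn("g6", _t("2012-11-18", "19:40"), "Philadelphia, PA", "Downtown Grill", "restaurant", 96.0, True),
]


def run_demo():
    return decide(GAME_DAY, Profile.from_history(HISTORY))


if __name__ == "__main__":
    for txn_id, (decision, reasons) in run_demo().items():
        print(f"{txn_id}: {decision:8} {', '.join(reasons) or '-'}")
```

Run it and each DC attempt is declined because the category, amount and entry mode all break the cardholder’s established pattern, with the velocity rule adding weight once the third attempt lands inside an hour; the Pennsylvania fuel and dinner purchases still approve.  The reasons list is the part worth keeping: it is what lets an analyst, or a courtesy call to the cardholder, confirm that the system did the right thing.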

At the end of the day, security is not only about the latest technological breakthrough.  It’s about a combination of two things:

  • A sound understanding of how the fundamentals of technology operate
  • A common sense approach to defense against classic con games

Any system developer must keep these concepts in mind, and recognize them in securing perimeters, and in developing a solid plan of defense for those times when perimeters are broken.  Perimeters will be broken.  The only question is:  how will you respond?

Footnotes

[1] http://www.zdnet.com/developers-ignore-their-security-responsibilities-oracle-7000005808/

The Twitter Dress and Wearable Computers

If you’re looking for a great Christmas gift for a special someone, you might consider the new “Twitter dress”. The BBC did a three and a half minute video showing it in action. The “Twitter dress” is covered in controllable LED lights that can show animated patterns, and it can display tweets or other messages received in real time. It also can take photos.

Nicole Scherzinger at the 4G Launch party of UK's Everything Everywhere.

The name “Twitter dress” comes from the London launch event of the new 4G service of UK mobile network Everything Everywhere.  The launch event featured Nicole Scherzinger, the former lead singer of the Pussycat Dolls.  (Some still blame Nicole for the breakup of the band, but that’s another story.)  Scherzinger’s dress drew a great deal of attention at the EE 4G launch, with its flashing lights and ability to display tweets in real time, and triggered a lot of buzz in the Twitterverse during the live event.  This all just happened in November, so we’ll see if the name “Twitter dress” sticks, but for now, that’s what it seems to be known as.

I first saw a wearable computer at COMDEX in the 1990’s in Las Vegas.  A company called Xybernaut seemed to be leading the field.  I remember exiting the COMDEX convention one night, and finding a “booth babe” standing just outside of the convention center.  Imagine a vast concrete and stone patio, under the dark night desert sky, with the balmy warm breezes of Nevada gently blowing.  In the distance were the lights of the convention center in one direction, the lights of the casinos in another direction, but standing between them on the patio, a surreal tall cylinder, about ten feet high, cut open on one side, and looking like a Star Trek-style teleporter device, large enough for only one person to stand in.  A few dramatic beams of light shone straight down from the inside ceiling of the cylinder, down through the dark onto the person standing inside, who was just waiting there for whoever might happen to walk by as they exited the convention – as I was doing.  She was a pretty model, of course, with long flowing hair, dressed in a form-fitting costume like Batgirl from the 1968 Batman TV series, complete with a utility belt to house her wearable CPU, as well as storage and other devices, with a fascinating monocle over one eye for her heads-up display (HUD), and a tiny joystick in her left hand, like something you might use to operate an old racing slot-car.  I found the monocle a bit hard to use, I could tell it would take getting used to, but I thought the potential was fascinating.  It was one of the more compelling displays I’ve seen at a technical conference, as you may have surmised by now.  But it was also the last time I saw anything about wearable computers at a technical conference.  I think the rise of mobile devices made the wearable computer concept a bit irrelevant.

But is that changing now?  With new advances in the miniaturization of cameras, displays, controllers, and other devices, and the widespread adoption of hand-held devices – and therefore public acceptance of these products – we may soon see the “Twitter dress” and other developments gain traction with end-users.  I think it’s inevitable that technology will merge with clothes, fashion, and other forms of personal expression and interactive communication.

Stay tuned!

Announcing the winner of the Cartesian Product Challenge

Hello friends!

I announced the winner of the Cartesian Product Challenge at this year’s Oracle Open World 2012, here’s the formal announcement:

Steve O’Hearn – The Challenge from Oracle Certification on Vimeo


And yes, what I say above is true – this is the winner of the FIRST annual Cartesian Product Challenge! More on that soon, in the meantime, to all my American colleagues, a very happy Thanksgiving!

Here’s a little background on this video: this was shot at the Oracle Open World Certification Lounge, in the Moscone Center, on Monday, October 1, 2012. However – it wasn’t really planned. I was there to do a question-and-answer session with Oracle Open World attendees on issues pertaining to certification in general, and the SQL Expert exam in particular. The outstanding Carey Hardey made a lot of the arrangements, and the fantastic Harold Green of Oracle Corp. was there as well – he does Oracle TV spots for the company and had an impressive setup in the back of the room. I’d already brought up the idea of making the announcement of the Cartesian Product Challenge winner there, and Harold and Carey were both supportive of it, and when I was there, Harold had the idea of filming it. So I made some notes on my iPad (that’s what you see me glancing down to read) and grabbed some coffee, and with maybe five minutes of prep, we shot it. Harold is equipped with a tremendous portable recording system, complete with a high quality camera and excellent lighting system, and you can see the results above.


A few minutes later, we shot a second video for the Meet the Author series, which I’ll post tomorrow. After that, Harold folded up shop and was gone within about five minutes, to travel a few blocks and set up all over again for another shoot – I think that was scheduled to be at the nearby companion conference, JavaOne.

Stay tuned for more!

Report from Oracle Open World 2012 – Day 2

Oracle Open World, Day 2, in the bright sunlight overlooking downtown San Francisco:

TRANSCRIPT:

Hey! This is Steve, it’s Day 2 – actually, no, it’s Day 3 of the Oracle conference. But I’m going to tell you about Day 2, because it’s Day 3 in the morning, the sun’s just coming up, and it’s bright in here, I’m not blind, it’s just bright in here. So I thought I’d put on the sunglasses, because I’m really hip that way.

Anyway, good morning, this is Steve, and I’m on the 39th floor of a hotel in downtown San Francisco, here for the Oracle Open World Conference 2012. I’m overlooking the downtown area where most of the conference is taking place. So let me share with you something that you – that probably won’t make the news, you probably won’t hear about this, there’s a lot of talk about the keynotes, CNBC is interviewing folks here, you can see all that elsewhere, let me share something with you I don’t think you’ll hear anywhere else. The magic phrase is “software defined network”, or SDN. There is a lot of buzz about it here in Silicon Valley, and Oracle quietly is working away on this. I was in two separate meetings where this came up. And one person told me that recently VMware paid 1.2 billion dollars – billion dollars- for a company of 20 people with less than 10 million dollars in revenue. For this, VMware paid $1.2 billion, just to get the SDN assets. (Speaking of the bright sun – ) Wow, that’s bright. That’s bright!

Anyway, Oracle’s working away on this as well. And the idea is to create something of a hypervisor for networks, the same way a hypervisor works for virtualized operating systems. And I would say that the most important thing that I heard probably the whole day, was one key person told me – who’s involved with the effort, involved with the process at Oracle, said to a small gathering of us: “everyone is talking about it, nobody understands it”.

Anyway, there’s more to share, about the events, the presentation, the exhibit hall, the parties, uh, but, um, you can get that information elsewhere, and quite frankly, I’m working, I’ve been here working away, and so I haven’t participated in everything, and besides, there’s too much, there’s so much cool stuff going on.

That’s all for now, stay tuned for more later.

END TRANSCRIPT

Report from Oracle Open World 2012 – Day 1

Here’s my video report from Oracle Open World 2012, Day 1. A full transcript follows.

TRANSCRIPT:

This is Steve, it is Monday, October 1st, 2012, and I am here, at they uh – I’m in my hotel room, at the Oracle Open World conference here in San Francisco.  Oracle CEO Larry Ellison made a big announcement last night at the keynote session opening the conference.  It was about Oracle’s latest cloud computing offerings, and as I listened to him last night in Hall D of the Moscone Center, I was thinking – you know, I know the media is going to bash him for being a hypocrite.  Sure enough, The Wall Street Journal this morning reported the following:

After once dismissing cloud computing as “gibberish,” Oracle Corp. Chief Executive Larry Ellison announced three new features for its cloud computing service at a customer conference in San Francisco.

And Doug Henschen at InformationWeek blogged about this today:

The irony of seeing Larry Ellison extol the virtues of cloud computing, in-memory computing, and multitenancy after so many memorable attacks on earlier versions of these technologies offered by rivals was indeed rich.

I don’t think the slams against Larry Ellison are warranted.  It’s true that he’s bashed certain implementations of what we now call cloud computing, but I think his intent has been to warn against immature implementations of these technologies in services that didn’t offer the robustness, the security, the stability, the standards-based architectures and other kind of features that are typical with a more mature, professional platform along the lines of the Oracle relational database management system.

But one part of Ellison’s keynote on Sunday night really resonated with me.  Ellison reminded the audience that he first advocated cloud computing in the 1990s.  Well I heard some people in the audience snicker when he said that.  But snickerers, I’m here to tell you – it’s true.  He did advocate cloud computing in the 1990’s, I know he did.  I wrote about it, in a publication that came out in 1998.

The publication was titled Oracle8 Server Unleashed. It’s a compilation work consisting of several dozen chapters contributed to by about 40 authors.  My chapter was about Oracle’s Web Application Server 3.0, and a concept known as Network Computing Architecture, or NCA.  The goal of NCA was to remove all software off of your computer, and put it into the network.  This was consistent with a concept that was being advocated by Sun Microsystems. The phrase “the network is the computer” was the phrase that summarized this.  In fact, I think it was even Sun’s official corporate slogan for a while. Friends, this was cloud computing, but the term “cloud computing” had not been coined yet.  This was the 1990’s.  In my chapter of Oracle8 Server Unleashed, I wrote the following:

Larry Ellison, the founder and CEO of the Oracle Corporation, has frequently mused at what life would be like if common household appliances had the same complexity of maintenance as a PC.  For example, you never hear someone say something like “Sorry, I can’t go out tonight, I’m staying home so I can upgrade my TV to version 7.0”.  Nobody has to go to training class to learn how to use their microwave oven.  Nobody has to get a refrigerator adapter when they find out their latest leftovers aren’t compatible with their existing refrigerator.  Yet computer users deal with these issues all the time.  Software that runs on a Mac won’t run on a PC.  Upgrading from one version of Windows to another is a significant effort.  Ellison’s argument is that this is unacceptable, and that in order for computer technology to reach the masses, the PC must become as easy to use as any common household appliance.

And I continued:

In a recent presentation to a Japanese IT convention, Ellison was asked by a member of the audience if the network will be stable enough – won’t it crash from time to time?  Isn’t it risky to place so much dependence on the network?  Ellison’s response was to ask the audience member another question: what is the last thing that crashed on you: your telephone, or Windows 95?  The audience roared with laughter, making the answer obvious.  Yes, a network can experience problems once in a rare while, but when a network is maintained by a professional technical staff on a full-time basis, then the burden of the rote, technical system maintenance is lifted off of the consumer, who can spend her time focusing on her actual work…

The number of networks we already depend on is impressive: plumbing, electricity, highways, television, radio, — all networks professionally run by others, that consumers use frequently, yet do not worry about personally maintaining, upgrading, or troubleshooting.  Why should a computer user experience anything different?”

So when Larry Ellison stood on that stage on Sunday night, and when he reminded his audience that he’s been long advocating utility computing – the old name for what we now call “cloud computing” – I knew exactly what he was talking about.

Today’s headlines should not have read that Larry Ellison finally embraces cloud computing.  No.  That’s not what it should’ve been.  The proper headline today should’ve been:

Cloud computing has finally caught up to Larry Ellison, who has advocated the concept longer than anyone else in leadership in Silicon Valley today.

So folks, I’m here at the Oracle conference, I’ll have more information to share, we’ll see if we do some more later.