<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Historic on Software Engineer and Hobbit</title><link>https://www.thario.net/categories/historic.html</link><description>Recent content in Historic on Software Engineer and Hobbit</description><generator>Hugo -- 0.163.0</generator><language>en-us</language><lastBuildDate>Sun, 03 Aug 2025 16:36:23 -0700</lastBuildDate><atom:link href="https://www.thario.net/categories/historic/index.xml" rel="self" type="application/rss+xml"/><item><title>Human Versus Machine Code Analysis</title><link>https://www.thario.net/post/historic-human-versus-machine-code-analysis.html</link><pubDate>Thu, 17 Dec 2009 08:12:00 +0000</pubDate><guid>https://www.thario.net/post/historic-human-versus-machine-code-analysis.html</guid><description>&lt;p&gt;I see human code reviews as one tool in the quality toolbox. My opinion is that to keep code reviews interesting and engaging, humans should be the last link in the chain and get the most interesting problems. What I mean is that if the code review is burdened with pointing out that an opened resource was not closed or that a specific path through the code will never happen, code reviews become draining and boring. I also believe that code reviews need to scale up to teams that are not co-located. That might mean using an asynchronous process, like a workflow system or using collaboration tools to do the code review through teleconferences and screen sharing. A workflow system can prevent code from promotion into the mainline build until one or more reviewers have accepted it.&lt;br /&gt;&lt;br /&gt;To keep the code reviews interesting and challenging, I give the grunt work to the machines and use static analysis and profiling tools first. Before you can involve the humans, your code needs to pass the suite of static analysis tests at the prescribed level. 
This will weed out all the typical mistakes that are larger than what a compiler finds. There are many analysis and profiling tools available in open source and commercially. Most of my development work is in server-side Java, and my analysis tools of choice are FindBugs, PMD and the profiling tool in Rational Software Architect. FindBugs is a byte code analyzer, so it looks at what the Java compiler produces and is less concerned with the form of source code. PMD analyzes source code. Both tools have configurable thresholds for problem severity and they can accept custom problem patterns. PMD has a big library of problem patterns, including things like overly complex or long functions or methods. The RSA profiling tool only tests timing down to the method level of classes. It can quickly help a developer focus on where the sluggish parts of a system are hiding, which is valuable information going into a review. Once the code makes it through this array of automated tests, bring the humans in to look at it and get their input. I have found this approach in our case changes the review from a potentially adversarial situation into one with an educational tone. The review meeting, if it happens synchronously, is not overtaken by the small problems and pointing out basic mistakes. It is concerned with making recommendations at a higher level to improve the larger design.&lt;br /&gt;&lt;br /&gt;FindBugs, U. 
of Maryland, &lt;a href="http://findbugs.sourceforge.net/"&gt;http://findbugs.sourceforge.net/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;PMD, SourceForge, &lt;a href="http://pmd.sourceforge.net/"&gt;http://pmd.sourceforge.net/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Rational Software Architect for WebSphere Software, &lt;a href="http://www-01.ibm.com/software/awdtools/swarchitect/websphere/"&gt;http://www-01.ibm.com/software/awdtools/swarchitect/websphere/&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;</description></item><item><title>Recent AWS Certification</title><link>https://www.thario.net/post/historic-20170917-aws-certifications.html</link><pubDate>Sun, 17 Sep 2017 12:00:00 -0700</pubDate><guid>https://www.thario.net/post/historic-20170917-aws-certifications.html</guid><description>&lt;p&gt;Here are links to my official AWS certification records.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.certmetrics.com/amazon/public/badge.aspx?i=2&amp;amp;t=c&amp;amp;d=2017-07-06&amp;amp;ci=AWS00288662&amp;amp;lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base%3BlDOWb68AQnicouBqHdwSHg%3D%3D"&gt;AWS Certified Developer - Associate&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.certmetrics.com/amazon/public/badge.aspx?i=1&amp;amp;t=c&amp;amp;d=2017-08-17&amp;amp;ci=AWS00288662&amp;amp;lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base%3BlDOWb68AQnicouBqHdwSHg%3D%3D"&gt;AWS Certified Architect - Associate&lt;/a&gt;&lt;/p&gt;</description></item><item><title>My Dog's Microchip is 4723381A49</title><link>https://www.thario.net/post/historic-my-dogs-microchip-is-4723381a49.html</link><pubDate>Sat, 24 Nov 2012 16:26:00 +0000</pubDate><guid>https://www.thario.net/post/historic-my-dogs-microchip-is-4723381a49.html</guid><description>&lt;p&gt;Eventually, this unique ID will be indexed by the various search engines on the Internet. My dog is not lost, but I see this as a form of insurance in case he ever does go on walkabout without my permission.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</description></item><item><title>Testing the Proximity Sensor of iPhone 4</title><link>https://www.thario.net/post/historic-testing-the-proximity-sensor-of-iphone-4.html</link><pubDate>Thu, 23 Sep 2010 17:01:00 +0000</pubDate><guid>https://www.thario.net/post/historic-testing-the-proximity-sensor-of-iphone-4.html</guid><description>&lt;p&gt;The proximity sensor problem with iPhone 4 is a topic of much debate on discussion boards, blogs and news sites. The proximity sensor is used by the phone to determine if the user is holding the phone to her ear during a call. The phone uses input from the proximity sensor to decide whether to activate the screen and allow touch input. Many owners of the phone have reported the screen re-enabling while holding the phone to their ear during a call, while others have reported no problems. I am one of the unfortunate owners of the phone that has inadvertently placed a caller on hold or interrupted other callers with touch tones emanating from my end of the call. As of today I am on my second iPhone 4 and disappointed to report my experience has not improved. 
There are plenty of emotional calls for Apple to quickly address this problem. I want to take a different approach. In this essay, I will provide a discussion about testing approaches and what that means for complex systems. I use the proximity sensor as a real-world example to demonstrate the problem many have experienced and the difficulty involved in testing for it.&lt;br /&gt;&lt;br /&gt;Inside iPhone is a complex hardware system arranged in a hierarchy of command and control: a microprocessor, memory, storage, transceivers for wi-fi, cellular, and bluetooth networks. It has touch, light, sound and proximity sensor input. It has external interfaces for the dock, a headset, the SIM card. It has a single display integrated with the touch sensor input. The software distributed through these components is a system of collaborating state machines, each one working continuously to keep the outside world pleased with the experience of interfacing with the phone. It is not just a single human the iPhone must keep satisfied. The cellular networks, wi-fi access points, bluetooth devices, iTunes and other external systems are part of this interactive picture as well. This is oversimplified, but you can begin to appreciate the enormous burden of testing such a small, complex device used by millions of people.&lt;br /&gt;&lt;br /&gt;How does a team even start to tackle such a problem? Meyer (2008) presents seven principles in the planning, creation, execution, analysis and assessment of a testing regimen. Meyer writes, above and beyond any other reason for the testing process “is to uncover faults by triggering failures.” The more failures are triggered and fixed before delivery of a product to the end user, the less expensive it will be than to fix them later. Humans are a required yet flawed variable in the planning and execution of test suites for complex systems like iPhone. Identifying all possible triggers for failure can be nearly impossible. 
Savor (2008) argues that, “The number of invariants to consider [in test design] is typically beyond the comprehension of a human for a practical system.” How do we test the multitude of scenarios and their variations in complex systems without fully comprehending usage patterns and subtle timing requirements for failure in advance?&lt;br /&gt;&lt;br /&gt;Meyer (2008) argues that testing time can be more important a criteria than absolute number of tests. When combining time with random testing, also called test escapes, there is a possibility of uncovering more faults than just using a huge, fixed suite of tests continuously repeated without deviation. Test escapes as defined by Chernak (2001) are defects that the fixed testing suite was not able to find, but instead found later by chance, an unassociated test, or by an end-user after the project was delivered to production (e.g. introduction of randomness). Now that we have some background information and terminology, let’s design a test that could make iPhone’s proximity sensor fail to behave correctly.&lt;br /&gt;&lt;br /&gt;Consider an obvious test case for the proximity sensor:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Initiate or accept a call.&lt;/li&gt;&lt;li&gt;Hold the phone against ear. Expect the screen to turn off and disable touch input.&lt;/li&gt;&lt;li&gt;Hold the phone away from ear. Expect the screen to turn on and enable touch input.&lt;/li&gt;&lt;li&gt;End call.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;This test case can be verified in a few seconds. Do you see a problem with it? It is a valid test, but not a terribly realistic one. The problem with this test case is that it does not reflect what really happens during a call. 
We do not sit frozen with all of our joints locked into place, refusing to move until the call has completed.&lt;br /&gt;&lt;br /&gt;To improve the test case, we add some physical action during the call:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Initiate or accept a call.&lt;/li&gt;&lt;li&gt;Hold the phone against ear. Expect the screen to turn off and disable touch input.&lt;/li&gt;&lt;li&gt;Keep the phone still for 30 seconds.&lt;/li&gt;&lt;li&gt;Change rotation, angle and distance of phone to ear while never exceeding 0.25 inches from the side of the caller’s head. Expect the screen to remain off and touch input remain disabled.&lt;/li&gt;&lt;li&gt;Return to step 3 if call length is less than ten minutes.&lt;/li&gt;&lt;li&gt;Hold the phone away from ear. Expect the screen to turn on and enable touch input.&lt;/li&gt;&lt;li&gt;End call.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Now the test case is reflecting more reality. There are still some problems with it. When I am on a call, I often transfer the phone between ears. Holding a phone to the same ear for a long time gets uncomfortable. During lulls in the conversation, I pull the phone away from my ear to check the battery and signal levels, and then I bring it back to my ear. These two actions need to be added to the test case. Additionally, all of our timing in the test case is fixed. Because of the complex nature of the phone, small variations in timing anywhere can have an impact in successful completion of our test case. Introducing some variability to the test case may raise the chances of finding a failure. In other words, we will purposely create test escapes through random combinations of action and timing.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Initiate or accept a call.&lt;/li&gt;&lt;li&gt;Hold the phone against ear. 
Expect the screen to turn off and disable touch input.&lt;/li&gt;&lt;li&gt;Keep the phone still for [A] seconds.&lt;/li&gt;&lt;li&gt;Randomly choose step 5, 6 or 7:&lt;/li&gt;&lt;li style="font-style: italic;"&gt;Change rotation, angle and distance of phone to ear while never exceeding 0.25 inches from the side of the caller’s head. Expect the screen to remain off and touch input remain disabled.&lt;/li&gt;&lt;li style="font-style: italic;"&gt;Pull phone away from ear for [B] seconds and return phone to ear. Expect the screen to turn on and then off at the conclusion of the action.&lt;/li&gt;&lt;li style="font-style: italic;"&gt;Move phone to opposite ear. Do not exceed [C] seconds during the transfer. Expect the screen to turn on during the transfer and then off at the conclusion of the transfer.&lt;/li&gt;&lt;li&gt;Return to step 3 if call length is less than [D] minutes.&lt;/li&gt;&lt;li&gt;Hold the phone away from ear. Expect the screen to turn on and enable touch input.&lt;/li&gt;&lt;li&gt;End call.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;There are four variables to this test case. It is possible that certain combinations of [A], [B], [C] and [D] will cause the screen to re-enable during a call and cause the test case to fail. Have fun with this one. There are in fact combinations that induce proximity failure on iPhone 4 regardless of the version of iOS, including 4.1.&lt;br /&gt;&lt;br /&gt;Finally, an important part of test design is the inclusion of negative test cases. Chernak (2001) writes, “A test case is negative if it exercises abnormal conditions by using either invalid data input or the wrong user action.” For a device like iPhone, tapping the screen constantly while it is disabled, making a call while holding it upside down, or using a faulty docking cable can all be considered negative test cases.&lt;br /&gt;&lt;br /&gt;Testing complex systems, regardless of physical size, is an incredibly difficult task. 
Some of this can be performed by humans and some through automated systems. Finding failures in highly integrated systems requires a combination of fixed test suites, test cases that reflect real usage scenarios, and the introduction of test escapes through creative randomization.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Chernak, Y. (2001). Validating and improving test case effectiveness. IEEE Software, January/February 2001.&lt;br /&gt;&lt;br /&gt;Meyer, B. (2008). Seven principles of software testing. Computer, August 2008.&lt;br /&gt;&lt;br /&gt;Savor, T. (2008). Testing feature-rich reactive systems. IEEE Software, July/August 2008.&lt;/p&gt;</description></item><item><title>AT&amp;T's HSPA in Denver is Fast</title><link>https://www.thario.net/post/historic-atts-hspa-in-denver-is-fast.html</link><pubDate>Sat, 26 Jun 2010 05:05:00 +0000</pubDate><guid>https://www.thario.net/post/historic-atts-hspa-in-denver-is-fast.html</guid><description>&lt;p&gt;The following measurement was taken today with &lt;a href="http://www.speakeasy.net/speedtest/"&gt;Speakeasy&amp;rsquo;s speed test&lt;/a&gt; page while connected to the Internet over AT&amp;amp;T&amp;rsquo;s HSPA network in Denver. My system was using a Mercury USB adapter in a notebook PC running Windows 7. I am about a mile outside of the downtown area and the speed is good. The following screen-snip represents the best of about five runs while trying to time the image capture. Each run had inbound speed at 3.5 Mbps and faster. 
I also believe doing this test early on Saturday morning helped avoid some network congestion and get me favorable results.&lt;br /&gt;&lt;table style="width:auto;"&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://picasaweb.google.com/lh/photo/wXDDsIsgHfp-b3GyV1Z-l9MTjNZETYmyPJy0liipFm0?feat=embedwebsite"&gt;&lt;img src="https://lh5.googleusercontent.com/-zJ94GHcSdOE/T4YJWQ5VItI/AAAAAAAAArE/G2LLRvhh3gE/s288/speedtest.JPG" height="241" width="288" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family:arial,sans-serif; font-size:11px; text-align:right"&gt;From &lt;a href="https://picasaweb.google.com/118049804858757517322/AtT?authuser=0&amp;feat=embedwebsite"&gt;at&amp;amp;t&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;br /&gt;At about 11 AM, I checked the speeds again this time with &lt;a href="http://www.speedtest.net/result/860334614.png"&gt;speedtest.net&lt;/a&gt;.&lt;br /&gt;&lt;table style="width:auto;"&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://picasaweb.google.com/lh/photo/FDBPhc-weNp0raNjxulL9tMTjNZETYmyPJy0liipFm0?feat=embedwebsite"&gt;&lt;img src="https://lh4.googleusercontent.com/-OlXhl-rakrw/T4YJWZYUtxI/AAAAAAAAArE/ntsZnUIE_SQ/s288/11am.JPG" height="171" width="288" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family:arial,sans-serif; font-size:11px; text-align:right"&gt;From &lt;a href="https://picasaweb.google.com/118049804858757517322/AtT?authuser=0&amp;feat=embedwebsite"&gt;at&amp;amp;t&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;br /&gt;Here is the general location for these results.&lt;br /&gt;&lt;iframe frameborder="0" height="300" marginheight="0" marginwidth="0" scrolling="no" 
src="http://maps.google.com/maps?f=q&amp;amp;source=s_q&amp;amp;hl=en&amp;amp;geocode=&amp;amp;q=80205&amp;amp;sll=19.593991,-154.935633&amp;amp;sspn=0.007571,0.012639&amp;amp;ie=UTF8&amp;amp;hq=&amp;amp;hnear=Denver,+Colorado+80205&amp;amp;ll=39.755769,-104.968014&amp;amp;spn=0.039591,0.051498&amp;amp;z=13&amp;amp;iwloc=A&amp;amp;output=embed" width="300"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;small&gt;&lt;a href="http://maps.google.com/maps?f=q&amp;amp;source=embed&amp;amp;hl=en&amp;amp;geocode=&amp;amp;q=80205&amp;amp;sll=19.593991,-154.935633&amp;amp;sspn=0.007571,0.012639&amp;amp;ie=UTF8&amp;amp;hq=&amp;amp;hnear=Denver,+Colorado+80205&amp;amp;ll=39.755769,-104.968014&amp;amp;spn=0.039591,0.051498&amp;amp;z=13&amp;amp;iwloc=A" style="color: blue; text-align: left;"&gt;View Larger Map&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;My testing conditions are a stationary location in a second floor office of a 100+ year old brick structure.&lt;/p&gt;</description></item><item><title>XML's Role in Creating and Solving Information Security Problems</title><link>https://www.thario.net/post/historic-xmls-role-in-creating-and-solving-information-security-problems.html</link><pubDate>Sun, 14 Mar 2010 15:52:00 +0000</pubDate><guid>https://www.thario.net/post/historic-xmls-role-in-creating-and-solving-information-security-problems.html</guid><description>&lt;p&gt;XML provides a means to communicate data across networks and among heterogeneous applications. XML is a common information technology acronym in 2010 and is supported in a large variety of applications and software development tooling. XML&amp;rsquo;s wide adoption into many technologies means it is likely being used in places not originally imagined by its designers. The resulting potential for misuse, erroneous configuration or lack of awareness of basic security issues is compounded by the speed and ease with which XML can be incorporated into new software systems. 
This paper presents a survey of the security and privacy issues related to XML technology use and deployment in an information technology system.&lt;br /&gt;&lt;br /&gt;The XML Working Group was established in 1996 by the W3C. It was originally named the SGML Editorial Review Board. (Eastlake, 2002). Today XML has ten working groups, focused on areas including the core specifications, namespaces, scripting, queries and schema, and service modeling. XML is an ancestor of SGML, and allows the creation of entirely new, domain-specific vocabularies of elements, organized in hierarchical tree structures called documents. XML elements can represent anything related to data or behavior. An XML document can represent a customer&amp;rsquo;s contact information. It can represent a strategy to format information on a printer or screen. It can represent musical notes in a symphony. XML is being used today for a variety of purposes, including business-to-business and business-to-consumer interactions. It is used for the migration of data from legacy repositories to modern database management systems. XML is used in the syndication of news and literary content, as in the application of ATOM and RSS feeds by web sites.&lt;br /&gt;&lt;br /&gt;The flexibility and potential of XML use in information technology received increasing attention when web services technology was introduced. Web services communicate using XML. They can be queried by client programs to learn their methods, parameters and return data. They are self-describing, which means the approach of security-through-obscurity cannot apply if a web service is discovered running on a publicly accessible server. An attacker can ask the service for its method signatures and it will respond with specifications of how to invoke it. This does not mean the attacker will have the necessary information, such as an authentication credential or special element of data to gain access to the web service. 
Treese (2002) summarizes the primary security concerns involved with deploying any communications system that must transmit and receive sensitive data.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Confidentiality, to ensure that only the sender and receiver can read the message&lt;/li&gt;&lt;li&gt;Authentication, to identify the sender and receiver of a message&lt;/li&gt;&lt;li&gt;Integrity, to ensure that the message has not been tampered with&lt;/li&gt;&lt;li&gt;Non-repudiation, to ensure that the sender cannot later deny having sent a message&lt;/li&gt;&lt;li&gt;Authorization, to ensure that only “the right people” are able to read a message&lt;/li&gt;&lt;li&gt;Key management, to ensure proper creation, storage, use, and destruction of sensitive cryptographic keys&lt;/li&gt;&lt;/ol&gt;Web services are a recent technology, but fall prey to similar attacks used in past and current Internet technologies. Web services are vulnerable to many of the same attacks as browser-based applications according to Goodin (2006). Parsing and validation of data provided inside a transmitted XML document must be performed regardless of the source of the transmission. DTDs or XML schemas that are not strict enough in their matching constraints can leave an open path for parsing attacks. Goodin (2006) details the primary attacks on web services as:&lt;br /&gt;&lt;ol style="font-style: italic;"&gt;&lt;li&gt;Injection attacks that use XML to hide malicious content, such as using character encoding to hide the content of strings&lt;/li&gt;&lt;li&gt;Buffer overflow vulnerabilities in SOAP and XML parsers running on the system providing the web service&lt;/li&gt;&lt;li&gt;XML entity attacks, where input references an invalid external file such as a CSS or schema, causing the parser or other part of the application to crash in unexpected ways&lt;/li&gt;&lt;/ol&gt;Lawton (2007) details a similar problem with AJAX technology. AJAX stands for Asynchronous JavaScript and XML. 
It is not so much a specific technology, but a technique to reduce the number of whole page loads performed by a browser. An AJAX-enabled application can update portions of a browser page with data from a server. The data transmitted between browser and server in an AJAX communication is formatted in XML. The server-side of an AJAX application can be vulnerable to the same attacks described for web services above - overflows, injection of encoded data, and invalid documents. Goodin (2006) recommends IT staff scan the publicly facing systems of an enterprise periodically for undocumented web services, and scan known web services and applications with analysis tools such as Rational&amp;rsquo;s AppScan (2009). Lawton (2007) also recommends the use of vulnerability scanners for source code and deployed systems.&lt;br /&gt;&lt;br /&gt;A common mistake made even today in the deployment of web services or web applications is a lack of use of HTTPS or TLS protocol in securing the transmission of data between the client and server. All data transmitted across the Internet passes through an unknown number of routers and hosts before arriving at the destination. The format of an XML document makes it easy for eavesdroppers to identify and potentially capture a copy of this data as it passes through networking equipment. The easiest solution to this problem is to host the web service or web application over the HTTPS protocol. HTTPS is HTTP over SSL, which encrypts the data during transmission. HTTPS will not protect data before leaving the source or after arriving at the destination.&lt;br /&gt;&lt;br /&gt;Long, et al. (2003) discuss some of the challenges of bringing XML-encoded transactions to the financial services industry. Privacy is a primary concern for electronic financial transactions. Long states that simply using SSL to encrypt transmissions from system to system is not enough to satisfy the security needs of the financial sector. 
There also exists a need to encrypt portions of an XML document differently, so that sensitive content has different visibility depending on the system or person accessing it. The XML Encryption Syntax and Processing standard allows any portion or an entire XML document to be encrypted with a key, and then placed within an XML document for transmission or storage. The encrypted document remains a well-formed XML document. Eastlake (2002) describes the Encryption Syntax Processing and Signature Syntax Processing recommendations for XML. Using the ESP recommendation, portions of the document can be encrypted with different keys, thus allowing different people or applications to read the portions of the document for which they have keys. This approach provides a form of multi-level security within a single XML document.&lt;br /&gt;&lt;br /&gt;With web services comes the problem of knowing which ones to trust and use. Even more difficult is the problem of giving that determination to a computer. Carminati, Ferrari and Hung (2005) describe a problem of automating the evaluation of privacy policies of web services in today&amp;rsquo;s world of data storage, cloud, banking and financial institutions and multi-player gaming businesses that exist entirely on the Internet. They reason that systems discovered in web services directories may not operate with compatible privacy policies required by the consumer&amp;rsquo;s organization or local laws. They propose three solutions for handling this problem. The first is basic access control from a third party that evaluates and quantifies the privacy policy for a service provider. The next is cryptography in the services directory so that the consumer decodes only compatible services. 
The final solution is a hash solution, which looks for flags supplied by the web services provider describing their support of specific aspects of privacy policy.&lt;br /&gt;&lt;br /&gt;As with the problem of transmitting sensitive XML data across the Internet unencrypted, there is also a problem of authenticating the source of an XML document. How does a person or system verify the document&amp;rsquo;s originator? The Signature Syntax Processing recommendation briefly mentioned above provides a method to enclose any number of elements in a digital signature. This method uses public key cryptography to sign a portion of the document&amp;rsquo;s data. The originator of the document provides a public key to the recipient through a secure channel (on a flash drive) in advance of transmitting the data. The originator uses their secret key to sign the document data, which produces a new smaller block of data called a digital signature. The signature is embedded in XML around the protected elements. The signature and the XML data are used by the recipient to determine if the data was changed in transmission. The signature is also used to verify the identity of the signer. Both authentication steps require the recipient to have the sender&amp;rsquo;s public key.&lt;br /&gt;&lt;br /&gt;The problem of securing documents through path-based access control was addressed early in XML&amp;rsquo;s lifetime. Damiani et al (2001) describe an access control mechanism specifically designed for XML documents. Their Access Control Processor for XML uses XPath to describe the target location within a schema for access along with the rights associated to groups or specific users of the system. Additionally, Böttcher and Hartel (2009) describe the design of an auditing system to determine if confidential information was accessed directly or indirectly. They use a patient records system as an example scenario for their design. 
Their system is unique in that it can analyze &amp;ldquo;[&amp;hellip;] the problem of whether the seen data is or is not sufficient to derive the disclosed secret information.&amp;rdquo; The authors do not discuss whether their design is transportable to non-XML data sources, such as relational databases.&lt;br /&gt;&lt;br /&gt;In 2010, we have technologies to use with XML in several combinations to secure document content during transmission and in long-term storage. The use of SSL, Encryption Syntax Processing and Signature Syntax Processing recommendations provide a rich foundation to create secure XML applications. The maturity of web servers, the availability of code analyzers and the increasing sophistication of IT security tools decreases the risk of infrastructure falling to an XML-centric attack. With the technical problems of securing XML addressed through various W3C recommendations, code libraries and tools, a new problem of education, precedence in use and organizational standards for their application becomes the new security issue in XML-related technologies. This is a recurring problem in many disruptive technologies called awareness. Goodin (2006) says, &amp;ldquo;[&amp;hellip;] the security of web services depends on an increased awareness of the developers who create them, and that will require a major shift in thinking.&amp;rdquo; XML has introduced and solved many of its own security problems - through application of its technology. It becomes important now for the industry to document and share the experiences and practices of deploying secure XML-based Internet applications using the technologies recommended by the W3C and elsewhere.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Böttcher, S., Hartel, R. (2009). Information disclosure by answers to XPath queries. Journal of Computer Security, 17 (2009), 69-99.&lt;br /&gt;&lt;br /&gt;Carminati, B., Ferrari, E., Hung, P. C. K. 
(2005). Exploring Privacy Issues in Web Services Discovery Agencies. IEEE Security and Privacy, 2005, 14-21.&lt;br /&gt;&lt;br /&gt;Damiani, E., Samarati, P., De Capitani di Vimercati, S., Paraboschi, S. (2001). Controlling access to XML documents. IEEE Internet Computing, November-December 2001, 18-28.&lt;br /&gt;&lt;br /&gt;Eastlake, D. E. III., Niles, K. (2002). Secure XML: The New Syntax for Signatures and Encryption. Addison-Wesley Professional. July 19, 2002. ISBN-13: 978-0-201-75605-0.&lt;br /&gt;&lt;br /&gt;Geer, D. (2003). Taking steps to secure web services. Computer, October 2003, 14-16.&lt;br /&gt;&lt;br /&gt;Goodin, D. (2006). Shielding web services from attack. Infoworld.com, 11.27.06, 27-32.&lt;br /&gt;&lt;br /&gt;Lawton, G. (2007). Web 2.0 creates security challenges. Computer, October 2007, 13-16.&lt;br /&gt;&lt;br /&gt;Long, J., Yuan, M. J., Whinston, A. B. (2003). Securing a new era of financial services. IT Pro, July-August 2003, 15-21. 1520-9202/03.&lt;br /&gt;&lt;br /&gt;Naedele, M. (2003). Standards for XML and web services security. Computer, April 2003, 96-98.&lt;br /&gt;&lt;br /&gt;Rational AppScan. (2009). IBM Rational Web application security. Retrieved 14 February 2009 from &lt;a href="http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html"&gt;http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Treese, W. (2002). XML, web services, and XML. 
NW, Putting it together, September 2002, 9-12.&lt;/p&gt;</description></item><item><title>Automated Dynamic Testing</title><link>https://www.thario.net/post/historic-automated-dynamic-testing.html</link><pubDate>Wed, 23 Dec 2009 10:54:00 +0000</pubDate><guid>https://www.thario.net/post/historic-automated-dynamic-testing.html</guid><description>&lt;p&gt;In researching some testing solutions for my own work, I found an article in the IEEE library from a group of Microsoft researchers about automating the software testing process. (Godefroid, et al, 2008). They are taking the concepts of static analysis to the next level by researching and prototyping methods of generating harnesses for automated dynamic testing. They discuss four different projects for test automation, but the most interesting one for me in the article was a project called SAGE (scalable, automated, guided execution). The SAGE project is based on white box fuzz testing and is intended to help reduce the number of defects related to security. &amp;ldquo;Security vulnerabilities (like buffer overflows) are a class of dangerous software defects that can let an attacker cause unintended behavior in a software component by sending it particularly crafted inputs.&amp;rdquo; The solution is white box because the program under test is running under a debugger-like monitor. The monitor observes and catches runtime exceptions generated by the program as the testing suite is exercising it with a variety of dynamically generated invalid input data. The tester and monitor programs are able to record, pause and replay for engineers the history of events up to the exception causing the program to crash.&lt;br /&gt;&lt;br /&gt;An early version of SAGE was able to find a defect in a Windows kernel-level library responsible for parsing animated cursor image files. 
The tool generated over 7,700 test cases based on sample input data from testers and exercised the library for a little more than seven hours before the defect was uncovered. After analysis of the SAGE data, a fix for the defect was released as an out-of-band security patch for Windows. The authors write, &amp;ldquo;SAGE is currently being used internally at Microsoft and has already found tens of previously unknown security-related bugs in various products.&amp;rdquo;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reference&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Godefroid, P., de Halleux, P., Levin, M. Y., Nori, A. V., Rajamani, S. K., Schulte, W., Tillmann, N. (2008). Automating Software Testing Using Program Analysis. IEEE Software. 0740-7459/08.&lt;/p&gt;</description></item><item><title>Easing into Agile</title><link>https://www.thario.net/post/historic-easing-into-agile.html</link><pubDate>Wed, 23 Dec 2009 10:48:00 +0000</pubDate><guid>https://www.thario.net/post/historic-easing-into-agile.html</guid><description>&lt;p&gt;The article I found this week was written by two individuals working for Nokia Networks. They were involved in training product development staff in agile practices. Vodde and Koskela (2007) discussed Nokia&amp;rsquo;s environment for the past decades and their experiences in introducing test-driven development into the organization. The implication in the article is that because of the size and amount of retraining necessary to move toward agile development, Nokia is adopting agile practices a piece at a time (small bites) versus dropping the waterfall approach entirely and throwing the development teams into a completely new and unfamiliar situation. Vodde and Koskela also point out the benefit they found in using hands-on instruction for TDD versus lecture-based education.&lt;br /&gt;&lt;br /&gt;The authors make a few observations during the time they were teaching TDD to experienced software developers. 
One important observation was, &amp;ldquo;TDD is a great way to develop software and can change the way you think about software and software development, but the developer’s skill and confidence still play a big role in ensuring the outcome’s quality.&amp;rdquo; The exercise the authors used in their course was to develop a program to count lines of code in source files and tests to verify the program&amp;rsquo;s operation. Each session would add a new requirement in the form of a new type of source file. The students were forced into an evolutionary/emergent situation in which the design had to change a little as the current and new problems of each requirement were solved. What the students speculated as a design at the beginning and what they actually ended with were different. The authors conclude with some recommendations for successful TDD adoption with other agile practices or as an isolated practice in a legacy environment:&lt;br /&gt;&lt;ol style="font-style: italic;"&gt;&lt;li&gt;Removing external dependencies helps improve testability&lt;/li&gt;&lt;li&gt;Reflective thinking promotes emergent design&lt;/li&gt;&lt;li&gt;A well-factored design and good test coverage also help new designs emerge&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reference&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Vodde, B., Koskela, L. (2007). Learning Test-Driven Development by Counting Lines. IEEE Software. 0740-7459/07.&lt;/p&gt;</description></item><item><title>Software Engineering</title><link>https://www.thario.net/post/historic-software-engineering.html</link><pubDate>Sun, 25 Oct 2009 17:41:00 +0000</pubDate><guid>https://www.thario.net/post/historic-software-engineering.html</guid><description>&lt;p&gt;Many of us in the IT industry aspire to create a Software Engineering discipline. We work continually to mature our understanding of what it is and should become, and work to increase the external trust of the profession. 
Are we there yet in relation to other engineering disciplines? Probably not. Whether or not it is there today does not matter as much to me. What matters to me is that at this time we are trying to take it there. My feeling is that Software Engineering is a pursuit, not an endpoint. I also believe software craftsmanship exists, but there is a place for it. I do not want a craftsman designing my antilock brakes, getting creative with my future (hopefully distant) artificial heart, liver or whatever code, or the algorithm for measuring the carbon monoxide levels in my home. I would like an engineer knowledgeable in precedence and predictability to create these things. Denning and Riehle (2009) point out some interesting areas where Software Engineering is weak compared to other disciplines:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Predictable outcomes (principle of least surprise)&lt;/li&gt;&lt;li&gt;Design metrics, including design to tolerances&lt;/li&gt;&lt;li&gt;Failure tolerances&lt;/li&gt;&lt;li&gt;Separation of design from implementation&lt;/li&gt;&lt;li&gt;Reconciliation of conflicting forces and constraints&lt;/li&gt;&lt;li&gt;Adapting to changing environments&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;I think an additional challenge we deal with in developing a Software Engineering discipline is that software - code - is unlike any material previously available to us. Add to this that the various forms and structures the material can take change every five to ten years - Java, C#, client/server, web services, hosted, distributed, etc. We are trying to build a stable practice around an unstable material. For example, our environment is beginning an architectural shift toward large multi-core processors. (Merritt, 2008). Our tools, thinking and education may require a refresh to adapt our software design approaches to deal with this change. (See &lt;a href="http://clojure.org/state"&gt;http://clojure.org/state&lt;/a&gt;). In short, I believe in Software Engineering. 
It is out there and we are chasing it down. We make some right and wrong turns along the way. Each time we get a little closer to it, our world of technology changes dramatically and it just slips out of our grasp. The longer we hunt for it, the more mature, disciplined and predictable our profession becomes.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Denning, P., &amp;amp; Riehle, R. (2009). The Profession of IT: Is Software Engineering Engineering?. Communications of the ACM, 52(3), 24-26.&lt;br /&gt;&lt;br /&gt;Merritt, R. (2008). CPU designers debate multi-core future. EE Times. Retrieved 24 October 2009 from &lt;a href="http://www.eetimes.com/showArticle.jhtml?articleID=206105179"&gt;http://www.eetimes.com/showArticle.jhtml?articleID=206105179&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Creating Tools that Create Art</title><link>https://www.thario.net/post/historic-creating-tools-that-create-art.html</link><pubDate>Sun, 23 Aug 2009 05:50:00 +0000</pubDate><guid>https://www.thario.net/post/historic-creating-tools-that-create-art.html</guid><description>&lt;p&gt;I recently developed and installed a creation called Short Attention Span Collaborative Imagery in the Annex at Core New Art Space in Denver. Some people have called it art, while I call it a tool for generating art. The SASCI piece runs on two Internet-connected computers in the gallery. It uses Twitter trends and specific search terms to drive the continuous creation of collages of images and text on two wall-facing projectors.&lt;br /&gt;&lt;br /&gt;Input from Twitter, specifically the current and daily trends and a search for the words &lt;span style="font-style: italic;"&gt;Denver &lt;/span&gt;and &lt;span style="font-style: italic;"&gt;Art &lt;/span&gt;is the source of the imagery. It uses the Stanford Natural Language Parser, Creative Commons-licensed images from Flickr and text from Wikipedia. 
I wrote the programs in Java and JavaFX. About every 30 minutes, background tasks collect the latest terms and matching messages from Twitter. A different program using the Stanford NLP parses the messages looking for interesting nouns, and collects images and text associated with the source words from Flickr and Wikipedia. Each collage takes anywhere from 2-5 minutes to build in front of the audience. It is never the same. The collages abstractly reflect people&amp;rsquo;s conversations on Twitter as recent as the last 30 minutes.&lt;br /&gt;&lt;br /&gt;If you are in the area, please check it out. Core New Art Space is located at 900 Santa Fe Drive in Denver. Call or browse the web site for gallery hours. 303-297-8428. &lt;a href="http://corenewartspace.com/"&gt;http://corenewartspace.com&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Follow-up: Qwest VDSL2 Service in Denver</title><link>https://www.thario.net/post/historic-follow-up-qwest-vdsl2-service-in-denver.html</link><pubDate>Sat, 15 Aug 2009 08:58:00 +0000</pubDate><guid>https://www.thario.net/post/historic-follow-up-qwest-vdsl2-service-in-denver.html</guid><description>&lt;p&gt;Rock solid, fast, affordable, get it if you can.&lt;br /&gt;&lt;br /&gt;I had VDSL2 installed by Qwest this past August 3rd. I am a work-at-home IT Specialist. This means I live and die by my Internet connection to communicate with co-workers, gain access to the corporate network, design software and deploy it to servers in different parts of the country. 
Since the VDSL2 installation almost two weeks ago, the service has been used for web browsing, email, connecting to work through my employer&amp;rsquo;s VPN service, screen sharing with co-workers, backing up computers via Jungle Disk and Tivoli Storage Manager, listening to Pandora Radio, watching some TV through our Roku player and playing a couple of games of BZFlag.&lt;br /&gt;&lt;br /&gt;To recap, we are getting 20 Mbps downstream and 5 Mbps upstream. Our residence is in the 80205 zip code and less than 0.5 km from the fiber node. We are qualified for 40 Mbps downstream in this location. The connection has been up continuously since installation and we have yet to experience any network congestion during the day or evening. Here are some metrics from the Q1000:&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://picasaweb.google.com/lh/photo/KS_wYRrsWxRsAe5evXKEB9MTjNZETYmyPJy0liipFm0?feat=embedwebsite"&gt;&lt;img height="288" src="https://lh4.googleusercontent.com/-hGkxfGz_TwI/T4YJVCnxOTI/AAAAAAAAAqs/LhS0W2OCJHk/s288/vdsl2%2520metrics.JPG" width="155" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="https://picasaweb.google.com/118049804858757517322/JimSSoftwareEngineeringBlog?authuser=0&amp;amp;feat=embedwebsite"&gt;Jim&amp;rsquo;s Software Engineering Blog&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Today I performed a new speed test from Denver to Dallas:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.speedtest.net/"&gt;&lt;img src="http://www.speedtest.net/result/540840587.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;</description></item><item><title>Privacy Issues Related to DNS and Service Providers</title><link>https://www.thario.net/post/historic-privacy-issues-related-to-dns-and-service-providers.html</link><pubDate>Sat, 15 Aug 2009 
08:53:00 +0000</pubDate><guid>https://www.thario.net/post/historic-privacy-issues-related-to-dns-and-service-providers.html</guid><description>&lt;p&gt;This research paper details some recent concerns regarding DNS services and consumer privacy. This paper summarizes the concepts of DNS. It discusses how DNS is used on the Internet. It discusses how DNS services are provided to consumers and what types of entities provide the service for daily use. This paper continues with a discussion of how DNS has been and is currently being used as a mechanism to collect and profile the behavior of users on the Internet and how these mechanisms can be abused. The alternatives available to consumers for DNS are presented in closing and suggestions are made for methods of finding a balance between privacy and utility in Internet service.&lt;br /&gt;&lt;br /&gt;DNS is an acronym for Domain Name System. It is one of the most fundamental and important services provided throughout the Internet. Nearly every networked client that uses a symbolic name to access a web server, email server or any other service depends on DNS. The domain name system translates symbolic names like &lt;a href="https://www.ibm.com"&gt;www.ibm.com&lt;/a&gt; or mail.google.com into 32-bit Internet Protocol (IP) addresses. DNS also translates IP addresses back into domain names. The translation process from a name to an address is called forward lookup. The translation process from an address back into a symbolic name is called reverse lookup. Forward lookup is used more often than reverse lookup. The DNS concept dates back to 1987. RFC 1034 and RFC 1035 define the concepts, specification and implementation of the domain name system and protocol we use today on the Internet. 
According to (RFC1034, 2009) the DNS has three major components:&lt;br /&gt;&lt;br /&gt;&lt;ol style="font-style: italic;"&gt;&lt;li&gt;domain name space and resource records, which are specifications for a tree structured name space and data associated with the names,&lt;/li&gt;&lt;li&gt;name servers are server programs which hold information about the domain tree&amp;rsquo;s structure and set information and &lt;/li&gt;&lt;li&gt;resolvers are programs that extract information from name servers in response to client requests&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;In the simplest form, the servers providing resolution of domain names and addresses are organized into a hierarchy. Resolving a name to an IP address may take many queries across several domain name servers located in different places on the Internet to complete the process. Resolving a domain name to an IP address happens from right to left. For a name such as &lt;a href="https://www.gap.com"&gt;www.gap.com&lt;/a&gt;, the server or servers handling the root domain for .com are queried first. They are queried for the servers of the next component to the left. The .com root servers are queried for the .gap name. The .com servers will return one or more servers that handle the sub-domains for the gap.com domain. The gap.com servers are queried for an address of www within the domain. Through recursive querying of servers from root domain to specific sub-domain, the IP address of &lt;a href="https://www.gap.com"&gt;www.gap.com&lt;/a&gt; is found. Some details have been left out in this example, but this is in essence what happens. Performing this query each time a client asks for the IP of &lt;a href="https://www.gap.com"&gt;www.gap.com&lt;/a&gt; would place too much burden on the communications infrastructure of the Internet, so caching of DNS information happens as well. A domain resolution response includes the amount of time, from a few seconds to days, that the information remains current. 
Clients and servers can retain this resolution data in memory until it expires, and then query for it again from the source servers. Caching allows repeated queries for the same domain name to resolve almost instantaneously. Caching of DNS information can happen at several levels of scale, starting at the workstation, the local network and up to the Internet service provider.&lt;br /&gt;&lt;br /&gt;As mentioned above there are nameservers and resolvers. Nameservers are queried to provide translation from name to address or from address to name. Resolvers are built into our workstations and other Internet-capable devices. A resolver knows the client-side of the DNS protocol that can ask a nameserver to perform a translation. Caching nameservers are a hybrid server that includes both the ability to provide services to resolvers - DNS clients - and act as resolvers to query servers upstream from them to perform forward or reverse resolution. Caching nameservers can be found in consumer firewall devices we use in our homes. They are very often used by large organizations, including Internet service providers as a convenience to their subscribers. The main purpose of caching nameservers is to provide a resolution service closer to the client and reduce the number of queries traveling across the Internet. Caching nameservers are a performance optimization.&lt;br /&gt;&lt;br /&gt;Internet service providers are the most common providers of caching DNS services that consumers use to query and resolve domain names to IP addresses. Your employer, if they have a large enough IT department, may elect to run their own caching DNS system for performance reasons. Your workstation or notebook at the office may be using a DNS server that runs on the local area network. That server queries other servers on the Internet as needed to perform forward and reverse resolution. Recently, several alternative, value-added DNS providers have increased their presence. 
One of the more popular services is called OpenDNS. In addition to providing name and address resolution services for free, they maintain a system that prevents name resolution of sites known to distribute malware and viruses. They also allow a customer of OpenDNS to tailor what categories of sites on the Internet they will resolve. For example, a parent of a family with young children can elect to prevent OpenDNS from resolving sites with violent or sexually explicit content. Instead of providing an address for the objectionable site, the user&amp;rsquo;s browser is redirected to a page within OpenDNS&amp;rsquo; network explaining why they have arrived there. What is important to note here is that a consumer must elect to use OpenDNS and it is implied they understand how the service will behave. Not all consumers are informed or understand how their provider&amp;rsquo;s DNS service will perform for them.&lt;br /&gt;&lt;br /&gt;Most consumer DSL and cable routers will pull their configuration from the service provider. That configuration will include one or more addresses of DNS servers. DSL and cable routers will also act as Dynamic Host Configuration Protocol servers for internal networks. The router will provide IP addresses to each client. The router will also do one of two things: provide the DNS addresses to each client that it was provided, or the router will act as a caching nameserver and provide its address to each client as the DNS server. Unless you have taken action to use a different DNS server, there is a good chance you are using the DNS servers supplied by your Internet service provider.&lt;br /&gt;&lt;br /&gt;The privacy issues for DNS are different depending on whose services are used. Let us assume a consumer is at home and their default configuration for their Internet connection uses the DNS servers provided by their ISP. The ISP may also be the telephone company and television company of this user. 
The ISP issues the IP address to the consumer&amp;rsquo;s cable or DSL router. When queries are made to the ISP&amp;rsquo;s DNS servers, the source IP address will be that of the customer&amp;rsquo;s router. Using relational database technology, the sites queried from the home router can be stored and analyzed to form a behavioral profile of this customer&amp;rsquo;s interests. That information can be used to market new telecommunications products to them, or it can be sold to other businesses or potentially provided to government entities to help understand this family&amp;rsquo;s patterns of Internet usage. This is possible because of the ability to relate key elements of information - DNS queries, router address, and existing personal data on file - back to a customer and others in the customer&amp;rsquo;s home. Recently Internet service providers have tried a new approach in using DNS to help generate revenue streams. &amp;ldquo;Several consumer ISPs such as Cablevision&amp;rsquo;s Optimum Online, Comcast, Time Warner, Rogers, and Bell Sympatico have also started the practice of DNS hijacking on non-existent domain names, for the purpose of making money by displaying advertisements. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.&amp;rdquo; (HIJACK, 2009). This technique redirects a user&amp;rsquo;s browser from an error page to a search page or advertisement page when a non-existent domain name is requested through DNS. There have been documented cases of redirecting legitimate addresses to an alternate web site as well. Most of these approaches require the manipulation of established Internet protocols such as DNS. Not surprisingly, they are met with consumer hostility. According to Kirk (2009), &amp;ldquo;ISPs are trying to find revenue streams other than simply providing Internet access to subscribers for a monthly fee. 
Some have investigated behavioral advertising systems, which monitor a person&amp;rsquo;s Web surfing in order to deliver targeted ads. Those systems have largely failed to take hold due to privacy concerns.&amp;rdquo; Because the deployments of these DNS and web-based redirection systems require the manipulation of Internet protocols on several levels, some have been found to be vulnerable to manipulation for client exploit and attack. &amp;ldquo;Kaminsky demonstrated [a] vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing Trojan. The attack might also allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.&amp;rdquo; (Singel, 2008).&lt;br /&gt;&lt;br /&gt;The unfortunate reality is that there are not many alternatives for DNS available to consumers. The most complicated method, and the one with the least disclosure, is to run a professional caching DNS server on your local area network and have it query root domains directly. Software such as BIND under UNIX, Linux or BSD, or Microsoft&amp;rsquo;s domain name server as part of IIS on Windows Server can provide this solution. This approach would eliminate all third-party DNS services from the hierarchy of queries. The next alternative is to research and find the least offensive DNS provider for your needs. This may in fact be your Internet service provider. Research their privacy policy. Test your ISP&amp;rsquo;s DNS resolution behavior. If you enter a bad domain name in your browser and you are redirected to a &amp;ldquo;suggestion&amp;rdquo; page, be suspicious and find out more details. As mentioned above, OpenDNS generates revenue from the profile data it collects from its customers&amp;rsquo; use. Their privacy policy (OPENDNS, 2009) is documented on the web site. 
Additionally, they provide customizable filtering services to protect your network from malware or offensive content.&lt;br /&gt;&lt;br /&gt;This paper detailed some recent concerns regarding DNS and privacy. In addition to discussing the concepts of DNS, it detailed how and who provides DNS services to consumers. A discussion of how DNS can be leveraged as a mechanism to collect and profile consumer behavior followed with alternatives available to consumers to limit the collection of their behavioral data. Internet service providers are under pressure to increase and discover new avenues of income. Consumers are likewise under constant pressure to maintain their guard against subtle privacy violations. Consumers maintain the ability for now to limit manipulation of Internet standards to prevent unknowingly leaking personal and behavioral information to a wider audience. As discussed in this paper, methods are available to reduce the risk of privacy invasion of consumers without their complete knowledge.&lt;br /&gt; &lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;HIJACK. (2009). DNS hijacking. Retrieved August 9, 2009 from &lt;a href="http://en.wikipedia.org/wiki/DNS_hijacking"&gt;http://en.wikipedia.org/wiki/DNS_hijacking&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Kirk, J. (2009). Comcast Redirects Bad URLs to Pages With Advertising. PC World, Business Center. Retrieved August 8, 2009 from &lt;a href="http://www.pcworld.com/businesscenter/article/169723/comcast_redirects_bad_urls_to_pages_with_advertising.html"&gt;http://www.pcworld.com/businesscenter/article/169723/comcast_redirects_bad_urls_to_pages_with_advertising.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;RFC1034. (2009). Request for Comments: 1034, DOMAIN NAMES - CONCEPTS AND FACILITIES. Retrieved August 8, 2009 from &lt;a href="http://www.ietf.org/rfc/rfc1035.txt"&gt;http://www.ietf.org/rfc/rfc1035.txt&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;RFC1035. (2009). 
Request for Comments: 1035, DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION. Retrieved August 8, 2009 from &lt;a href="http://www.ietf.org/rfc/rfc1035.txt"&gt;http://www.ietf.org/rfc/rfc1035.txt&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;OPENDNS. (2009). OpenDNS Privacy Policy. Retrieved August 7, 2009 from &lt;a href="http://www.opendns.com/privacy/"&gt;http://www.opendns.com/privacy/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Singel, R. (2008). ISPs’ Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses. Privacy, Crime and Security Online. Wired. April 19, 2008. Retrieved August 7, 2009 from &lt;a href="http://www.wired.com/threatlevel/2008/04/isps-error-page/"&gt;http://www.wired.com/threatlevel/2008/04/isps-error-page/&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Quantifying Risk and Return for IT Security Investments</title><link>https://www.thario.net/post/historic-quantifying-risk-and-return-for-it-security-investments.html</link><pubDate>Mon, 10 Aug 2009 17:32:00 +0000</pubDate><guid>https://www.thario.net/post/historic-quantifying-risk-and-return-for-it-security-investments.html</guid><description>&lt;p&gt;This research paper explores the issues related to defining and quantifying risk and return for capital investments in security solutions for information technology. This work begins by defining some of the most common types of attacks and breaches occurring against commercial and institutional information technology systems. It follows with a discussion of approaches to analyze and estimate the level of financial, legal and reputation risk around IT security events. Finally, the paper concludes by providing guidelines for estimating a budget for IT security initiatives, reporting results and relating the security initiatives to the strategic goals of the organization.&lt;br /&gt;&lt;br /&gt;There are several types of common security breaches and events in commercial and institutional IT systems. 
Defacement of web sites involves the compromise of servers responsible for providing web pages. This breach can be caused by improperly configured web server software or flaws in the software responsible for generating dynamic web pages. Web page defacement is often in response to a corporate or political policy. A denial of service attack does not cause a breach in systems, but floods the resources of the target organization. The result of a denial of service attack is to prevent legitimate users from accessing the target&amp;rsquo;s network and services. A denial of service attack can occur against the networking infrastructure, web servers, database servers or any other finite resource of the organization. A distributed denial of service attack is a network attack that floods the target organization&amp;rsquo;s network with packets. Like web page defacement, this attack is often in response to a corporate or political policy. Systemic malware attacks involve the spreading of a virus, worm or other malware throughout the workstation resources of an organization. This type of attack is less likely to be directly targeted at a specific organization. It may occur because of a &amp;ldquo;zero day&amp;rdquo; vulnerability in workstation software that has not yet been patched by the vendor or blocked by the security software provider. Corruption of information, theft or accidental release of information has the potential for the most attention and the most liability for an organization. This type of breach may involve the release of intellectual property, private information about individuals working for the organization, or customers of the organization.&lt;br /&gt;&lt;br /&gt;Several factors contribute to the decision or requirement for publicizing a security breach. If personal information of employees or clients was released, the organization may be legally required to notify the individuals affected by the breach. 
In the case of a denial of service attack, customers or business partners of the organization may not be able to interact with the IT systems as expected. &amp;ldquo;[&amp;hellip;] unless there is some publicly observable consequence such as shutdown of a Web site or litigation, the press may not become aware of a breach. Thus, some breaches with the most potentially severe economic consequences (such as employee initiated breaches that may compromise proprietary information) may not be reported in a timely fashion.&amp;rdquo; (Campbell, 2003).&lt;br /&gt;&lt;br /&gt;There is no established formula and process of determining in advance the amount of risk potential or financial exposure for a security breach. Braithwaite (2002) contrasts the traditional loss estimate model for replacement or recovery of resources with that of today. There is much higher dependence on information technology systems today. In many cases, those systems are the business. The loss from downtime or breach is much larger than just the replacement cost of the physical systems and their corresponding software. It was estimated in 2002 that losses to an online brokerage system could be as high as $6.5 million (US) per hour. A credit-card service bureau could lose as much as $2.5 million per hour. Garg (2003) estimates financial losses to a publicly traded company through decreased trust could be from 0.5 to as much as 1.0% of annual revenues. Based on this simple formula, a company with $1 billion (US) in annual revenues could experience as much as $10 million in loss from a single incident.&lt;br /&gt;&lt;br /&gt;The cost of a security-related event is far reaching. Repair of the organization&amp;rsquo;s reputation, legal responsibilities and hardening of IT systems addresses only the issues at the surface. Garg&amp;rsquo;s estimate includes the cost of the breach plus the resulting impact to the perception of trust by partners, investors and customers. 
The additional risk to publicly traded companies is the spillover effect to the company&amp;rsquo;s stock price and long-term investment outlook. Cavusoglu (2004) estimates that an organization can lose as much as 2.1% of its market value on average within two days of reporting a breach to the public. For example, a company with a market capitalization of $100 billion (US) could lose as much as $2 billion in value within a few days after reporting the theft of customer personal information. This amount does not include follow-on investment in technology and process development to remedy the problem, legal costs and investments to repair damage to the organization&amp;rsquo;s reputation. &amp;ldquo;These potential costs include: (1) lost business (both immediate and long term as a consequence of negative reputation effects), (2) activities associated with detecting and correcting the breaches, and (3) potential legal liability.&amp;rdquo; (Campbell, 2003). Publicly reporting a breach does not, in general, negatively influence the view of the company or institution. There is, however, a significant negative response from consumers, partners and investors when the security event is related to the release of confidential information.&lt;br /&gt;&lt;br /&gt;The estimation of risk related to material, legal and market image damage helps scope the problem of determining budget for information security expenditures. There are several areas of investment to reduce security risk. Braithwaite (2002) describes a security investment approach based on a balanced strategy of prevention, detection and response. A recent trend related to prevention and response is the cyber-insurance policy. These policies provide financial relief to an organization following a security breach. Providers of larger policies often require regular security audits by third parties to help establish the level of risk of a future security problem.
&amp;ldquo;According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies say they have external insurance policies to manage cyber security risks, up from 25 percent in 2005.&amp;rdquo; (Brody, 2007). However, John Pescatore of Gartner states, &amp;ldquo;[&amp;hellip;] the price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident.&amp;rdquo;&lt;br /&gt;&lt;br /&gt;In determining a budget for IT security expenditures, it is important to identify and place a value on non-quantifiable assets and processes such as intellectual property and customer data. The executive staff needs to be involved in this process and help adjust and agree on the valuation. The valuation needs to be revisited as the organization changes scope and size. Additionally, it is important to identify and place a value on the company&amp;rsquo;s reputation from a security and trust standpoint. Braithwaite (2002) recommends two areas for consideration: the adverse impact of publicized incidents involving the company, and how the organization is judged by its involvement in support of national and industry security concerns. As mentioned earlier, Garg&amp;rsquo;s (2003) estimate of potential revenue loss to the business can be used as a coarse-grained starting point to gauge financial commitment to IT security initiatives. Brandel (2006) makes several recommendations on how to present and maintain funding levels for an IT security budget. Avoid scare tactics with executives. Use past security incidents as reference points within a business case for funding. Plan the organization&amp;rsquo;s funding requirements for 12 to 24 months into the future. Avoid repeated tactical requests for each security project, as that could give an impression of reactive rather than proactive planning.
Explain the investments in terms of the business goals and initiatives rather than the technical language of security.&lt;br /&gt;&lt;br /&gt;The results of security initiatives can be difficult to estimate and report. Benefits from security expenditures are indirect. There are no revenue streams from installing firewalls, compartmentalizing network segments or auditing workstations for compliance with IT policies. Brandel (2006) claims, &amp;ldquo;Investing in security rarely yields a return on investment, so promising [a] ROI will sound ill-informed to a senior executive. [&amp;hellip;] It&amp;rsquo;s possible to discuss other benefits of security spending, such as protecting the company&amp;rsquo;s ability to generate revenue, keep market share or retain its reputation.&amp;rdquo; Reporting on benefits from past security investments maintains the attention of executive sponsorship. Consider developing metrics using measurements like attacks stopped at the firewalls, viruses scrubbed from inbound emails, and the ratio of an outbreak of malware on the Internet compared to the corporate Intranet. Choose metrics carefully and be sure they reflect the business&amp;rsquo; goals and language. Investing in and reporting on IT security does not need to be solely focused on preventing exploits, spread of malware or unintended release of confidential information. It can also include high availability of IT systems, reliability of communications and ensuring integrity of critical business information for ongoing operations. According to Drugescu (2006), metrics must measure organizationally meaningful things, be reproducible and consistent, be objective and unbiased, and measure some type of progression toward the identified strategic goal.&lt;br /&gt;&lt;br /&gt;This paper analyzed the issues, recent opinions and research related to estimating and quantifying risk and return for IT security solutions.
The most common types of security attacks and breaches against commercial and institutional information technology systems were described. A discussion of approaches to analyze and estimate the level of financial, legal and reputation risk around IT security events was provided. This paper provided guidelines for estimating a budget for IT security initiatives, and recommended regular reporting of security metrics and relating those metrics to the business goals of the organization. Day-to-day industry is becoming more dependent on information technology. As each year passes, the transformation of worldwide business to a platform of high-speed connectivity, data storage and Internet service exchanges expands the need to accurately quantify risk from downtime and loss. It is vital to gauge the level of investment in security prevention, detection and response for an organization&amp;rsquo;s survival in the online, interconnected world.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Brandel, M. (2006). Avoid spending fatigue. Computerworld. April 17, 2006. Pg. 34.&lt;br /&gt;&lt;br /&gt;Braithwaite, T. (2002). Executives need to know: The arguments to include in a benefits justification for increased cyber security spending. Security Management Practices. September/October 2002. Pg. 35.&lt;br /&gt;&lt;br /&gt;Brody, D. (2007). Full coverage: how to hedge your cyber risk. Inc. Magazine. April 2007. Pg. 47.&lt;br /&gt;&lt;br /&gt;Campbell, K., Gordon, L. A., Loeb, M. P., Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security. 11 (2003) 431–448.&lt;br /&gt;&lt;br /&gt;Cavusoglu, H., Mishra, B., Raghunathan, S. (2004). A model for evaluating IT security investments. Communications of the ACM. July 2004/Vol. 47, No. 7.&lt;br /&gt;&lt;br /&gt;Drugescu, C., Etges, R. (2006). 
Maximizing the return on investment of information security programs: program governance and metrics. Information Systems Security. December 2006. Pg. 30.&lt;br /&gt;&lt;br /&gt;Garg, A., Curtis, J., Halper, H. (2003). The financial impact of IT security breaches: What do investors think? Information Systems Security. March/April 2003. Pg. 22.&lt;br /&gt;&lt;br /&gt;Roberds, W., Schreft, S. L. (2009). Data security, privacy, and identity theft: the economics behind the policy debates. Federal Reserve Bank of Chicago. 1Q/2009, Economic Perspectives. Pg. 22.&lt;/p&gt;</description></item><item><title>Qwest VDSL2 Service in Denver</title><link>https://www.thario.net/post/historic-qwest-vdsl2-service-in-denver.html</link><pubDate>Mon, 03 Aug 2009 11:32:00 +0000</pubDate><guid>https://www.thario.net/post/historic-qwest-vdsl2-service-in-denver.html</guid><description>&lt;p&gt;Today our home Internet service was upgraded to VDSL2 from Qwest. We are located in the Whittier neighborhood of Denver - specifically in the 80205 zip code. I was told by Qwest this area is qualified now for up to 40 Mbps downstream and 5 Mbps upstream VDSL2 service. I started with ADSL service about 2 months ago at 7 Mbps downstream and 896 Kbps upstream. I chose to move to the 20 Mbps downstream and 5 Mbps upstream tier. The ADSL service was cut off this morning while work was performed at the fiber node and before 3 PM the installer came by to hook up the new modem. 
The Qwest installer said my home was less than three blocks from the cabinet.&lt;br /&gt;&lt;br /&gt;&lt;table style="width:auto;"&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://picasaweb.google.com/lh/photo/y1tjhFU26W6Cb89Uq2pXFNMTjNZETYmyPJy0liipFm0?feat=embedwebsite"&gt;&lt;img src="https://lh6.googleusercontent.com/-xtKhMbOhNE0/T4YJVKGLLEI/AAAAAAAAAqs/P_Nr2Fcr0uY/s288/Status.JPG" height="259" width="288" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family:arial,sans-serif; font-size:11px; text-align:right"&gt;From &lt;a href="https://picasaweb.google.com/118049804858757517322/JimSSoftwareEngineeringBlog?authuser=0&amp;feat=embedwebsite"&gt;Jim's Software Engineering Blog&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;br /&gt;The modem connected at the correct speed immediately. Below is a screen snip of the SNR numbers from the Q1000 modem. These numbers are more than double the SNR reported by the M1000 ADSL modem. The ADSL link had a much longer haul over copper than the VDSL2 link. I was surprised to see the 0 dB attenuation in both directions. I had 20-30 dB attenuation with ADSL.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://picasaweb.google.com/lh/photo/uirRi5h-7LWUSEzDVBhEVNMTjNZETYmyPJy0liipFm0?feat=embedwebsite"&gt;&lt;img height="114" src="https://lh6.googleusercontent.com/-FQjbe2ZCin8/T4YJVH7PprI/AAAAAAAAAqs/39PuX1kOKWU/s288/snr.JPG" width="288" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="https://picasaweb.google.com/118049804858757517322/JimSSoftwareEngineeringBlog?authuser=0&amp;amp;feat=embedwebsite"&gt;Jim&amp;rsquo;s Software Engineering Blog&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The final step before letting the installer loose was to speed test the link back to Qwest. 
I would call it a success.&lt;br /&gt;&lt;br /&gt;&lt;table style="width:auto;"&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://picasaweb.google.com/lh/photo/guv0V_w67jaB7ZUnGavUW9MTjNZETYmyPJy0liipFm0?feat=embedwebsite"&gt;&lt;img src="https://lh4.googleusercontent.com/-8r9OVOsoaq8/T4YJVBOZJKI/AAAAAAAAAqs/UoiGe39B5a0/s288/speed.JPG" height="205" width="288" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family:arial,sans-serif; font-size:11px; text-align:right"&gt;From &lt;a href="https://picasaweb.google.com/118049804858757517322/JimSSoftwareEngineeringBlog?authuser=0&amp;feat=embedwebsite"&gt;Jim's Software Engineering Blog&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/p&gt;</description></item><item><title>Security Benefits and Liabilities of Virtualization Technology</title><link>https://www.thario.net/post/historic-security-benefits-and-liabilities-of-virtualization-technology.html</link><pubDate>Sat, 01 Aug 2009 08:12:00 +0000</pubDate><guid>https://www.thario.net/post/historic-security-benefits-and-liabilities-of-virtualization-technology.html</guid><description>&lt;p&gt;This paper provides a broad discussion of the security issues related to virtualization technology, such as the offerings by VMware, Microsoft and IBM. It presents an overview of virtualization, the various types of virtualization, and a detailed discussion of full computer virtualization technology. The benefits of virtualization technology are provided from a position of security, convenience and cost. The paper continues with a discussion of the security liabilities of virtualization. It provides examples of recent attempts by security researchers to design attacks directed at the virtual machine manager also known as the hypervisor. A look at trends in the application of virtualization technology concludes the discussion.&lt;br /&gt;&lt;br /&gt;Virtualization is a type of abstraction of resources. 
In computer technology, virtualization can be used to simulate the presence of memory, disk, video or entire computers where they exist partially or not at all. The first virtualization technology dates back to 1960, when IBM and other computing pioneers created operating systems and storage systems that presented an isolated environment to the user that appeared as a single-user system. Today our desktop operating systems use memory virtualization to provide a larger runtime space for applications than there is random access memory. Our operating system uses a combination of solid-state memory and a paging file on disk to move data blocks between the two media depending on their frequency of use. Enterprise storage virtualization, such as solutions provided by IBM, EMC and Sun, creates an illusion of massive consolidated storage space, combining solid-state, magnetic disk and streaming tape into a single logical direct access image. Less frequently accessed data blocks are migrated to slower media while often-accessed data blocks are maintained on faster access media. All storage appears online and ready to access. The recent popularity of virtual machines for running Java and .NET software allows a common runtime environment regardless of the actual hardware and operating system hosting the virtual machine. This approach reduces the work required by the software provider to create a solution capable of running on a variety of platforms.&lt;br /&gt;&lt;br /&gt;Cardwell (2007) defines computer virtualization as a computer within a computer. Virtualization software simulates a computer, including the processor, hardware components and BIOS, to the guest operating system. The guest operating system running within the virtualized environment should not know or care that its hardware resources are not physical resources, but instead simulated through software. The two types of computer virtualization are called full virtualization and para-virtualization.
Wong (2005) discusses the differences between full virtualization and para-virtualization. Full virtualization does not require changes to the guest operating system. Products such as VMware provide full virtualization. This type of virtualization requires support in the host system&amp;rsquo;s processor to trap and help emulate privileged instructions executed by the guest operating system. Para-virtualization requires modifications to the guest OS to run on the virtual machine manager. Open source operating systems, such as Linux, can be modified to support a para-virtualized environment. This type of virtualization often performs better than full virtualization, but is restricted to guest operating systems that have been modified to run in this specific environment.&lt;br /&gt;&lt;br /&gt;Today there are many popular, contemporary and affordable virtualization products on the market. VMware is the most widely known, but IBM has the longest history with virtualization technologies. As mentioned previously, virtualization for mainframe systems dates back to 1960. VMware has targeted Intel platform virtualization since the 1990s. Microsoft acquired Virtual PC as the market for virtualization grew from VMware&amp;rsquo;s popularity. Xen is an open source virtualization solution. Xen supports full and para-virtualized systems. It is popular with Linux distributions, which often provide para-virtualized kernels ready to deploy as guest operating systems. IBM&amp;rsquo;s two primary virtualization platforms are the System-z mainframe and Power systems.
&amp;ldquo;The latest version of z/VM [&amp;hellip;] will now support up to 32 processors and offer users 128 GB of memory, which will allow the software to host more than 1,000 virtual [&amp;hellip;] Linux servers.&amp;rdquo; (Ferguson, 2007).&lt;br /&gt;&lt;br /&gt;Virtualization technology, which was originally used on centralized systems to share resources and provide a partitioned view to a single user, is popular on server and workstation platforms running Intel x86 hardware. Cardwell (2007) presents several use cases of virtualization benefits, including consolidation of servers, quick enterprise solutions, software development, and sales demonstrations. Separate physical servers running periodically accessed services can be virtualized and run together on a single physical system. Short-lived server systems, such as those for conferences, could be created as virtual machines without the need for acquiring physical servers to host the solution. Software developers often need multiple systems to develop server-based solutions, or they require several versions of tools that may conflict when installed together. Sales demonstrations can be configured and distributed to customer-facing staff as virtual machines. Many different configurations can be created and options demonstrated to customers on demand to see how various solutions can apply to their environment. As processing capability increases on the desktop and virtualization providers offer cost-effective software to create virtualized environments, this is a primary growth area for the technology. Burt (2006) says the mobility of virtual machines is a huge benefit of desktop virtualization for users. Virtual machines can be stored on portable media such as USB hard disks or flash storage. They can be paused on a host system at an office, taken on a plane to the customer&amp;rsquo;s location and then resumed on a new host.
This can happen while keeping the virtualized operating system completely oblivious to its actual location and host hardware. Testing and quality assurance have seen large adoption of virtualization technology. According to Tiller (2006), the benefits of virtualization include the ability to react to and test vulnerabilities and patches in a much shorter timeframe. Single virtualized systems can be dedicated to an individual task in a network of systems. Upgrading or relocating any virtualized system can be performed without affecting other parts of the entire solution.&lt;br /&gt;&lt;br /&gt;There is a large benefit to security and availability with virtualization technology. Virtual machines are separated from the host operating system. Viruses, malware and software defects that affect the virtualized system are restricted and, in most cases, cannot spread to the host operating system. Disaster recovery planning has the potential for simplification under a virtualized infrastructure. Virtual machine images, such as those used by VMware, are stored on the host operating system as files. Backing up or relocating virtual machines from one host to another can be as simple as suspending the running virtual machine, moving the set of files across the network and resuming the virtual machine. Virtual machine images can be briefly suspended and stored to tape or mirrored to a remote location as a disaster recovery process. Duntemann (2005) points out that a virtual machine with its operating system and installed applications is commonly stored as disk files and can be archived, distributed, or restored to an initial state using the virtual machine manager. These files are also subject to attack and potential modification if the host system is compromised. A successful attack against the host system can make the virtual machines vulnerable to modification or other penetration.&lt;br /&gt;&lt;br /&gt;Virtualization is also known as a system multiplier technology.
&amp;ldquo;It is very likely that IT managers will have to increase the number and expertise of security personnel devoted to security policy creation and maintenance as the percentage of VMs increase in the data center.&amp;rdquo; (Sturdevant, 2008). Where a virus would previously attack a single operating system running on a physical host, a virus can land on the host or any of its virtualized guests. Creating an army of infected systems is now possible with just a single physical host. A Windows operating system running in a virtual machine is just as vulnerable to flaws and exploits as the same operating system running on a physical host. &amp;ldquo;At a broad level, virtualized environments require the same physical and network security precautions as any non-virtualized IT resource.&amp;rdquo; (Peterson, 2007). &amp;ldquo;[&amp;hellip;] because of the rush to adopt virtualization for server consolidation, many security issues are overlooked and best practices are not applied.&amp;rdquo; There are fundamental problems for IT administrators adopting virtualization technology within their labs and data centers. Products such as VMware have internal virtual networks that exist only within the host system. This network allows the virtualized systems and the host to communicate without having to use the external, physical network. The difficulty is that monitoring the internal, virtual network requires the installation of tools that are designed for virtualized systems. Edwards (2009) points out the need for management tools to monitor communication among virtual machines and their host operating system in detail. Each host would require monitoring tools versus a single installation on a network of only physical systems. Discovery and management of virtualized systems will place more burdens on IT staff according to Tiller (2006).
The ease with which virtual machines can be instantiated, relocated and destroyed will require a &amp;ldquo;quantum shift in security strategy and willingness to adapt.&amp;rdquo;&lt;br /&gt;&lt;br /&gt;As the popularity of virtualization on a smaller scale has increased, a new class of attack on virtual machines and their host virtual machine managers has received more attention. Virtual machines have unique hardware signatures that can be used to identify them and help an attacker tailor an exploit. &amp;ldquo;As it is, virtualization vendors have some work to do to protect virtual machine instances from being discovered as virtual.&amp;rdquo; (Yager, 2006). The CPU model and various device drivers loaded by the operating system can identify a virtualized system. In fact, many virtualization vendors supply device drivers for guest operating systems to take better advantage of the virtualized environment. These device drivers are just as susceptible to flaws and vulnerabilities as their non-virtualized counterparts are. The host virtual machine managers, also known as hypervisors, are being targeted as well by new types of attacks. Vijayan (2007) points out that dedicated hypervisors, running directly above the hardware of a computer, can be used to attack the operating systems and applications they host with little or no possibility of detection. The SubVirt research project by University of Michigan and Microsoft uses virtual machine technology to install a rootkit to take control of multiple virtual machines. Finally, attacks using virtualization technology do not require hypervisor or virtual machine manager software at all. Technology present in today&amp;rsquo;s microprocessors that is utilized by hypervisors can also be utilized by malware, such as rootkits and viruses, to take over a machine at the lowest level of control possible.
&amp;ldquo;Security researcher Joanna Rutkowska presented a proof of concept attack known as &amp;lsquo;blue pill&amp;rsquo; in 2006, that she said virtualized an operating system and was undetectable. [&amp;hellip;] Rutkowska and others have continued with such research, and this year she posited a new attack focusing on hypervisors.&amp;rdquo; (Bradbury, 2008).&lt;br /&gt;&lt;br /&gt;Virtualization is not new to information technology. It dates back over four decades to the early mainframes and large storage systems, where it was used to protect and better utilize available computing resources. This paper discussed virtualization technology and detailed the kinds, benefits and security liabilities of the technology. Information about the nature of attacks against hosts and guests in a virtualized infrastructure was presented. New virtualization products for modern powerful servers and desktop hardware are helping satisfy the renewed interest in making better use of resources during tightening budgets. The benefits of this updated technology must be weighed against the challenges of securing and protecting the proliferation of virtual machines. Adaptation and transformation of policies and approach within IT organizations must be proactive to stay ahead of the disruptive change currently taking place with virtualization.&lt;br /&gt; &lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Bradbury, D. (2008). Virtually secure? Engineering &amp;amp; Technology. 8 November - 21 November, 2008. Pg. 54.&lt;br /&gt;&lt;br /&gt;Burt, J., Spooner, J. G. (2006). Virtualization edges toward PCs. eWeek. February 20, 2006. Pg. 24.&lt;br /&gt;&lt;br /&gt;Cardwell, T. (2007). Virtualization: an overview of the hottest technology that is changing the way we use computers. &lt;a href="https://www.japaninc.com"&gt;www.japaninc.com&lt;/a&gt;. November/December, 2007. Pg. 26.&lt;br /&gt;&lt;br /&gt;Duntemann, J. (2005). Inside the virtual machine.
PC Magazine. September 20, 2005. Pg. 66.&lt;br /&gt;&lt;br /&gt;Edwards, J. (2009). Securing your virtualized environment. Computerworld. March 16, 2009. Pg. 26.&lt;br /&gt;&lt;br /&gt;Ferguson, S. (2007). IBM launches new virtualization tools. eWeek. February 12/19, 2007. Pg. 18.&lt;br /&gt;&lt;br /&gt;Peterson, J. (2007). Security rules have changed. Communications News. May, 2007. Pg. 18.&lt;br /&gt;&lt;br /&gt;PowerVM. (2009). IBM PowerVM: The virtualization platform for UNIX, Linux and IBM i clients. Retrieved July 25, 2009 from &lt;a href="http://www-03.ibm.com/systems/power/software/virtualization/index.html"&gt;http://www-03.ibm.com/systems/power/software/virtualization/index.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Sturdevant, C. (2008). Security in a virtualized world. eWeek. September 22, 2008. Pg. 35.&lt;br /&gt;&lt;br /&gt;Tiller, J. (2006). Virtual security: the new security tool? Information Systems Security. July/August, 2006. Pg. 2.&lt;br /&gt;&lt;br /&gt;Wong, W. (2005). Platforms strive for virtual security. Electronic Design. August 4, 2005. Pg. 44.&lt;br /&gt;&lt;br /&gt;Yager, T. (2006). Virtualization and security. Infoworld. November 20, 2006. Pg. 16.&lt;br /&gt;&lt;br /&gt;Vijayan, J. (2007). Virtualization increases IT security pressures. Computerworld. August 27, 2007. Pg. 14.&lt;/p&gt;</description></item><item><title>Use of Cryptography in Securing Database Access and Content</title><link>https://www.thario.net/post/historic-use-of-cryptography-in-securing-database-access-and-content.html</link><pubDate>Wed, 22 Jul 2009 08:21:00 +0000</pubDate><guid>https://www.thario.net/post/historic-use-of-cryptography-in-securing-database-access-and-content.html</guid><description>&lt;p&gt;This research paper explores the use of cryptography in database security. It specifically covers applications of encryption in authentication, transmission of data between client and server, and protection of stored content. 
This paper begins with an overview of encryption techniques, specifically symmetric and asymmetric encryption. It follows with a specific discussion about the use of cryptography in database solutions. The paper concludes with a short summary of commercial solutions intended for increasing the security of database content and client/server transactions.&lt;br /&gt;&lt;br /&gt;Whitfield Diffie, a cryptographic researcher and Sun Microsystems CSO says, &amp;ldquo;Cryptography is the most flexible way we know of protecting [data and] communications in channels that we don&amp;rsquo;t control.&amp;rdquo; (Carpenter, 2007). Cryptography is &amp;ldquo;the enciphering [encryption] and deciphering [decryption] of messages in secret code or cipher; the computerized encoding and decoding of information.&amp;rdquo; (CRYPTO, 2009). There are two primary means of encryption in use today. They are symmetric key encryption and asymmetric key encryption. Symmetric key encryption uses a single key to encrypt and decrypt information. Asymmetric key encryption, also known as public key cryptography uses two keys - one to encrypt information and a second key to decrypt information. In addition to encryption and decryption, public-key cryptography can be used to create and verify digital signatures of blocks of text or binary data without encrypting them. A digital signature is a small block of information cryptographically generated from content, like an email message or an installation program for software. The private key in the asymmetric solution can be used to create a digital signature of data, while the public key verifies the integrity of data and related digital signature that was created using the private key. The main advantage of public key cryptography over the symmetric key system is that the public key can be given away, as the name implies - made public. 
Anyone with a public key can encrypt a message and only the holder of the matching private key can decrypt that message. In the symmetric system, all parties must hold the same key.&lt;br /&gt;&lt;br /&gt;Public key cryptography can be used to verify the identity of an individual, application or computer system. As a simple example, let us say I have an asymmetric key pair and provide you with my public key. You can be a human or a software application. As long as I keep my private key protected so that no one else can obtain it, only I can generate a digital signature that you can use with my public key to prove mathematically that the signature came only from me. This approach is much more robust and less susceptible to attack than the traditional username and password approach.&lt;br /&gt;&lt;br /&gt;Application of cryptography does not come without the overhead of ongoing management of the technology. In a past interview (Carpenter, 2007), Whitfield Diffie, a co-inventor of public key cryptography, says the main detractor from widespread adoption of strong encryption within I.T. infrastructures is management of keys - the small strings of data that keep encrypted data from being deciphered. Proper integration of cryptographic technologies into a database infrastructure can provide protection beyond username and password authentication and authorization. It can absolutely prevent anyone from reading sensitive data during transmission or stored on media.&lt;br /&gt;&lt;br /&gt;Some U.S. government standards require the use of encryption for stored and transmitted personal information. Grimes (2006) details the recent laws passed in the United States requiring the protection of personal data.
These laws include the Gramm-Leach-Bliley Act for protection of consumer financial data, the Health Insurance Portability and Accountability Act for personal health-related data, and the Electronic Communications Privacy Act, which gives broad legal protection to electronically transmitted data.&lt;br /&gt;&lt;br /&gt;As discussed above, public key cryptography can be used to authenticate a person, application or computer using digital signature technology. A database management system enhanced to use public keys for authentication would store those keys and associate them with specific users. The client would use their private key to sign a small block of data that was randomly chosen by the server. The client would return a digital signature of that data, which the server could verify using the stored public keys of the various users. A verification match would identify the specific user.&lt;br /&gt;&lt;br /&gt;The second application of encryption technology in database security is used to protect transmission of data between a client and server. The client may be a web-based application running on a separate server and communicating over a local network, or it may be a fat-client located in another department or at some other location on the Internet. A technology called TLS can be used to provide confidentiality of all communications between the client and server, i.e. the database connection. &amp;ldquo;Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over networks such as the Internet.&amp;rdquo; (TLS, 2009). Web servers and browsers use the TLS protocol to protect data transmissions such as credit card numbers or other personal information. The technology can be used to protect any data transmission for any type of client-server solution, including database systems. TLS also has authentication capability using public key cryptography.
This type of authentication would only allow known public keys to make a connection. This approach is not integrated at a higher level in the solution, such as the application level.&lt;br /&gt;&lt;br /&gt;Finally, cryptography can be used to protect the entire content of database storage, specific tables or columns of table data. Encrypting stored content can protect sensitive data from access within the database management system, through loss of the storage media, and by an external process that reads raw data blocks from the media. The extent to which stored content is encrypted must be weighed against the overhead of encrypting and decrypting data for transaction-intense systems. Britt (2006) stresses the importance of selectively encrypting only those portions of the content that are evaluated to be a security risk if released into the public. He says a &amp;ldquo;[&amp;hellip;] misconception is that adding encryption will put a tremendous strain on database performance during queries and loads.&amp;rdquo; This type of protection often uses symmetric key encryption because it is much faster than the public key solution.&lt;br /&gt;&lt;br /&gt;Marwitz (2008) describes several levels of database content encryption available in Microsoft SQL Server 2005 and 2008. SQL Server 2008 provides the ability to use public key authentication directly in the access control subsystem. Additionally, the entire database server storage, individual databases and table columns can be encrypted using public key encryption. (SQLS, 2009). Table columns, such as those used to store social security numbers, credit card numbers, or any other sensitive personal information are a good choice for performance sensitive systems. Use of this capability means that the only way to obtain access to the unencrypted data within a column of a database table protected in this manner is to use the private key of an individual who has been granted access. 
The user&amp;rsquo;s private key is used to authenticate and gain access to information in the database. Extra protection is gained since the private key is never co-located with the encrypted data.&lt;br /&gt;&lt;br /&gt;IBM&amp;rsquo;s DB2 product supports a number of different cryptographic capabilities and attempts to leverage as many of those capabilities as are present in the hosting operating system - Intel-based, minicomputer or mainframe. Authentication to the database from a client can be performed over a variety of encrypted connection types or using Kerberos key exchange. DB2 also supports the concept of authentication plug-ins that can be used with encrypted connections. After authentication has succeeded, DB2 can provide client-server data transmission over a TLS connection and optionally validate the connection using public key cryptography. Like Microsoft SQL Server, the most recent releases of DB2 can encrypt the entire storage area, single databases, or specific columns within the database. (DB2, 2009).&lt;br /&gt;&lt;br /&gt;This paper provided a broad survey of how cryptographic technologies can raise the security posture of database solutions. Cryptography is becoming a common tool to solve many problems of privacy and protection of sensitive information in growing warehouses of online personal information. This paper described the use of cryptography in database client authentication, transmission of transaction data, and protection of stored content. Two commercial products&amp;rsquo; cryptographic capabilities were explored in the concluding discussion. There are more commercial, free and open source solutions for protecting database systems not mentioned in this paper. 
As citizens and government continue to place pressure on institutions to protect private information, expect to see the landscape of cryptographic technologies for database management systems expand.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Britt, P. (2006). The encryption code. Information Today. March 2006, vol. 23, issue 3.&lt;br /&gt;&lt;br /&gt;Carpenter, J. (2007). The grill: an interview with Whitfield Diffie. Computerworld. August 27, 2007. Page 24.&lt;br /&gt;&lt;br /&gt;CRYPTO. (2009). Definition of cryptography. Retrieved 18 July 2009 from &lt;a href="http://www.merriam-webster.com/dictionary/cryptography"&gt;http://www.merriam-webster.com/dictionary/cryptography&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;DB2. (2009). DB2 Security Model Overview. Retrieved 18 July 2009 from &lt;a href="http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/c0021804.html"&gt;http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.admin.sec.doc/doc/c0021804.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Grimes, R. A. (2006). End-to-end encryption strategies. Infoworld. September 4, 2006. Page 31.&lt;br /&gt;&lt;br /&gt;Marwitz, C. (2008). Database encryption solutions: protect your databases - and your company - from attacks and leaks. SQL Server Magazine. September 2008.&lt;br /&gt;&lt;br /&gt;SQLS. (2009). Cryptography in SQL Server. Retrieved 18 July 2009 from &lt;a href="http://technet.microsoft.com/en-us/library/cc837966.aspx"&gt;http://technet.microsoft.com/en-us/library/cc837966.aspx&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TLS. (2009). Transport layer security. 
Retrieved 18 July 2009 from &lt;a href="http://en.wikipedia.org/wiki/Transport_Layer_Security"&gt;http://en.wikipedia.org/wiki/Transport_Layer_Security&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Application of Formal Methods in the Design of Reliable and Secure Software</title><link>https://www.thario.net/post/historic-application-of-formal-methods-in-the-design-of-reliable-and-secure-software.html</link><pubDate>Fri, 17 Jul 2009 04:49:00 +0000</pubDate><guid>https://www.thario.net/post/historic-application-of-formal-methods-in-the-design-of-reliable-and-secure-software.html</guid><description>&lt;p&gt;This research paper explores the use of formal methods in software engineering to design reliable and secure software systems. Formal methods are mathematically focused languages or visual notations to specify behavior, algorithms or other types of program execution while remaining technology independent. This paper provides a brief overview of formal methods and several of the more popular implementations of formal methods in use today for software and systems development. It presents the benefits and drawbacks to formal methods, including reasons why formal methods are not commonplace for all software development. The precision of formal methods provides some opportunity for automation in the software development lifecycle including code generation and automated testing. An exploration of several problem domains where formal methods are often applied is provided. 
The paper concludes with discussion on the viability of formal methods as a continuing tool of software engineering.&lt;br /&gt;&lt;br /&gt;Hinchey (2008) defines formal methods as &amp;ldquo;[&amp;hellip;] a specification notation with formal semantics, along with a deductive apparatus for reasoning, is used to specify, design, analyze, and ultimately implement a hardware or software (or hybrid) system.&amp;rdquo; Formal methods have a relationship to some of the earliest research in algorithms and automated computation. Pure mathematics and symbolic languages were the sole means of algorithmic expression before general-purpose software languages and microprocessors. One such early incarnation of a language for computation was the Turing machine, conceived by Alan Turing in 1936. Turing machines are &amp;ldquo;[&amp;hellip;] simple abstract computational devices intended to help investigate the extent and limitations of what can be computed.&amp;rdquo; (TM, 2009). Before automated computation was truly possible, many scientific minds were working on ways to direct a computational machine in precise ways.&lt;br /&gt;&lt;br /&gt;Traditionally, formal methods are used in the specification and development of systems requiring high dependability, such as communication, flight control and life support. Something is dependable if its performance is constant. Reliability is the degree to which something is accurate, stable, and consistent. Security is a guarantee against loss or harm. Hanmer (2007) discusses the relationship between security and dependability, and the common quality attributes of the two when developing a system. He states that something is dependable if it exhibits reliability, maintainability, availability and integrity. Something is secure if it exhibits availability, integrity and confidentiality. The commonality between the two sets is availability and integrity. 
In the information technology world, the opposites of these two qualities are downtime and inconsistency - something we often see today resulting from informal software specification and lackluster development processes.&lt;br /&gt;&lt;br /&gt;As mentioned above, formal methods can be applied in the phases of specification, design, implementation or verification of software systems. There is potential use for formal methods throughout the entire development lifecycle. Requirements for software systems typically come from stakeholders in the domain in which the software is used, such as aerospace or finance. Those requirements are provided in human-readable form and need an initial transformation into a more precise language. Software designers can refine the formal specification through a series of iterations and deliver them to developers for implementation. The architecture, functionality and quality attributes of the software can be checked against the formal specifications during peer reviews with other designers and developers. Finally, the teams responsible for testing and verification of the system&amp;rsquo;s proper operation can use the formal specifications as scripts in developing test suites for automated or manual execution.&lt;br /&gt;&lt;br /&gt;The specifications from formal methods can be used for more than documentation of a system&amp;rsquo;s requirements and behavior. The precision in many formal methods allows the utilization of automation to reduce human error and increase consistency in the delivery of the final product. Translation of some or all of formal method languages into general-purpose computer source languages is possible, freeing the developers to concentrate on interesting refinements and optimization of the code, versus laboriously writing every line by hand. Stotts (2002) describes their project in which JUnit test cases were generated from formal method specifications. 
The automated approach enabled them &amp;ldquo;[&amp;hellip;] to generate more test methods than a programmer would by following the basic JUnit practice, but our preliminary experiments show this extra work produces test suites that are more thorough and more effective at uncovering defects.&amp;rdquo; The formal methods research team at NASA Langley Research Center has developed a domain-specific formal method language called Abstract Plan Preparation Language. The research team&amp;rsquo;s focus in creating the language is &amp;ldquo;[&amp;hellip;] to simplify the formal analysis and specification of planning problems that are intended for safety-critical applications such as power management or automated rendezvous in future manned spacecraft.&amp;rdquo; (Butler, 2006).&lt;br /&gt;&lt;br /&gt;There are economic disadvantages of applying formal methods in software development projects. Formal methods are typically more mathematically intensive than flowcharts or other modeling notations. They are also more precise and rigorous, which results in more time spent expressing the solution using a formal method notation than a visual modeling language. A developer experienced in application-level design and implementation may have less education in computational mathematics required to work with formal method notation. A primary complaint from designers and developers is that the solution must be specified twice: once in the formal method notation and again in the software language. The same argument persists in the visual modeling community, which does embrace the use of model transformation to source code to reduce the duplication of effort. The availability of formal method transformation tools to generate source code helps eliminate this issue as a recurring reason not to use formal methods.&lt;br /&gt;&lt;br /&gt;Several formal methods are popular today, including Abstract State Machines, B-Method, Petri Nets and Z (zed) notation. 
Petri nets date back to 1939, Z was introduced in 1977, abstract state machines in the 1980s and B-Method is the most recent from the 1990s. Petri nets are found in the analysis of workflows, concurrency and process control. The Z formal method language is based on notations from axiomatic set theory, lambda calculus and first-order predicate logic. (Z, 2009). It was standardized by ISO in 2002. Abstract state machines resemble pseudo-code and are easy to translate into software languages. Several tools exist to verify and execute abstract state machine code, including CoreASM available on SourceForge.net. Finally, B-Method is a lower-level specification language with a wide range of tool support. It is popular in the European development community and has been used to develop safety systems for the Paris Metro rail line. (BMETH, 2009).&lt;br /&gt;&lt;br /&gt;The use of formal methods as a way of increasing software dependability and security remains strong in industries where even partial failure can result in unacceptable loss of money, time and most importantly, life. The choice of applying formal methods in a development project is often an economic, risk-based decision. There will continue to be application programs without the budget or convenience of time to add the extra process and labor required to transform requirements into formal method specifications and then into source code. However, the pattern of formal method use remains consistent in safety and security critical systems. The development and refinement of formal methods continues into this decade, most recently with the standardization of the Z method by ISO. The activity surrounding tooling and automation to support formal methods during the development lifecycle appears to be growing. 
Perhaps the software industry is closing on a point of balance among formality in specification, time to market and automation in solution development.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;ASM. (2009). Abstract State Machines. Retrieved 11 July 2009 from &lt;a href="http://en.wikipedia.org/wiki/Abstract_State_Machines"&gt;http://en.wikipedia.org/wiki/Abstract_State_Machines&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;BMETH. (2009). B-Method. Retrieved 11 July 2009 from &lt;a href="http://en.wikipedia.org/wiki/B-Method"&gt;http://en.wikipedia.org/wiki/B-Method&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Butler, R. W. (2006). An Abstract Plan Preparation Language. NASA Langley Research Center, Hampton, Virginia. NASA/TM-2006-214518. Retrieved 11 July 2009 from &lt;a href="http://shemesh.larc.nasa.gov/fm/papers/Butler-TM-2006-214518-Abstract-Plan.pdf"&gt;http://shemesh.larc.nasa.gov/fm/papers/Butler-TM-2006-214518-Abstract-Plan.pdf&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Hanmer, R. S., McBride, D. T., Mendiratta, V. B. (2007). Comparing Reliability and Security: Concepts, Requirements, and Techniques. Bell Labs Technical Journal 12(3), 65–78 (2007).&lt;br /&gt;&lt;br /&gt;Hinchey, M., Jackson, M., Cousot, P., Cook, B., Bowen, J. P., Margaria, T. (2008). Software Engineering and Formal Methods. Communications of the ACM, 51(9). September 2008.&lt;br /&gt;&lt;br /&gt;TM. (2009). Turing machine. Retrieved 11 July 2009 from &lt;a href="http://plato.stanford.edu/entries/turing-machine/"&gt;http://plato.stanford.edu/entries/turing-machine/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Stotts, D., Lindsey, M., Antley, A. (2002). An Informal Formal Method for Systematic JUnit Test Case Generation. Technical Report TR02-012. Department of Computer Science, Univ. of North Carolina at Chapel Hill. 
Retrieved 11 July 2009 from &lt;a href="http://rockfish.cs.unc.edu/pubs/TR02-012.pdf"&gt;http://rockfish.cs.unc.edu/pubs/TR02-012.pdf&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Z. (2009). Z notation. Retrieved 11 July 2009 from &lt;a href="http://en.wikipedia.org/wiki/Z_notation"&gt;http://en.wikipedia.org/wiki/Z_notation&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Research Project Proposal: Model-Driven Information Repository Transformation and Migration</title><link>https://www.thario.net/post/historic-research-project-proposal-model-driven-information-repositorytransformation-and-migration.html</link><pubDate>Wed, 10 Dec 2008 11:54:00 +0000</pubDate><guid>https://www.thario.net/post/historic-research-project-proposal-model-driven-information-repositorytransformation-and-migration.html</guid><description>&lt;p&gt;This project will apply Unified Modeling Language for the visual definition of data transformation rules for directing the execution of data migration from one or more source information repositories to a target information repository and will result in a UML profile optimized for defining data transformation and migration among repositories. I believe that a visual approach to specifying and maintaining the rules of data movement between the source and target repositories will decrease the time required to define these rules, enable less technical individuals to adopt, and provide a motivation to reuse these models to accelerate future migration and consolidation efforts.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;Problem Statement and Background&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;My role in this project includes project planning and task management, primary researcher and developer of the deliverables of the project. My technical background includes being a certified OOAD designer in Unified Modeling Language by IBM and a software engineer for nearly two decades. 
I recently have been involved in the migration of several custom knowledge data repositories to an installation of IBM Rational Asset Manager.&lt;br/&gt;&lt;br/&gt;This project will use a constructive ontology and epistemology to create a new solution in the problem space of the project. This is the most appropriate research ontology and epistemology because there is little precedent available in exactly this area of research. Visual modeling of program specifications has been studied in other problem domains and continues to be an area of interest. This particular problem space is unique, relatively untouched, and in an area of considerable interest to me. A possible constraint of the project includes shortcomings of the UML metamodel rules to allow the extension and definition of an effective rules-based data transformation and migration language. A second constraint of the project may be identification of one or more source repositories as candidates for moving to a new system. For the second constraint, one or more simulated repositories may need to be created.&lt;br/&gt;&lt;br/&gt;This study is relevant to software engineering practitioners, information technology professionals, database administrators and enterprise architects who wish to consolidate data repositories to a single instance. Unified Modeling Language (UML) is primarily used today in information technology to visually specify requirements, architectures and designs of systems, to verify and create test scenarios, and to perform code generation. The UML metamodel was designed to make the language extensible, with the ability to support profiles that allow the language to be customized to support specific problem domains. Researchers and practitioners are finding innovative uses for UML as a visual specification language. Zulkernine, Graves, Umair and Khan (2007) recently published their results in using UML to visually specify rules for a network intrusion detection system. 
Devos and Steegmans (2005) also published their results in using Unified Modeling Language in tandem with Object Constraint Language to specify business process rules with validation and error checking.&lt;br/&gt;&lt;br/&gt;This project will contribute to at least two fields of information technology: visual modeling languages, and information consolidation and management. This project will make a unique contribution to the subject area of domain-specific visual languages for the definition of rules. Additionally, a successful outcome from this project will contribute to knowledge in the area of lowering complexity of consolidating repositories to save operations costs and increase modernization of data access systems. An opposing approach to this project would be a federated solution to data consolidation. A federated solution would continue to maintain multiple data repositories and connect their operations via programming interfaces so that clients could access them and combine their data to create the appearance of a unified source.&lt;br/&gt;&lt;br/&gt;The project area of focus was motivated by my desire to create a visual system for complete migration of a source repository of technical data, such as a technical support knowledge base, to a new product called Rational Asset Manager. My overall goal was to drive the entire migration visually using a single model specification. This specification would visually specify the rules in migrating and transforming data from one system to another as well as visually select the technical mechanisms used to communicate with each information repository, such as SQL databases, web services, XML translation, etc. In addition, I wanted to generate some executable code from the models that would carry out some or all of the movement of data between repositories. 
In scaling this broad problem area down, I decided to focus on using the model as a specification that would be read by an existing program to carry out the instructions in the model. This program already exists, but does not yet know how to read models. Finally, in focusing on a specific part of the visual specification, I decided to focus on an aspect of the model that locates data from one system, potentially re-maps it or transforms it, and places it into the target system. The final initial research focus would take the form of a UML profile that could be used to specify this aspect of the solution and extend the existing migration program to use the model to perform its work.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;Project Approach and Methodology&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;This project will use a design science methodology to iteratively create, test, and refine the deliverables of the project’s outcome. The design science methodology defines five process steps in achieving the outcome of a research project: awareness of problem, suggestion, development, evaluation, and conclusion. &lt;br/&gt;&lt;br/&gt;This project is currently at the awareness of the problem phase. The inputs to this phase have been my experiences in working within the problem space for the last several years and the secondary research into the problem area performed thus far. I have encountered shortcomings in automation to help accelerate solutions in this problem space. At the same time, I have observed closely related problems overcome using visual and declarative technologies. Additional secondary research is being conducted to understand the body of knowledge associated with this area of visual modeling. The output at this phase is this proposal for a project to develop a visual language to help accelerate solutions in this problem space. 
Significant elements of the proposal include the overall vision of the project, the risks of the project, tools and resources required to carry out the project, and the initial schedule to complete the project. &lt;br/&gt;&lt;br/&gt;Following an accepted proposal, the next phase of this methodology is the suggestion phase, which involves a detailed analysis and design of the proposed solution. During the suggestion phase, several project artifacts will be created and updated with new information. Updated artifacts include the project risks and a refined schedule for completion of the project. New artifacts produced at this phase include early UML and migration tool prototypes to explore various technical alternatives, detailed test and validation plans, and most importantly the design plans for the following phase of the project. A significant activity performed at this phase is the acquisition and readiness of the project resources, such as physical labs, input test data from candidate repositories, access to networked systems to acquire the test data, and installation of hardware and software tools.&lt;br/&gt;&lt;br/&gt;The development phase of the project uses the design plans established in the suggestion phase to focus on construction of the first iteration of the solution. Experiences during this phase also drive refinements to the project schedule, detailed test and validation plans, risks, and the design plan of the solution. The deliverable of this phase is the first generation of the UML profile and extensions to the existing migration tool to support parsing and using models created with the profile. The test specification models are used to move a larger portion of the candidate source repositories to the target repository. After conclusion of this phase, the project may return to an earlier phase to refine plans or project scope based on what is learned during the development of the solution. 
If acceptable progress is demonstrated at the conclusion of this phase, the project will continue to the evaluation phase.&lt;br/&gt;&lt;br/&gt;The evaluation phase focuses most of its effort on formal testing and validation of the solution produced in the development phase. The evaluation of the work against the thesis includes working with specific individuals to determine if this is indeed an approach that will save time and simplify the specification of data migration and transformation rules. Documentation of the testing outcome and comparison to the anticipated outcome may cause the project to return to an earlier phase to adjust scope or expectations. If it is decided the project has met its goals, or the goals are not achievable by the project’s approach, the effort will conclude.&lt;br/&gt;&lt;br/&gt;The conclusion of this project will involve final documentation of the outcome and packaging of all the project’s artifacts for future research studies. The project’s artifact package will be placed in the public location for others to review and use.&lt;br/&gt;&lt;br/&gt;As mentioned above, this project will require several physical resources and cooperation from technical experts. The study will require access to two or more legacy data repositories as sources for information. The source repositories should ideally utilize different underlying database technologies and implement different information schemas to test variations of the proposed modeling language as it is developed and tested. Access to the technical administrators of the source repositories will be necessary to understand the repositories’ schema and obtain read-only access or a copy of their information. It would be preferred that the repositories be accessed read-only and utilized via a network, or the information is relocated to a computing system directly available to the research project. The study will require at least one server system running IBM’s Rational Asset Manager. 
This system will act as the target data repository. Data transformed from the source repositories will migrate into Rational Asset Manager, driven by a migration application that uses the visual specifications as direction. The study will also require a single workstation with IBM Rational Software Architect for development of the visual modeling language and extension of the existing migration programs to read the visual models and perform the migration work from the source to target repositories.&lt;br/&gt;&lt;br/&gt;A requirement of the project’s determination of success is the need to measure the savings in the time to build a migration solution with and without visual specifications. The migration problems need to be varied as well, from simple one-to-one mappings from a single source repository to a single target repository, to more exotic migration scenarios, such as consolidating multiple source repositories to a single target repository and re-mapping values from the source to the target. Additionally, the reusability of previous solutions will be measured as well. This aspect of the project’s outcome will quantify how easily a specification model can be reused from a previous solution.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;Definition of the End Product of Project&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;This project will produce several artifacts during the project’s life and at conclusion. Most importantly, a UML profile will be developed that can be imported into Rational Software Architect or Rational Software Modeler. The profile will include usage documentation and example models that demonstrate various types of rules that may be specified in a visual model and how that model is read and executed by the migration program. 
The migration program will be a reference-implementation of an existing tool program that can read the model configured with the UML profile and generates events for extension points on which to act.&lt;br/&gt;&lt;br/&gt;In addition to technical deliverables, all project planning and process artifacts, such as the project plan, design plan, risks and mitigation notes, test criteria and test result data will be made available. The project will conclude with the development of at least one article or paper for submission to a research journal to document this project’s challenges and achievements, and an annotated bibliography of secondary research related to the project will be provided.&lt;br/&gt;&lt;br/&gt;If successful, this project will contribute to simplifying part of the process of developing a migration solution without having to recreate the existing tool used today. The project will add a new component to the migration tool and consumers of the tool can choose to use this new component. An assumption made in this research project is that the UML profile developed as a deliverable will be an approachable alternative for less experienced IT professionals and software engineers. This will be a challenge for the project’s results.&lt;br/&gt;&lt;br/&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;Devos, F., Steegmans, E. (2005). Specifying business rules in object-oriented analysis. Softw Syst Model (2005) 4: 297–309 / Digital Object Identifier (DOI) 10.1007/s10270-004-0064-z.&lt;br/&gt;&lt;br/&gt;Zulkernine, M., Graves, M., Umair, M., Khan, A. (2007). Integrating software specifications into intrusion detection. Int. J. Inf. Secur. (2007) 6:345–357. 
DOI 10.1007/s10207-007-0023-0.&lt;/p&gt;</description></item><item><title>Reducing Adoption Barriers of Agile Development Processes in Large and Geographically Distributed Organizations</title><link>https://www.thario.net/post/historic-reducing-adoption-barriers-of-agile-development-processes-in-large-andgeographically-distributed-organizations.html</link><pubDate>Sun, 12 Oct 2008 13:15:00 +0000</pubDate><guid>https://www.thario.net/post/historic-reducing-adoption-barriers-of-agile-development-processes-in-large-andgeographically-distributed-organizations.html</guid><description>&lt;p&gt;Agile software development processes have received much attention from the software development industry in the last decade. The goal of agile processes is to focus the importance of people as primary contributors of the project and reduce the administrative overhead of producing working code for the stakeholders of the project. This paper explores some of the explicit and implied constraints of agile software development processes. It focuses on several common practices of agile processes, particularly those that might limit their adoption by large and geographically distributed organizations. This paper makes recommendations to reduce the barriers to adoption of agile processes by these types of organizations. 
It attempts to answer questions such as:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Is it possible for a large organization with many established business and development processes to incrementally adopt an agile process?&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Is it possible to adopt agile development processes to work for many individuals who are physically isolated, such as work-at-home software developers?&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Is it possible to adopt agile development processes to work for a large team, divided into many sub-teams that are geographically distributed and possibly working in different time zones?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;Extreme Programming is probably one of the most recognized agile software development process today. It was introduced in the late 1990s by Kent Beck and eventually published as a book (Beck, 2005). Beck’s approach documented the values, principles and practices necessary too deliver lower defect, working software with less formal process and more focus on the skills of people and community that produces it. Extreme Programming is targeted to small, collocated teams of about twelve people. Other proponents of agile software development processes understood the increasing interest in their approaches by the software industry and followed with the Manifesto for Agile Software Development. The contributors of the Manifesto were the creators of many different agile, iterative and incremental software development processes. Their goal was to unify principles they shared in common. The work was authored by “[&amp;hellip;] representatives from Extreme Programming, SCRUM, DSDM, Adaptive Software Development, Crystal, Feature-Driven Development, Pragmatic Programming, and others [&amp;hellip;]” (Manifesto, 2001).&lt;br /&gt;&lt;br /&gt;Beck and Andres (2005) present the primary practices of Extreme Programming in their book. 
Two practices stand out as a limitation of scaling Extreme Programming to teams in multiple locations, or even work-at-home employees. They are Sit Together and Pair Programming. Sit Together is a practice that encourages the team to work in a unified area, such as a large, open room that promotes easy communication. Pair Programming is a technique where two developers sit together at a single workstation and take turns designing and writing code. As one developer is writing code, the other is observing, asking questions and offering suggestions as the current piece of work progresses. The goal of these two practices is to lower the defect rate through a constantly available communication and collaboration of developers sharing the same physical space. Beck and Andres (2005) also discuss the importance of team size in a project that uses Extreme Programming. They recommend a team size of about twelve people. The reason for this size has as much to do with coordination of development activities as it does with psychological needs of being a part of a team. The larger a team grows, the less personal the connections between team members become. Faces are more difficult to remember and communication among all members gravitates toward infrequency. These challenges with team size become amplified with work-at-home software developers who may only be in the physical presence of other members of the team a few times a year at specific events such as all-hands meetings.&lt;br /&gt;&lt;br /&gt;Active and regular communication is a requirement with agile software development. Ramesh (2006) describes the perceived advantages of teams distributed across time zones and continuous development, e.g. as one team ends for the day and goes to bed another is coming to work to pick up where the last left off. 
However, there is actually a communication disconnection between the geographically distributed team in this situation, and the teams are forced into a mode of asynchronous communication, potentially slowing down progress. This problem relates to two principles of the Manifesto for Agile Software Development (2001) that present a challenge to geographically distributed teams. The first is “Business people and developers must work together daily throughout the project.” The second is “The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.” Both principles are related to communication among developers, management, stakeholders and users of the project. &lt;br /&gt;&lt;br /&gt;Lindvall (2004) points out that incremental adoption of agile practices into an existing large organization can be challenging. An existing organization typically has the expectation that existing business and development processes are followed regardless of project size and the process used. Educating those outside of the agile pilot project and resetting their expectations for following the established processes can create tension. A specific example is that development in agile-driven projects usually starts with a subset of the requirements set. This is a quality of agile development processes and has to do with working on what is understood to be the goal of the project today. As working builds are created and delivered to stakeholders the requirements set can be appended and refined until there is agreement that a reasonable goal has been established. 
Murthi (2002) documents a case of using Extreme Programming on a 50-person development project and cites the ease of starting early with a partial requirements set, and using the subsequent working results for two goals: show stakeholders working software to build confidence in the development team and giving stakeholders something to help refine their own understanding of their needs.&lt;br /&gt;&lt;br /&gt;Incrementally developed requirements, constantly refined budgeting and burn rate of finances that are typical of agile development process management can present a unique challenge to a project that is completely or partially outsourced. Cusumano (2008) details the need for an iterative contract between the customer and outsourcing provider. A fixed-price contract can be nearly impossible to design when agile development processes are in use by either party. Boehm (2005) also discusses the problem of using agile processes within the realm of contracting to the private and public sector. Problems can be encountered when measuring progress of a contract’s completion. As a consumer following an agile process, the requirements can remain a moving target well into the project’s life cycle. As a provider following agile development processes, it can become nearly impossible to provide final system architectural details early in the life cycle to the consumer for review. Boehm also points out the difficulties to overcome by providers utilizing agile processes when seeking certification for CMMI and ISO-related international standards.&lt;br /&gt;&lt;br /&gt;The barriers of agile development process adoption by a large or geographically distributed organization can be reduced by a combination of two approaches. The first approach is the application of tooling and technologies to support the practices of agile software development that scale to an organization’s needs. 
The second approach is to continuously refine the practices in conflict with the organization’s existing mode of operation over time.&lt;br /&gt;&lt;br /&gt;An example of practice refinement through technology adoption is the Sit Together and Pair Programming practices from Extreme Programming, and working together daily and face-to-face interaction among customers and developers as recommended principles of the Manifesto of Agile Software Development. These practices and principles are the most obvious barrier to adoption of pure agile development processes within a large or geographically distributed team. The essence of the Sit Together practice is to provide a means to communicate at-will among team members. Technologies that help support this practice in distributed environments include instant messaging systems that can provide a mechanism for short question and answer sessions for two or more participants in the project at once. Longer conversations among the team can be supported through VOIP solutions, reservation-less teleconference solutions, Skype and XMPP-based messaging solutions that can allow several team members at a time impromptu contact and discussion opportunities for project issues. Speakerphones allow collocated sub-teams to participate in conversations about the project across geographic locations. In all the examples cited, full-duplex voice communication is essential for effective discussion among several team members at once. This type of communication allows the audio channels to work in both directions simultaneously, which means someone can talk and interrupt someone speaking as they could when they are in person. Many inexpensive speakerphones are half duplex. These types of devices block the receiving audio channel when the person is speaking. Someone wanting to stop the speaker to clarify a point is unable to do so until the person speaking pauses. 
Background noise, such as a loud computer fan or air conditioner can cause similar problems for half-duplex communication systems. Pair Programming can be performed through a combination of voice communication and desktop screen sharing technology. Individuals working within the same network or virtual private network can use solutions like Microsoft NetMeeting or Virtual Network Computing (VNC) to share, view and work within each other’s development environment and perform pair programming over any distance.&lt;br /&gt;&lt;br /&gt;Web-based and wide-area-network tooling to support the incremental development and tracking of plans, requirements and defects is available from several vendors such as IBM and Rally Software Development Corporation. Gamma (2005) presented The Eclipse Way at EclipseCon several years ago. The motivation behind his presentation was the many requests he received from users of the Eclipse environment to understand how a team distributed throughout the world could continue to release as planned and with a low defect rate. The Eclipse Foundation has a centralized data center in Canada for several of its activities including continuous integration and automated testing of nightly builds. The build and testing process of the Eclipse environment is fully automated for each platform it supports. Additionally, end-users are encouraged to install and use nightly builds after they pass the automated suite of tests.&lt;br /&gt;&lt;br /&gt;Other barriers to adopting agile development processes cannot be solved with tooling alone. Ramesh (2006) found that the solution to working across multiple time zones is to synchronize some meetings, and rotate the time of the meeting so that each group takes turns in suffering from an extraordinarily early or late meeting so that everyone on the project can communicate live. Solving the opposing forces in contract negotiating requires creativity. 
Boehm (2005) recommends disbursing “[&amp;hellip;] payments upon delivery of working running software or demonstration of progress rather than completion of artifacts or reviews.” According to Boehm there is not yet a well-defined compatible solution to agility in process and certification of ISO or CMMI related certifications. Lindvall (2004) concluded that adoption of agile development processes by large organizations is best accomplished through hybrid integration with the existing processes, particularly the established quality processes. With this approach, the existing quality processes can be used to measure the effectiveness of the agile software development process under pilot.&lt;br /&gt;&lt;br /&gt;This paper described several of the qualities shared by different agile software development processes. It focused on those aspects that potentially limit agile process adoption by large and geographically distributed organizations. The recommendations made in this paper include technology solutions to improve collaboration and communication among distributed developers and consumers of the project. The technology considerations also help alleviate management concerns such as incremental planning and budgeting of agile projects. Recommendations were also provided for large organizations with established processes and approaches pilot projects utilizing agile development can take to leverage those processes to demonstrate their value. It is possible to adopt agile software development processes for large and geographically distributed organizations. Adoption requires thoughtful and careful application, integration and refinement of the practices at the core of these agile processes for a successful outcome.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;REFERENCES&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Beck, K., Andres, C. (2005). Extreme Programming Explained. Second Edition. Copyright 2005, Pearson Education, Inc.&lt;br /&gt;&lt;br /&gt;Boehm, B., Turner, R. (2005). 
Management Challenges to Implementing Agile Processes in Traditional Development Organizations. IEEE Software. 0740-7459/05.&lt;br /&gt;&lt;br /&gt;Cusumano, M.A. (2008). Managing Software Development in Globally Distributed Teams. Communications of the ACM. February 2008/Vol. 51, No. 2.&lt;br /&gt;&lt;br /&gt;Gamma, E., Wiegand, J. (2005). Presentation: The Eclipse Way, Processes That Adapt. EclipseCon 2005. Copyright 2005 by International Business Machines.&lt;br /&gt;&lt;br /&gt;Leffingwell, D. (2007). Scaling Software Agility: Best Practices for Large Enterprises. Copyright 2007 by Pearson Education, Inc.&lt;br /&gt;&lt;br /&gt;Lindvall, M., Muthig, D., Dagnino, A., Wallin, C., Stupperich, M., Kiefer, D., May, J., Kahkonen, T. (2004). IEEE Computer. 0018-9162/04.&lt;br /&gt;&lt;br /&gt;Manifesto. (2001). Manifesto for Agile Software Development. Retrieved 2 October 2008 from &lt;a href="http://agilemanifesto.org/"&gt;http://agilemanifesto.org/&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;Murthi, S. (2002). Scaling Agile Methods - Can Extreme Programming Work for Large Projects? &lt;a href="https://www.newarchitectmag.com"&gt;www.newarchitectmag.com&lt;/a&gt;. October 2002.&lt;br /&gt;&lt;br /&gt;Ramesh, B., Cao, L., Mohan, K., Xu, P. (2006). Can Distributed Software Development Be Agile? Communications of the ACM. October 2006/Vol. 49, No. 10.&lt;/p&gt;</description></item><item><title>Applicability of DoDAF in Documenting Business Enterprise Architectures</title><link>https://www.thario.net/post/historic-applicability-of-dodaf-in-documenting-business-enterprise-architectures.html</link><pubDate>Sat, 09 Aug 2008 03:16:00 +0000</pubDate><guid>https://www.thario.net/post/historic-applicability-of-dodaf-in-documenting-business-enterprise-architectures.html</guid><description>&lt;p&gt;As of 2005, the Department of Defense employed over 3 million uniformed and civilian people and it had a combined $400 billion fiscal budget (Coffee, 2005). 
The war-fighting arm of the government has had enormous buying power since the cold war and the complexity of technologies used in military situations continues to increase. To make the most optimal use of its dollars spent, reduce rework and delays in delivery of complex solutions, the DoD needed to standardize the way providers described and documented their systems. The DoD also needed to promote and enhance the reuse of existing, proven architectures for new solutions. The Department of Defense Architecture Framework (DoDAF) is used to document architectures of systems used within the branches of the Department of Defense. &amp;ldquo;The DoDAF provides the guidance and rules for developing, representing, and understanding architectures based on a common denominator across DoD, Joint, and multinational boundaries.&amp;rdquo; (DODAF1, 2007).&lt;br/&gt;&lt;br/&gt;DoDAF has roots in other enterprise architecture frameworks such as Zachman Framework for Information System Architecture (Zachman, 1987) and Scott Bernard&amp;rsquo;s EA-Cubed framework described in (Bernard, 2005). Zachman and Bernard&amp;rsquo;s architecture frameworks have been largely adopted by business organizations to document IT architectures and corporate information enterprises. Private sector businesses supplying solutions to the DoD must use the DoDAF to document the architectures of those systems. These suppliers may not be applying concepts of enterprise architecture to their own business, or they may be applying a different framework internally with an established history of use in the business IT sector. The rigor defined in DoDAF version 1.5 is intended for documenting war fighting and business architectures within the Department of Defense. The comprehensive nature of DoDAF including the required views, strategic guidance, and data exchange format also makes it applicable to business environments. 
For those organizations in the private sector that must use the DoDAF to document their deliverables to the DoD, it makes sense to approach adoption of DoDAF in a holistic manner and extend the use of DoDAF into their own organization if they intend to adopt any enterprise architecture framework for this purpose.&lt;br/&gt;&lt;br/&gt;The Department of Defense Architecture Framework is the successor to C4ISR. &amp;ldquo;The Command, Control, Communications, Computers, and Intelligence, Surveillance, and Reconnaissance (C4ISR) Architecture Framework v1.0 was created in response to the passage of the Clinger-Cohen Act and addressed in the 1995 Deputy Secretary of Defense directive that a DoD-wide effort be undertaken to define and develop a better means and process for ensuring that C4ISR capabilities were interoperable and met the needs of the war fighter.&amp;rdquo; (DODAF1, 2007). In October 2003, DoDAF Version 1.0 was released and replaced the C4ISR framework. Version 1.5 of DoDAF was released in April of 2007. DoDAF solves several problems with the acquisition and ongoing operations of branches within the Department of Defense. Primarily it serves to reduce the amount of misinterpretation in both directions of communication by system suppliers outside of the DoD and consumers within the DoD. The DoDAF defines a common language in the form of architectural views for evaluating the same solution from multiple vendors. The framework is regularly refined through committee and supports the notion of top-down architecture that is driven from a conceptual viewpoint down to the technical implementation.&lt;br/&gt;&lt;br/&gt;Version 1.5 of DoDAF includes transitional improvements to support the DoD&amp;rsquo;s Net-Centric vision. 
&amp;ldquo;[Net-Centric Warfare] focuses on generating combat power from the effective linking or networking of the war fighting enterprise, and making essential information available to authenticated, authorized users when and where they need it.&amp;rdquo; (DODAF1, 2007). The Net-Centric Warfare initiative defines simple guidance within DoDAF 1.5 to support the vision of the initiative and guide qualities of the architecture under proposal. The guidance provided within DoDAF includes a shift toward a Services-Oriented Architecture, which we often read about in relationship to the business sector. It also encourages architectures to accommodate unexpected but authorized users of the system. This is related to scaling the solution and loose coupling of system components used in communication of data. Finally, the Net-Centric guidance encourages the use of open standards and protocols such as established vocabularies, taxonomies of data, and data interchange standards. These capabilities will help promote integrating systems into larger, more information intensive solutions. As this paper is written, Version 2.0 of DoDAF is being developed. There is currently no timeline defined for release.&lt;br/&gt;&lt;br/&gt;DoDAF defines a layered set of views of a system architecture. The views progress from conceptual to technical. Additionally a standards view containing process, technical, and quality requirements constrain the system being described. The topmost level of view is the All Views. This view contains the AV-1 product description and the AV-2 integrated dictionary. AV-1 can be thought of as the executive summary of the system&amp;rsquo;s architecture. It is the strategic plan that defines the problem space and vision for the solution. The AV-2 is the project glossary. It is refined throughout the life of the system as terminology is enhanced or expanded. The next level of view is the Operational Views. 
This level can be thought of as the business and data layer of the DoDAF framework. The artifacts captured within this view include process descriptions, data models, state transition diagrams of significant elements, and inter-component dependencies. Data interchange requirements and capabilities are defined within this view. Example artifacts from the operational view include the High-Level Operational Concept Graphic (OV-1), Operational Node Connectivity Description (OV-2), and Operational Activity Model (OV-5). The third level of views is the Systems and Services View. This view describes technical communications and data interchange capabilities. This level of the architecture is where network services (SOA) are documented. Physical technical aspects of the system are described in this level as well, including those components of the system that have a geographical requirement. Some artifacts from the Systems and Services View include Systems/Services Interface Description (SV-1), Systems/Services Communications Description (SV-2), Systems/Services Data Exchange Matrix (SV-6), and Physical Schema (SV-11).&lt;br/&gt;&lt;br/&gt;DoDAF shares many of the beneficial qualities of other IT and enterprise architecture frameworks. A unique strength of DoDAF is the requirement of a glossary as a top-level artifact in describing the architecture of a system. (RATL1, 2006). Almost in tandem with trends in the business IT environment toward Service-Oriented Architectures, DoDAF 1.5 has shifted more focus to a data-centric approach and network presence in the Net-Centric Warfare initiative. This shift is motivated by the need to share operational information with internal and external participants who are actors in the system. This need is also motivated by the desire to assemble and reuse larger systems-level components to build more complex war fighting solutions. 
As with other frameworks, DoDAF&amp;rsquo;s primary strength is in the prescription of a common set of views to compare capabilities of similar systems. The views enable objective comparisons between two different systems that intend to provide the same solution. The views enable faster understanding and integration of systems delivered from provider to consumer. The view also allows for cataloging and assembling potentially compatible systems into new solutions perhaps unforeseen by the original provider. The DoDAF view can effect a reduction of deployment costs and lower possibility of reinventing the same system due to lack of awareness about existing solutions. A final unique strength of DoDAF is that it defines a format for data exchange between repositories and tools used in manipulating the architectural artifacts. The (DODAF2, 2007) specification defines with each view the data interchange requirements and format to be used when exporting the data into the common format. This inclusion in the framework supports the other strengths, most importantly automation of discovery and reuse of existing architectures.&lt;br/&gt;&lt;br/&gt;Some weaknesses of DoDAF can be found when it is applied outside of its intended domain. Foremost, DoDAF was not designed as a holistic, all encompassing enterprise architecture framework. DoDAF does not capture the business and technical architecture of the entire Department of Defense. Instead it captures the architectures of systems (process and technical) that support the operations and strategy of the DoD. This means there may be yet another level of enterprise view that relates the many DoDAF-documented systems within the DoD into a unified view of participating components. This is not a permanent limitation of the DoDAF itself, but a choice of initial direction and maximum impact in the early stages of its maturity. 
The focus of DoDAF today is to document architectures of complex systems that participate in the overall wartime and business operations of the Department of Defense. A final weakness of DoDAF is the lack of business-financial artifacts such as a business plan, investment plan and return-on-investment plan.&lt;br/&gt;&lt;br/&gt;It is the author&amp;rsquo;s observation that the learning curve for Zachman is potentially smaller than DoDAF. Zachman&amp;rsquo;s basic IS architecture framework method is captured in a single paper of less than 30 pages, while the DoDAF specification spans several volumes and exceeds 300 pages. Zachman&amp;rsquo;s concept of a two-dimensional grid with cells for specific subjects of documentation and models is easier for an introduction to enterprise architecture. It has historically been developed and applied in business information technology situations. Zachman&amp;rsquo;s experience in sales and marketing at IBM motivated him to develop a standardized IS documentation method. There are more commonalities than differences in the artifacts used in both DoDAF and Zachman methods. Zachman does not explicitly recommend a Concept of Operations Scenario, which is an abstract flow of events, a cartoon board, or artistic rendering of the problem space and desired outcome. This does not mean a CONOPS (Bernard, 2005) view could not be developed for a Zachman documentation effort. Business process modeling, use-case modeling, and state transition modeling are all part of DoDAF, Zachman, and Bernard&amp;rsquo;s EA-cubed frameworks. (Bernard, 2005).&lt;br/&gt;&lt;br/&gt;The EA-cubed framework developed by Scott A. Bernard was heavily influenced by Zachman&amp;rsquo;s Framework for Information Systems Architecture. Bernard scaled the grid idea to support enterprise architecture for multiple lines of business with more detail than was possible with a two-dimensional grid. 
The EA-cubed framework uses a grid similar to Zachman&amp;rsquo;s with an additional dimension of depth. The extra dimension allows each line of business within the enterprise to have its own two-dimensional grid to document their business and IT architecture. Cross-cutting through the cube allows architects to identify potentially common components to all lines of business - a way to optimize cost and reduce redundant business processes and IT systems. The EA-cubed framework includes business-oriented artifacts for the business plan, investment case, ROI, and product impact of architecture development. As mentioned above, DoDAF does not include many business-specific artifacts, specifically those dealing with financials. Both Zachman and EA-cubed have more layers and recommended artifacts than DoDAF. EA-cubed has specific artifacts for physical network level and security crosscutting components, as an example. The Systems and Services view of DoDAF recommends a Physical Schema artifact to capture this information if needed. In the case of DoDAF, vendors may not know in advance the physical communication medium deployed with their system such as satellite, microwave or wired networks. In these cases, the Net-Centric Warfare guidance within DoDAF encourages the support of open protocols and data representation standards.&lt;br/&gt;&lt;br/&gt;DoDAF is not a good starting point for beginners to enterprise architecture concepts. The bulk of the volumes of the specification can be intimidating to digest and understand without clear examples and case studies to reference. Searching for material on Zachman on the Internet produces volumes of information, case studies, extensions and tutorials on the topic. DoDAF was not designed as a business enterprise architecture framework. 
The forces driving its development include standardizing documentation of systems proposed or acquired through vendors, enabling reuse of existing, proven architectures, and reducing time to deploy systems-of-systems built from cataloged systems already available. Many of the documentation artifacts that Zachman and EA-cubed include in their frameworks are also prescribed in DoDAF, with different formal names but essentially the same semantics. The framework recommends more conceptual-level artifacts than Zachman. This could be attributed to the number of stakeholders involved in deciding if a solution meets the need. DoDAF includes a requirement for glossary and provides architectural guidance with each view based on current DoD strategy. Much of the guidance provided in DoDAF is directly applicable to the business world. The Net-Centric Warfare strategy, which is discussed within the guidance, is similar to the Service-Oriented Architecture shift happening now in the private sector. Lack of business-strategic artifacts such as business plan, investment plan, and ROI estimates would force an organization to supplement prescribed DoDAF artifacts with several of their own or from another framework. &lt;br/&gt;&lt;br/&gt;The Department of Defense Architecture Framework was designed to assist in the acquisition of systems from suppliers. There are many point-in-time similarities between Zachman and DoDAF in terms of DoDAF&amp;rsquo;s level of refinement for use with large enterprises. DoDAF could potentially benefit from a similar approach as Bernard&amp;rsquo;s, in that the flat tabular view is scaled up with depth. An extension of DoDAF with a third dimension could be used to document the architectures of multiple lines of business within an enterprise with more detail than is possible with a single artifact set. 
With minor enhancements, the DoDAF is a viable candidate for business enterprise architecture efforts.&lt;br/&gt;&lt;br/&gt; &lt;br/&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;Armour, F.J., Kaisler, S.H., Liu, S.Y. (1999). A Big-Picture Look at Enterprise Architectures, IT Professional, vol. 1, no. 1, pp. 35-42. Retrieved from &lt;a href="http://doi.ieeecomputersociety.org/10.1109/6294.774792"&gt;http://doi.ieeecomputersociety.org/10.1109/6294.774792&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;Bernard, S.A. (2005). An introduction to enterprise architecture. (2nd ed.) Bloomington, IN: Author House.&lt;br/&gt;Coffee, P. (2005). Mastering DODAF will reap dividends. eWeek, 22(1), 38-39. Retrieved August 3, 2008, from Academic Search Premier database.&lt;br/&gt;&lt;br/&gt;Dizard, W. P. (2007). Taking a cue from Britain: Pentagon&amp;rsquo;s tweaked data architecture adds views covering acquisition, strategy. Government Computer News, 26, 11. p.14(1). Retrieved August 02, 2008, from Academic OneFile via Gale: &lt;a href="http://find.galegroup.com.dml.regis.edu/itx/start.do?prodId=AONE"&gt;http://find.galegroup.com.dml.regis.edu/itx/start.do?prodId=AONE&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;DoDAF1. (2007). DoD Architecture Framework Version 1.5. Volume I: Definitions and Guidelines. Retrieved 31 July 2008 from &lt;a href="http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_I.pdf"&gt;http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_I.pdf&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;DoDAF2. (2007). DoD Architecture Framework Version 1.5. Volume II: Product Descriptions. Retrieved 31 July 2008 from &lt;a href="http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_II.pdf"&gt;http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_II.pdf&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;IBM. (2006). An IBM Rational Approach to the Department of Defense Architecture Framework (DoDAF). 
Retrieved 2 August 2008 from &lt;a href="ftp://ftp.software.ibm.com/software/rational/web/whitepapers/G507-1903-00_v5_LoRes.pdf"&gt;ftp://ftp.software.ibm.com/software/rational/web/whitepapers/G507-1903-00_v5_LoRes.pdf&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;Leist, S., Zellner, G. (2006). Evaluation of current architecture frameworks. In Proceedings of the 2006 ACM Symposium on Applied Computing (Dijon, France, April 23 - 27, 2006). SAC &amp;lsquo;06. ACM, New York, NY, 1546-1553. DOI= &lt;a href="http://doi.acm.org/10.1145/1141277.1141635"&gt;http://doi.acm.org/10.1145/1141277.1141635&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;RATL1 (2006). An IBM Rational approach to the Department of Defense Architecture Framework (DoDAF) Part 1: Operational view. Retrieved 1 August 2008 from &lt;a href="http://www.ibm.com/developerworks/rational/library/mar06/widney/"&gt;http://www.ibm.com/developerworks/rational/library/mar06/widney/&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;RATL2 (2006). An IBM Rational approach to the Department of Defense Architecture Framework (DoDAF) &amp;ndash; Part 2: Systems View. Retrieved 1 August 2008 from &lt;a href="http://www.ibm.com/developerworks/rational/library/apr06/widney/"&gt;http://www.ibm.com/developerworks/rational/library/apr06/widney/&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;Zachman, J.A. (1987). A framework for information systems architecture. IBM Systems Journal, Vol. 26, No. 3, 1987. 
Retrieved July 2008 from &lt;a href="http://www.research.ibm.com/journal/sj/263/ibmsj2603E.pdf"&gt;http://www.research.ibm.com/journal/sj/263/ibmsj2603E.pdf&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Issues of Data Privacy in Overseas Outsourcing Arrangements</title><link>https://www.thario.net/post/historic-issues-of-data-privacy-in-overseas-outsourcing-arrangements.html</link><pubDate>Sat, 28 Jun 2008 07:11:00 +0000</pubDate><guid>https://www.thario.net/post/historic-issues-of-data-privacy-in-overseas-outsourcing-arrangements.html</guid><description>&lt;p&gt;Outsourcing is a business concept that has been receiving much attention in the new millennium. According to Dictionary.com (2008) the term outsourcing means to obtain goods or services from an outside source. The process of outsourcing a portion of a business&amp;rsquo; work or material needs to an outside provider or subcontractor has been occurring for a long time. The information technology industry and outsourcing have been the focus of editorials and commentaries regarding the movement of technical jobs from the United States to overseas providers. The globalization of business through expanding voice and data communication has forged new international partnerships and has increased the amount of outsourcing happening today. Businesses in the U.S. and Europe spend billions in outsourcing agreements with overseas service providers. According to Sharma (2008), spending for outsourcing in the European Union is almost $150 billion (GBP) in 2008. The overriding goal in outsourcing work to a local or overseas provider is to reduce the operations cost for a particular part of the business. Many countries, such as India and China have lower wages and businesses in the U.S. 
and Europe can save money by hiring an overseas contractor to perform a portion of their work.&lt;br /&gt;&lt;br /&gt;Outsourcing is gaining popularity in the information age by assisting information technology companies in performing some of their business tasks. This can include data processing, and call routing and handling. With the growth of the technology industry also comes the problem of maintaining and protecting private information about the details of individuals, such as medical history or financial data. Many countries such as the United States and Europe have mandatory personal data privacy laws. These laws do not automatically translate to national laws where the outsourcing service provider is located, or potentially the service provider&amp;rsquo;s subcontractors. This paper discusses the issues of outsourcing work to an overseas provider when personal data is involved in the outsourced tasks. It presents several solutions to help manage the risk of data breaches caused by disparate laws in countries currently popular for information technology outsourcing. The most common types of work outsourced to overseas service providers include bulk data processing, call center handling, and also paralegal outsourcing. The last example of overseas outsourcing can include work such as legal research, contract and brief writing, and transcription. Outsourcing firms typically do not have a U.S. law license, which limits the extent of their involvement in legal work.&lt;br /&gt;&lt;br /&gt;The United States is expanding national information protection laws. Two of the most common laws are the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB). The U.S. Congress enacted the HIPAA act in 1996. It is related to the protection of health information that can be used to identify someone or disclose a medical condition. 
&amp;ldquo;The data privacy and security requirements of HIPAA apply to health plans, health care providers, and health care clearinghouses. Among its many requirements, HIPAA mandates the creation and distribution of privacy policies that explain how all individually identifiable health information is collected, used, and shared.&amp;rdquo; (Klosek, 2005). U.S. Congress enacted the GLB act in 1999. The Financial Privacy Rule of the Act is related to documenting and auditing the processes used by an organization for assuring privacy of information that can identify persons, as in HIPAA, and private data about their finances. Both HIPAA and GLB require the organization to publish the information privacy policy and notify the consumer each time it changes. &amp;ldquo;[&amp;hellip;] The GLB Act focuses upon privacy of the non-public information of individuals who are customers of financial institutions.&amp;rdquo; (Klosek, 2005).&lt;br /&gt;&lt;br /&gt;The U.S. is not considered at the forefront of privacy protection laws. Likewise, many countries have absolutely no privacy protection laws for their citizens. The European Union is one of the strictest regions with respect to data privacy and outsourcing work that handles private information. The privacy directive for the entire EU was passed in 1998. It specifies a minimum standard for all member countries to follow in handling private personal data and transferring it between companies inside and outside of the European Union. &amp;ldquo;The EU privacy directive 1998 aims to protect the privacy of citizens when their personal data is being processed. [&amp;hellip;] One of the provisions of this directive [&amp;hellip;] addresses the transfer of personal data to any country outside of the EU.&amp;rdquo; (Balaji, 2005). In most cases, European companies transferring personal data to an overseas outsourcing provider would need to assure the contractor follows the EU rules for handling and processing the data. 
The EU is also in the process of pre-certifying certain countries for properly handling personal data according to the directive standards. Businesses in the Philippines have been providing outsourcing solutions for information technology businesses for over a decade. Estavillo (2006) states the government has increased its focus on keeping the outsourcing landscape fertile in the Philippines. It has created an optional certification program for local businesses based on the government&amp;rsquo;s own guidelines for protection of information used in data processing and communications systems. The government hopes to continue to expand its reach into enforcing data protection by penalizing unlawful activities such as data breaches and unauthorized access to data intensive systems. Recently ISO has started an international certification effort called ISO 27001. The purpose of the certification is to prove a company documents and follows information security practices and controls. Ely (2008) points out that an ISO 27001 audit is against the processes of the outsourcing provider&amp;rsquo;s choosing, and to make sure the outsourcing firm follows the industry&amp;rsquo;s best practices and compliance guidelines of the home country and it deeply understands them. Often an overseas company will adopt HIPAA or Payment Card Industry (PCI) standards for handling of personal data and be certified against that standard for ISO 27001. Any size company can be certified under this standard, and there are no international restrictions regarding who may be certified.&lt;br /&gt;&lt;br /&gt;Outsourcing work in the information technology industry almost always includes the access or transfer of data between the client organization and the outsourcing provider. Voice conversations and movement of data over an international connection can be subject to interception and monitoring by U.S. and foreign surveillance programs. 
Ramstack (2008) finds that &amp;ldquo;[&amp;hellip;] paralegal firms in India are doing a booming business handling the routine legal work of American law firms, such as drafting contracts, writing patents, indexing documents or researching laws.&amp;rdquo; A lawsuit was filed in May of 2008 that requests a hold on new legal outsourcing work until outsourcing companies can provide assurances that data transferred overseas can be protected against interception by U.S. and foreign intelligence collection agencies. The fear is that private legal information about citizens could be transferred from intelligence agencies to law enforcement agencies in the same or allied countries.&lt;br /&gt;&lt;br /&gt;The mix of international standards and laws offers little hope of legal action across borders when personal data is misused or illegally accessed. The flood of competition among overseas outsourcing companies does offer some hope that reputations are extremely important for sensitive outsourcing agreements. Once an outsourcing provider has been tainted with a bad reference for bulk data processing of foreign citizens&amp;rsquo; medical information, for example, it will limit the firm&amp;rsquo;s financial upside until its reputation can be rebuilt. All of the focus should not be only on the outsourcing provider. It is important for an organization to define and understand its own processes involving data privacy internally before beginning an outsourcing agreement. People within the business who work around and regularly handle private data should be included early in the process of defining the requirements about outsourcing information-related work. These contributors can include the IT and business controls staff members and staff supporting the efforts of the CIO&amp;rsquo;s office. A cross-company team should define the conditions needed to work with private data regardless of the outsourcing group - local or overseas. 
They can also help define constraints placed on the outsourcing service provider. &amp;ldquo;Ensure that the contractual arrangement covers security and privacy obligations. Include language in the contract to articulate your expectations and stringent penalties for violations. Review your provider&amp;rsquo;s organizational policies and awareness training for its employees.&amp;rdquo; (Balaji, 2004).&lt;br /&gt;&lt;br /&gt;Large outsourcing providers may choose to outsource their work to smaller companies in their local country. It is important to be able to control the primary outsourcing company&amp;rsquo;s ability to subcontract work to other providers or to require that data handling standards in the contract are transitive to all subcontractors who may become involved, at the risk of the original outsourcing provider. In this case it is also important to have the outsourcing service provider identify in advance all or most of the subcontractors involved to obtain references. It is important to define in the outsourcing contract what happens when the relationship terminates. The transition plan for the end of the outsourcing agreement must include a process for obtaining control of data transferred to the outsourcing provider from the customer organization. There should be a way to return the data to the customer organization or assure its destruction on the outsourcing provider&amp;rsquo;s information systems.&lt;br /&gt;&lt;br /&gt;Although it has been a part of business for as long as there has been business, outsourcing in the information age brings with it new risks as well as opportunities for business cost optimization and scaling. Risks in outsourcing information services for private data can be mitigated partially through a detailed contract in addition to outsourcing vendor transparency. 
The best way to ensure compliance to contractual terms is to be sure the customer organization understands their own data privacy standards and treats all outsourcing situations with the same requirements followed internally. The customer organization should perform or obtain third-party audit reports of the outsourcing provider&amp;rsquo;s processes and systems for ongoing reassurance of proper handling of private data.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Balaji, S. (2004). Plan for data protection rules when moving IT work offshore. Computer Weekly. 30 November 2004, Pg. 26.&lt;br /&gt;&lt;br /&gt;Ely, A. (2008). Show Up Data Sent Offshore. INFORMATIONWEEK, Tech. Tracker. 2 June 2008, Pg. 37.&lt;br /&gt;&lt;br /&gt;Estavillo, M. E., Alave, K. L. (2006). Trade department prods outsourcing services to improve data security. BusinessWorld. 9 August 2006, Pg. S1/1.&lt;br /&gt;&lt;br /&gt;Klosek, J. (2005). Data privacy and security are a significant part of the outsourcing equation. Intellectual Property &amp;amp; Technology Law Journal. June 2005, 17.6, Pg. 15.&lt;br /&gt;&lt;br /&gt;Outsourcing. (n.d.). Dictionary.com Unabridged. Retrieved June 23, 2008, from Dictionary.com website: &lt;a href="http://dictionary.reference.com/browse/outsourcing"&gt;http://dictionary.reference.com/browse/outsourcing&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Ramstack, T. (2008). Legal outsourcing suit spotlights surveillance fears. The Washington Times. 31 May 2008, Pg. 1, A01.&lt;br /&gt;&lt;br /&gt;Sharma, A. (2008). Mind your own business. Accountancy Age. 14 February 2008, Pg. 
18.&lt;/p&gt;</description></item><item><title>Research Essay on Signaling System 7</title><link>https://www.thario.net/post/historic-research-essay-on-signaling-system-7.html</link><pubDate>Fri, 30 May 2008 11:45:00 +0000</pubDate><guid>https://www.thario.net/post/historic-research-essay-on-signaling-system-7.html</guid><description>&lt;p&gt;This research paper describes a telecommunications standard called Signaling System 7 (SS7). This technology defines a signaling system for control and routing of voice calls between telephone switches and switching locations. SS7 uses out-of-band signaling to place and control calls. It replaces an older system of in-band signaling to control telephone equipment. In-band signaling means the audio channel is used as a control channel for telephone switches. Operators would use tones over the audio channel to connect switches and open paths to the call destination. The use of out-of-band signaling means that control of creating an audio path through telephone switches is performed through a separate data channel that connects the switches together. The caller does not have access to this signaling channel, as they do for in-band signaling. SS7 can also carry data to switching locations about the calls they route. This data can include information for purposes of billing network time back to the call&amp;rsquo;s originating network and the caller&amp;rsquo;s account.&lt;br /&gt;&lt;br /&gt;&amp;ldquo;Signaling System 7 (SS7) is a set of telephony signaling protocols that are used to set up and route a majority of the world&amp;rsquo;s land line and mobile public switched telephone network (PSTN) telephone calls.&amp;rdquo; (Ulasien, 2007). SS7 provides more efficiency and reliability for call handling than in-band signaling. SS7 controlled calls can verify that the audio path for a call is ready to initiate, for example, and not create the audio path until the call is answered at the other end. 
Another example is if the destination phone number returns a busy signal, no audio path needs to be established and the switch directly connected to the caller can generate the busy sound. The strategy of delaying the creation of the audio path until the last moment prevents wasted bandwidth within the switching infrastructure. This scenario would not be possible with in-band signaling, since in-band signaling depends on having an audio path established prior to anyone answering the other end of the call. SS7 allows the creation of innovative customer features and the use of rules-based capabilities for call routing that were previously impossible with in-band signaling technology.&lt;br /&gt;&lt;br /&gt;Signaling System 7 began development in the 1970s and saw wide deployment beginning in the early 1990s. The technology research and development was sponsored by AT&amp;amp;T and originally named the Common Channel Signaling System (CCSS). AT&amp;amp;T proposed it to the International Telecommunications Union as a standard beginning in 1975. SS7 was issued as a standard in 1980 and has been refined three times since. The ITU Telecommunications Standardization Sector (ITU-TS) develops global SS7 standards. The ITU allows different countries or organizations to make their own refinements and extensions to the global SS7 standard. The American National Standards Institute (ANSI) and Bellcore define a regional SS7 standard for North America and Regional Bell Operating Companies (RBOCs).&lt;br /&gt;&lt;br /&gt;Before the adoption of Signaling System 7, the only path between telephone switches was the audio channel. Telephone operators would use in-band signaling to set up long distance calls, or route international calls over cable or satellite using touch-tones. Maintenance crews would put telephone switches into special modes using sequences of tones to turn off accounting or allow operations a normal user would not be able to perform. 
In-band signaling is not just used to control telephone switches. We encounter in-band signaling often through the use of telephone-based services from vendors. Call routing through most of today&amp;rsquo;s large corporate phone systems requires extensive use of the touch-tone keypad. Most voicemail systems require us to enter our personal identification numbers using tones to access messages. Your bank might provide a system to check your balances or transfer money through a phone-based system that uses touch-tones to enter your account information and direct your choices. In-band signaling works well for low-bandwidth situations, such as entering an account code or choosing a menu. Routing instructions to telephone switches can result in a complex series of tones representing access codes and phone numbers. Although it is useful for vendors in providing self-service capabilities to customers, in-band signaling for mission-critical systems, such as unprotected telephone switching networks, has been exploited. Exposure of the signaling channel meant that sometimes callers would discover and record the in-band signaling tones used to route calls and control switches. Sometimes the audio signals were discovered completely by accident. During the 1970s and 1980s people such as John Draper (Captain Crunch) were known for their little home-built boxes that could connect to telephone jacks and send sequences of tones to obtain free long distance calls. These were known as black boxes or blue boxes. A whistle that came as a prize in his cereal inspired John Draper&amp;rsquo;s blue box creation. &amp;ldquo;The box blasted a 2600-Hz tone after a call had been placed. That emulated the signal the line recognized to mean that it was idle, so it would then wait for routing instructions. 
The phreaker would put a key pulse (KP) and a start (ST) tone on either end of the number being called; this compromised the routing instructions, and the call could be routed and billed as a toll-free call. Being able to access the special line was the basic equivalent to having root access into Bell Telephone.&amp;rdquo; (Cross, 2007).&lt;br /&gt;&lt;br /&gt;Signaling System 7 moves the signaling channel out of the audio channel, and it is no longer accessible to the parties participating in the call. SS7 specifies that telephone switches connect together using a dedicated digital network used only for signaling and managing calls. The signaling network among switches is similar to a traditional computer network. The signaling network can be designed for redundancy and does not need to take the same physical path as the voice data paths. In addition to relocating the signaling channel, the protocol allows for the creation of new and innovative features related to how calls are controlled and routed through the network. The Intelligent Network is a telecommunications industry term and described by Zeichick (1998) as having more reliance on digital technologies, more contextual information about calls in addition to the voice data, and more control provided to the end user for controlling how their telephone experience works. Caller ID works, for example, because the originating caller information is passed from switch to switch through the signaling channels. As mobile phone callers move around, SS7 signaling protocol helps switches find the proper route for calls to this person&amp;rsquo;s phone. The destination switch for a mobile phone moving in a train or automobile can change quickly. Call routing between switches is optimized with SS7&amp;rsquo;s definition of shared databases that are accessed through the signaling network. The databases contain rules about how calls should be routed to their destination. 
Switches on an SS7 network can query shared databases to find out which provider owns a phone number and how to route the call to that number. The databases can also contain feature-specific information. This aspect of the SS7 implementation has been characterized as client-server, meaning the switches act as clients to the shared databases with rules and other information for managing calls. &amp;ldquo;SS7 links the telephone system with a client-server computer architecture to create a distributed, efficient and easily modified telephone infrastructure. The computers use information from common databases to control call switching and to allow the transfer of messages within the system.&amp;rdquo; (Krasner, 1997).&lt;br /&gt;&lt;br /&gt;New technologies are testing the longevity of the Signaling System 7 protocol. Packet switched voice over IP is causing some disruption in SS7 space. However, there is more emphasis on integration and signaling gateways than replacement of existing SS7 infrastructure with something more recent. Session Initiation Protocol (SIP) is a signaling protocol for controlling audio and video connections over Internet Protocol networks. It can be implemented in hardware or software. SIP can be used for voice, video conferencing, and instant messaging and other types of streaming multimedia. H.323 is another streaming multimedia signaling protocol used for audio and video over Internet packet networks. Microsoft&amp;rsquo;s NetMeeting application uses H.323 as its protocol to connect NetMeeting nodes together in a wide-area conference. H.323 is also a recommendation by the ITU-TS. &lt;br /&gt;&lt;br /&gt;The business value of SS7 is that it provides opportunities for security, efficiency and optimization of call routing, and it provides the foundation to build innovative features for call handling using contextual information about calls and shared databases. 
It is a standards-based protocol and has been used throughout the world&amp;rsquo;s established telecommunications providers for over a decade. The protocol defines the means by which telephone switches exchange call routing and feature information - it does not assume voice data is carried on any particular medium as calls are transferred through the system. This simple abstraction with SS7 allows it to work with new technologies as they arrive in the mainstream. It is possible for SS7 to work within a mixed-technology environment including circuit-switched and packet-switched data networks. Ulasien (2007) says that the extensibility of SS7 allows the incremental migration of an organization from circuit switched to packet switched calls. The voice network is turning into the streaming media network and SS7 will continue to be tested in its role of connection maker and gateway to more recent communication technologies such as VOIP and video conferencing.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Cross, Michael. (2007). Developer&amp;rsquo;s Guide to Web Application Security. Syngress Publishing 2007. ISBN:9781597490610.&lt;br /&gt;&lt;br /&gt;Hewett, Jeff. (1996). Signaling System 7: the mystery of instant worldwide telephony is exposed. Electronics Now. 67.n4 (April 1996): 29(7).&lt;br /&gt;&lt;br /&gt;Krasner, J. L., Hughes, P. &amp;amp; Klapfish, M. (1997). SS7 in transition. Telephony. 233.n14 (October 6, 1997): 54(4).&lt;br /&gt;&lt;br /&gt;Ulasien, Paul. (2007). Signaling System 7 (SS7) Market Trends. Faulkner Information Services. Document 00011475. July 2007.&lt;br /&gt;&lt;br /&gt;Zeichick, Alan. (1998). Lesson 125: Signaling System 7. Network Magazine. 
December 1, 1998: NA.&lt;/p&gt;</description></item><item><title>Concepts and Value of the "4+1" View Model of Software Architecture</title><link>https://www.thario.net/post/historic-concepts-and-value-of-the-41-view-model-of-software-architecture.html</link><pubDate>Fri, 30 May 2008 11:40:00 +0000</pubDate><guid>https://www.thario.net/post/historic-concepts-and-value-of-the-41-view-model-of-software-architecture.html</guid><description>&lt;p&gt;This essay describes the concepts and value of the &amp;ldquo;4+1&amp;rdquo; View Model of Software Architecture described by Philippe Kruchten in 1995. The purpose of the 4+1 view model is to provide a means to capture the specification of software architecture in a model of diagrams, organized into views. Each view represents a different concern and diagrams within each view use a diagramming notation suitable for that diagram&amp;rsquo;s purpose. The answers provided in each view answer questions related to the structure, packaging, concurrency, distribution, and behavior of the software system. The &amp;ldquo;+1&amp;rdquo; is a view of the scenarios and behavior of the software being described. This view drives development of the other views. The value the 4+1 view model approach brings to software architecture is that it is not specific to any class of software system. The principles behind the 4+1 view model can be applied to any scale of software system, from embedded software to web applications distributed across many collaborating servers. The software architecture of business IT systems can be represented using the 4+1 view model.&lt;br /&gt;&lt;br /&gt;What is a model? 
&amp;ldquo;A model plays the analogous role in software development that blueprints and other plans (site maps, elevations, physical models) play in the building of a skyscraper.&amp;rdquo; (OMG, 2005) Software can be specified using just textual requirements or it can be shown as a model of collections of diagrams with textual notes describing specific details. Models provide a filter for humans to deal with a lot of information at one time. Models give us a big picture, just like a blueprint does. Diagrams within a model can be organized by subject, purpose, or locality within a system. For building construction, a single page in a roll of blueprints might describe the routing plan for plumbing or electrical conduits. A different page might detail the foundation. Likewise, a diagram within a model might show us the structure of the database. A different diagram will show where each piece of the software runs on a network. The content of diagrams in models can be at any level of &amp;ldquo;zoom&amp;rdquo; to describe parts of the software. Simple data structures can be described in a diagram, as can complex scenarios carried out by several servers in synchronization. Kruchten&amp;rsquo;s purpose in the 4+1 view model is to capture and document the software&amp;rsquo;s architecture using diagrams organized in several views.&lt;br /&gt;&lt;br /&gt;What is software architecture? &amp;ldquo;Software architecture is the principled study of the overall structure of software systems, especially the relationship among subsystems and components.&amp;rdquo; (Shaw, 2001) I interpret the word &amp;ldquo;relationship&amp;rdquo; in this context to mean many possible kinds of relationships. One kind of relationship between subsystems is where one subsystem relies on the services of another subsystem. There can be a behavioral relationship among subsystems, where the protocol of messages between them must be documented. 
Another type of relationship among subsystems is collocation - how do they communicate? Can they communicate? What is the mechanism used to store transaction data and are the interfaces and support code packaged within each subsystem to allow data storage to happen? These are all questions answered by information at the level of software architecture. &amp;ldquo;Software architecture is concerned with the high-level structures of a software system, the relationships among them, and their properties of interest. These high-level structures represent the loci of computation, communication, and implementation.&amp;rdquo; (Garlan, 2006)&lt;br /&gt;&lt;br /&gt;A driving force behind the 4+1 view model is that a single diagram cannot communicate information about all the different kinds of relationships within a software system. A diagram that showed all the different concerns of a software&amp;rsquo;s architecture simultaneously would be overwhelming. Each view in the 4+1 view model has a different concern or subject. Multiple diagrams can exist within each view, like files exist within a folder by subject. Modeling and diagramming tools are used to create diagrams and organize them when applying the 4+1 view model. Many tools exist to build diagrams, including Microsoft Visio (VISIO, 2008), Enterprise Architect (EA, 2008) and Rational Software Architect (RSA, 2008). Kruchten uses a notation called the Booch notation in his paper to capture information in his diagrams for each view. Since Kruchten wrote his paper over ten years ago, the Booch notation has been refined and was contributed into the Unified Modeling Language specification from the Object Management Group.&lt;br /&gt;&lt;br /&gt;The 4+1 views are the logical view, process view, development view and physical view. The &amp;ldquo;+1&amp;rdquo; view contains the scenarios that represent the system&amp;rsquo;s interaction with the outside world. The scenarios are requirements. 
They drive the development of the other views of the architecture. The logical view contains the decomposition of the system into functions, structures, classes, data, components and layers. Kruchten points out that several different types of diagrams might be necessary within the logical view, to represent code, data, or other types of decomposition of the requirements. Mainly the scenarios, or &amp;ldquo;+1&amp;rdquo; view, influence development of this view. The logical view is needed by the development and process views. The process view is concerned with the actual running processes in the deployed system. Processes are connected to each other through communication channels, like remote procedure calls or socket connections. Elements within the logical view run on processes, so there is traceability from the process view back to the logical view. Some projects, like the development of a code editor, will not require a process view since there is only one process involved.&lt;br /&gt;&lt;br /&gt;The third view is the development view. The scenarios and the elements in the logical view drive the contents of the process view. The development view documents the relationships and packaging of the elements from the logical view into components, subsystems and libraries. Diagrams within a development view might show which classes or functions are packaged into a single archive for installation. The diagrams within the development view should allow someone to trace back from a package of code to elements in the logical view. Dependencies among packages of code are documented in this view also. The fourth view is the physical view and it is created from the scenarios, process view and development view. The fourth view shows the allocation of packages of code and data, and processes to processing nodes, e.g. computers. 
The relationship between nodes is also shown in this view, usually in the form of physical networks or other physical data channels that allow processes on different nodes to communicate. The final &amp;ldquo;+1&amp;rdquo; view is the scenarios, which represent requirements for the behavior of the system. Kruchten&amp;rsquo;s paper shows examples using object scenario and object interaction diagrams. One could also use classic flow charts, use cases or UML activity diagrams to capture the scenarios of the software system. At a minimum, the scenarios should document how the system behaves and interacts with the outside world, either with people or with other systems.&lt;br /&gt;&lt;br /&gt;The information captured within a &amp;ldquo;4+1&amp;rdquo; View Model of Software Architecture is common to all software systems and can be applied as a general approach to document and communicate about information systems. Business information systems are very often database-centric, and use fat-client or web-based interfaces to enter, search, update and remove data. A business system can enforce a workflow of approvals before it allows a transaction to complete. Data warehousing solutions exist to archive, profile and find patterns in data for new. Many businesses are deploying self-service web sites for customers to interact with their business without constraining the customer to specific times a transaction can take place. Each of these qualities of business systems can be captured with one or more views of the &amp;ldquo;4+1&amp;rdquo; model. A logical view can be used to document the database schema, code modules, and even individual pages of content within a web solution. The development view for a J2EE solution would document how HTML files, JSP files, and Java code are packaged into archive files before deployment to the application server. The process view for a client-server database system would show code modules assigned to the user&amp;rsquo;s application process. 
The database schema and stored procedures would be assigned to the relational database server processes. Finally, a physical view of a web-based database application would show separate servers for the web and database. The web server process from the process view would be assigned to the web server node, as would the packages of HTML, CGI and other code in the development view. The physical view would also show a similar traceability for the database server node.&lt;br /&gt;&lt;br /&gt;The value of &amp;ldquo;4+1&amp;rdquo; View Model of Software Architecture is that it serves as general guiding principles to answer the question of what needs to be documented at a minimum when describing software architecture. Each view within the model has a well-defined subject or concern for the diagrams that are organized within the view. All software can be described in terms of behavior, structure, packaging and where it executes. These are the basic qualities the 4+1 view intends to document for easier human consumption. There are no official constraints to the notation styles that can be used by diagrams in each view. When applied to larger systems the logical view will contain many types of diagrams. The notation independence makes it a very flexible approach to use for many styles of software. When it is taught to a team along with diagramming skills, it can be used as a significant form of communication and provide clarity among software project team members when creating new or documenting legacy IT projects.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Garlan, D., Schmerl, B. (2006). Architecture-driven Modeling and Analysis. 11th Australian Workshop on Safety Related Programmable Systems (SCS &amp;rsquo;06).&lt;br /&gt;&lt;br /&gt;Kruchten, P. (1995). Architectural Blueprints - The &amp;ldquo;4+1&amp;rdquo; View Model of Software Architecture. IEEE Software 12 (6), 42-50.&lt;br /&gt;&lt;br /&gt;Object Management Group. (2005). 
Introduction to OMG UML. Retrieved May 10, 2008 from &lt;a href="http://www.omg.org/gettingstarted/what_is_uml.htm"&gt;http://www.omg.org/gettingstarted/what_is_uml.htm&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Rational Software Architect product page. (2008). Retrieved May 10, 2008 from &lt;a href="http://www-306.ibm.com/software/awdtools/architect/swarchitect"&gt;http://www-306.ibm.com/software/awdtools/architect/swarchitect&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Shaw, M. (2001). The Coming-of-Age of Software Architecture Research. IEEE. 0-7695-1050-7/01.&lt;br /&gt;&lt;br /&gt;Sparx Systems home page. (2008). Retrieved May 10, 2008 from &lt;a href="http://www.sparxsystems.com.au/"&gt;http://www.sparxsystems.com.au&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>m0n0wall traffic shaping</title><link>https://www.thario.net/post/historic-m0n0wall-traffic-shaping.html</link><pubDate>Tue, 04 Mar 2008 02:55:00 +0000</pubDate><guid>https://www.thario.net/post/historic-m0n0wall-traffic-shaping.html</guid><description>&lt;p&gt;In this article I will discuss my configuration for traffic shaping using m0n0wall. My goals for traffic shaping include giving priority to VOIP traffic leaving my network and limiting the combined incoming traffic speed destined for my servers. Some of my assumptions are that you know how to configure your LAN and WAN networks in m0n0wall, you have NAT configured for your outbound LAN network traffic, and you are using the DHCP server for your LAN. 
The following image shows my LAN network configuration.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/7Dv764wYZxFATRXSrxIISw?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfNNyYq10qI/AAAAAAAAChA/SU8uaQbIIgs/s288/lan.png" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The DHCP server for my LAN network is configured to offer addresses from 192.168.85.100-192.168.85.199. I can&amp;rsquo;t ever imagine having more than 100 clients on my network. I use the addresses below .100 for static assignments on my LAN. My three servers are configured for static addresses on the LAN - they do not use DHCP. In addition to the three servers, the wireless access points are configured for static LAN addresses and the VOIP telephone adapter uses a fixed DHCP LAN address.&lt;br /&gt;&lt;br /&gt;I use inbound NAT for my Internet services to redirect HTTP, HTTPS and SMTP from the public firewall IP address to the desired server on the LAN. The following image shows the inbound NAT configuration. You will see HTTP and HTTPS are redirected to one server and SMTP is redirected to another server. 
In addition to these rules, m0n0wall will add rules to the firewall to allow this traffic to pass.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/8-4AQbtyOcSb32w4JkvAyg?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfNJw6gPPUI/AAAAAAAACgY/oBqot3af6QE/s288/inbound_nat.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The VOIP telephone adapter uses DHCP by default and I wanted to maintain the provider&amp;rsquo;s default configuration for the device. My strategy was to determine the network MAC address of the VOIP device and set the m0n0wall DHCP server to always offer the device the same LAN IP address. The following image shows the settings for the m0n0wall DHCP server for the VOIP adapter.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/-v6sUvqY9qWChmoamCWR_A?feat=embedwebsite"&gt;&lt;img src="http://lh5.ggpht.com/_ZXimk7khhu4/SfNOLd3gSdI/AAAAAAAAChI/xPlURnDNx_Q/s288/dhcp.png" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;From this configuration, I can now create rules in the traffic shaper to manage inbound and outbound traffic speed based on the LAN IP address. The first task is to define the pipes that will control inbound and outbound traffic. I have two pipes defined - one for all outbound traffic and one for inbound server traffic. 
I was able to verify my outbound Internet speed at about 1.5 Mbit. I subtracted about 6% from that and came up with 1434 Kbit. I talk about why you should do this in a previous article. The basic idea is that you only want to queue packets in your m0n0wall and prevent packets from queuing in your ISP router or any other device before the packet leaves your location. The only way to be sure is to throttle-down your outbound speed by a few percent. Your connection may need more or less, and you should experiment and re-test your settings once or twice a year.&lt;br /&gt;&lt;br /&gt;The second pipe is used to limit the maximum speed of incoming data to the servers. I want to limit the combined inbound traffic to all three of the servers to about 1 Mbit. The traffic that would pass through this pipe includes incoming mail delivery and incoming requests to the web server. This pipe will not impact web server responses, i.e. page content returned. Mail delivery between servers on the Internet happens asynchronously, so the client workstations will not care if a message delivery takes 1 second or 15 seconds to occur. Client workstations are interacting with servers on the local network, so they will not feel any of the shaping.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/ymXScG9sE8vZaGgSaa9CYw?feat=embedwebsite"&gt;&lt;img src="http://lh5.ggpht.com/_ZXimk7khhu4/SfNJxA1VAYI/AAAAAAAACgo/T52MHgoB8Vw/s288/pipes.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The strategy for outbound traffic is to give top priority for VOIP, second priority to workstations and last priority to outbound server traffic. 
To accomplish this I need three queues in the m0n0wall traffic shaper section. The three queues relate to the three outbound priorities previously mentioned. The first queue is for VOIP and has a weight of 50. The second queue is for workstation traffic and has a weight of 40. The last queue is for outbound server traffic and has a weight of 10. The total weight for all three queues adds up to 100 and the weights are completely relative. All three queues are connected to the outbound 1434 Kbit pipe. If there is no outbound VOIP and workstation traffic, the server queue with the weight of 10 will get the entire 1434 Kbit outbound pipe. See the following image for the queues.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/bAI9e9wA-poehxYkfz6Eig?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfNJxq9wywI/AAAAAAAACg4/YKlllf5cims/s288/queues.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The reality is that the VOIP traffic only takes about 100 Kbit of the outbound traffic when in use. Even though the weight of the high priority queue is set to 50, it will never use 50% of the 1434 Kbit outbound pipe, and all it does is guarantee that the VOIP service will get all the outbound bandwidth it needs.&lt;br /&gt;&lt;br /&gt;The final piece of the traffic shaping strategy is the rules that place outbound packets in a specific queue, or place inbound server traffic into the server pipe. Inbound VOIP and workstation traffic does not get shaped. The rules I use are based on traffic leaving a specific interface. Traffic leaving the WAN interface is traffic sent out to the Internet. 
Traffic leaving the LAN interface is traffic received from the Internet. With that, see the following image.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/qc7R-F4npXWQVIH2YKgLfw?feat=embedwebsite"&gt;&lt;img src="http://lh4.ggpht.com/_ZXimk7khhu4/SfNJxeK35XI/AAAAAAAACgw/XkMFYp6HW3g/s288/rules.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The first five rules are for outbound traffic destined for the Internet. Rule 1 places outbound VOIP traffic in the queue with weight 50. Rules 2-4 place outbound server traffic in the queue with weight 10. Rule 5 is a catch-all and places all other outbound traffic in the medium priority queue with weight 40. Rules 6-8 are for traffic leaving the LAN interface, in other words, inbound traffic from the Internet. These rules place traffic destined for my three servers into the 1 Mbit inbound pipe. These rules will constrain the combined inbound traffic to these servers to 1 Mbit. Only the inbound server traffic is shaped.&lt;br /&gt;&lt;br /&gt;With these pipes, queues and rules, I&amp;rsquo;ve accomplished my goal - VOIP traffic leaves first, workstation traffic leaves second, and server traffic leaves last, and inbound server traffic is limited to 1 Mbit. How can I tell if these rules are working? m0n0wall has a status.php page and you can see the byte and packet counts on these rules. To see these statistics, sign-in to your m0n0wall web console. Add status.php to the browser address. The page you will see is just a textual dump of various internal statistics. The statistic you want to review is the &lt;strong&gt;ipfw show&lt;/strong&gt; listing. 
The following image shows the statistics for my traffic shaper rules.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/2Oe1CNrVKH21lGXyg6Z2Yg?feat=embedwebsite"&gt;&lt;img src="http://lh5.ggpht.com/_ZXimk7khhu4/SfNJw4wCWJI/AAAAAAAACgg/J_Oqyx7dh5g/s288/ipfw.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;In this image you can see the queue and pipe rules with their packet and bytes counts. Take note of the &lt;strong&gt;out via dc0&lt;/strong&gt; and &lt;strong&gt;out via dc1&lt;/strong&gt; parts of the rules, which are my WAN and LAN network adapters. The first two rules and very last rule are automatically added by the m0n0wall software. You can see the queue 1 rule for high priority outbound VOIP traffic, coming from a specific LAN address. The next three rules for queue 3 are for low priority outbound server traffic, again based on LAN address. The queue 2 rule is the catch-all rule for outbound workstation traffic at medium priority. The next three rules are for inbound server traffic that is sent to the 1 Mbit pipe. All other inbound traffic is not shaped and matches the last rule.&lt;/p&gt;</description></item><item><title>m0n0wall hardware and bootstrap</title><link>https://www.thario.net/post/historic-m0n0wall-hardware-and-bootstrap.html</link><pubDate>Sun, 02 Mar 2008 10:11:00 +0000</pubDate><guid>https://www.thario.net/post/historic-m0n0wall-hardware-and-bootstrap.html</guid><description>&lt;p&gt;In this article I will discuss the hardware used in my home-brewed firewall and what I did to bootstrap the firewall with the &lt;a href="http://m0n0.ch/wall/"&gt;m0n0wall&lt;/a&gt; software image. 
My m0n0wall firewall is based on an older Dell Dimension V400. To get an idea of the machine age, this photo shows the original stickers promoting the Pentium II, Windows NT and Windows 98.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/hERU77gfQaCHn_tWJ0RWCw?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfNJt9mXVUI/AAAAAAAACfY/tdvHepQrBv4/s288/148_4894.JPG" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;This machine has a 400 MHz processor and 128 MB of RAM. I removed the hard disk and disconnected the floppy drive. The older CD-ROM drive was replaced with a spare Sony CD-RW. The tray on the original CD-ROM started to make grinding noises and stopped opening when the button was pressed. The machine started with one network adapter and I added two more Linksys LNE-100 PCI adapters. You can see all three 100 Mb PCI network adapters in the following photo.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/-GBWI14w38XHnP2-C5lFQA?feat=embedwebsite"&gt;&lt;img src="http://lh5.ggpht.com/_ZXimk7khhu4/SfNJu3rWZyI/AAAAAAAACfo/53Zfpu1rs9w/s288/148_4896.JPG" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The most educational part of the project for me was the installation of the compact flash IDE adapter and memory card. 
This device plugs directly into the IDE cable connector on the motherboard and can be used in place of a hard disk. A compact flash device won&amp;rsquo;t suffer a head crash or any other type of physical damage associated with a moving, mechanical hard disk. I wanted to eliminate the primary causes of a firewall crash, so it was this approach or a pair of mirrored hard disks. The memory card solution was much less expensive and provided me with some experience if I wanted to move to a &lt;a href="http://www.soekris.com/"&gt;Soekris&lt;/a&gt; or &lt;a href="http://www.logicsupply.com/"&gt;LogicSupply&lt;/a&gt; solid-state PC later.&lt;br /&gt;&lt;br /&gt;I used a compact flash IDE adapter from &lt;a href="http://www.startech.com/"&gt;StarTech&lt;/a&gt;, model &lt;a href="http://www.startech.com/Product/ItemDetail.aspx?productid=IDE2CFINT&amp;amp;c=US"&gt;IDE2CFINT&lt;/a&gt;. You can find them for less than $20. I bought mine from Amazon with a 2 GB memory card. StarTech&amp;rsquo;s site has several good close-up images of the adapter.&lt;br /&gt;&lt;br /&gt;In the following photo, you can see the compact flash IDE adapter plugged into the PC&amp;rsquo;s motherboard IDE cable connector. Along the right side of the compact flash IDE adapter is the memory card, which is plugged into a pin header. Above the memory card is a floppy drive power cable. The power for the adapter can come from the motherboard or from a floppy drive power cable. There is a jumper on the adapter to specify the source of power. 
I set it up initially this way, and it worked, so I left it.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/fRFbBV_OZFcnXUiyEcKzLg?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfNJwa_REZI/AAAAAAAACgI/LvnDwdoyi9M/s288/148_4900.JPG" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;This machine has two IDE channels; the first is used by the compact flash IDE adapter. The second channel is used by the CD-RW drive. You can see in the blurry background of the above photo the CD-RW cable connected to the motherboard&amp;rsquo;s second IDE channel below the compact flash IDE adapter. The cable comes up to the left of the compact flash IDE adapter and continues up to the CD-RW.&lt;br /&gt;&lt;br /&gt;The next step was to power up the machine and see what the Dell&amp;rsquo;s BIOS thought of these hardware changes. After I powered the machine and entered the setup screen, the BIOS automatically detected the compact flash IDE adapter and memory card as a 2 GB hard disk. It also recognized the Sony CD-RW. That&amp;rsquo;s it! Save settings and exit.&lt;br /&gt;&lt;br /&gt;The next interesting task was to write the m0n0wall software image to the memory card in the PC. I have the one compact flash IDE adapter, so my approach to load the software was somewhat improvisational based on the machine I was using and the resources I had available to me the evening I decided to take this on. For me to be able to load the m0n0wall software, I had to boot the machine with an operating system from the CD-RW and then transfer the m0n0wall image directly from some media to the compact flash IDE adapter. 
I decided the easy approach would be to boot a &lt;a href="http://www.freebsd.org/"&gt;FreeBSD&lt;/a&gt; or Linux installation disk, enter a rescue mode and get to a command prompt where I would have the basic tools available. For example, the &lt;a href="http://www.centos.org/"&gt;CentOS&lt;/a&gt; 5.1 rescue mode on disk 1 has the &lt;a href="http://en.wikipedia.org/wiki/Dd_%28Unix%29"&gt;dd&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Gunzip"&gt;gunzip&lt;/a&gt; utilities I need to write the m0n0wall software image to the memory card.&lt;br /&gt;&lt;br /&gt;What media would I get the m0n0wall software image from? At this point it was sitting on my PowerBook&amp;rsquo;s file system after downloading it from the m0n0wall web site. The Dell PC I am using for the firewall has two USB connectors on the back. Since I didn&amp;rsquo;t want to create a custom boot CD, I decided to try to boot from the CentOS 5.1 disk in the CD-RW and use a USB memory stick with a &lt;a href="http://en.wikipedia.org/wiki/File_Allocation_Table"&gt;FAT&lt;/a&gt; file system to contain the m0n0wall software image file. I formatted a USB memory stick with a FAT file system and simply copied the m0n0wall generic PC image to it. I plugged the USB memory stick into the back of the Dell and booted the CentOS 5.1 disk 1 from the CD-RW. I selected the rescue mode and made my way to a &lt;a href="http://en.wikipedia.org/wiki/Bash"&gt;Bash&lt;/a&gt; command prompt after a couple of questions. Once at a command line, I used the &lt;a href="http://en.wikipedia.org/wiki/Dmesg"&gt;dmesg&lt;/a&gt; command to see if the kernel had recognized the USB memory stick during boot and if it had been assigned a device name. The kernel did find it and created it as a pseudo-SCSI device.&lt;br /&gt;&lt;br /&gt;The next step was to &lt;a href="http://en.wikipedia.org/wiki/Mount_%28computing%29"&gt;mount&lt;/a&gt; the FAT file system of the USB stick into the rescue file system. 
The root of the CentOS rescue file system is a RAM disk so this was no problem. I created a directory called /tmp/usb and mounted the USB device there. I could see the m0n0wall image file now. Section &lt;a href="http://doc.m0n0.ch/handbook/setup-installing.html"&gt;3.2.2&lt;/a&gt; of the m0n0wall &lt;a href="http://doc.m0n0.ch/handbook/"&gt;handbook&lt;/a&gt; provides the basic template for the dd command in Linux to write the image to the memory card. I needed to take note of the different device names and location of the file containing the m0n0wall image.&lt;br /&gt;&lt;br /&gt;gunzip -c /tmp/usb/generic-pc-1.2XX.img | dd of=/dev/hdX bs=16k&lt;br /&gt;&lt;br /&gt;This took just a few seconds to complete. During the transfer of data, I could see the activity light on the StarTech IDE2CFINT flickering, so I knew something was really happening. I got a prompt back and summary from dd of how much data was written. I pulled the CentOS disk from the CD-RW and removed the USB stick from the back of the PC, and rebooted.&lt;br /&gt;&lt;br /&gt;I watched the Dell POST complete and soon after I saw the familiar spinning cursor of the FreeBSD boot loader, followed by kernel messages, and finally a m0n0wall console menu. The Dell PC booted from a compact flash memory card and m0n0wall was ready to be configured.&lt;/p&gt;</description></item><item><title>The Differentiator</title><link>https://www.thario.net/post/historic-the-differentiator.html</link><pubDate>Thu, 21 Feb 2008 03:18:00 +0000</pubDate><guid>https://www.thario.net/post/historic-the-differentiator.html</guid><description>&lt;p&gt;Are you a software engineer? Today is a good day. Have you read the news? 
Read &lt;a href="http://www.cnn.com/2008/TECH/space/02/21/satellite.shootdown/"&gt;here&lt;/a&gt; for a quick review about the &lt;a href="http://en.wikipedia.org/wiki/SM-3"&gt;SM-3&lt;/a&gt; missile versus the &lt;a href="http://en.wikipedia.org/wiki/USA-193"&gt;USA-193&lt;/a&gt; satellite smack-down that took place over the Pacific Ocean. &lt;br/&gt;&lt;br/&gt;This event was not exciting to me because it was a demonstration of American military capability - I mean, it was that, but my interests in the event have a different motivation. It was exciting to me because this was a hammering success for the software engineers that modified the Navy&amp;rsquo;s systems to pop that satellite over a hundred miles above the planet without a warhead. It wasn&amp;rsquo;t like the Navy had to get close enough to detonate the missile. They had to be dead on because this was a kinetic kill at closing speeds over 20,000 MPH. This event was a strong example of software as a differentiator. Missiles and rockets are becoming commodity items. Russia has them, China has them, and the Middle East has them or is testing them. In fact, most countries with a vowel in their name have missile capabilities. A missile is not a big deal - a tube with propellant. Light it off, it might go up, sideways, spin wildly or just fall over and explode. The SM-3 has been around for a few years, but the military has never admitted to trying to use it to shoot down a satellite in orbit. The SM-3 was originally designed to go nose-to-nose with incoming short and medium range missiles. The exciting story-behind-the-story for me is that software brought that satellite down and the SM-3 missile provided a reliable and high-performance lift for the software to find its target.&lt;br/&gt;&lt;br/&gt;Today software is the key differentiator in a world of commodity technology. Think about it. A majority of us have cell phones. They are shrinking in size and expanding in capability. 
Where does that capability ultimately come from? Why would you buy one phone over another? I select a phone and carrier based on features. Where do the features come from? Is it in the case, the antenna, the battery, the screen, or the memory card? All cell phones have these in one form or another. What differentiates them from one another is the software. The phone&amp;rsquo;s software realizes the capability to share a chat in your social network, send a ring tone to a friend, find an archived text message from your sibling, and to learn about the latest discounts at the stores in your area reported by the &lt;a href="http://en.wikipedia.org/wiki/GPS"&gt;GPS&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;Have you seen Ford&amp;rsquo;s new commercials recently? They are touting the &lt;a href="http://en.wikipedia.org/wiki/Ford_Sync"&gt;Sync&lt;/a&gt; system. In fact, they are spending a lot of money showcasing that and not MPG, crash tests, 60-0 stopping ability, etc. Whether or not that is a good idea is yet to be seen. The hardware that goes into Sync goes into a lot of in-car entertainment and phone systems: speakers, radio, CD, MP3 player, microphone, antenna, LCD screen and little buttons on the steering wheel. Big deal. Commodity items. What differentiates Sync is the voice recognition system and the integration of pieces inside and outside the system. So, what is Sync? It is the software that realizes the features and value proposal of the Sync concept.&lt;br/&gt;&lt;br/&gt;Today software is what differentiates individual pieces and parts from something innovative that creates new value. My final example is the &lt;a href="http://en.wikipedia.org/wiki/Prius"&gt;Toyota Prius&lt;/a&gt;. It has something called &lt;a href="http://en.wikipedia.org/wiki/Hybrid_Synergy_Drive"&gt;Hybrid Synergy Drive&lt;/a&gt;. It is not enough to say it is a gas and electric hybrid. That wouldn&amp;rsquo;t do it justice. 
It is a &lt;a href="http://en.wikipedia.org/wiki/Drive-by-wire"&gt;drive-by-wire&lt;/a&gt; system, and at its heart: software making the decisions when to go electric, gas, recharge, and much more. A human tasked with driving &lt;strong&gt;&lt;em&gt;and&lt;/em&gt;&lt;/strong&gt; making these continuous decisions on how to generate power most efficiently from all the available choices would not be practical or possible.&lt;br/&gt;&lt;br/&gt;Today is one more good day for software engineers - the people behind the Wizard&amp;rsquo;s curtain. Well done. I&amp;rsquo;ll see you at the bar for a toast. Without you, it&amp;rsquo;s just a box of pieces and parts.&lt;/p&gt;</description></item><item><title>VOIP and Traffic Priority</title><link>https://www.thario.net/post/historic-voip-and-traffic-priority.html</link><pubDate>Sun, 17 Feb 2008 09:06:00 +0000</pubDate><guid>https://www.thario.net/post/historic-voip-and-traffic-priority.html</guid><description>&lt;p&gt;Some time ago my employer asked if I would like to participate in a pilot of &lt;a href="https://www.callvantage.att.com/"&gt;AT&amp;amp;T CallVantage&lt;/a&gt; from my office. This service is a competitive offering to &lt;a href="http://www.vonage.com"&gt;Vonage&amp;rsquo;s&lt;/a&gt; VOIP service. With CallVantage, you get to pick a phone number in an area code of your preference, they send you a &lt;a href="http://en.wikipedia.org/wiki/Analog_telephony_adapter"&gt;telephone adapter&lt;/a&gt; in the mail and off you go. The telephone adapter connects over the Internet to the phone company, bypassing the local carrier&amp;rsquo;s wires. Within the week I had the telephone adapter. Getting the CallVantage service up and running was no trouble at all. There is a web portal to customize the service, like recording voice mail greetings and setting up a do-not-disturb schedule. You can review call history through the portal and place numbers into a phone book. You can also initiate calls from the web site. 
The service will ring your phone, wait for you to answer and then ring the other party&amp;rsquo;s phone.&lt;br/&gt;&lt;br/&gt;The telephone adapter I received in the mail was manufactured by &lt;a href="http://www.dlink.com/"&gt;D-Link&lt;/a&gt;. It is actually a combination telephone adapter and &lt;a href="http://en.wikipedia.org/wiki/Firewall"&gt;firewall&lt;/a&gt;, if you choose to use it that way. The network here was already equipped with a firewall, so I decided to use up one of my static IP addresses and place the adapter outside the firewall. The first time the adapter connected over the Internet with AT&amp;amp;T, it spent a few minutes downloading new code and rebooted a couple of times, and when it was ready for service the phone connected to it rang once. The status lights on the adapter showed all green.&lt;br/&gt;&lt;br/&gt;I had been using CallVantage for a few days and everything was working great until &amp;hellip; one day I was on a VOIP call and hosting a screen sharing session with some of my co-workers around the country. I was doing a code review, paging through an editor, showing some diagrams and talking about the design. From the network point-of-view there was a large amount of constant outbound traffic, some consisting of the screen data and some consisting of my VOIP data. Every couple of minutes someone would ask me to repeat something I said, because my voice had broken up for a brief moment. They described it as sounding similar to a cell phone breaking up, and other times they said I just went to dead air for a few seconds. I knew exactly what was happening - there was competition between VOIP and non-VOIP traffic and there was no control over which would leave my network first at any given time. It was time to seriously consider a solution to prioritize network traffic.&lt;br/&gt;&lt;br/&gt;The D-Link adapter has the ability to prioritize traffic if you use it as a pass-through device. 
You can configure the D-Link as a &lt;a href="http://en.wikipedia.org/wiki/Network_address_translation"&gt;NAT&lt;/a&gt; router or a &lt;a href="http://en.wikipedia.org/wiki/Network_bridge"&gt;bridge&lt;/a&gt;, placing it between your ISP&amp;rsquo;s router and your private network or existing firewall. The D-Link adapter will give priority to packets for VOIP and slow down or drop packets from your network devices to accomplish a poor man&amp;rsquo;s &lt;a href="http://en.wikipedia.org/wiki/Qos"&gt;QoS&lt;/a&gt;. I call it a poor man&amp;rsquo;s approach because I don&amp;rsquo;t actually think D-Link put a lot of thought and effort into it. I was always suspicious that the telephone adapter had a 10 Mbit network port on the WAN side. They put 100 Mbit ports on the LAN side. The WAN port speed was just a little too close to the upper bandwidth of the Internet connection here. There are days we get well over 10 Mbit on the inbound side of our connection, so this just seemed like a bad idea. In fact, it was a bad idea after I tried it. There was no improvement in the number of voice drop-outs. The next strategy was to move the D-Link adapter behind the firewall, reconfigure it for DHCP and use a more robust approach for traffic shaping and prioritization. The D-Link adapter would only be the source and destination for VOIP traffic. No other traffic would move through it. The solution I eventually adopted is open source. I will talk more on the actual implementation in a future post.&lt;br/&gt;&lt;br/&gt;The first thing to understand about VOIP audio quality is that you can only prioritize and shape outbound traffic. This is traffic leaving your network heading for your VOIP provider. I mean, you &lt;em&gt;&lt;strong&gt;can&lt;/strong&gt;&lt;/em&gt; prioritize inbound traffic on the receiving side, but by the time this happens, the traffic has already traversed your connection and has used up some portion of bandwidth. 
Prioritizing inbound traffic on the receiving side will rarely improve the audio quality you hear. There are reasons beyond VOIP to prioritize and shape inbound traffic on the receiving side, like slowing down the person downloading ISO files all day on Friday. A good example from the real world is highway traffic control. Traffic signals are placed at the on-ramps to the highway, not the off-ramps. Your Internet connection is like a point-to-point highway between your ISP and your site. If you want to prioritize inbound traffic for the purposes of VOIP audio quality, talk to your ISP (the on-ramp for the traffic coming to you) so they prioritize packets before sending them to your place. What about packets traveling between the VOIP provider and your ISP? Anything can happen there and it&amp;rsquo;s out of your control. Usually these interconnections are so fast, it&amp;rsquo;s not a significant factor in quality.&lt;br/&gt;&lt;br/&gt;The next bit of knowledge about prioritizing network traffic is to have &lt;em&gt;&lt;strong&gt;only one device&lt;/strong&gt;&lt;/em&gt; at your end making the determination about which packets go out first. This means you don&amp;rsquo;t want to flood your DSL or cable router with packets, because its queuing strategy might undo the order of packets you send to it. The only way to be sure the packet order is maintained is to reduce your outbound bandwidth slightly to make sure only one device on your end is queuing packets in the order you specify. You want to send packets just a little slower than your connection&amp;rsquo;s upper limit, to keep all the other device queues empty. If your ISP router gets a packet and its queue is empty, it can send that packet right out.&lt;br/&gt;&lt;br/&gt;We will use my office setup as an example. The outbound connection speed at my office is about 1.5 Mbit. We specify to our traffic shaping device to limit outbound speeds to about 1.4 Mbit. 
If you don&amp;rsquo;t do some amount of reduction and just blast packets to your ISP router at full speed, it may reorder them based on its internal rules, or it may just start dropping packets because the manufacturer designed it with a shallow queue. Because these are usually closed, proprietary devices, you just have to accept that you don&amp;rsquo;t know what it will do as packets queue up. For our case we have the traffic shaping device reduce our outbound speed by about 6.5%. You might need more or less of a reduction, and experimentation and tuning is a required step. Re-tuning should be done once or twice a year.&lt;br/&gt;&lt;br/&gt;Next, you need a way to identify traffic from specific devices on your network and determine what the classes of priority should be. In our network we have three classes of priority for outbound traffic. The highest priority traffic comes from the VOIP devices. Medium priority traffic comes from workstations. Lowest priority traffic comes from servers. Remember these priorities are only for traffic leaving the network for the Internet. Our internal network is 100 Mbit wired or 54 Mbit wireless, so workstations connecting to the local SMTP server don&amp;rsquo;t feel any of this prioritization. The reason servers are at the lowest priority is because there are a few non-essential web sites hosted here and an SMTP server that relays outbound mail. We really don&amp;rsquo;t care if it takes 5 seconds or 20 seconds to relay an outbound email, because it is all done as background work. The VOIP devices and servers are given internal, static addresses by the DHCP server, so we can determine a packet&amp;rsquo;s priority by source IP address.&lt;br/&gt;&lt;br/&gt;The device or software you choose to prioritize your traffic may have constraints on how traffic can be identified. For example, it may only be able to identify traffic based on source and destination IP port numbers, or protocol. 
A simple hardware device may prioritize traffic based on physical network port connections. I have a small consumer firewall that has five 100 Mbit LAN ports, and each port can be assigned a low, medium, or high priority. Do your research and work out your strategy before committing to a solution.&lt;br/&gt;&lt;br/&gt;I decided on an open source solution called &lt;a href="http://m0n0.ch/wall/"&gt;m0n0wall&lt;/a&gt; and a basic Dell PC with multiple network adapters. I stripped out the hard disk and floppy disk, kept the CD-ROM, added an IDE &lt;a href="http://en.wikipedia.org/wiki/Compact_flash"&gt;compact flash&lt;/a&gt; reader and a couple of extra fans just in case. I will go into details about my m0n0wall firewall and shaper settings in the next post.&lt;/p&gt;</description></item><item><title>Internet Service Provider</title><link>https://www.thario.net/post/historic-internet-service-provider.html</link><pubDate>Sun, 17 Feb 2008 05:27:00 +0000</pubDate><guid>https://www.thario.net/post/historic-internet-service-provider.html</guid><description>&lt;p&gt;My ISP is Comcast and I couldn&amp;rsquo;t be happier. &amp;ldquo;What!?&amp;rdquo; you say. I know, I know. Realize that most people deal with Comcast as a residential customer and the horror stories I hear are typically related to that class of service. There is another Comcast - the business services group. I am not sure at what point in the corporate hierarchy the two groups separate.&lt;br/&gt;&lt;br/&gt;Comcast provides an a la carte business service called Comcast Workplace. I have this service at my office. I pay monthly for two things: a connection that averages 10 Mbit inbound and 1.5 Mbit outbound, and a block of static IP addresses. Actually, the service agreement is for about 9 Mbit, but some days we get upwards of 12 Mbit. That&amp;rsquo;s it, no bundles, no block of useless email addresses, no free web storage, no browser toolbars, nothing. 
I am paying for exactly what is needed - bandwidth and addresses - no more. This is a business connection, and I run web and email servers here for a few low traffic domains. Inbound and outbound VPN is almost always running. The catch? In terms of paying for exactly what you need and obtaining a phone number directly to network engineers, expect to pay 2-3 times what you pay for residential cable Internet service. &amp;ldquo;What!?&amp;rdquo; you say again.&lt;br/&gt;&lt;br/&gt;A positive example of the service I get was when I needed to change the reverse lookup on the IP addresses. The customer support person at Comcast knew exactly what needed to happen and replied, &amp;ldquo;Please hold while I transfer you to network engineering.&amp;rdquo; The process took about 10 minutes on the phone and about 6 hours later the changes were live. After having the service in place since January 2006, the connection has been down once for a total of about 2-3 hours. That outage was due to a deep freeze here in Denver and that impacted equipment at Comcast&amp;rsquo;s location. They were attentive enough to send someone to my office within 45 minutes of reporting the outage to work the problem back to their site.&lt;br/&gt;&lt;br/&gt;For now, the office is happy and Comcast stays.&lt;/p&gt;</description></item><item><title>How I use m0n0wall</title><link>https://www.thario.net/post/historic-how-i-use-m0n0wall.html</link><pubDate>Sun, 10 Feb 2008 09:15:00 +0000</pubDate><guid>https://www.thario.net/post/historic-how-i-use-m0n0wall.html</guid><description>&lt;p&gt;It really has been about 1.5 years since my last post. I have been busy and now have plenty to write about.&lt;br /&gt;&lt;br /&gt;A few months ago I deployed a dedicated system running &lt;a href="http://m0n0.ch/wall/"&gt;m0n0wall&lt;/a&gt; at the edge of my network. I needed to find a firewall and router that could do the usual firewally things. 
I needed support for inbound and outbound NAT, DHCP and DNS for LAN clients, and inbound VPN when I am away. I did not want the firewall to rely on any other system in the network aside from the ISP&amp;rsquo;s router. Last year a new requirement surfaced in that the office needed shaping and prioritizing of traffic to and from the Internet. There is a VOIP adapter here for &lt;a href="https://www.callvantage.att.com/"&gt;AT&amp;amp;T CallVantage&lt;/a&gt;. &lt;a href="http://www.skype.com/"&gt;Skype&lt;/a&gt; is also used periodically. Real time traffic needs priority over everything else. Traffic related to the web and email servers needs to run at the lowest priority. Services like SMTP don&amp;rsquo;t need the full bandwidth of my connection here in either direction. I often find bursts of incoming SMTP can cause drop-outs on the VOIP calls. The several workstations on the network here need reasonable connectivity - higher priority than the servers but less than the VOIP traffic. Finally, if a class of service is not competing with any other, that service should get the bulk of available bandwidth regardless of priority.&lt;br /&gt;&lt;br /&gt;Here is a high-level diagram of my network.&lt;br /&gt;&lt;br /&gt;&lt;table style="width:auto;"&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/YDA781vSaJcxOxLFqK8uwA?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfNJwnOAm3I/AAAAAAAACgQ/IKXnTbOm4Pg/s288/Home%20Network.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family:arial,sans-serif; font-size:11px; text-align:right"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/M0n0wall?feat=embedwebsite"&gt;m0n0wall&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;With the next few postings, I will go into detail of how I successfully deployed m0n0wall on this network to satisfy these requirements.&lt;/p&gt;</description></item><item><title>PGP/GPG 
Keys</title><link>https://www.thario.net/post/historic-pgpgpg-keys.html</link><pubDate>Fri, 02 Jun 2006 04:11:00 +0000</pubDate><guid>https://www.thario.net/post/historic-pgpgpg-keys.html</guid><description>&lt;p&gt;I recently updated my PGP/GPG keys. I uploaded the public key to the MIT key server and a Google Sites page.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://pgp.mit.edu:11371/pks/lookup?op=get&amp;amp;search=0x4A1975F4"&gt;MIT Server&lt;/a&gt;&lt;br /&gt;&lt;a href="https://docs.google.com/open?id=0B7TY_M0bIhfUVmd4ckJoaVJwRkU"&gt;Google Drive&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Privacy and Search Terms</title><link>https://www.thario.net/post/historic-privacy-and-search-terms.html</link><pubDate>Sat, 08 Apr 2006 02:29:00 +0000</pubDate><guid>https://www.thario.net/post/historic-privacy-and-search-terms.html</guid><description>&lt;p&gt;AOL, Google, and Yahoo have been in the news about their responses to a Justice Department request for search terms used by the worldwide Internet community. AOL and Yahoo have agreed, while Google has refused to hand over the information. A &lt;a href="http://www.computerworld.com/governmenttopics/government/story/0,10801,109529,00.html"&gt;court battle&lt;/a&gt; is on the way.&lt;br/&gt;&lt;br/&gt;I really haven&amp;rsquo;t given this subject much thought until the other night when I was looking for references to my family name using Google. I searched on my name, family members&amp;rsquo; names, addresses and even phone numbers. Then it occurred to me - search terms do contain private data. How many times have I put someone&amp;rsquo;s name into a search engine to find out about them? By now, hundreds of times. The government has said repeatedly they are not interested in who is performing the search, but I also believe there is enough private data in search terms to restrict that data as well. 
Considering the amount of time Google and Yahoo have probably been archiving usage data for profiling and optimizing their services, there have to be mountains of search terms that would make an NSA analyst wet themself.&lt;br/&gt;&lt;br/&gt;How many people have put their social security number into a search engine to see if it has been compromised? How many people have put a credit card number into a search engine for the same reason? How many times have you searched on something related only to you? Perhaps something private about you?&lt;br/&gt;&lt;br/&gt;The more I thought about it, the more I believe that every bit of data related to Internet search should be maintained as private and should only be obtained through proper court authority.&lt;/p&gt;</description></item><item><title>Thoughts on the relationship between Rational Method Composer and EPF Composer</title><link>https://www.thario.net/post/historic-throughts-on-the-relationship-between-rational-method-composer-and-epfcomposer.html</link><pubDate>Wed, 22 Mar 2006 14:09:00 +0000</pubDate><guid>https://www.thario.net/post/historic-throughts-on-the-relationship-between-rational-method-composer-and-epfcomposer.html</guid><description>&lt;p&gt;This seems to be a topic of increasing discussion both inside &lt;a href="http://www.ibm.com/"&gt;IBM&lt;/a&gt; and within the &lt;a href="http://www.eclipse.org/epf/"&gt;Eclipse Process Framework&lt;/a&gt; community. Questions such as &amp;ldquo;Which offering will get feature XYZ first?&amp;rdquo; &amp;ldquo;Are they functionally equivalent?&amp;rdquo; &amp;ldquo;Should the customer buy Rational Method Composer or will EPF Composer do the same thing?&amp;rdquo; are asked weekly. To refresh everyone, &lt;a href="http://www-306.ibm.com/software/awdtools/rmc/"&gt;Rational Method Composer&lt;/a&gt; is a commercial tool by IBM Rational Software for the authoring of method content and for publishing configurations of method content as processes. 
EPF Composer is a subset of RMC code and was donated by IBM to the &lt;a href="http://www.eclipse.org/"&gt;Eclipse Foundation&lt;/a&gt; as open source. The idea over time is that EPF Composer will be a core component of RMC, while RMC will add value through proprietary features and support that might not be possible in a purely open source offering.&lt;br/&gt;&lt;br/&gt;I would like to see the relationship between EPF Composer and Rational Method Composer develop in the same way the relationship of &lt;a href="http://www.redhat.com/rhel/"&gt;Red Hat Enterprise Linux&lt;/a&gt; and &lt;a href="http://fedora.redhat.com/"&gt;Fedora Core Linux&lt;/a&gt; has evolved. Red Hat Enterprise Linux and Fedora Core Linux are the result of Red Hat&amp;rsquo;s experience in developing, maintaining, and selling Linux distributions over more than a decade. Red Hat Enterprise Linux is a commercial distribution of Linux that is sold by Red Hat. You cannot download RHEL executable code for free. Each major release of Red Hat Enterprise Linux is stable, evolves conservatively, and this all works very well if you are an IT administrator who does not want to deal with constant architectural churn of your server operating system. Fedora Core Linux, on the other hand, is entirely open source and is available in source or binary form for download by anyone. Fedora Core Linux pushes the technology barrier to the bleeding edge. One could consider Fedora Core Linux unstable in terms of constant change, yet revolutionary in terms of the capabilities it incorporates with this regular cycle of change. An example would be the inclusion of &lt;a href="http://www.cl.cam.ac.uk/Research/SRG/netos/xen/"&gt;Xen&lt;/a&gt; virtualization technology recently added to &lt;a href="http://fedora.redhat.com/docs/release-notes/fc5/"&gt;Fedora Core 5&lt;/a&gt;. Xen is developed out of the University of Cambridge. 
Imagine having virtual machine technology, like what mainframes have had for decades, as a standard feature of your PC operating system. How would having the ability to partition the operating system into multiple, independent virtual systems change the landscape of data center design? It will. Once it is there, administrators will begin to count on it. Xen is not quite stable, yet adding it to Fedora Core 5 will push Xen toward stability by making it accessible in a highly popular Linux distribution. As cutting edge features are added to Fedora Core Linux and stabilized, they are eventually consumed by Red Hat Enterprise Linux and supported over the long term [years] by the RHEL teams. We will see Xen show up in a future release of Red Hat Enterprise Linux when it has stabilized enough for commercial adoption. Additionally, proprietary features such as hardware device drivers and other closed-source capabilities can be found in RHEL, but will never make it to Fedora Core Linux.&lt;br/&gt;&lt;br/&gt;Let&amp;rsquo;s project this idea onto Rational Method Composer and EPF Composer. Imagine EPF Composer is where new experimental ideas are realized into the tool for authoring and publishing software processes. Risks would be taken here, changes happen quickly, and the essence of the tool represents the cutting edge of ideas in the IT process authoring space from experts in business and academia. As new concepts are stabilized in EPF Composer and deemed fit for commercial inclusion, they are consumed by Rational Method Composer and supported by the world&amp;rsquo;s largest Information Technology company and the service professionals behind it. This would not mean that Rational Method Composer would be behind the times in terms of features. 
It means those features taken from EPF Composer and added into Rational Method Composer would be supported over the long term [years] and allow for a predictable maintenance path for CIOs, on-site technical support and formal training professionals. Additionally, Rational Method Composer might get capabilities that are not applicable to an entirely open source tool. A partnership with another vendor might allow Rational Method Composer to import and export data with another commercial closed source tool. Such an agreement would not be possible in open source.&lt;br/&gt;&lt;br/&gt;I think it is important to define the nature of the relationship between these two offerings and how they will benefit from each other&amp;rsquo;s existence. This is one possible approach for how that relationship might evolve.&lt;/p&gt;</description></item><item><title>Tater</title><link>https://www.thario.net/post/historic-tater.html</link><pubDate>Fri, 17 Mar 2006 01:15:00 +0000</pubDate><guid>https://www.thario.net/post/historic-tater.html</guid><description>&lt;p&gt;After losing two dogs to completely different illnesses within one year, we recently adopted a new family member named &lt;a href="http://jim.thario.net/Tater/Tater.html"&gt;Tater&lt;/a&gt; from &lt;a href="http://www.nhcdrescuecolorado.com/index2.htm"&gt;New Hope Cattle Dogs of Colorado&lt;/a&gt;. He is about five months old now, and he appears to be mixed Cattle Dog and Pointer. 
We joke that he has an internal conflict of wanting to flush small animals out of bushes and then herd them back together.&lt;br /&gt;&lt;br /&gt;&lt;table style="width:194px;"&gt;&lt;tr&gt;&lt;td align="center" style="height:194px;background:url(http://picasaweb.google.com/s/c/transparent_album_background.gif) no-repeat left"&gt;&lt;a href="http://picasaweb.google.com/jim.thario/Tater?feat=embedwebsite"&gt;&lt;img src="http://lh4.ggpht.com/_ZXimk7khhu4/SfNCgIMF7mE/AAAAAAAACfQ/KwNt-AfTFwk/s160-c/Tater.jpg" width="160" height="160" style="margin:1px 0 0 4px;"&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="text-align:center;font-family:arial,sans-serif;font-size:11px"&gt;&lt;a href="http://picasaweb.google.com/jim.thario/Tater?feat=embedwebsite" style="color:#4D4D4D;font-weight:bold;text-decoration:none;"&gt;Tater&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/p&gt;</description></item><item><title>OPEN Process Framework Repository</title><link>https://www.thario.net/post/historic-open-process-framework-repository.html</link><pubDate>Fri, 17 Mar 2006 00:23:00 +0000</pubDate><guid>https://www.thario.net/post/historic-open-process-framework-repository.html</guid><description>&lt;p&gt;The following message was received today on the epf-dev mailing list for the &lt;a href="http://www.eclipse.org/epf/"&gt;Eclipse Process Framework&lt;/a&gt;. 
This is an exciting announcement from Donald Firesmith because it is another example of the process engineering community, both commercial and academic, bringing the content it has been developing for years to EPF to take advantage of the standardization of metamodel and tooling to author and publish the material.&lt;br/&gt;&lt;br/&gt;&lt;em&gt;On behalf of the OPEN Process Framework Repository Organization (&lt;a href="http://www.opfro.org"&gt;www.opfro.org&lt;/a&gt;) and the OPEN Consortium (&lt;a href="http://www.open.org.au/"&gt;http://www.open.org.au/&lt;/a&gt;), I would like to officially announce that we will be donating our complete OPFRO repository of over 1,100 reusable, open-source method components to the eclipse epf project as an additional third repository. Currently, our repository is based on the OPEN Metamodel, but we will shortly begin translating it to fit the epf SPEM metamodel and&lt;br/&gt;associated xml xsd. We will also be working over the next few weeks to determine what level of effort support we can donate to epf.&lt;br/&gt;&lt;br/&gt;Donald Firesmith&lt;br/&gt;Chair, OPFRO&lt;br/&gt;&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Eclipse Process Framework</title><link>https://www.thario.net/post/historic-eclipse-process-framework.html</link><pubDate>Wed, 15 Feb 2006 03:00:00 +0000</pubDate><guid>https://www.thario.net/post/historic-eclipse-process-framework.html</guid><description>&lt;p&gt;I am a committer on the &lt;a href="http://www.eclipse.org/epf/"&gt;Eclipse Process Framework&lt;/a&gt; (EPF) open source project. The code and content that makes up EPF was donated from the &lt;a href="http://www-306.ibm.com/software/awdtools/rmc/"&gt;Rational Method Composer&lt;/a&gt; product and the &lt;a href="http://www-306.ibm.com/software/awdtools/rup/index.html"&gt;Rational Unified Process&lt;/a&gt;. 
The open source version of RUP is called BUP, which stands for Basic Unified Process. Today you can download EPF Composer from the web site and begin authoring your own method content and publishing process configurations, or you can use the BUP method content and customize it for your own development project. There is also a published version of BUP available for download. EPF Composer and the published BUP web site are available from the EPF &lt;a href="http://www.eclipse.org/epf/downloads.php"&gt;download&lt;/a&gt; page.&lt;/p&gt;</description></item><item><title>Rational Method Composer</title><link>https://www.thario.net/post/historic-rational-method-composer.html</link><pubDate>Tue, 14 Feb 2006 06:00:00 +0000</pubDate><guid>https://www.thario.net/post/historic-rational-method-composer.html</guid><description>&lt;p&gt;This past year I joined the &lt;a href="http://www-306.ibm.com/software/awdtools/rmc/index.html"&gt;Rational Method Composer&lt;/a&gt; (RMC) team at &lt;a href="http://www.ibm.com/"&gt;IBM&lt;/a&gt;. Rational Method Composer is a tool to author method content and configure that method content into processes. RMC can be used for authoring software development processes, IT operations processes, or any complex business process that requires documentation and consistency. Processes can be published and distributed via HTML sites. What I like about RMC is that it brings the concept of knowledge reuse to process engineering. Method content can consist of the roles, tasks, and work products which are essentially smaller generic pieces of a process. Those pieces can then be assembled into a process configuration and published. 
Using the same library of method content, a process author could build a configuration for a new software project and also a configuration for product maintenance.&lt;/p&gt;</description></item><item><title>Tightening things up with DSHIELD</title><link>https://www.thario.net/post/historic-tightening-things-up-with-dshield.html</link><pubDate>Fri, 06 Jan 2006 08:21:00 +0000</pubDate><guid>https://www.thario.net/post/historic-tightening-things-up-with-dshield.html</guid><description>&lt;p&gt;I was first introduced to &lt;a href="http://www.dshield.org/"&gt;DSHIELD&lt;/a&gt; last month. Particularly, my interest was in the textual feeds of recommended hosts to block at the firewall. The lists come in the form of a text file formatted with individual hosts and entire networks. The feeds are refreshed on a regular basis from community input. I wrote a small shell script to pull these recommended lists and create an &lt;a href="http://www.netfilter.org/"&gt;iptables&lt;/a&gt; chain that is called from my existing server firewalling rules. The input, output and forwarding chains all call the DSHIELD chain. After about a month of use it seems to have paid off, because the DSHIELD chain in my firewall rules blocks many packets from these blacklisted hosts - and so far no one has complained. This script is run nightly to refresh the DSHIELD chain. 
If for any reason it cannot contact the DSHIELD site, it will keep the existing rules in place.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://docs.google.com/open?id=0B7TY_M0bIhfUckh6SHNiLWsyQW8"&gt;Here&lt;/a&gt; is the BASH shell script I use on Fedora and CentOS servers.&lt;/p&gt;</description></item><item><title>From history or current day society, select five famous people that you would use to build the perfect team.</title><link>https://www.thario.net/post/historic-from-history-or-current-day-society-select-five-famous-people-that-you-would-use-to-build-the-perfect-team..html</link><pubDate>Sun, 06 Nov 2005 08:38:00 +0000</pubDate><guid>https://www.thario.net/post/historic-from-history-or-current-day-society-select-five-famous-people-that-you-would-use-to-build-the-perfect-team..html</guid><description>&lt;p&gt;For my perfect team I want to build a software development team and staff the lead roles. There are many roles involved with the creation and sale of a software product. I am going to focus on the team responsible for the creation of the solution. The roles I chose to staff are project management, requirements analyst, engineering, content and documentation, and customer support leads. Many people can share a single role, or each person can have multiple roles. For my case, each person gets a single role.&lt;br /&gt;&lt;br /&gt;The project manager is responsible for monitoring the progress, time lines, budgets, and in general doing what needs to be done to see the project reach its conclusion. The project manager is often a central figure of communication between the development team and other groups. My project manager is Meg Whitman from eBay. [1] Meg has turned eBay into an online mainstay with $4 billion a year in revenue and a $60 billion market capitalization.&lt;br /&gt;&lt;br /&gt;The requirements analyst uses a variety of techniques to understand the problem from first hand contact with stakeholders inside and outside the organization. 
Grace Hopper [2] lived from 1906 to 1992. She is responsible for such ideas as compiled source languages and was deeply involved in trying to make computers easier for developers and operators. She often placed herself in the problematic situation to understand it and help propose a solution.&lt;br /&gt;&lt;br /&gt;The engineering lead is a broad role incorporating all of the technical aspects and control systems in place for the project. For this role I will choose Alan Cox [3] from the team of Linux contributors. Alan was responsible for many of the improvements to Linux that helped it gain respect as a reliable platform. Although a deeply technical person, Alan has an MBA that I believe gives him an insight to the economics of engineering problems.&lt;br /&gt;&lt;br /&gt;The content and documentation specialist is responsible for all information included with the solution that is needed by the consumer. This role is also responsible for any included templates or other information that can jump-start the solution for the user. Carl Sagan [4] will be my content and documentation producer. Carl Sagan taught science and wrote about it his entire life. He contributed to the popularization of science in America.&lt;br /&gt;&lt;br /&gt;Customer support provides help, receives and records defect reports and enhancement requests, and provides assistance with unique problems or environments. Blake W. Nordstrom [5] of the Nordstrom department stores will be in charge of my customer service organization. 
Nordstrom has a reputation of excellent service and has been aggressively applying technology to improve their customer&amp;rsquo;s experience.&lt;br /&gt;&lt;br /&gt;[1] &lt;a href="http://money.cnn.com/2005/10/31/news/newsmakers/top50_women_fortune_111405/?cnn=yes"&gt;http://money.cnn.com/2005/10/31/news/newsmakers/top50_women_fortune_111405/?cnn=yes&lt;/a&gt;&lt;br /&gt;[2] &lt;a href="http://www.sdsc.edu/ScienceWomen/hopper.html"&gt;http://www.sdsc.edu/ScienceWomen/hopper.html&lt;/a&gt;&lt;br /&gt;[3] &lt;a href="http://en.wikipedia.org/wiki/Alan_Cox"&gt;http://en.wikipedia.org/wiki/Alan_Cox&lt;/a&gt;&lt;br /&gt;[4] &lt;a href="http://en.wikipedia.org/wiki/Carl_sagan"&gt;http://en.wikipedia.org/wiki/Carl_sagan&lt;/a&gt;&lt;br /&gt;[5] &lt;a href="http://www.referenceforbusiness.com/biography/M-R/Nordstrom-Blake-W-1961.html"&gt;http://www.referenceforbusiness.com/biography/M-R/Nordstrom-Blake-W-1961.html&lt;/a&gt;&lt;/p&gt;</description></item><item><title>What are the security risks associated with business-to-business e-commerce?</title><link>https://www.thario.net/post/historic-what-are-the-security-risks-associated-with-business-to-business-e-commerce.html</link><pubDate>Mon, 31 Oct 2005 12:55:00 +0000</pubDate><guid>https://www.thario.net/post/historic-what-are-the-security-risks-associated-with-business-to-business-e-commerce.html</guid><description>&lt;p&gt;Risks associated with B2B e-commerce include the technical problems of creating an Internet-facing business system that enables you and your partners to save money and 
react quickly by doing all transactions electronically. Additionally, I found there is some concern about the antitrust risks of business-to-business exchanges. I initially started searching for technical risks, and came across this document about the business risks of competitors working closely in collaboration to negotiate prices.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://mipr.umn.edu/archive/v2n2/gotfredson.pdf"&gt;http://mipr.umn.edu/archive/v2n2/gotfredson.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Certain models of B2B exchanges would have the competitors in an open auction against each other to win the bid for some product or service. &amp;ldquo;In spite of the promises inherent in this new business model, B2B exchanges necessarily involve collaboration between competitors in a market, and thus raise potential antitrust concerns.&amp;rdquo; There is actually nothing new here about types of antitrust activities a company might undertake with B2B. I think the point of the paper tells us that the Internet potentially makes this easier to take place. Connectivity between competitors and collaborators over the Internet and the growing sophistication of software provides an atmosphere where antitrust activities can occur without immediate notice. &amp;ldquo;A second antitrust risk associated with B2B exchanges stems from the fact that the Internet allows for the aggregation and analysis of copious information concerning the exchange&amp;rsquo;s participants.&amp;rdquo; I was not able to determine if any company has had legal action taken against them for B2B-related antitrust activities.&lt;br /&gt;&lt;br /&gt;The technical risks involved with B2B are typical for Internet-facing servers of e-commerce applications. For instance, Amazon uses a web front end to interface with their customers. The front-end of an application is one place vulnerabilities can be exploited to someone&amp;rsquo;s gain. 
Even though B2B exchanges may use a different kind of communication protocol, like a web-service or EDI communication, if there are weaknesses in the protocol, there is a possibility someone could use it to their advantage without immediate notice. An act that is as simple as transmitting illegal values for valid operations could allow unauthorized access because of a lack of sufficient defensive programming on the server-side. I found a PowerPoint presentation (link below) that listed some areas of potential loss from poorly designed e-commerce systems.&lt;br /&gt;&lt;br /&gt;Theft of Intellectual Property&lt;br /&gt;Theft of Proprietary Information&lt;br /&gt;Sabotage of Data Networks&lt;br /&gt;System Penetration&lt;br /&gt;Insider Abuse&lt;br /&gt;Financial Fraud&lt;br /&gt;Denial of Service&lt;br /&gt;Virus&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.business.duq.edu/BusinessSecurity/docs/mootcourt.ppt"&gt;&lt;a href="http://www.business.duq.edu/BusinessSecurity/docs/mootcourt.ppt"&gt;http://www.business.duq.edu/BusinessSecurity/docs/mootcourt.ppt&lt;/a&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><title>What would the Web be like if there were no limit to bandwidth?</title><link>https://www.thario.net/post/historic-what-would-the-web-be-like-if-there-were-no-limit-to-bandwidth.html</link><pubDate>Sun, 09 Oct 2005 05:18:00 +0000</pubDate><guid>https://www.thario.net/post/historic-what-would-the-web-be-like-if-there-were-no-limit-to-bandwidth.html</guid><description>&lt;p&gt;No limit to bandwidth means that it would be possible to send any amount of information across a network with no latency. Such an achievement would change more things than just the web. For instance, with the capability of limitless bandwidth, data storage and processing power would no doubt have made equivalent leaps as well. These are components of networking infrastructure as well as general purpose computers. 
So, networking equipment that provided limitless bandwidth would also include processing power to handle the load - processing power with no limits. Moving any amount of information with no latency also means you need some place to put it - data storage with no limits.&lt;br /&gt;&lt;br /&gt;With these limits removed, there might be no need for a web at all. The ability to move any amount of information instantly might mean we keep a copy for ourselves of everything we interact with, continually accumulating and indexing data at a constant rate from other information providers for the rest of our lives. From this I can imagine having my own reference database of accumulated information that becomes our private web, or life encyclopedia.&lt;/p&gt;</description></item><item><title>What are the distinctions between Internet, Intranet, and Extranet?</title><link>https://www.thario.net/post/historic-what-are-the-distinctions-between-internet-intranet-and-extranet.html</link><pubDate>Thu, 06 Oct 2005 12:54:00 +0000</pubDate><guid>https://www.thario.net/post/historic-what-are-the-distinctions-between-internet-intranet-and-extranet.html</guid><description>&lt;p&gt;The Internet is the worldwide network of networks, which is available to business, government, education, and individuals. Many different services are provided over the Internet, including electronic mail, instant messaging and web applications. Single devices and entire local networks can join the Internet and become connected worldwide at a variety of speeds. Many large telecommunications companies carry the backbone of the Internet. 
The Internet &amp;ldquo;provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein.&amp;rdquo; [1]&lt;br /&gt;&lt;br /&gt;An &amp;ldquo;intranet is a private network inside a company or organization that uses the same kinds of software that you would find on the public Internet, but that is only for internal use. An intranet may be on the Internet or may simply be a network.&amp;rdquo; [2] I have found that Intranet and internal web are often interchanged, as well as Intranet and internal network. I think in general it is safe to refer to all the services available within the private networking domain of the organization. The Intranet of a company is often available by plugging into the network at a business office or virtually plugging in to it through remote Virtual Private Network access.&lt;br /&gt;&lt;br /&gt;I have found several overlapping definitions of Extranet, but in general they all refer to the same concepts. An Extranet is a company-provided extension of its Intranet services to customers and business partners. [3] Using Amazon as an example, they do business over the Internet with the majority of people with a web application. They also have business partners that receive orders and provide special services to Amazon&amp;rsquo;s customers. 
Business partners have access to Amazon&amp;rsquo;s Extranet, which allows them to interact with the private portion of the business&amp;rsquo; network services, but only those services Amazon allows.&lt;br /&gt;&lt;br /&gt;[1] &lt;a href="http://www.cs.columbia.edu/%7Ehgs/internet/definition.html"&gt;&lt;a href="http://www.cs.columbia.edu/~hgs/internet/definition.html"&gt;http://www.cs.columbia.edu/~hgs/internet/definition.html&lt;/a&gt;&lt;/a&gt;&lt;br /&gt;[2] &lt;a href="http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/Glossary.html"&gt;&lt;a href="http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/Glossary.html"&gt;http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/Glossary.html&lt;/a&gt;&lt;/a&gt;&lt;br /&gt;[3] &lt;a href="http://elab.vanderbilt.edu/research/studentprojects/extranet/execsumm.html"&gt;&lt;a href="http://elab.vanderbilt.edu/research/studentprojects/extranet/execsumm.html"&gt;http://elab.vanderbilt.edu/research/studentprojects/extranet/execsumm.html&lt;/a&gt;&lt;/a&gt;&lt;br /&gt;[4] &lt;a href="http://elab.vanderbilt.edu/research/studentprojects/extranet/extranet.html"&gt;&lt;a href="http://elab.vanderbilt.edu/research/studentprojects/extranet/extranet.html"&gt;http://elab.vanderbilt.edu/research/studentprojects/extranet/extranet.html&lt;/a&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Explain the difference between logical design and physical design of a network</title><link>https://www.thario.net/post/historic-explain-the-difference-between-logical-design-and-physical-design-of-anetwork.html</link><pubDate>Sat, 03 Sep 2005 02:20:00 +0000</pubDate><guid>https://www.thario.net/post/historic-explain-the-difference-between-logical-design-and-physical-design-of-anetwork.html</guid><description>&lt;p&gt;Logical design is, &amp;ldquo;The part of the design phase of the SDLC in which all functional features of the system chosen for development in analysis are described independently of any computer platform.&amp;rdquo; 
[1] A logical design for a network is an abstract functional specification for a telecommunications solution. A logical design lacks specific details such as technologies and standards and focuses on the needs at a general level. A logical network design can be a view of any part of a network. An entire enterprise educational network can be a composition of many logical designs. The lower level designs can be a university campus network that connects each building to the Internet, or it could be a view of the standard office telecommunications setup. The important quality of a logical design is that it communicates all needs in general terms.&lt;br/&gt;&lt;br/&gt;Logical designs communicate with abstract concepts, such as a network, router or workstation, without specifying concrete details. A definition of abstraction that I like is, &amp;ldquo;the process of formulating general concepts by abstracting common properties of instances.&amp;rdquo; [3] Another is a &amp;ldquo;general concept formed by extracting common features from specific examples.&amp;rdquo; [3] Abstractions for complex systems, such as network designs, are important because they simplify the problem space so humans can manage it. An example of a network abstraction is a WAN. A wide-area-network carries data between remote locations. To understand a WAN, you do not need to understand the physics behind fiber optic data communication, although WAN traffic may be carried over optical fiber, satellite, or copper wire. Someone specifying the need for a WAN connection on a logical network diagram can understand the concept of a WAN connection without understanding the detailed technical specifics behind it.&lt;br/&gt;&lt;br/&gt;Logical designs are often described using terms from the customer&amp;rsquo;s business vocabulary. Locations, processes, roles from the business domain can show up in the logical design. 
An important aspect of a logical network design is that it is part of the requirements set for a solution to a customer problem.&lt;br/&gt; &lt;br/&gt;The basic idea of physical design is that it communicates &amp;ldquo;decisions about the hardware used to deliver a system.&amp;rdquo; [2] A physical network design is created from a logical network design. A physical design will often expand elements found in a logical design. For instance, a WAN connection on a logical design diagram can be shown as a line between two buildings. When transformed into a physical design, that single line could expand into the connection, routers and other equipment at each end of the connection. The actual connection media might be shown on a physical design as well as manufacturers and other qualities of the network implementation.&lt;br/&gt; &lt;br/&gt;The primary difference between logical network design and physical network design is that of iterative production of a solution from the identification of a problem. For example, when a business needs to share information in real time with remote offices, they are thinking in terms of business first and technology second. This is where identification of a problem begins, and as the problem is documented, it can be iteratively evolved from a logical solution into many possible physical designs. The logical design of a network can be re-implemented with new technology, and yet the logical design remains the same. 
Logical designs can span generations of technology, while a physical design is one realization of a logical design.&lt;br/&gt; &lt;br/&gt;References&lt;br/&gt;[1] &lt;a href="http://myphliputil.pearsoncmg.com/student/bp_hoffer_modernsad_3/glossary.html"&gt;&lt;a href="http://myphliputil.pearsoncmg.com/student/bp_hoffer_modernsad_3/glossary.html"&gt;http://myphliputil.pearsoncmg.com/student/bp_hoffer_modernsad_3/glossary.html&lt;/a&gt;&lt;/a&gt;&lt;br/&gt;[2] &lt;a href="http://lms.thomsonelearning.com/hbcp/glossary/glossary.taf?gid=21&amp;start=p"&gt;&lt;a href="http://lms.thomsonelearning.com/hbcp/glossary/glossary.taf?gid=21&amp;amp;start=p"&gt;http://lms.thomsonelearning.com/hbcp/glossary/glossary.taf?gid=21&amp;amp;start=p&lt;/a&gt;&lt;/a&gt;&lt;br/&gt;[3] &lt;a href="http://www.cogsci.princeton.edu/cgi-bin/webwn2.0?stage=1&amp;word=abstraction"&gt;&lt;a href="http://www.cogsci.princeton.edu/cgi-bin/webwn2.0?stage=1&amp;amp;word=abstraction"&gt;http://www.cogsci.princeton.edu/cgi-bin/webwn2.0?stage=1&amp;amp;word=abstraction&lt;/a&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Dog Family Album</title><link>https://www.thario.net/post/historic-dog-family-album.html</link><pubDate>Wed, 17 Aug 2005 07:34:00 +0000</pubDate><guid>https://www.thario.net/post/historic-dog-family-album.html</guid><description>&lt;p&gt;&lt;strong&gt;Morgan and Murphy&lt;/strong&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/S3jMrEWuIK6NNX93ithIAQ?feat=embedwebsite"&gt;&lt;img src="http://lh3.ggpht.com/_ZXimk7khhu4/SfM9NkE1wrI/AAAAAAAACdE/gKWcbDTdqs4/s288/momurphypup2.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/Dogs?feat=embedwebsite"&gt;Dogs&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;strong&gt;Morgan and 
Pablo&lt;/strong&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/pbOVL1yJoiMkVTTVmFp8AQ?feat=embedwebsite"&gt;&lt;img src="http://lh4.ggpht.com/_ZXimk7khhu4/SfM9N0spNdI/AAAAAAAACdM/3YDGirlBR8E/s288/mopablo.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/Dogs?feat=embedwebsite"&gt;Dogs&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;strong&gt;This Means &amp;ldquo;Excuse Me&amp;rdquo; in Dog&lt;/strong&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/Q96IU7oiC3XmByONTIDtaA?feat=embedwebsite"&gt;&lt;img src="http://lh5.ggpht.com/_ZXimk7khhu4/SfM9VvFrNAI/AAAAAAAACdU/cXYyyN4AUZM/s288/siblingrivalry.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/Dogs?feat=embedwebsite"&gt;Dogs&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;strong&gt;The Pack&lt;/strong&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/uXYbGeHI0Ua4yJtnVsbx_w?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfM-H9KvAPI/AAAAAAAACdc/ZM_WL6tNWkg/s288/thepack.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/Dogs?feat=embedwebsite"&gt;Dogs&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/p&gt;</description></item><item><title>Goodbye Pablo</title><link>https://www.thario.net/post/historic-goodbye-pablo.html</link><pubDate>Wed, 17 Aug 2005 07:28:00 
+0000</pubDate><guid>https://www.thario.net/post/historic-goodbye-pablo.html</guid><description>&lt;p&gt;Adios to the best damn tennis-ball-fetch dog ever. Get some rest fella.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/toKXrlPKNcAat194AWE2aQ?feat=embedwebsite"&gt;&lt;img src="http://lh5.ggpht.com/_ZXimk7khhu4/SfJ4YEVi-XI/AAAAAAAACYU/N-nqNqN63os/s288/fella.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/Dogs?feat=embedwebsite"&gt;Dogs&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/p&gt;</description></item><item><title>Many businesses do not use the Software Development Life Cycle. What is a likely explanation?</title><link>https://www.thario.net/post/historic-many-businesses-do-not-use-the-software-development-life-cycle.-what-is-a-likely-explanation.html</link><pubDate>Mon, 08 Aug 2005 00:21:00 +0000</pubDate><guid>https://www.thario.net/post/historic-many-businesses-do-not-use-the-software-development-life-cycle.-what-is-a-likely-explanation.html</guid><description>&lt;p&gt;I believe one of the reasons many businesses do not use the &lt;a href="http://en.wikipedia.org/wiki/Software_development_life_cycle"&gt;Software Development Life Cycle&lt;/a&gt; is due to lack of awareness that such a process exists. I have experienced this first hand from my own attempts at running projects early in my career. My first positions were in smaller companies where less formality was necessary. Those experiences with planning and running projects were for small tasks. I would do development for the solution, and I would work with at most three other people. The other technical people working on the task would test or help out in other aspects. 
Most decisions were made at the office kitchen table and little needed to be recorded in documents.&lt;br /&gt;&lt;br /&gt;Once an awareness of the Software Development Life Cycle exists, the next problem is how to go about producing the artifacts that are necessary to project success. We have been given a very wide and shallow introduction to the System Development Life Cycle. This is good if you never have seen this before in your life. I have specific questions now about what is needed to be documented in each project phase. For instance, what do good requirements look like? Seeing templates or samples of existing project documents would speed an immature team&amp;rsquo;s understanding of where formality can stabilize a project and how much overhead formal process will add to the project time line.&lt;br /&gt;&lt;br /&gt;The final possibility that may contribute to a lack of formal processes for development is that business management does not believe it brings as many benefits compared to the existing system of project management. The SDLC affects not only the Information Technology team, but the departments receiving and affected by the creation of an automated solution to a business problem. I found an article on the web, talking about formal methods of engineering. 
I think this paragraph brings some insight into the business decision of bringing formality to an existing business infrastructure:&lt;br /&gt;&lt;br /&gt;&amp;ldquo;The decision to use a new methodology is driven by economics: Do the benefits of the new method exceed the costs of converting to it and using it by a sufficient margin to justify the risks of doing so?&amp;rdquo; [1]&lt;br /&gt;&lt;br /&gt;[1] An Overview of Systems Design and Development Methodologies with Regard to the Involvement of Users and Other Stakeholders, SHAWREN SINGH AND PAULA KOTZ, University of South Africa&lt;/p&gt;</description></item><item><title>What is the most important phase of the Software Development Life Cycle (SDLC)?</title><link>https://www.thario.net/post/historic-what-is-the-most-important-phase-of-the-software-development-life-cycle-sdlc.html</link><pubDate>Mon, 08 Aug 2005 00:14:00 +0000</pubDate><guid>https://www.thario.net/post/historic-what-is-the-most-important-phase-of-the-software-development-life-cycle-sdlc.html</guid><description>&lt;p&gt;In my experience developing software, I find the most important phase is the Elaboration phase. The reason I feel it is the most important is because it is the join point between the definition of the business problem and the construction of the solution.&lt;br /&gt;&lt;br /&gt;During the Inception phase, you baseline your vision and solution to a problem and you make the business case for building it. At the end of the Inception phase you should have support and funding from the business to move forward. Everyone involved with the project should be in agreement about what the team is trying to build. If there is any misinterpretation, especially from your funding source, you need to deal with it here.&lt;br /&gt;&lt;br /&gt;The Elaboration phase is when the technical solution is determined - not actually built. This phase is the clarification phase. There is modeling, risk analysis, prototyping and refining of the requirements. 
This phase is when you find out if the solution can actually be built. You leave the elaboration phase with an architecture on paper (or in a modeling tool) and something that runs just enough to prove the system can be completed successfully.&lt;br /&gt;&lt;br /&gt;I believe this is the point where funding really needs to kick in. During Construction and Transition, headcount is being added in the form of developers, testers, documentation writers, test engineering, release engineering, legal, etc. You are beginning to train the trainers, the sales staff, and the consultants. If the project is not going to succeed, it is in your best interest to kill it off before you begin the Construction phase.&lt;/p&gt;</description></item><item><title>Murphy</title><link>https://www.thario.net/post/historic-murphy.html</link><pubDate>Sun, 07 Aug 2005 04:31:00 +0000</pubDate><guid>https://www.thario.net/post/historic-murphy.html</guid><description>&lt;p&gt;This is Murphy. He is a Rottweiler mix - mostly mixed with love and anti-seizure medication.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/r3mXwxAB4mmZeshsfLO03Q?feat=embedwebsite"&gt;&lt;img src="http://lh4.ggpht.com/_ZXimk7khhu4/SfJ2-v3LvfI/AAAAAAAACYI/to7GYC6Alyw/s288/murphy.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: arial,sans-serif; font-size: 11px; text-align: right;"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/Dogs?feat=embedwebsite"&gt;Dogs&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Photo by &lt;a href="http://www.nicolehowardphotography.com/"&gt;&lt;a href="https://www.nicolehowardphotography.com"&gt;www.nicolehowardphotography.com&lt;/a&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Cancun between hurricanes</title><link>https://www.thario.net/post/historic-cancun-between-hurricanes.html</link><pubDate>Sun, 07 Aug 2005 04:25:00 
+0000</pubDate><guid>https://www.thario.net/post/historic-cancun-between-hurricanes.html</guid><description>&lt;p&gt;Here is a small photo album from our trip.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: 194px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="background: transparent url(http://picasaweb.google.com/s/c/transparent_album_background.gif) no-repeat scroll left center; height: 194px; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" align="center"&gt;&lt;a href="http://picasaweb.google.com/jim.thario/Cancun2005?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SfJ1qQx_CNE/AAAAAAAACYA/OR_ZLwTvcNU/s160-c/Cancun2005.jpg" style="margin: 1px 0pt 0pt 4px;" width="160" height="160" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="text-align: center; font-family: arial,sans-serif; font-size: 11px;"&gt;&lt;a href="http://picasaweb.google.com/jim.thario/Cancun2005?feat=embedwebsite" style="color: rgb(77, 77, 77); font-weight: bold; text-decoration: none;"&gt;Cancun 2005&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/p&gt;</description></item><item><title>What are the elements of a good Web page design?</title><link>https://www.thario.net/post/historic-what-are-the-elements-of-a-good-web-page-design.html</link><pubDate>Sun, 07 Aug 2005 04:16:00 +0000</pubDate><guid>https://www.thario.net/post/historic-what-are-the-elements-of-a-good-web-page-design.html</guid><description>&lt;p&gt;I think this can be answered from the user&amp;rsquo;s perspective and from the developer&amp;rsquo;s perspective. I think a page can be considered well designed if it looks good, works with many browsers, and can be maintained by others than the original author. From the user&amp;rsquo;s perspective, I was able to come up with the following list:&lt;br /&gt;&lt;br /&gt;Accessibility - the page is compatible with screen readers and alternate input devices. 
At work we recently went through a remediation process with one of our web sites. We needed to assure HR the site was compatible with accessibility utilities. I think about 75% of this can be handled by writing good HTML source. In addition to this, testing tools such as WebKing can help identify other problems that can prevent the web code from working in certain situations.&lt;br /&gt;&lt;br /&gt;Navigation - the page is easy to leave. Another way to say it is the page should have the necessary links to navigate away to other major areas, if it is part of a larger web site.&lt;br /&gt;&lt;br /&gt;Placement - the page is easy to find in the site and navigate to.&lt;br /&gt;&lt;br /&gt;Compatibility - the page can be loaded and properly displayed in popular browsers. I think in e-commerce, it is important to give this item some amount of priority. You want to encourage visitors to browse and buy regardless of the specific brand or version of their technical resources. This is also important to consider if your viewer base consists of users with handhelds or Internet-capable cell phones.&lt;br /&gt;&lt;br /&gt;Organization - information on the page is presented in a visually appealing way, including text style choice and page positioning.&lt;br /&gt;&lt;br /&gt;From the developer&amp;rsquo;s perspective:&lt;br /&gt;&lt;br /&gt;Documentation - comments in the code or a short design note help the author remember what they did and help others maintain the page later.&lt;br /&gt;&lt;br /&gt;Organization - the page&amp;rsquo;s source is consistently organized and formatted into blocks. 
I think with today&amp;rsquo;s tools that can reformat source code, this is less of a problem.&lt;/p&gt;</description></item><item><title>Name two differences between designing for a Web page and for print-based media</title><link>https://www.thario.net/post/historic-name-two-differences-between-designing-for-a-web-page-and-for-print-based-media.html</link><pubDate>Sun, 07 Aug 2005 04:15:00 +0000</pubDate><guid>https://www.thario.net/post/historic-name-two-differences-between-designing-for-a-web-page-and-for-print-based-media.html</guid><description>&lt;p&gt;The difference that draws my attention is that print media is static - ink or other compound is bonded to a page and is permanently fixed. Unlike a web site, there is no hope of that print jumping up and rearranging itself if the user wants to see a different layout. The first difference is that web publishing has the possibility of introducing dynamic content to the user in a number of different ways. Web sites used for e-commerce have the ability to show customized content based on the user&amp;rsquo;s past purchase history, or if they have a particular preference for how the page is arranged. My Yahoo is another example, where each user can have a customized view of information they choose.&lt;br /&gt;&lt;br /&gt;The other primary difference I can think of between web and print media is that designing for a newspaper, for example, is a controlled process from end to end, unlike a web page in which the rendering and quality of the final product is out of the control of the publisher of the content. The newspaper publisher chooses layout, fonts and other aspects of style just like a web publisher would, but the similarity stops there. A print publisher also chooses the rendering mechanism and the paper it is printed on. 
In web publishing, that last step is somewhat variable in that browser differences have the possibility of producing different output with the same HTML code.&lt;/p&gt;</description></item><item><title>Self destructing servers</title><link>https://www.thario.net/post/historic-self-destructing-servers.html</link><pubDate>Thu, 09 Jun 2005 08:12:00 +0000</pubDate><guid>https://www.thario.net/post/historic-self-destructing-servers.html</guid><description>&lt;p&gt;I had an idea today about how to make servers self destruct in case of some type of security breach. I guess this might be influenced by the Star Trek movie I saw the other night. They seem to blow up more Enterprises in the recent stories. &lt;br/&gt;&lt;br/&gt;My idea is to keep a blank CD-R in the drive of the server at all times. On hard disk there is an ISO file that is written to the CD-R on demand and then the server is rebooted. The server will ignore the blank CD-R during reboots until it is written with a valid image. The contents of the ISO need to be a boot loader and kernel, like Grub and Linux plus a file system with a wipe program. The wipe program is started once the kernel is booted and it iterates through the collection of hard drives, which the kernel found during the boot process, and writes over them with a pattern.&lt;br/&gt;&lt;br/&gt;This kind of self destruct sequence can be automated with a script and invoked through a terminal on the local network or through a VPN. It could also be loaded into cron and deactivated on a regular basis to keep it from going off.&lt;br/&gt;&lt;br/&gt;So, if your servers are under heavy attack, and you have no other choice, start the count down. 
:-)&lt;/p&gt;</description></item><item><title>School work</title><link>https://www.thario.net/post/historic-school-work.html</link><pubDate>Sat, 04 Jun 2005 23:10:00 +0000</pubDate><guid>https://www.thario.net/post/historic-school-work.html</guid><description>&lt;p&gt;I graduate in November and then I can grow up and get a job.&lt;br/&gt;&lt;br/&gt;I have been attending a UNIX course in school the past few weeks. This week we have been studying some cost configurations in running UNIX and Linux for various network serving roles. A topic that came up was the benefit of using the free Linux distributions and related software for low cost server operations. I have a home network, and I think I count as a low cost operation. I will not spend excessive money on my network, and I have never felt compelled to spend money because software I need could be obtained for free.&lt;br/&gt;&lt;br/&gt;For example, my primary server at home routes email, serves several web sites, and acts as a router between the public Internet and my home network. It is a big server. I run &lt;a href="http://fedora.redhat.com"&gt;Fedora Core&lt;/a&gt; 3 as my operating system.&lt;br/&gt;&lt;br/&gt;The email routing incorporates dovecot, sendmail, &lt;a href="http://www.ijs.si/software/amavisd/"&gt;amavisd-new&lt;/a&gt;, &lt;a href="http://spamassassin.apache.org/"&gt;SpamAssassin&lt;/a&gt;, and &lt;a href="http://www.clamav.net/"&gt;ClamAV&lt;/a&gt;. The last three of these programs working in tandem keep dangerous email from passing through my server. The spam analyzer learns the difference between wanted and unwanted email, while the open source ClamAV scanner automatically checks for updated virus signatures every hour. The amavisd program acts as the mediator between the spam and virus services and my email server. 
The best part is that tainted email is rejected in real time while the sender is trying to move it to my server.&lt;br/&gt;&lt;br/&gt;As a network router, my giant egg basket of a server watches both incoming and outgoing connections for suspicious activity on all network adapters using &lt;a href="http://www.snort.org"&gt;Snort&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;What would I pay to recreate this configuration with commercial software?&lt;/p&gt;</description></item><item><title>Old pictures of a warm place</title><link>https://www.thario.net/post/historic-old-pictures-of-a-warm-place.html</link><pubDate>Sat, 04 Jun 2005 14:09:00 +0000</pubDate><guid>https://www.thario.net/post/historic-old-pictures-of-a-warm-place.html</guid><description>&lt;p&gt;Jen and I spent our 10th Anniversary in Hawaii two years ago.&lt;br /&gt;&lt;br /&gt;&lt;table style="width: 194px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="background: transparent url(http://picasaweb.google.com/s/c/transparent_album_background.gif) no-repeat scroll left center; height: 194px; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" align="center"&gt;&lt;a href="http://picasaweb.google.com/jim.thario/10thAnniversaryInHawaii?feat=embedwebsite"&gt;&lt;img src="http://lh3.ggpht.com/_ZXimk7khhu4/SfJaArObvLE/AAAAAAAACWk/kb-eRq_E8Jg/s160-c/10thAnniversaryInHawaii.jpg" style="margin: 1px 0pt 0pt 4px;" width="160" height="160" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="text-align: center; font-family: arial,sans-serif; font-size: 11px;"&gt;&lt;a href="http://picasaweb.google.com/jim.thario/10thAnniversaryInHawaii?feat=embedwebsite" style="color: rgb(77, 77, 77); font-weight: bold; text-decoration: none;"&gt;10th Anniversary in Hawaii&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/p&gt;</description></item><item><title>First entry</title><link>https://www.thario.net/post/historic-first-entry.html</link><pubDate>Sat, 04 
Jun 2005 06:50:00 +0000</pubDate><guid>https://www.thario.net/post/historic-first-entry.html</guid><description>&lt;p&gt;The first entry is dedicated to my big dog. We miss you.&lt;br /&gt;&lt;br /&gt;&lt;table style="width:auto;"&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://picasaweb.google.com/lh/photo/p1SAIZoi7pEdtB8rNwj6OQ?feat=embedwebsite"&gt;&lt;img src="http://lh6.ggpht.com/_ZXimk7khhu4/SeFBmyjd2_I/AAAAAAAAB0E/I8GxEVrBqdU/s288/puppy1.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family:arial,sans-serif; font-size:11px; text-align:right"&gt;From &lt;a href="http://picasaweb.google.com/jim.thario/WwwTharioNet?feat=embedwebsite"&gt;&lt;a href="https://www.thario.net"&gt;www.thario.net&lt;/a&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/p&gt;</description></item></channel></rss>