Wednesday, July 30, 2008

IBM to buy ILOG for US$340m

IBM has just officially announced that they have signed an agreement with ILOG regarding a proposed acquisition by IBM of ILOG to be implemented by way of concurrent cash public tender offers in both France and the United States.

Through this proposed transaction, IBM will combine its business process management, business optimization, and service oriented architecture (SOA) technologies with ILOG's Business Rules Management Systems software (i.e. JRules).


This news came as no surprise to me, if not a little overdue. Why do I say this?

In terms of enterprise middleware offerings targeting application development, IBM has all the major pieces (EIP, BPM, ESB/EAI) except for a BRMS. It has a rather basic and crude implementation of a "rules engine" embedded in the WebSphere Process Server (WPS) product but I would hardly call that an "engine". Plus you cannot possibly use that to manage your business rules in the other areas like ETL or as a central, reusable rules repository for the enterprise (er... SOA anyone?).

ILOG, on the other hand, realized that it has a winner on its hands (which company does not have business rules?) but needed to latch on to players in the platform (e.g. WebSphere) and other verticals with complex business rules such as BPM (e.g. FileNet) and ETL (e.g. DataStage) in order to spread its wings. So rather than spreading itself thin by trying to support the myriad of vendors out there, why not stick with just one and do it well? Guess what? It appears that they may have been doing just that all along. FileNet, DataStage and WebSphere are all products under the IBM family and what do you know... ILOG has out-of-the-box support in JRules for them all!


  1. Given the way the press release was written, it is clear that the golden boy here is JRules. So what will happen to the other products in ILOG's family? Like the CPLEX constraint-based optimization engine and visualization toolkit JViews? Will they end up as just another faceless product in IBM's vast array of offerings? Personally, I've used CPLEX and JViews before and it will be sad to see them flounder under new management.
  2. And the million dollar question (or should I say a few million dollars question)... Will this acquisition prompt Oracle (now owner of BEA) or SUN to make a bid for Fair Isaac for its Blaze Advisor BRMS?

Sunday, July 27, 2008

Kids and their sleeping postures

This is Joel, fast asleep at grandma's house. I find it intriguing that he can be sound asleep in such an awkward position: chest flat on the floor, arms wide open, head turned at right angles to one side and bum lifted a couple of inches off the ground.
And this is Jarrett... Sound asleep with his arms and legs sprawling across the width of his cot. Check out the way his legs are spread wide open and even perched high on one side of the cot. How is that even humanly possible?

Yep, one of the little wonders of kids ...

Wednesday, July 23, 2008

Web application security testing tools

Ever heard of XSS and/or SQL Injection? How about CSRF? You should if you are a web application developer. In fact, beyond just knowing what they are, you should be well versed in their countermeasures and make them a part of your day-to-day coding routine.

Unfortunately, these are just the tip of the iceberg and there are many more exploits and vulnerabilities that exist today as web technology advances and the attack surface increases. It is not feasible or practical to know them all, not to mention ensuring that every single line of your code is free from them, just as it is not possible to write code that is bug free.

Web application security is no longer an area that can be ignored or treated as a second-class citizen. Given the exponential growth of online applications that deal with valuable data (e.g. B2B marketplace, partner self-service apps, consumer ebanking and ecommerce, webmails, online docs and spreadsheets, even online data backup services, etc), the implications (usually financial) of losing them to hackers are not to be taken lightly.

Even if a company's web applications do not contain personal and private data, any defacement due to web exploits can cause loss of customer confidence and/or negatively affect the branding, all of which will ultimately hurt the business.

Having established the need for more emphasis on web application security, what can one do about it? Well, you can:

  1. include the skillset as a requirement in recruiting your development team,
  2. skill up your development team in this area,
  3. create development guidelines/policies that encourage/enforce exploit-safe coding practices,
  4. set up regular peer reviews focusing specifically on web application security,
  5. develop test cases that attempt to flag out possible vulnerabilities.


You can look into acquiring some web application security test tools to offload your development team from some of these worries.

Generally speaking, here are some key benefits that you can hope to reap from using such tools:

  1. Consistency in overall quality of code produced as you no longer depend on skill levels of individual developers.
  2. Quickly and easily satisfy regulatory compliance to well known standards such as SOX, PCI, HIPAA, etc as most tools can run tests against the standards and generate the necessary reports.
  3. Keep up with the latest threats via the auto update feature in the tools.
  4. Include the security tests as part of the QA cycle (test planning, execution, even defect tracking).

Here in Sony, I am leading the initiative to explore and evaluate the product landscape with the goal of creating a Centre of Excellence (covering both governance and service provisioning) for web application security to support our internal IT operations.

Over the next couple of weeks, I will be meeting up with the various vendors to understand their offerings as well as evaluate their strengths and weaknesses in depth via PoCs.

Friday, July 18, 2008

Stop Vista from messing up your display(s)... Part II

This is a follow-up on the issue I had with Vista's multi-monitor support back in June. To recap, Vista tries to be smart by configuring your dual view displays (and their resolutions) automatically (unfortunately to its liking, not yours) upon certain triggers like when a user logs on.

After having done the fix described in my previous post, I managed to stop the screen flicking and screen reconfiguration at user log on and returning from a locked Windows session. But to my dismay, I was still getting weird behaviours with my dual monitor displays at times, i.e. changing my laptop display to secondary or even blanking it out completely.

After many hours of troubleshooting and googling, I think I have finally nailed the other triggers for the automatic configuration of dual view displays of Vista to the following:

1) If you have your external monitor plugged in (it doesn't matter whether the monitor is on or not) when booting Vista, it will assume that the external monitor is your default display (i.e. Display 1) and your laptop display is secondary (i.e. Display 2).

2) If your external monitor is plugged in and Vista is running, closing the lid of your notebook will cause the display configuration to change the default display to external monitor (if it's not already default). Oh, and unfortunately, it's not smart enough to switch back when you open the lid the next time.

If you have fiddled with "Display Settings" under "Personalization", you will have realized that you can change the default monitor back by checking the "This is my main monitor" checkbox. However, the setting will not stick and the next time one of the above happens, your external monitor becomes the primary display again.

The permanent fix I have found so far is to change the setting in the native display control panel provided by the hardware manufacturer instead, i.e. if you have an NVidia graphics card, use the "NVidia Control Panel" applet. If you are using the Intel embedded graphics card, then use the "Intel Graphics Media Accelerator" applet.

Hopefully, this will be the last time I'm going to blog on this topic. *fingers crossed!*

Tuesday, July 15, 2008

Byebye SmartFTP... Hello FileZilla!

I have been a long time user of SmartFTP (a fast and feature-rich FTP client) and was grateful that it was free for personal use. However, as of 7th July (version 3.x and up), it is no longer being offered free for personal use and the software is time-bombed so that you cannot continue to use the free version. I would love to support them by buying a license but unfortunately, their $36.95 pricing is just a tad too much to pay for my very basic and ad-hoc FTP needs.

So out it goes and within five minutes, I found its replacement: the open source project FileZilla. Apparently this is a very capable FTP client and has won top honours from download sites such as cnet, softpedia and snapfiles. I did a quick tour and found it more than adequate for my needs (side-by-side local/remote view, drag-n-drop from explorer, site manager aka favourites list, concurrent uploads/downloads). Best of all, this is a sourceforge project so I can be pretty sure that I won't be getting any nasty surprises like its predecessor!

Sunday, July 13, 2008

Jarrett can climb stairs!

Check this out... our little boy can climb stairs even before he can walk!

Friday, July 11, 2008

Gsen - Auto-rotate ANY app in HTC Diamond!

The guys at SKKV (makers of the excellent SK Tools) have done it again. This time, they have released a new tool called Gsen which unlocks the hardware accelerometer for all applications running on the HTC Diamond! This means that you can now auto-rotate the screen layout of ANY application just by turning the device to the orientation you want. Rotate it to the left or right and even upside down! One other nifty feature that is included in the tool is that it can optionally turn off the device (or screen) when you flip the screen facing down. Best of all, this is currently released as freeware so grab it while it's hot! Check out the video demonstration below.

Tuesday, July 8, 2008

Understanding Defense in Depth

Some IT folks I speak with seem to think the phrase "Defence in Depth" in the IT context refers to how a computer network is segmented or zoned. For example, having demilitarized zones (DMZ) and secured zones, implemented via firewalls and routers, constitutes defence in depth.

Unfortunately, this is not entirely correct. The concept has a much larger scope than just network. Generally speaking, it refers to how one can use multiple methods at varying layers for a more comprehensive defence strategy. The layers (and corresponding methods) can be classified as follows:

  • Security Policies
  • Physical Security (e.g. dead bolt locks, biometrics)
  • Perimeter Security (e.g. Firewalls, Routers, VPN, RAS)
  • Network Security (e.g. IDS, IPS, Packet filters, IPSec)
  • Server Security (e.g. Antivirus software, access control at host levels)
  • Application Security (e.g. access control at app level)
  • Data Security (e.g. data encryption)

The good news is that in most circumstances, these folks are already using the strategy without knowing it, i.e. in a typical data center setup, you will have some form of security at each of the first five levels:

  • Some form of security policy governing access and use of your networks/servers/applications
  • Locked gates/doors in front of your data center building/room
  • Routers and Firewalls in front of your application servers
  • Intrusion detection/prevention systems monitoring the network traffic for abnormalities
  • Access control at the operating server level of the hardware boxes

For more information on this topic, you may want to check out Microsoft's Defense in depth security model in this series of webcasts.

Friday, July 4, 2008

Back in Istanbul again...

I'm back in Istanbul again for a 2-day workshop with our counterparts in Europe to discuss and confirm the architecture for Homepage Phase 2. This is a working level meeting and our main points of contact were Fabian and Fabrice from the GISS-E group.

For this trip, I am putting up at Conrad Istanbul instead of Radisson SAS (where I stayed previously) as it was full. Conrad is much bigger than Radisson in terms of hotel size and room size. The hotel is perched on top of a hill and offers a wonderful view of the city and the Bosphorus strait in most of the rooms (unfortunately not mine).

On the night of our arrival, our hosts took us out for dinner at an upmarket and classy joint called the Sunset Grill & Bar which is famous for its Japanese fusion cuisine (and sushi!) as well as its wine list. Apparently a popular dining destination with locals, I was told that this is the place to rub shoulders and mingle with the local celebrities and corporate head honchos.
As luck would have it, Simon and Frank (the top guys in Sony Europe, on the left towards the end of the row) were in town and joined us for the welcome dinner.

The restaurant is perched on the hills of Ulus and overlooks the Bosphorus. The view is spectacular in the day and even more so at night when the city lights up.

I finally get to try a Turkish wine this time round (Turkey wine exports are limited in quantity and I don't think I have ever seen one in Singapore before) and it was a 2004 Kayra Buzbağ Rezerv Öküzgözü-Boğazkere. The taste is refreshing and I enjoyed it very much. Needless to say, I had quite a few to drink as I savored the excellent T-bone steak and talked shop with the hosts till late into the night. Side note: It's usually times like this, in a casual setting outside the office with lots of booze, that you get to have frank and honest discussions on work topics!

Tuesday, July 1, 2008

Diamond TIP: Word completion annoyance

It is nice of HTC to add a couple of its own SIPs (i.e. Compact QWERTY, Full QWERTY and Phone Keypad) in the Diamond that even come with a word completion feature. But it isn't nice of them to do this at the expense of the built-in ones - have you noticed that the word completion feature in the built-in SIPs (like keyboard and block recognizer) now no longer works?

What ticks me off most is that the settings for word completion for these stock SIPs still exist in the options screen hence giving the false impression that it must be something I did which caused it not to work. (That's a -1 for you HTC)

After countless futile attempts at configuring whatever options I can find related to word completion, I gave up. Did a google on this problem (should have done this in the first place) and found the cause as well as the not-so-perfect fix for this. Why not-so-perfect? Because it's a case of one or the other; you can have word completion in either the HTC SIPs or the stock SIPs, but not both. (That's -2!)

Made your choice? If you are still keen on having word completion for the stock SIPs, follow the steps below:

IMPORTANT: be sure that HKLM\Software\Tegic\eT9\XT9SupportMSSip has a value of 0.

Change these two registry keys under:
HKLM\system\currentcontrolset\control\layouts\e 0010409
  • Value of Ime File from \windows\xt9ime.dll to \windows\compime.dll
  • Value of Layout Text from XT9 IME to COMP IME

And soft reset. To revert back, simply reverse the steps above.