<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-7557844718326912626</id><updated>2012-11-24T07:47:17.745-08:00</updated><title type="text">Oversighting</title><subtitle type="html">A blog about oversighted technologies.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.oversighting.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.oversighting.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default?start-index=26&amp;max-results=25" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>57</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/Oversighting" /><feedburner:info uri="oversighting" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" 
/><feedburner:emailServiceId>Oversighting</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-8164642733584961462</id><published>2012-07-25T15:54:00.001-07:00</published><updated>2012-07-25T15:54:11.648-07:00</updated><title type="text">Discontinued</title><content type="html">After 2 years, I'm convinced I will not get back to posting to this blog. Accordingly, Oversighting is now officially discontinued. I'm leaving the articles online as they might be useful for someone in the future, but won't post any more updates.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/8164642733584961462" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/8164642733584961462" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/jp-6JcKxLCI/discontinued.html" title="Discontinued" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2012/07/discontinued.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-5444283298777289298</id><published>2010-08-24T12:39:00.000-07:00</published><updated>2012-07-25T15:51:22.685-07:00</updated><title type="text">Online Mockup Solutions</title><content type="html">The more I delve into the world of quick development (be it a Metasploit plugin or a proof of concept website) the more I feel the need to be able to quickly sketch what's in my mind. 
&lt;br /&gt;Ok, this might have something to do with the fact that I try to delegate coding, but still, I'm always positive that &lt;a href="http://www.joelonsoftware.com/items/2009/09/23.html"&gt;shipping is a feature&lt;/a&gt;. Accordingly, being able to ship a design and sketch idea is better than nothing. Maybe there will be a social network one day for aborted designs and ideas...&lt;br /&gt;&lt;br /&gt;In the meantime, I've explored online solutions which let you build a sketch (or mockup, or wireframe). I've been focusing on tools to build web sites/web applications, not binary interfaces, able to work with Chrome under Linux (or Firefox, if needed). And no lengthy registrations or lame trials.&lt;br /&gt;&lt;br /&gt;So, here is my personal top 10 (9, ok) of mockup software&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.lumzy.com/"&gt;Lumzy&lt;/a&gt; is 100% free, and it only took me 10 seconds to sign up and be able to save projects. It can export in various formats, it is easy to share projects, has a big library of ready-made objects and even supports a basic scripting language which can make the mockup browsable and actionable!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://iplotz.com/"&gt;IPlotz&lt;/a&gt; takes a more integrated approach, providing very basic project management features which "real" designers will love. Anyway, even in its free mode where you only have one project it is as good as Lumzy&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.balsamiq.com/#"&gt;balsamiq.com&lt;/A&gt;, an Italian (!) startup provides very professional-looking mockups: unfortunately, they focus on the desktop version of their application. The web based editor would be superior to anything else, but it is apparent it is a demo and lacks features such as saving or sharing. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://pencil.evolus.vn/en-US/Home.aspx"&gt;Pencil project&lt;/A&gt; is a bit out of scope here: it requires a Firefox addon to be used in the browser: as such it is similar to a desktop application in the fact that it runs completely on the local machine. However, since it is embedded in the browser once it has been installed, I'm considering it here. Overall, the user experience is inferior when compared to the other solutions, even though I do appreciate the presence of various types of the same control: from a prototyping app I expect a lot of readymade components, otherwise I will just go for a standard "paintlike" software.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I appreciated &lt;a href="http://gomockingbird.com/mockingbird/"&gt;Mockingbird&lt;/a&gt; for its great library of icons and web-oriented stuff. However, it will be non-free starting from the 1st of September, and that puts it out of our competition.&lt;br /&gt;&lt;br /&gt;In my opinion &lt;a href="http://mockflow.com"&gt;MockFlow&lt;/a&gt; doesn't really add anything from a tool perspective. However, it is still worth mentioning thanks to its wonderful &lt;a href="http://www.mockflow.com/mockstore/"&gt;store&lt;/a&gt;! Great idea.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.foreui.com/"&gt;ForeUI&lt;/a&gt; also only has a demo online, and in Java too. Doesn't meet the requirements, just like &lt;a href="http://www.inpreso.com/inpresoscreens/demo/113605/"&gt;Inpreso&lt;/a&gt; which nags you with a billion popups even while you're testing it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://stage.fluidia.org/#"&gt;Fluidia&lt;/a&gt; looks promising but it's still in early alpha.&lt;br /&gt;&lt;br /&gt;So, what did I like the most? 
In the end, I went for iPlotz: the rest are presented in my personal ranking.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PS: obviously, for the color palette I went for &lt;a href="http://kuler.adobe.com/"&gt;Kuler&lt;/a&gt; !</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5444283298777289298" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5444283298777289298" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/gjCWriLfMoI/online-mockup-solutions.html" title="Online Mockup Solutions" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2010/08/online-mockup-solutions.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-1264309902730254079</id><published>2010-01-30T08:51:00.000-08:00</published><updated>2012-07-25T15:51:22.650-07:00</updated><title type="text">Unconfirmed technologies</title><content type="html">Sometimes you see a technology which looks like magic. Happens all the time in &lt;a href="http://blog.nibblesec.org/2010/01/modern-magicians.html"&gt;security&lt;/A&gt;, more often in IT, not so often in real world.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.steorn.com"&gt;Steorn&lt;/A&gt;, for instance, just demonstrated Orbo, its new free energy technology. Violating one of the core principles of (not so) modern science. However, the demo itself was nothing worth of note. It's the tiny, small quote at the end "next week, come and try: measure with your own equipment".&lt;br /&gt;&lt;br /&gt;The trick is not &lt;strong&gt;showing&lt;/strong&gt; some magic. 
It's having people actually use it. It's one of the oldest techniques in the world, and made fortunes in IT (remember? Shareware). Any product has to learn from that: put down the barrier, release "easy to try at home" products, have people see for themselves. A video won't do it, nor will a live demo. OpenSource developers (including me) should learn it.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/1264309902730254079" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/1264309902730254079" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/83neX9g3-t4/unconfirmed-technologies.html" title="Unconfirmed technologies" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2010/01/unconfirmed-technologies.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-752259806390163348</id><published>2010-01-13T11:02:00.000-08:00</published><updated>2012-07-25T15:51:22.693-07:00</updated><title type="text">You get what you pay for</title><content type="html">As you might know, since the news made its way to Slashdot, &lt;a href="http://rt.com/Top_News/2010-01-13/cctv-cameras-fraud-moscow.html#"&gt;Moscow cameras streamed false pictures for a while&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Citing from the article: &lt;br&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;i&gt;According to the contract with StroyMontageService, the Moscow government only paid for working cameras. 
Dumalkina said the company unreasonably received around one million dollars for the northeastern district alone.&lt;/i&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;This is a very well-known problem: if you measure performance of a given service (and pay according to performance) the way you choose to actually perform the measurement changes the service itself. If you measure the number of calls which get out from the call center, people will do a lot of very short and possibly useless calls... and so on.&lt;br /&gt;&lt;br /&gt;This is a very interesting point when applied to modern IT services. What are you going to measure? Availability of the application? Sure, a Cloud (citing an interesting, new topic) will give you more of that. But how are you measuring the tradeoff in security here?&lt;br /&gt;Are you taking into account know-how your administrators are not building for themselves, when you outsource?&lt;br /&gt;&lt;br /&gt;You get what you paid for: if you're just paying for your machines to be 100% available on a remote Cloud, that's exactly what you get. The more your infrastructure gets fuzzy - or "cloudy" - the less you know about it. The less you measure, the less you get (and hopefully pay, but that's not the point).&lt;br /&gt;&lt;br /&gt;But hey - I can hear you think - weren't you an advocate of virtualization and cloud-based-stuff? Sure I am, but I really do think that we have to understand what we're doing. We have not built, yet, any meaningful measure of virtual-cloud-fuzzy efficiency: what we do have is some vendor-biased and -piloted accounting methodology, if we're lucky.&lt;br /&gt;&lt;br /&gt;Think about what you're asking, what you're stating and what you're losing when you think about outsourcing. 
Maybe even virtualizing your hardware is outsourcing it in some way...</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/752259806390163348" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/752259806390163348" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/T557pxytYJQ/you-get-what-you-pay-for.html" title="You get what you pay for" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2010/01/you-get-what-you-pay-for.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-5781244377848586977</id><published>2009-11-03T00:24:00.000-08:00</published><updated>2012-07-25T15:51:22.686-07:00</updated><title type="text">Hyped technologies</title><content type="html">Infoworld just published a nice article (which got Slashdotted) about technologies which get too much hype when they were launched and failed to deliver what they promised.&lt;br /&gt;Since in this blog we try to speak about oversighted technologies - that is, technologies delivering far less than what they could - I think you will find this reading very interesting.&lt;br /&gt;You can find the article &lt;a href="http://www.infoworld.com/print/98248"&gt;here&lt;/a&gt;.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5781244377848586977" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5781244377848586977" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/Oversighting/~3/KGL4hT2OEvM/hyped-technologies.html" title="Hyped technologies" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2009/11/hyped-technologies.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-3855180243546109123</id><published>2009-09-27T18:43:00.000-07:00</published><updated>2012-07-25T15:51:22.674-07:00</updated><title type="text">Phones as a key to the cloud realm</title><content type="html">While everyone is busy discussing the &lt;a href="http://www.crunchgear.com/2009/09/26/the-coming-tablet-wars/"&gt;Tablet Wars&lt;/A&gt;, which will undoubtedly break out soon enough, I think we are approaching faster than ever what everyone already knows is the next step in computing.&lt;br /&gt;&lt;br /&gt;It's not far from what Microsoft named "Three Screens and a Cloud": the central hub, the Cloud, is the place where the data actually is. The user is able to access the data using either a PC, a TV or a Phone, either at home, work or in the metro.&lt;br /&gt;&lt;br /&gt;What the tablet wars (or the phone wars, for that matter) are trying to determine is "how" is the user going to access the data. The concept, however, is already being sold as something certain, regardless of &lt;a href="http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman"&gt;Stallman's opinions&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If we take it for granted, then what are the phones - or the PCs, or the TVs - good for? 
If we start reasoning in terms of anything as a service, it doesn't really matter if your phone or your pc has 1Gb or 512 Mbs of RAM, as long as it is able to stream you multimedia representations somebody computed somewhere. Try &lt;a href="http://www.onlive.com/"&gt;OnLive&lt;/a&gt; to get an exact idea of what I'm speaking about.&lt;br /&gt;&lt;br /&gt;This said, it seems to me this OS-Hardware war should transform itself into a form-factor war, which is most likely going to end up with some degree of flexibility for the mobile end (someone will prefer smaller factors, like phone, while someone will still like the larger screens laptops can offer and so on), and pervasive docking stations everywhere. Once you plug your phone into the dock you get access to a larger screen and to all your data and software in the cloud. Maybe your local-office cloud, maybe your personal cloud or maybe even some sort of "service provided customized cloud", it doesn't really matter.&lt;br /&gt;&lt;br /&gt;However, phones will still play a critical role as &lt;strong&gt;KEYS&lt;/strong&gt;. If we want to think about secure cloud computing we have to think about pervasive, high security encryption. Phones and other devices, then, will just become our personal wallets, storing access data we can unlock with a password which in turn will unlock all our cloud stored data. That is, until we start to actually use biometrics... 
but that's another post.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3855180243546109123" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3855180243546109123" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/qBSNJTcBQOE/gadgets-as-key.html" title="Phones as a key to the cloud realm" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2009/09/gadgets-as-key.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-4663952138639086847</id><published>2009-09-22T16:56:00.000-07:00</published><updated>2012-07-25T15:51:22.677-07:00</updated><title type="text">Virtual appliances forensics</title><content type="html">In the last months I've been most busy exploring virtualization security issues, </content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/4663952138639086847" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/4663952138639086847" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/2Ag8HwobyrA/virtual-appliances-forensics.html" title="Virtual appliances forensics" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" 
/></author><feedburner:origLink>http://www.oversighting.com/2009/09/virtual-appliances-forensics.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-3376772299034665523</id><published>2009-09-22T16:25:00.000-07:00</published><updated>2012-07-25T15:51:22.670-07:00</updated><title type="text">Classy SMB Wireless hotspots</title><content type="html">I recently got a request for advice about building a wireless hotspot for a luxury cafeteria. The Pisano law in Italy enforces a set of rules on public shops providing free internet access, such as customer identification (through ID) and access logging. Like it or not, this poses some challenges to the standard "Open WiFi" configuration you usually see around the world in such places.&lt;br /&gt;&lt;br /&gt;In an enterprise environment, the solution would be to implement a proper Wi-Fi access infrastructure with a partial self-service procedure to enroll, get the certificate and thus create usernames and access logging. However, such a procedure is not really viable in a single shop. A luxury place, however, requires any solution to be easy to use for the customers and somehow classy: no on-demand generation of keys, no ugly panels and so on.&lt;br /&gt;&lt;br /&gt;I googled around, and found &lt;a href="http://www.winext.eu/cms/index.php?IDLanguage=1&amp;IDMenu=204&amp;URI=inner.php"&gt;some&lt;/a&gt; &lt;a href="http://www.sohoware.com/sub_applications_hotel.htm"&gt;commercial&lt;/a&gt; &lt;a href="http://www.hotspotsystem.com/"&gt;solutions&lt;/a&gt; to the issue, each one proposing some sort of &lt;a href="http://en.wikipedia.org/wiki/Captive_portal"&gt;Captive Portal&lt;/A&gt; and monitoring solution. 
While I've not performed any comparative analysis of the commercial solutions, there was really nothing which made me "go wow", or that is really missing from the opensource solutions I will describe in a moment.&lt;br /&gt;&lt;br /&gt;Why OS solutions for any high-level environment, you might ask. For one, customization.&lt;br /&gt;There's only so much you can do with closed-source, commercial software, without great economic effort. However, since we are sensible administrators and managers, we want something we don't have to tweak, something which "just works". And it seems there are a lot of free, working alternatives in the market.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.zeroshell.net"&gt;ZeroShell&lt;/A&gt; is the first to come to mind, perfectly capable of doing everything we need. My friend Luca Carettoni performed some auditing on the platform some time ago, discovering some bugs which were promptly patched: this is not a life insurance, but it means that the level of security is at least able to pass a "free audit", which is more than most commercial solutions can guarantee.&lt;br /&gt;&lt;a href="http://www.chillispot.info/"&gt;Chillispot&lt;/a&gt; is another well known player of this market sector: it is able to run on any standard server, providing integration with a RADIUS server - however, the project is now dead and its most likely successor is &lt;a href="http://www.coova.org/"&gt;Coova&lt;/a&gt;. Coova's aim is to create a firmware (based on OpenWRT) for a number of devices, which includes a web based panel and a powerful captive portal. Documentation is not as complete as it could be, but the project has an active community and can be tested in a few minutes.&lt;br /&gt;&lt;br /&gt;In the end, my pick was: start from either ZeroShell or Coova, and customize the captive portal interface and user management panel. Enrollment is "manual", since customers have to present their ID. 
Once their user has been created, it can be reactivated by logging in to the captive portal on future dates. In the end, the entire project would cost less than 200 EUR in hardware and a couple of days to configure and set up. &lt;br /&gt;The results? A stable, completely custom - and most likely secure - hotspot.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Update&lt;/strong&gt;: I've just come across &lt;a href="http://www.sputnik.com/"&gt;Sputnik&lt;/a&gt; and the project seems to be vastly superior compared to the competitors!</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3376772299034665523" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3376772299034665523" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/RqQgfsvj4UQ/classy-smb-wireless-hotspots.html" title="Classy SMB Wireless hotspots" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2009/09/classy-smb-wireless-hotspots.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-3000972862827245879</id><published>2009-08-28T07:38:00.001-07:00</published><updated>2012-07-25T15:51:22.668-07:00</updated><title type="text">How to choose a web application</title><content type="html">More and more often, friends and colleagues are asking me "Which CMS should I use?" or "What is the best document manager/webmail/twitter clone?".&lt;br /&gt;In the end, my answers always follow the same patterns, so here are my tips on choosing the right web application. 
What should you evaluate when you choose a web application?&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Features&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;I know, the KISS (Keep It Simple, Stupid) unix paradigm would suggest to have a web application which only does a single task - a best of breed, if you wish. However, while we do have software management tools in Windows or Linux which can somehow keep application proliferation at bay, we don't have such tools when it comes to web applications. Managing 5 or 6 web applications is a real burden when compared to handling just one: updates, dependencies and so on, everything (or almost everything) has to be managed by hand. And don't even get me started with application servers. So, definitely go for &lt;bold&gt;more features&lt;/bold&gt; than you even need. Just watch out for the &lt;i&gt;Notepad effect&lt;/i&gt;: while Notepad can edit ANY document and an XML editor will only edit XML documents, you should use it anyway...&lt;br&gt;&lt;br /&gt;You should not stop at data sheets or feature lists: install the product if you can, or try it on a virtual machine (most vendors are now shipping demo virtual appliances) and try to build up an idea of the &lt;strong&gt;actual&lt;/strong&gt; features. There's always some gap between what's on paper and what's in the code!&lt;br /&gt;&lt;/P&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Community&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;A strong community is really a must have for any web based product, no matter if it is open or closed source. In the opensource world, having a strong community means the product is unlikely to die out, while for proprietary apps it means you will have more than just the official documentation.&lt;br&gt;&lt;br /&gt;A community also means &lt;strong&gt;addons and plugins&lt;/strong&gt; which almost any modern web product will support. 
Just watch out, because you should evaluate addons one by one in the same way you evaluate your application.&lt;br&gt;&lt;br /&gt;Browse the forums, noting the date of the last posts, try to find active sites or blogs about the products and take note of who's using it. Do not trust the "BigCompanyX is using our product" claims, since especially in opensource software, given a large enough company any software is bound to be used in some department.&lt;br /&gt;&lt;/P&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Security&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;P&gt;&lt;br /&gt;Security is always an issue when it comes to web applications. You should check the application history (try a Google query like "YOUR.APP.HERE exploit" or "YOUR.APP.HERE security advisory") to get a rough idea of how many issues the application had in the past. Note that no issue is maybe even worse than a lot of issues: it likely means that no independent reviewer ever took a look at the application...&lt;br&gt;&lt;br /&gt;Take care, when you assess a CMS: you will find a lot of security issues on external or third party components, and it's often hard to tell if they are there due to the lack of security of the component or of the platform itself.&lt;br&gt;&lt;br /&gt;Nonetheless, a OneBugAMonth history is definitely a warning sign.&lt;br&gt;&lt;br /&gt;&lt;/P&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Vision and people&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;P&gt;&lt;br /&gt;This is very important when it comes to large projects, like Content Management Systems. Where is the software going? What will the company do with it? This is the hardest part to judge, since you will most likely not have any resource. My advice: go for the people. 
Search the web for the coders, take a look at their &lt;a href="http://www.tweeter.com"&gt;tweeter&lt;/a&gt; accounts and their other projects, if any.&lt;br&gt;&lt;br /&gt;Should you need a way to retrieve some email address, try &lt;a href="http://www.informatica64.com/DownloadFOCA/"&gt;FOCA&lt;/A&gt;: it will automatically fetch email addresses from any document on the company's website.&lt;br /&gt;&lt;/P&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Standards and integration&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Look for proper standards. "We're using Java so we are standard" is one of the most widely heard claims, and doesn't make any sense. Look for actual interoperability: open source code, web services, open and well documented data formats.&lt;br&gt;&lt;br /&gt;Even the most well guarded, proprietary application can have well documented standards, saving everything in XML and thus being much easier to integrate in your environment. Remember &lt;a href="/2007/12/opening-up-open-source.html"&gt; integration is a must&lt;/A&gt;.&lt;br /&gt;&lt;/P&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Requirements&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Last but not least, look at the requirements and the technology the solution has been built around. Deploying a &lt;a href="http://www.zope.org/"&gt;Zope&lt;/A&gt; based solution today might not be a great idea from a strategic perspective, no matter how much I like Zope. On the other hand, using a technology you're completely unfamiliar with can slow down deployment and make management much more difficult. 
This said, you should reiterate the analysis on the underlying component as well: maybe the application will require Tomcat, maybe Oracle Application Server.&lt;br&gt;&lt;br /&gt;It really &lt;strong&gt;does&lt;/strong&gt; make a difference: choose the wrong technology and you will end up in a cul-de-sac in no time.&lt;br /&gt;&lt;/P&gt;&lt;br /&gt;&lt;/ol&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3000972862827245879" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3000972862827245879" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/xAIuF6g1x1A/how-to-choose-web-application.html" title="How to choose a web application" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2009/08/how-to-choose-web-application.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-19537909338381442</id><published>2009-08-24T06:43:00.000-07:00</published><updated>2012-07-25T15:51:22.655-07:00</updated><title type="text">The web is in realtime</title><content type="html">You know a technology has really become upstream when you see client-side attacks to that technology. 
&lt;br /&gt;&lt;br /&gt;That's exactly what's happening with real-time information flows: even &lt;a href="http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/"&gt;black hat hackers&lt;/a&gt; are using real time technologies.&lt;br /&gt;&lt;br /&gt;While the most well known real time application out there on the internet is &lt;a href="http://www.twitter.com"&gt;Twitter&lt;/a&gt;, as you most certainly know by now, it's not just Twitter anymore. Users are becoming more and more adept at retrieving data in real time and are actively starting to look for it. Even search giants like Google are getting more and more "real time" search results in their results-set. &lt;br /&gt;&lt;br /&gt;However, this comes at a price: real time information is nowhere near as accurate and as deep as "old school" batch produced information. You cannot post an in-depth review on Twitter, so you're most likely going to just write "it works" or "it sucks" and that's it. This is not the sort of clean information organizations want to provide their users. However, and that's exactly the key to understanding what's happening on the web, they are &lt;strong&gt;forced&lt;/strong&gt; to do so. Users work and think in real time; your customers are using a real-time web, and you must do so as well, like it or not.&lt;br /&gt;&lt;br /&gt;The "real-time revolution" is not a technological one. We've had forums and bulletin boards even before the internet as we know it now was born. However, it is a strong change of paradigm: users are now all of a sudden looking for those "contact me in real-time" boxes, they are asking questions expecting answers in real time. Email is just too slow for that.&lt;br /&gt;At the same time, once you write something you've written it, you can't just deny it. So, we're facing a world where you (as a company representative) are expected to answer fast and do so correctly.&lt;br /&gt;&lt;br /&gt;This, I think, is one of the most important issues. 
To react, in a world where "when" is always "now", you have to be faster than yesterday, and the first thing you have to cut is decision time. Have the managers, the ones who can actually make a statement, interact with the web in real-time.&lt;br /&gt;&lt;br /&gt;Need good training on the whole real-time stuff? Maybe you should seriously ask your organization whether you understand what's going on on the internet or not. However, you can start by trying &lt;a href="http://www.yammer.com"&gt;Yammer&lt;/A&gt; and see that (not if) it makes a difference.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/19537909338381442" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/19537909338381442" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/OkDstfrT9jw/web-is-in-realtime.html" title="The web is in realtime" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2009/08/web-is-in-realtime.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-8432085397787245996</id><published>2008-09-03T03:37:00.000-07:00</published><updated>2012-07-25T15:51:22.700-07:00</updated><title type="text">A lesson from Chrome</title><content type="html">As you will surely know by now, Google launched its own browser, &lt;a href="http://www.google.com/chrome/"&gt;Chrome&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I won't discuss how it is only available on Windows (guys, most people see you as a "Microsoft alternative", wake up!) 
or if it makes sense or not to have another browser.&lt;br /&gt;I'd like to elaborate a little on a very nice &lt;a href="http://www.techcrunch.com/2008/09/03/google-chrome-not-so-lively/"&gt;article on TechCrunch&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Chrome does not support &lt;a href="http://www.lively.com"&gt;Lively&lt;/a&gt; (remember? Google's Second Life). Google Analytics does not know about Chrome. &lt;br /&gt;If you search for Chrome on Google you don't get it as the first result (ok, we know it's Google's policy, but still...).&lt;br /&gt;&lt;br /&gt;There's something we should learn from that. We have a huge company, building dozens of products at the same time, but we can see similar things happening in smaller companies with just half a dozen products. It's about development awareness: what's the rest of the company doing? How will my new software integrate with what we already have?&lt;br /&gt;&lt;br /&gt;You cannot afford to have a "standalone solution which is somehow integrated with the rest but still" - well, unless you're Google of course. It's exactly what just happened to Google, and what keeps happening every time new software is launched.&lt;br /&gt;&lt;br /&gt;You're not developing for the mainframe anymore! Start thinking about the environment. 
Build your external API before even finishing your GUI, think about integration &lt;strong&gt;before&lt;/strong&gt; completion.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/8432085397787245996" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/8432085397787245996" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/uGDc4yLJmkY/lesson-from-chrome.html" title="A lesson from Chrome" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/09/lesson-from-chrome.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-8128128279973794807</id><published>2008-08-24T13:27:00.000-07:00</published><updated>2012-07-25T15:51:22.699-07:00</updated><title type="text">Trojanize yourself for deniability</title><content type="html">I know this has been discussed a thousand times before (since &lt;a href="http://news.cnet.com/U.K.-teen-acquitted-with-Trojan-defense/2100-7349_3-5092781.html"&gt;2003&lt;/A&gt; at least!), but a recent assignment has made me think again about this. Let's just presume you're on a forensic task, and you're surfing through the suspect's computer. You end up finding the contents you were looking for, but meanwhile you start the routine antivirus scan. Ding, you hit a well known trojan. 
&lt;br /&gt;&lt;br /&gt;It's password protected, and was obviously installed before the data you were looking for were downloaded.&lt;br /&gt;You dig deeper, and discover the trojan will actually start at boot and be exposed to the internet.&lt;br /&gt;&lt;br /&gt;That's it, the suspect has not lowered their security level during normal operations - assuming the trojan is actually safe and the password was hard enough to guess - and you are left wondering who has actually put that data in place. How can you tell it wasn't the remote aggressor controlling the suspect's computer?&lt;br /&gt;&lt;br /&gt;Sure, you can try to retrieve some more data to uncover the truth, but carefully leveraging this trivial issue (think about actually giving it encrypted commands from time to time using a different account to confuse even a 100% sniffed wiretap) is enough to obtain &lt;a href="http://en.wikipedia.org/wiki/Plausible_deniability"&gt;plausible deniability&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It seems too easy: I'll keep thinking about that, but any idea is really</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/8128128279973794807" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/8128128279973794807" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/AiOmD0UidgU/trojanize-yourself-for-deniability.html" title="Trojanize yourself for deniability" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" 
/></author><feedburner:origLink>http://www.oversighting.com/2008/08/trojanize-yourself-for-deniability.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-1275175482033728716</id><published>2008-08-04T09:15:00.000-07:00</published><updated>2012-07-25T15:51:22.653-07:00</updated><title type="text">Understanding High Availability</title><content type="html">I've just finished a course on High Availability, more of an overview of different HA technologies on various platforms.&lt;br /&gt;What I have noticed is that it is really, really hard to make people understand that you cannot plan high availability as a "one night affair". Most organizations have their border routers under &lt;a href="http://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol"&gt;VRRP&lt;/a&gt;, and their Oracle database running on an application cluster, and yet they seldom have layer 2 redundancy (the "oh my god, a loop! kill it, kill it!" syndrome) or any redundancy on "less-important" systems.&lt;br /&gt;&lt;br /&gt;Like an old friend said, "if it's worth having it, it's worth having it all the time". With the new virtualization techniques available there's really no excuse for not achieving HA on most of your infrastructure.&lt;br /&gt;&lt;br /&gt;Need an easy to manage yet featureful HA firewall? Go for &lt;a href="http://www.pfsense.com/"&gt;pfSense&lt;/a&gt;. You can name almost any software, an HA solution is there for free or for the time you need to build it: if it's running on Linux, then you have &lt;a href="http://www.drbd.org/"&gt;DRBD&lt;/a&gt; (150-160Mb on two bonded NICs) and Heartbeat and many others, if it's under Windows you have tons of choices - not to forget a scheduled VMware converter run, which might not be HA but is still far more than most organizations actually have.&lt;br /&gt;&lt;br /&gt;One of our clients had a hardware failure last Friday, which resulted in a complete halt of business for the weekend. 
Hard to tell how much damage was actually done, but does it make any sense to work in such a way when HA solutions are so cheap?&lt;br /&gt;&lt;br /&gt;Yes, you need skills to do HA. But what we don't need anymore in our business is IT people without skills: we already have far too many.&lt;br /&gt;&lt;br /&gt;PS: As you might or might not have noticed, this is the first post in a lifetime. Long story short, more posts will come from now on ;)</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/1275175482033728716" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/1275175482033728716" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/JZbnPbSUaTM/understanding-high-availability.html" title="Understanding High Availability" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/08/understanding-high-availability.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-6948734372464451096</id><published>2008-04-12T01:37:00.000-07:00</published><updated>2012-07-25T15:51:22.691-07:00</updated><title type="text">Location aware social networks</title><content type="html">Yet another step in the direction of tight realworld-internet integration: the number of startups proposing cell-phone based location aware software is skyrocketing. 
We've already discussed &lt;a href="http://oversighting.com/2008/02/linkedin-goes-mobile.html"&gt;LinkedIn going mobile&lt;/a&gt; and the current problems of &lt;a href="http://oversighting.com/2007/12/android-and-business-cards.html"&gt;actually using cellphones to do social networking&lt;/a&gt;, but now the market is getting crowded.&lt;br /&gt;&lt;br /&gt;The most straightforward use of such a network, and probably the one with the best ROI as of today, is the "Mobile dating" slice. &lt;a href="http://www.meetmoi.com/"&gt;MeetMoi&lt;/a&gt; and &lt;a href="http://limejuice.hyphen-8.com/singleserving/main-static.html#_flirt_summary_page_"&gt;limejuice&lt;/a&gt; are doing it right now, but more will surely join in the future.&lt;br /&gt;&lt;br /&gt;While some other startups are taking a "one network fits all" approach, like &lt;a href="http://www.mobiluck.com/"&gt;MobiLuck&lt;/a&gt;, &lt;a href="http://www.imity.com/"&gt;Imity&lt;/a&gt;, &lt;a href="http://www.aka-aki.com/"&gt;aka-aki&lt;/a&gt;, often using a bluetooth powered engine to detect nearby users or leveraging GPS (like &lt;a href="https://loopt.com/loopt/sess/index.aspx"&gt;Loopt&lt;/a&gt;), there is room for more specialized networks.&lt;br /&gt;&lt;br /&gt;Think about a gaming platform, think about hobbyists who seldom meet each other and so on. 
While a clone of Facebook would likely result in a huge mess in any city as soon as it reaches critical mass, a focused application only connecting certain kinds of people could do the job: meeting even one new person into the "70s-singers-wearing-only-black-shirts-from-Losanna" fanclub could easily &lt;br /&gt;&lt;br /&gt;Meanwhile &lt;a href="http://www.techcrunch.com/2008/04/09/i-saw-the-future-of-social-networking-the-other-day/"&gt;the first iPhone powered social network is almost ready&lt;/a&gt;.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/6948734372464451096" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/6948734372464451096" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/tARPE_Veu90/location-aware-social-networks.html" title="Location aware social networks" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/04/location-aware-social-networks.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-5128742552449155395</id><published>2008-04-06T08:55:00.000-07:00</published><updated>2012-07-25T15:51:22.682-07:00</updated><title type="text">Monitoring Software</title><content type="html">Zabbix Nagios &amp; Zeus</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5128742552449155395" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5128742552449155395" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/Oversighting/~3/6p0JRhRb6cw/monitoring-software.html" title="Monitoring Software" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/04/monitoring-software.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-2283743485926538555</id><published>2008-04-03T17:39:00.000-07:00</published><updated>2012-07-25T15:51:22.667-07:00</updated><title type="text">Memory overcommitting and virtualization</title><content type="html">During March the virtualization scene, or at least the most technical part of it, &lt;a href="http://blogs.vmware.com/virtualreality/2008/03/memory-overcomm.html"&gt;discussed memory management&lt;/a&gt;. What does it mean? &lt;br /&gt;&lt;br /&gt;Imagine you are going out for a picnic with 10 friends. You could choose 3 cars or a small bus. You go for the bus so you can save a little on fuel, just like you could install 10 virtual machines on a single hardware server and save power. So far so good: but now, let's take the metaphor further: since you are going to have a picnic, you need some tools, like a barbecue, a blanket, a basket and so on. Once again, you could have one item for each person, or you could share it. In virtualization, this is called page sharing: virtual machines share memory pages with the same contents. &lt;br /&gt;&lt;br /&gt;Page sharing is a (big) part of memory overcommitting in virtual environments. The next part is the balloon driver. Imagine you have to take your coat off in your car: you take a little more space on the backseats and your friend tries to get out of the way, since he's not doing anything important. 
The same goes for the balloon logic: if a virtual machine is not actually using the RAM it was allowed to use, it gets "preempted" and memory is assigned to another machine.&lt;br /&gt;&lt;br /&gt;VMware, in an attempt to show how its own overcommitting is far better than the rest (say, for instance, XEN's) has shown us some tests where various instances of Windows are running various applications. &lt;a href="http://www.virtualization.info/2008/03/real-value-of-esx-server-memory.html"&gt;Virtualization.info&lt;/a&gt; covered the story as well. &lt;br /&gt;&lt;br /&gt;So, why am I writing about that? Well, as always with tests, we have to think about them, otherwise we just overlook their real meaning. Repeat after me: overcommitting has to be tested in &lt;strong&gt;my&lt;/strong&gt; environment before I can judge it and do proper capacity planning.&lt;br /&gt;Why? 178 virtual machines all running up-to-date Windows and (almost) the same services will leverage page sharing! And a lot of it, I shall add. So you cannot really do capacity planning considering memory overcommitting if you, like 90% of the companies I know (and that's a lot), run different operating systems, applications and so on. &lt;br /&gt;&lt;br /&gt;We could wonder why VMware is not showing some tests with different OSes and services... 
and by now you can probably answer this question yourself.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/2283743485926538555" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/2283743485926538555" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/OXFnoCz5L9I/memory-overcommitting-and.html" title="Memory overcommitting and virtualization" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/04/memory-overcommitting-and.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-957428560579504704</id><published>2008-03-18T17:25:00.001-07:00</published><updated>2012-07-25T15:51:22.701-07:00</updated><title type="text">why linux?</title><content type="html" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/957428560579504704" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/957428560579504704" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/LV_-_2vYuWA/why-linux.html" title="why linux?" 
/><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/why-linux.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-2120612316411788778</id><published>2008-03-18T06:46:00.001-07:00</published><updated>2012-07-25T15:51:22.659-07:00</updated><title type="text">Multimonitor</title><content type="html" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/2120612316411788778" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/2120612316411788778" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/QVRO6DTB67w/multimonitor.html" title="Multimonitor" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/multimonitor.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-4343089570807774384</id><published>2008-03-11T03:08:00.001-07:00</published><updated>2012-07-25T15:51:22.676-07:00</updated><title type="text">The best online CRM, intro</title><content type="html">A &lt;a href="http://en.wikipedia.org/wiki/Customer_relationship_management"&gt;CRM&lt;/a&gt; software (where CRM stands for Customer Relationship Management) is one of the central software packages of any business.&lt;br /&gt;What we once did from memory alone and "the human touch", today we do by using very 
very complex software (actually CRM is a strategic approach, but nowadays when we say CRM we mean just the software). Web oriented CRMs are growing bigger and bigger: their ubiquity, low total cost of ownership and all the usual pros associated with web applications are very important factors when choosing a new CRM.&lt;br /&gt;&lt;br /&gt;A lot of free or low-cost CRMs surface every day, and some are gaining a good degree of popularity. In these articles, I will discuss some of the most used CRMs, examining both the technical and the business facts, from the perspectives of &lt;strong&gt;both&lt;/strong&gt; an SMB and a Freelancer.&lt;br /&gt;&lt;br /&gt;The first one will be the VTiger / SugarCRM pair, coming tomorrow.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/4343089570807774384" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/4343089570807774384" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/t9boB6Y989Q/best-online-crm-intro.html" title="The best online CRM, intro" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/best-online-crm-intro.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-110299815073924172</id><published>2008-03-07T16:05:00.000-08:00</published><updated>2012-07-25T15:51:22.648-07:00</updated><title type="text">Can you trust a replicant? Virtualization and model checking</title><content type="html">Nowadays it's almost impossible to be in the IT business and not be involved somehow with virtualization. 
Snapshots and complete control over a machine are able to speed up development and testing by orders of magnitude and are invaluable tools in the hands of sysops and developers alike.&lt;br /&gt;Tonight I've come across &lt;a href="http://www.virtutech.com/"&gt;Virtutech&lt;/a&gt;, a company doing emulation of various hardware platforms. Using their words, they do &lt;i&gt;virtualized software development&lt;/i&gt;.&lt;br /&gt;Their products had me asking myself a question: can we really trust virtualized environments as being significant for our tests?&lt;br /&gt;Last week I had a discussion with a colleague about building an exploit-testing machine where we should run new exploits, a simple sandbox for our lab. My colleague was arguing that using a virtualized solution could have a significant impact on tests involving direct access to memory at ring 0. I've not been able to find an answer to this argument (feel free to comment if you did) since technical insights on these details are somewhat lacking.&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Model_checking"&gt;Model checking&lt;/a&gt; is a difficult discipline, seldom used in the real world. Virtutech's solution seems to be based on &lt;a href="https://www.simics.net/"&gt;SimICS&lt;/a&gt;, a virtualization platform originally from &lt;a href="http://www.sics.se/"&gt;SICS&lt;/a&gt;. SimICS has been around since 1995 as a full platform emulation aimed at virtualizing embedded systems, and as such seems to be a rather reliable solution: inside its framework hardware vendors have to develop an emulation layer representing their hardware (a &lt;i&gt;virtual platform&lt;/i&gt;).&lt;br /&gt;One could ask how &lt;strong&gt;reliable&lt;/strong&gt; the framework is, and how reliable the &lt;i&gt;virtual platforms&lt;/i&gt; actually are. From Virtutech's website:&lt;br /&gt;&lt;blockquote&gt;It is important to note that a Simics Virtual Platform is a representation of the physical board/system.  
Virtutech does not warrant that all aspects of the physical hardware have been modeled.  Consult the documentation accompanying the Virtual Platform for additional details regarding actual implementation.&lt;/blockquote&gt;&lt;br /&gt;That is: you cannot trust the platforms, and we're speaking about rather simple environments when compared to full x86 server systems.&lt;br /&gt;So, the question is: can we &lt;strong&gt;really&lt;/strong&gt; trust virtualization from a formal, rigorous viewpoint?&lt;br /&gt;Would you trust a life-support machine tested only on virtualized hardware, to cut time to market?</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/110299815073924172" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/110299815073924172" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/aVKkaMOlf5Q/can-you-trust-replicant-virtualization.html" title="Can you trust a replicant? Virtualization and model checking" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/can-you-trust-replicant-virtualization.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-20387912844706326</id><published>2008-03-06T11:09:00.000-08:00</published><updated>2012-07-25T15:51:22.657-07:00</updated><title type="text">iPhone SDK is available, enter the App Store</title><content type="html">Hats off, this time. 
&lt;a href="http://www.engadget.com/2008/03/06/live-from-apples-iphone-press-conference/"&gt;Engadget&lt;/a&gt; has blogged in real time for the whole day from the iPhone SDK press conference. The results?&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Exchange on the iPhone. That's it, Microsoft has built direct access to the Exchange server, bypassing the good old ActiveSync. I see trouble coming from this behaviour, very Apple-style, but time will tell. For now, it's a good thing.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The SDK. This is &lt;strong&gt;the&lt;/strong&gt; news. Apple got the hint and released the complete SDK from Cocoa up. We'll see how open it really is (unlike what happened &lt;a href="http://oversighting.com/2008/03/can-we-eat-apple.html"&gt;in the past&lt;/a&gt;). That's what community pressure is all about. Is that all, folks?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Enter &lt;strong&gt;App Store&lt;/strong&gt;. I guess you all know iTunes. Ok, same idea but for applications. No charge for free applications, 30% of customer price for commercial apps, without any hint of entry fees. That's Apple for you: you don't just build a community, you start something bigger able to generate huge revenues. &lt;br /&gt;I'm suspending further judgment until I can actually see the thing running, but feel free to comment: will App Store be able to change the way we use software on mobile devices? Consider this: in Italy the entertainment contents market on mobile phones is greater than the good old music-on-cdrom market. Why? 
For many reasons, but</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/20387912844706326" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/20387912844706326" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/ztgduGsfLqw/iphone-sdk-is-available-enter-app-store.html" title="iPhone SDK is available, enter the App Store" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/iphone-sdk-is-available-enter-app-store.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-7935868022114405220</id><published>2008-03-06T01:04:00.000-08:00</published><updated>2012-07-25T15:51:22.696-07:00</updated><title type="text">Cisco and KVM</title><content type="html">&lt;a href="http://www.virtualization.info/2008/03/cisco-puts-kvm-in-its-ios.html"&gt;Virtualization.info published yesterday &lt;/a&gt; some breaking news: Cisco will use KVM on its brand new &lt;a href="http://www.cisco.com/en/US/products/ps9343/index.html"&gt;ASR 1000 router&lt;/a&gt;.&lt;br /&gt;KVM is a virtualization technology included in &lt;a href="http://www.virtualization.info/2007/02/linux-kernel-2620-ships-kvm-and-para.html"&gt;modern Linux kernels&lt;/a&gt;: it is the virtualization platform supported by &lt;a href="https://help.ubuntu.com/community/KVM"&gt;Ubuntu&lt;/a&gt; and ready to replace XEN in most opensource environments as soon as it reaches enough stability and usability (and possibly a user interface).&lt;br /&gt;The ASR 1000 is Cisco's highest end router, costing around 35k US$, and it's the first Cisco 
router using Linux instead of the proprietary IOS. The ASR 1000 will leverage KVM to provide operating system redundancy without any dedicated hardware.&lt;br /&gt;While Cisco has invested in VMware in the past, and they are collaborating on the VFrame technology, the message is clear: there's no space in embedded, low-footprint virtualization for VMware anymore. The possibility to fine tune the operating system to its maximum and the source code availability of KVM offer unmatched advantages in such challenging high-performance environments as routers and embedded devices.&lt;br /&gt;We can easily expect to see more and more virtualization embedded in appliances and hardware devices: what about an antivirus box able to trace the stack of malware by running it in a virtual box, instead of the</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/7935868022114405220" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/7935868022114405220" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/uqgW-1cStzY/cisco-and-kvm.html" title="Cisco and KVM" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/cisco-and-kvm.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-477181880839660042</id><published>2008-03-02T04:13:00.000-08:00</published><updated>2012-07-25T15:51:22.680-07:00</updated><title type="text">Web 2.0 IDEs</title><content type="html">How should we develop for the Web 2.0? 
That's an interesting question: as of today we lack &lt;strong&gt;methodologies&lt;/strong&gt;, &lt;strong&gt;testing tools&lt;/strong&gt; and &lt;strong&gt;a proper development environment&lt;/strong&gt; for the web. That's it, once you see through the smoke: while any C developer can start coding and debugging in less than an hour from a clean system, most PHP developers are still stuck with &lt;i&gt;echo&lt;/i&gt; and similar "debug stuff" from the 70s. If you look at Java, things get only slightly better: while you can have debugging for some parts of the code, the ecosystem around J2EE is so crowded it's almost impossible to have proper methodologies.&lt;br /&gt;But the real nightmare is the frontend. I know CSS/JS gurus coding with Emacs! While Emacs is a very nice operating system, it's unbelievable there's nothing better out there.&lt;br /&gt;The idea of this post came from the recently announced release of the new version of &lt;a href="http://www.wavemaker.com/"&gt;WaveMaker visual studio&lt;/a&gt;, a "drag and drop" IDE for Ajax powered websites.&lt;br /&gt;The arena of web 2.0 IDEs is full of competitors. Mind you, I will only name a few but feel free to drop me a comment if you know some more. I will do a little mixing between Ajax/Client oriented IDEs and IDEs supporting server side languages, but that's exactly the point: in the new Web 2.0 we need to use both! 
What's more, most IDEs are not just being, well, IDEs, but they're supporting their own framework with proprietary libraries, different standards and so on.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.aptana.com/"&gt;Aptana&lt;/a&gt; is one of the best IDEs around, featuring an &lt;i&gt;Ajax powered&lt;/i&gt; web server and supporting AIR too (&lt;a href="http://www.techcrunch.com/2008/02/26/adobe-air-vs-microsoft-silverlight-its-all-about-numbers/"&gt; AIR vs Silverlight&lt;/a&gt; anyone?). Aptana is targeting PHP and ROR, two of the most popular languages on the internet, but... surprise, no support for PHP debugging, only JavaScript. So even with the advanced Aptana you're cast back to the stone age of echo $debug&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://echo.nextapp.com/site/echo2"&gt;Echo2&lt;/a&gt; is a framework/IDE aimed at Ajax and Rich Client development. It's obviously Java-based, and provides a nice and easy environment for the developer. I can't help but feel a "blackbox" look around echo-based applications.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://qooxdoo.org/about"&gt;qooxdoo&lt;/a&gt; is a complete framework for Ajax: it does not require any knowledge of HTML, CSS or whatever, being a huge juggernaut with its own libraries and a development environment completely masquerading the underlying structure. Server side, it supports PHP, Perl and Java. Did I mention there's no debugging?&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.morfik.com/"&gt;Morfik WebOS AppsBuilder&lt;/a&gt; is another complete framework for Ajax, featuring a visual environment for page building and browser side debugging via FireBug. And when I say complete I mean it: Morfik is a complete RAD tool, so you are either going to love it or hate it.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.eclipse.org/pdt/index.php"&gt;Eclipse PDT project&lt;/a&gt; is an Eclipse plugin powering the development of PHP code. 
It's still not very mature, but will eventually support complete debugging (it does, actually, by now, but it's a little tricky to set up) and it's my IDE of choice, by the way.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://rubyeclipse.sourceforge.net/"&gt;RDT&lt;/a&gt; is a complete Eclipse plugin for Ruby On Rails development. Nothing to say here, it's probably the IDE of choice of most Ruby developers.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.zend.com/en/products/studio/"&gt;Zend Studio&lt;/a&gt; should be a bigger player. It's Eclipse based now, supporting unit testing (finally!) and proper debugging. But yet, its relatively high price is a huge stop for buyers: most PHP guys nowadays were coding alone yesterday and could not afford Studio. The result is that they don't need it now, and they probably won't tomorrow. Bad move, Zend.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.netbeans.org/kb/60/ruby/"&gt;Netbeans&lt;/a&gt; has surprisingly good support for Ruby on Rails, including debugging, semantic analysis and so on.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.4d.com/products/4dweb20pack.html"&gt;4D's Ajax support&lt;/a&gt; is a nice addition to the 4D suite. I must admit I never quite got to know 4D, as it is a little too "closed minded" for me, so I'm just mentioning it here.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;But wait: how come we are speaking about web 2.0 IDEs and we are not mentioning any IDE that is actually 2.0? Well, here you are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://heroku.com/"&gt;Heroku&lt;/a&gt; is a feature-full, powerful and scalable IDE for developing Ruby on Rails applications directly on the web. Heroku will take care of everything from giving you an IDE to actually running the applications in production. That's a tremendous improvement, but yet... 
you will be missing the most advanced features of a full IDE (debugging, call tracking and so on).&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://appjet.com/"&gt;AppJet&lt;/a&gt; is a full-JavaScript solution: write your JavaScript code in their IDE and voila, it's up and running server side.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;Conclusions: while we have dozens of players and software, not only are we missing the ultimate IDE, but most environments don't support even the most fundamental features that programmers have become accustomed to.&lt;br /&gt;Debugging, proper testing and continuous integration are nowhere to be found in the brave new web.&lt;br /&gt;The next time your favourite web application goes mad, you know why.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Update:&lt;/strong&gt; after a quick test, I've added 4D and Netbeans. Thanks go to &lt;a href="http://ajaxdeveloper.blogspot.com/"&gt;freakface&lt;/a&gt; and &lt;a href="http://micktaiwan.blogspot.com/"&gt;Mickael&lt;/a&gt; (even if &lt;a href="http://micktaiwan.blogspot.com/2008/02/gedit-for-ide.html"&gt;he is now using gedit&lt;/a&gt;).</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/477181880839660042" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/477181880839660042" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/_piKMFHHEt0/web-20-ides.html" title="Web 2.0 IDEs" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" 
/></author><feedburner:origLink>http://www.oversighting.com/2008/03/web-20-ides.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-3458102073934212481</id><published>2008-03-01T12:32:00.000-08:00</published><updated>2012-07-25T15:51:22.673-07:00</updated><title type="text">How to use google analytics on soup.io</title><content type="html">I'm running &lt;a href="http://blackfire.soup.io"&gt;a soup blog&lt;/a&gt; for personal entertainment: &lt;a href="http://soup.io"&gt;soup.io&lt;/a&gt; is a great service for fast, quick blogging and has a great team, but it's missing statistics.&lt;br /&gt;So, I've used google analytics. Here's how:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Create a &lt;a href="http://analytics.google.com"&gt;Google Analytics&lt;/a&gt; account&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Copy the tracking javascript (new version)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Edit your soup description&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Enter html mode&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Paste the javascript code inside the description, then save.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Here you are, google analytics up and running.&lt;br /&gt;I think you should not edit the description again, but I'm not sure.</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3458102073934212481" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/3458102073934212481" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/ZOsg8T3c9hc/how-to-use-google-analytics-on-soupio.html" title="How to use google analytics on soup.io" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" 
src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/how-to-use-google-analytics-on-soupio.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-7557844718326912626.post-5984444895228980528</id><published>2008-03-01T09:49:00.000-08:00</published><updated>2012-07-25T15:51:22.689-07:00</updated><title type="text">Can we eat the apple?</title><content type="html">As IT professionals, we are used to love-hate relationships. We invented Perl and LISP, so we know what we're talking about. But it seems Apple is a white cow in a black herd. &lt;br /&gt;In &lt;a href="http://blog.vlad1.com/2008/02/28/finding-the-os-x-turbo-button/"&gt;a recent article on his blog&lt;/a&gt; (then blogged on &lt;a href="http://arstechnica.com/news.ars/post/20080229-finding-a-worm-in-the-apple-secret-apis-in-mac-os-x.html"&gt;Ars Technica&lt;/a&gt;) Vladimir Vukicevic revealed he found undocumented APIs in Apple's framework.&lt;br /&gt;While I don't think this is malicious behaviour in itself, think for a moment about Microsoft doing the same thing, and the following reactions.&lt;br /&gt;Instead, the thing went almost unnoticed.&lt;br /&gt;It's hard to hate Apple, or even to be angry with that company: Apple is innovating every day, doing amazing research, and is &lt;strong&gt;cool&lt;/strong&gt; whereas Microsoft is not. 
And I did not mention the iPhone, the iPod and so on.&lt;br /&gt;But then, &lt;a href="http://oversighting.com/2008/01/oh-and-about-apple.html"&gt;Apple is cheating&lt;/a&gt;, &lt;a href="http://oversighting.com/2008/02/iphone-sdk-and-importance-of-community.html"&gt;not releasing SDKs&lt;/a&gt; and in general acting like it could not care less about fair play and the community.&lt;br /&gt;How long before we realize</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5984444895228980528" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7557844718326912626/posts/default/5984444895228980528" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Oversighting/~3/BdJA1za3WT0/can-we-eat-apple.html" title="Can we eat the apple?" /><author><name>Claudio Criscione</name><uri>http://www.blogger.com/profile/12202628660778574382</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><feedburner:origLink>http://www.oversighting.com/2008/03/can-we-eat-apple.html</feedburner:origLink></entry></feed>
