Sunday, August 30, 2009

Clean desk policy

Started the new clean desk policy at home again for my own working area. Every now and then, especially on a rainy Sunday, I get the idea that a clean desk is perfect for me. Today is such a Sunday and I started cleaning my desk again. Somehow I do get a lot of paper mail from all kinds of vendors and I do collect books and magazines around my working area.

Most of it contains some interesting information and I would like to post some of those things here before dumping the magazines and such into a dumpster (that is a paper recycle dumpster).


efresh.com
Just found an item on efresh.com and an interview with director Hans Robben. efresh.com is the ebay.com for fresh food. If you ever need to buy a shipload of shellfish, you can check efresh.com and bid on it. This is where you as a farmer, fisherman or company can place your goods and people can start placing bids. The magazine where I found it is not that old and neither is efresh.com. I am wondering how this open marketplace will hold. The idea is great and I hope to see more initiatives like this.

Cool looking workplaces.
I recently changed my workspace to a new office. It is very modern and very nice looking. A real nice and cool working environment with a lot of open spaces. It really gives me a vibe in a good way. However I am still wondering how it is to work at, for example, Google. Google is still on my list of companies I want to work for one day. That can be as an employee or as a hired consultant. Anyway I want to work at Google maybe one day. Why? Have a look at one of the offices on this website. However, talking about a nice working environment, I think that the office of Wieden+Kennedy in Amsterdam is a really really nice place to work. The way the design of the office is done is great. You can find more information, including some pictures, at nextarchitects.com.

Space Barley
Most likely you have never heard of it and most likely you have never tasted it. Space barley is a beer that is made of barley grown in the ISS space station. Scientists have tested what grows in space so that when we try to colonize space one day we know what to grow. Barley can be used for this and one of the great things is you can make beer from barley. Well, it was a test and most likely it will never become a mass product, so if you had the pleasure of drinking a bottle of it... too bad for you! You should have kept it and sold it in 10 years and made a fortune from it.

Building a house?
Thinking about building a house? Well have a look at the solardecathlon.org website. You can find a lot of great pointers on how to make your house green and energy efficient. And building something green is something hippy like? Forget it, green is cool and it gives you a great extra benefit in the costs when living in your house when it is done.

Tuesday, August 25, 2009

Python if elif else


In almost every programming language you have some basic commands and functions, basic constructs so to speak. "if" is one of those: "the if statement is used to check a condition and if the condition is true, we run a block of statements (called the if-block), else we process another block of statements (called the else-block). The else clause is optional." So we can have a check, and if this check returns true we can take some action. Let's see in a very basic example how this works. I will show this with a very small Python script.

#-----------------------
#!/usr/bin/python

# set some variables
var0 = 2
var1 = 1

# compare the two values; exactly one of the three branches runs
if var0 > var1:
    print("var0 IS larger than var1")
elif var0 < var1:
    print('var0 IS smaller than var1')
else:
    print('var0 is not larger or smaller than var1, maybe they are the same?')

# this line is outside the if block and always runs
print('and we have left the if elif else')
#-----------------------

So with this very simple script we can show what action is taken, or what text is printed to the console. You can test this by playing with the values of var0 and var1 and see for yourself what the result is. Basically I do not want to spend too much time on the "if" part as this should be a very basic part of a programmer's knowledge. The only part that can be tricky is that in some languages elif is written as "els if" or "elsif" or even "if else". In Python it is if, elif and else. Just something you have to know when you start with Python.

So as you can see, if statements are a very basic way of making decisions. Another thing which is good to know is that you can nest if statements. So if you come into an if-block you can create another if-block inside this block to make your decision even more precise. In the script below I first determine if var0 and var1 are equal. If this is not the case we "open" a new if-block to see what exactly is the case: is var0 larger or smaller than var1? Just play around with the values of var0 and var1 and you will see what it can do.

#-----------------------
#!/usr/bin/python

# set some variables
var0 = 2
var1 = 2

print('starting some nesting')

# outer check: are the values different at all?
if var0 != var1:
    print('var0 is not the same as var1')
    # nested check: only reached when the values differ
    if var0 > var1:
        print('var0 is larger than var1')
    elif var0 < var1:
        print('var0 is smaller than var1')
elif var0 == var1:
    print('var0 is the same as var1')

print('done with the nesting')
#-----------------------

Also something that you might know from other languages is that the content of if-block should be within brackets and that it is constructed something like below:

#-----------------------

if (condition) {
    action
}
else if (condition II) {
    action
}
else {
    action
}
#-----------------------

In Python this is not used. You might like it or you might not, however the people who developed the Python language did not see the need for it. I personally think it is a missing part, simply because I am within the group of bracket lovers who like to have things nice and tidy inside a couple of brackets. If you are in the same group... you will get used to it eventually, I did also. Upside: you will never have to count opening and closing brackets again... remember those long nights of debugging a bracket problem?

Patch HP-UX UNIX


For an internal project I just became somehow the admin of a couple of HP-UX servers. Those servers were used in a previous project for some time and are behind on patching. Now we would like to install Oracle E-Business Suite R12 on them. To be able to do so we have to patch the boxes before we can use them.
So I have downloaded the patches in a bundle from the HP website and unpacked them in a location from which I would like to install them.

According to the README_hp-ux file you should take the following steps:


1. Move the patch download file to a file system with enough free space. These instructions assume "/tmp/patches".

2. Run the create_depot script as user "root". create_depot_hp-ux_11 must run on a 11.X system. The create_depot_hp-ux script unpacks the patches, and uses swcopy to create the /tmp/patches/depot directory.

3. After the depot is created, remove the individual patches, .text, and .depot files.

4. If you are creating more than one depot, rename the /tmp/patches/depot directory, and remove /tmp/patches/depot.psf.

Installing the depot
--------------------
1. On the target system, run swinstall. Enter the Source Host Name. The Source Depot Path is "/tmp/patches/depot".


2. Further instructions are available on the swinstall man page. Type "man swinstall"

I encountered the first problems when I tried to create the depot for the patch bundle. A couple of times it returned errors with an error text like this:

You do not have permission for this operation. The depot owner, system administrator, or alternate root owner may need to use the "swreg" or "swacl" command to give you permission. Or, to manage applications designed and packaged for nonprivileged mode, see the "run_as_superuser" option in the "sd" man page. WARNING: More information may be found in the daemon logfile on this.

After some reading in HP documentation and forums it turns out that this error can be the result of a changed hostname and/or IP address while the swagentd is still running on the old IP / hostname. So to stop/start it you can do a:

/sbin/init.d/swagentd stop
/sbin/init.d/swagentd start

After this the create_depot_hp-ux script is working without any error.

Sunday, August 23, 2009

Ashley Schwartau

Someone asked me what the hacker scene is and what to expect at a hackers convention. Well, the only way to get the correct view is to visit one, however as we just finished har2009 we all have to wait for some time for the next big event. However I could advise them to watch the documentary made by Ashley Schwartau. Just watch the interview with Ashley Schwartau below:

Ashley Schwartau - Hak5 Interview - Hackers Are People Too from Ashley Schwartau on Vimeo.



Python, comparing variable values

Some time ago I started the Python cover to cover series on this weblog, however for some reason, namely working on other projects, I have not posted a Python cover to cover for some time now. So time to pick it up again, and to all who like to follow the Python cover to cover... I will keep working on it more now that I have finished some of the projects that were holding me back.

In the past posts on Python I have been explaining variable types. Now we will look at what we can do with variables when comparing them. First we define some variables to play with:

var0 = "a"
var1 = "b"
var2 = 100
var3 = 50
var4 = float(1.1)
var5 = float(50.0)

So now we have some variables to play with. First we will use the string variables var0 and var1. Let's check whether they are the same. To do this you use ==, so in this example we will be using the expression var0 == var1, which returns a boolean value; in this case that will be False. As a small coding example you can check the code below:

>>> var0 = "a"
>>> var1 = "b"
>>> var0 == var1
False
>>>

We can also do other types of comparison. For example the "not equal" comparison can be done by using !=, as can be seen below:

>>> var0 != var1
True

And now something that you might expect to work on float and int values only: a greater-than or smaller-than comparison on strings, which takes the alphabet into account:

>>> var0 > var1
False
>>> var0 < var1
True
>>>

When you are comparing string values in Python with greater-than or smaller-than comparisons you have to take into account that you might run into trouble because of upper and lower case characters. So it is a good thing to make sure that when you compare like this you make all characters upper or lower case before you start comparing. For this you can use the upper() and lower() functions. So if you want to turn a string into uppercase or lowercase in Python, you can use the following:

>>> "THIS IS A TEST".lower()
'this is a test'
>>> "ThIS Is A TeSt".lower()
'this is a test'
>>>


Basically all of this can also be done on numbers and not only on strings. Al Lukaszewski has also written about it for about.com, which you might want to read.

Friday, August 21, 2009

Basic network security for Oracle Developers


I just recently came back from a 4 day hackers convention in the Netherlands, har2009, and have been talking to a lot of people. One of the things that came up during some of the discussions was security and the time a vendor needs to patch some things. In most cases an exploit is found and used in the field before the vendor (for example Oracle or a firewall vendor) is aware of it. After the vendor is made aware that a security issue exists, it will take some time to fix it and make sure a patch is available. After the patch is available administrators still need to apply the patch.

So even though vendors are working on making their systems as secure as possible, and developers building on those platforms try to write code that is as secure as possible, security breaches will still happen. You simply cannot find all the errors in the code: even if you test, retest and retest again, you will still have bugs in your code and ways the code can be used that you never thought about.

Simply put, it is almost impossible to create a system that is a hundred percent secure. So if you develop a system as an Oracle developer, think about it as an architect, or are responsible for it as a project manager, you will have to know at least some of the basics of security. I will not go into all kinds of coding examples to make your code as secure as possible; I will however provide some best practices, mainly on network security and architecture.

As an example I will use the image below, which I found in a blogpost by Steven Chan on “Loopbacks, Virtual IPs and the E-Business Suite”. For this document we are not going into the fact that this is an Oracle E-Business Suite setup. We just take it for granted that the web nodes used are simple web nodes and that we are unsure of what they do. It is not really important for the examples, as you should harden and secure every system as much as possible without looking at what the system is doing.

This statement may already raise some questions: why should I harden a system which is not holding any mission critical information, is “normal” security not enough? Simply put, no. Why not? If you “lower” security on non mission critical systems you have a weak link in your security. An attacker can possibly compromise this system and use it as a foothold and starting point for future attacks. You should protect every system as if it were the most important system in your entire company. Never compromise on security for whatever reason. Budget, time, deadlines, policies not in place… none of this can ever be an excuse to “lower” security on a system.


In the above picture we see the network as shown in the blogpost of Steven Chan. Basically nothing is wrong with this approach; the network diagram is not intended to display security, it is used to explain another issue. We will however use it as the basis for explaining some things. When reading the rest of this article the thought might arise that you as a developer will not have the “power” to request all the things I will state. However, in my opinion you should mention them and ask about them when developing a system, because you simply would like to have the most secure and stable system possible.

External firewalls:

With external firewalls I mean non local firewalls, so all firewalls which are in place somewhere in the network. I will make a point on internal firewalls later in this article, where I will be talking about firewalls on your Oracle server. As we can see in the network drawing we have 3 firewalls: a firewall on the outside of your network, a firewall between DMZ0 and DMZ1 and one between DMZ1 and DMZ2. DMZ0 holds the reverse proxy, DMZ1 holds a load balancer and 2 web nodes. DMZ2 is not really a demilitarized zone because it also holds clients, the internal users. Possibly the network drawing is showing another firewall which protects your database server.

Although the setup looks valid and protects you from the external network (the internet in this case) with a layer of firewalls, it is not complete. You should have another firewall in place to make this more secure. You should place a firewall between the internal users and the rest of DMZ2, which contains web nodes and a load balancer.

The reasons for this: (A) even though most companies try to trust their users, you can never be sure. A large portion of hacking attempts is even done from within the company, for example by disgruntled employees. (B) The users will most likely have access to the internet and so can be compromised by malware and rootkits, which could potentially become a gateway into your company. So you cannot trust your users (or the workstations they are using) and you should at least have a firewall between your servers and your clients. It is even advisable to secure your servers from your internal users in the same way as you would protect them from the internet.

Internal firewalls:

So as we stated in the firewall section it is great to have firewalls in place to make sure intruders cannot enter your DMZ without any hurdle. However, when thinking about security and your DMZ you have to keep one thing in mind: what happens if an intruder gets access to your DMZ? What happens when an intruder has compromised a server in your DMZ without you knowing? With the setup as it stands now all other servers are then wide open.

To prevent this it is advisable to have internal firewalls on your servers to harden them against attacks from within the DMZ. So you will have secure islands within the secure DMZ sector. This will make it harder for an attacker to take over multiple servers before being spotted. You can use for example iptables to harden your servers with internal firewalls. The setup of iptables rules can be a little hard if you do this for the first time, and even if you have a long history of working with iptables it can be hard to maintain all local iptables settings when you have a large number of servers. For this it can be handy to use tools like fwbuilder or kmyfirewall.

When setting up an internal firewall you can make sure that per interface only the ports are open that are needed for a minimum service on that network segment. I will explain more about network segmentation in combination with internal firewalls in the next topic.

Network Segmentation:

As stated in the previous topic of internal firewalls one has to minimize the open ports and services per network segment so only the ports are open that are needed for this segment. With network segmentation you will make use of all network interfaces in your server to create multiple networks. For example you will have a customer network, a data network and a maintenance network.

Users, for example, will only use the customer network. As we know the servers are web nodes, we only have to open TCP port 443 for HTTPS traffic over TLS/SSL. Users will most likely have no need to access anything else, so there is no need to give them the option to connect to other ports.

The data network can be a separate network running over a different NIC, which can be used to connect to the database from a web node or to connect storage appliances. This will most likely only be used for server to server connections, so most likely no real-life users have a need to access it. So people who are working on the customer network will not be able to connect to ports on the data network. First because they are not on the same physical network, and even if you have some VLAN configuration mistake or something like that you will have your iptables firewall, which will restrict them based upon the source IP address. On this network you do NOT have to open, for example, port 443 or a port for SSH or telnet.

The maintenance network will be used by administrators, and on this network you can close for example direct access to network storage appliances, web applications and such. You have to open ports like SSH on this network so administrators can access the servers by secure shell and do their work. This network will be the most wanted by attackers because it will have ports open that can be used and exploited to gain access to the console of the servers.

So by physically having some network segmentation you can separate services and groups of users based upon their role. Are they users or are they administrators of the systems? Based upon this you can provide them access to a certain network segment with its own routers, switches and entire network topology.

Encryption:

We have talked about firewalls on the outside and in the inside, we have discussed separating networks. However, even if you have done all this you cannot feel secure. When thinking about security you always have to consider the network compromised. So if you consider the network compromised someone can sniff all the network traffic by using a network sniffer. So you should state, very strongly, that you can only use encrypted network connections.

This means: never use telnet, only use SSH. Never use FTP, use SFTP or SCP. Never use HTTP, use HTTPS instead. Use encrypted SMTP when you are sending out mails. So you can make your network even more secure by only making use of encrypted connections. By using only encrypted connections a possible attacker who is using a packet analyzer on your network traffic cannot sniff cleartext passwords.

You should restrict users from using open services like telnet, ftp and such by simply closing the ports with iptables.
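The per-segment port policy from the Network Segmentation section, together with the rule above about closing cleartext services, as an added example that is not part of the original post. It checks a policy for one web node and renders it in iptables-restore format; the interface names (eth0, eth1, eth2) and subnets are assumptions made for the example.

```python
import ipaddress

# Constructed policy for one web node. Interface names and subnets are
# assumptions for this example, not values from the article.
WEB_NODE_POLICY = {
    "customer":    {"iface": "eth0", "source": "0.0.0.0/0",    "tcp_ports": [443]},
    "data":        {"iface": "eth1", "source": "10.20.0.0/24", "tcp_ports": []},
    "maintenance": {"iface": "eth2", "source": "10.30.0.0/24", "tcp_ports": [22]},
}

# Cleartext services that must never be opened, and admin ports that
# belong on the maintenance segment only.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
ADMIN_PORTS = {22}


def validate(policy):
    """Return a list of policy violations; an empty list means the policy is acceptable."""
    problems = []
    seen_ifaces = {}
    for name, seg in policy.items():
        iface = seg["iface"]
        # Segmentation only works if every segment has its own interface.
        if iface in seen_ifaces:
            problems.append(f"{name}: shares {iface} with {seen_ifaces[iface]}")
        seen_ifaces[iface] = name
        try:
            ipaddress.ip_network(seg["source"])
        except ValueError:
            problems.append(f"{name}: invalid source {seg['source']!r}")
        for port in seg["tcp_ports"]:
            if port in CLEARTEXT_PORTS:
                problems.append(f"{name}: cleartext {CLEARTEXT_PORTS[port]} (tcp/{port})")
            if port in ADMIN_PORTS and name != "maintenance":
                problems.append(f"{name}: admin port tcp/{port} outside maintenance segment")
    return problems


def render_ruleset(policy):
    """Render a default-deny INPUT ruleset in iptables-restore format."""
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # everything not explicitly allowed is dropped
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for seg in policy.values():
        for port in sorted(seg["tcp_ports"]):
            # One rule per (interface, source network, port): a port opened on
            # the maintenance NIC stays closed on the customer and data NICs.
            lines.append(
                f"-A INPUT -i {seg['iface']} -s {seg['source']} -p tcp "
                f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT"
            )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(WEB_NODE_POLICY))
```

The data segment has no inbound ports on a web node because the node only connects out to the database, so no rule is rendered for eth1 and the default DROP policy covers it.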

So coding a custom application can be a little harder when using a secure and encrypted connection, however it will not be so much more work and the benefits are huge. So huge that if you implement it correctly a possible attacker will only be able to see scrambled data and not a single useful packet of information. As this post is intended for Oracle developers it might be good to have a look at the Oracle Application Server Administrator’s Guide, Overview of Secure Socket Layer SSL In Oracle Application Server.

Patching policy:

So we have set up external and internal firewalls, encrypted the network traffic and separated the network into parts. Can we feel safe? No, not really. Even though we have taken all those steps we have to take into consideration that we still have to open some ports, and every open port is a possible point of entry for an attacker. If you are for example running a web node you will have to run a webserver, and as this post is intended for Oracle developers you will most likely be running an Oracle Application Server, which uses Apache. Even though Apache is a really good and secure webserver, it still has its security issues. So if the vendor, Oracle, releases a patch you need to give this a very good look, and I advise applying it after testing it and reading the specs a couple of times.

The patch is released for a reason, and this reason is solving bugs. Not always security related bugs, however they solve some issues. As you will see, most exploits are up and running for old versions, and systems that are not being patched become more and more vulnerable to an attack every time they miss a patch. It can be that your server is compromised or services are disturbed; in all cases it is not desirable. So again, my advice: whenever a patch is released, give it a good look, and if it is not causing a major problem you will have to apply it as soon as possible.

If a patch is giving a real problem with your custom code for example you should not simply decide to not apply the patch. You should solve the problem which is holding you back from applying the patch and after that apply the new code and the patch on the systems. If you decide to not apply a patch you can have the situation that some time later a critical patch is released and you still have to apply the first patch as it is a prerequisite for the second patch. Then you still have to do the code fixing. Or you can decide also not to apply the second patch and…… you are simply making your system more and more insecure by every patch you miss.

Securing code:

This post is about network security and not so much about code security. However, your vendor (Oracle) will provide you with security patches; on your own code you (and your team) will be the only ones able to release security patches, so it is important to not only test the standard things in your code. Also have a look at, for example, SQL injection, buffer overflows, incorrect error handling, etc.

Password policies:

Not really a topic on network security, however something to mention: passwords. It goes without saying that your administrators will have to have some policy in place on passwords: how long they can be, what the strength should be, etc. However, a topic that I would like to mention is Public Key Authentication. In this case you “do not need” a password to log in to SSH. You will use a public key to authenticate yourself to the server. The good thing about this is, for example, that you can allow users to log in as root without them knowing the password. You add a key to the user root and based upon this key users can log in. So if you want to revoke the rights you do not have to change the password and inform all who still have access to this account. You can simply remove the key for this person and for the rest of the users nothing will change.

Public Key Authentication is considered much stronger than password authentication, so it is advisable to use only key authentication. It can also be used for, for example, SCP: when you move files between servers (automatically) you can also make use of key authentication. So give this a good look.

Monitoring and sniffing:

Now we are getting a safe network. However, if we want to be sure that nothing “funny” is happening, you want to monitor your network with an intrusion detection system. For example Snort: Snort is an open source IDS which can monitor and detect strange behavior. This way you can monitor anomalies and possible attacks on your network.

Also it can be good to have some log analyzers ready. All your systems will provide log files. Most administrators are only looking into the log files (and the mails to root) when a problem is found. However it can be very beneficial to write your own custom log analyzer and create some portal like environment where you consolidate the log files and analyze them. You can scan for specific error messages and for example failed login attempts. Use your creativity.

So with the combination of Snort and log analyzers you can keep a good look at whether someone still tries to do some damage in your network.
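A small custom log analyzer of the kind suggested above, as an added example that is not part of the original post. It scans sshd lines for failed logins, flags a source address that produces many failures in a short time, and reports any later successful login from that address; the log lines are constructed, and the threshold of 5 failures in 5 minutes is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Aug 21 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 21 10:15:03 web01 sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51124 ssh2
Aug 21 10:15:06 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2
Aug 21 10:15:09 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51131 ssh2
Aug 21 10:15:10 web01 CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
Aug 21 10:15:12 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51140 ssh2
Aug 21 10:16:40 web01 sshd[2302]: Failed password for applmgr from 10.30.0.15 port 40021 ssh2
Aug 21 10:16:52 web01 sshd[2302]: Accepted publickey for applmgr from 10.30.0.15 port 40022 ssh2
Aug 21 10:17:30 web01 sshd[2310]: Accepted password for root from 203.0.113.7 port 51150 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2009):
    """Return (timestamp, host, source, user, failed) tuples for sshd login lines.

    Syslog timestamps carry no year, so the caller supplies one.
    Lines from other services, or in another format, are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failed = m["result"].startswith("Failed")
        events.append((ts, m["host"], m["src"], m["user"], failed))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source, user, timestamp) tuples.

    "brute-force": a source reached `threshold` failures within `window`.
    "login-after-failures": a flagged source later logged in successfully,
    which is the case an administrator should look at first.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for ts, _host, src, user, failed in sorted(events):
        failures = recent[src]
        while failures and ts - failures[0] > window:
            failures.popleft()    # forget failures that fell out of the window
        if failed:
            failures.append(ts)
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute-force", src, user, ts))
        elif src in flagged:
            alerts.append(("login-after-failures", src, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts:%b %d %H:%M:%S} {kind:22} source={src} user={user}")
```

The single mistyped password from 10.30.0.15 stays below the threshold and raises no alert, while the root login from 203.0.113.7 is reported because it follows five failures from the same address.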

Wednesday, August 19, 2009

Twitter Spam Trust Model

Some time ago I signed up for a twitter account, as you could have read on my weblog some time ago. I started using twitter just for fun and to try to find out what everyone is talking about on twitter. After some time I became quite happy with the service and the information which can be found on twitter, and the way you can interact with people you have never spoken to before and who might be unreachable if it was not for twitter.

However, as with every good service after some time it will also be used to promote goods and services you might not want. You will be contacted by people in such a way that you can consider it spam. Twitter spam is currently in my opinion the biggest problem and threat to twitter and its growth. If people are using it they do not want to be annoyed with all kinds of spam messages. Some time ago I posted a tweet stating that twitter spam will be the next big fight. On this tweet I got some reactions via twitter and also offline. Some people stated that if this was the next fight in my opinion I should make a point by thinking about the subject and creating some kind of approach on how Twitter should fight this fight.

As twitter is just a message service from a person to one or more other persons some of the approaches designed for fighting email spam can be applied. Even some in a more effective way as all communication is happening inside the twitter.com domain. For example a trust model can be very easily applied, already used for email it can be used to fight twitter spam.

Trust model:
A trust model against twitter spam should find the relationship you as a sender have with the person you are sending the tweet to. A Tweet Spam Rank (TSR) could be calculated for the tweet, and the higher the TSR the lower the trust between the sender and the receiver. You can send a message to someone you do not have a relation with; this will give you a high TSR, however it will not make you a spammer. To prevent you from being banned as a spammer because you sent a single message to someone you have no relation with, your average TSR over time should stay below the threshold for being identified as a spammer. However, the TSR calculation will have a big role in the spam fighting. Before explaining the TSR calculation, first some basics on the twitter relation model and the components inside this model.

You, or the sending party, will be represented in the model as the green dot. As you can see you can have several relations (or non relations) with other hops. Hops are other twitter users you send a message to or who are a bridge to other hops. The model in its current version will only go for two hops, so at most a connection hop and a destination hop. To be sure if this is “deep” enough one should run some calculations on the twitter data.

As can be seen in the picture above there are four types of connections that can be made:

- T1, a connection with a hop and a connection back. You follow the tweets of this person and this person in turn is following your tweets. As you both follow the other you most likely will have a strong connection, so sending a message over this connection will result in a low TSR.

- T2, a connection from a remote hop to you. This person is following you and you do not follow him. So for some reason this person is interested in you, so if you send a direct tweet to this person he or she will most likely be willing to accept this. It is not as strong as a double connection, however still a low TSR.

- T3, a non connection. You have no connection whatsoever to this person, not even via a connection hop so this will result in a high TSR score.

- T4, you follow a person however this person is not following you. So for some reason you have interest in the tweets from this person however this person is not following you. So a direct tweet to this person will result in a higher TSR.

Now we have to connect some values to the parts of the trust model so we can calculate the TSR of a message. For this we refer to the model as it is shown below. As you can see all possible relations within the trust model are represented in this diagram.


We start with the sending party, a sending party will have for calculation reasons the value 2. T1 connections will have a value of 5, T2 has a value of 10, T3 has a value of 100 and T4 a value 15. A connection hub will have a value of 5.


Now let's say you want to send a message to the user in hop B. We can calculate the TSR like {you * T1}, which will be {2*5}, so this message will have a TSR of 10, which is the lowest TSR you can get. Meaning you just sent a message with a very low Twitter Spam Rank. However, sending a message to B1 will have a calculation like {you * T1 * connection-hub * T4}, which is {2*5*5*15}, meaning you will have a TSR of 750 for this message.

For example you can be sending a message to C1. You have a very weak connection with D2 so you should get a high TSR. {you * T4 * connection-hub * T4}, this results in {2*15*5*15} which results in a TSR of 900. This is the weakest connection you can have with a connection hop and two times a T4 connection. However, one exception to the rule is a T3 connection, which will result in a TSR of 1000 without any calculation needing to be done.

The entire model would make sense if people would behave and only play by the rules of the model above. However, in a normal world you will see that multiple routes to a person are possible and we have to take this into account. You can see an example of this below.


In this example you see two possible routes to hop B3. You can take the route to B3 via connection hub B or via D. Based upon the model we cannot state whether B3 will appreciate your message, because if he were willing to follow you he could have made a direct relation. So to get a correct TSR we have to calculate the average TSR of both connections, meaning you will have to calculate {((you * T1 * 2 * T1) + (you * T4 * 2 * T1)) / 2}. This will give you the correct TSR for this message. We only do an average TSR calculation in case there is no direct connection, so even if there are multiple paths and a direct connection we will ignore the other paths and only use the direct connection to calculate the TSR.

Now we have a good model for calculating the value of relations within the model, however scoring a high TSR every now and then does not make you a spammer on Twitter. Every now and then you like to contact people you do not know and maybe build a stronger relation later in time. So we have to measure the TSR score within a time and tweet frame. Based upon the number of tweets, the time and the TSR you can start to determine if a person is a spammer. In a normal world you will see that a spammer will hit a lot of high TSR scores and a lot of the same scores in a row, while a normal human user will hit mostly low scores and the TSR scores differ a lot. This is a way you can identify a spammer.

This model and the calculations are raw and not based on actual research on the twitter data, however, if access to Twitter data could be granted someone could complete this model, do some test drives on it and see what the exact behavior of a spammer is. The model can be tuned and perfected. Also I would like to point out that, for example, the growth of connections can be used in combination with TSR to determine the intentions of a Twitter user. To be precise, a spammer would like to have a large network very quickly, so he most likely will add hundreds of connections within a short period of time, while this is not the case for most human users. So this also can be used in combination with TSR to identify spammers. I hope this blogpost will come to the attention of some people at twitter and that they are willing to give this a thought, because I would be very disappointed if Twitter collapses under its own success and the spammers it attracts with this success.

Friday, August 07, 2009

Oracle custom error message

When developing scripts and code with PL/SQL for an Oracle database you always like to think that your code is the best in the world. You would like to think it will never result in an error. However, users who are using your code will find a way to crash it; you will have overlooked some possibilities. So even after you and several other people have tested the code you will find that in some cases an error will happen.

So you have implemented all kinds of error handling. The problem with “standard” error handling is that it will generate all kinds of user-unfriendly error messages. For developers and DBAs these will make sense; however, if you want them to be shown to your user community and have some meaning, it might be nice to have a custom error message.

In Oracle PL/SQL you can use the RAISE_APPLICATION_ERROR procedure. RAISE_APPLICATION_ERROR allows you to set a custom error message which will have more meaning to an end-user than the standard ORA messages. You will also have the option to attach a custom ORA number so you know where it has happened in the code so you will have some more useful information while debugging your code.

For example, if I want to raise an error like ORA-20001: The value you entered is not a valid customer ID number, I have to tell my code to do this. (Oracle only accepts error numbers from -20000 to -20999 in RAISE_APPLICATION_ERROR.)

So let’s say you have an IF clause which checks the value for the customer ID entered by a user. If the check succeeds there is no need to raise an error. If it fails you can use RAISE_APPLICATION_ERROR to show the error message. It is done as shown below:

RAISE_APPLICATION_ERROR(-20001, 'The value you entered is not a valid customer ID number');

It goes without saying that you can add some variables to the message so it might be nice to show the user for example the value he has entered. However you might in that case also consider having an alternative error message in case RAISE_APPLICATION_ERROR will be unable to handle the variable. Think about a customer ID which has a length beyond the length that can be shown… etc etc etc.

However, using custom error messages in your PL/SQL code is a good way of showing your users what is wrong. It is better than having the standard somewhat cryptic messages which are provided by Oracle.
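
The check described above, written out as an added example that is not part of the original post: it uses -20001 because Oracle only accepts numbers from -20000 to -20999 in RAISE_APPLICATION_ERROR, and it shortens an over-long entered value before echoing it back. The CUSTOMERS table, its VARCHAR2 CUSTOMER_ID column and the procedure name are assumptions.

```sql
-- Added example, not code from the original post.
-- Assumptions: a CUSTOMERS table with a VARCHAR2 column CUSTOMER_ID,
-- the procedure name CHECK_CUSTOMER_ID and the error number -20001.
CREATE OR REPLACE PROCEDURE check_customer_id (p_customer_id IN VARCHAR2)
IS
  c_max_shown CONSTANT PLS_INTEGER := 30;  -- longest input echoed back
  v_count     PLS_INTEGER;
  v_shown     VARCHAR2(200);
BEGIN
  SELECT COUNT(*)
    INTO v_count
    FROM customers
   WHERE customer_id = p_customer_id;

  IF v_count > 0 THEN
    RETURN;  -- check succeeded, nothing to raise
  END IF;

  IF p_customer_id IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'No customer ID number was entered');
  ELSIF LENGTH(p_customer_id) > c_max_shown THEN
    -- Alternative message: show only the start of an over-long value
    v_shown := SUBSTR(p_customer_id, 1, c_max_shown) || '...';
  ELSE
    v_shown := p_customer_id;
  END IF;

  RAISE_APPLICATION_ERROR(
    -20001,
    'The value you entered (' || v_shown
      || ') is not a valid customer ID number');
END check_customer_id;
/

-- Caller: bind the number to a named exception and show the message.
SET SERVEROUTPUT ON
DECLARE
  e_invalid_customer EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_invalid_customer, -20001);
BEGIN
  check_customer_id('not-a-real-customer-id-and-far-too-long-to-show');
EXCEPTION
  WHEN e_invalid_customer THEN
    DBMS_OUTPUT.PUT_LINE(SQLERRM);
END;
/
```

Capping the echoed value keeps the message readable and avoids reflecting arbitrary amounts of user input back into screens and logs.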




Monday, August 03, 2009

Instant messaging in 2011

We all use instant messaging nowadays. I resisted it for a long time and was a true believer that UNIX talk and IRC were more than enough to communicate with the outside world. However, I now also have a Skype account, an MSN Messenger account and a corporate Microsoft Office Communicator account.

All of these are needed to keep in contact with people. The downside is that you get more and more differentiation between the user communities. Some of us use MSN, others use Google Talk. Some make the decision because of what their friends use, some because of what is installed on the PC. Now if I want to talk to someone who is using, for example, MXit, I have to create an account and install a client to be able to communicate with this person.

Creating an account is already a hassle, and then I have to hope I can install the software on the PC I am currently using. In some cases I do not have the rights to install the software, so I am blocked and cannot come into contact with this person unless he or she is willing to register on the same network and install the client I am using.

If we look at Wikipedia, the number of instant messaging platforms is enormous and growing. Just to name some: AIM, eBuddy, IBM Lotus Sametime, ICQ, IMVU,… the list can continue for some time.

What do we need in 2011?
What we need in 2011 as a new killer app for instant messaging is an instant messaging mashup in the form of a website. Think of it as a single location where you can log in once and activate all your instant messaging channels. When you need an extra platform, for example because you need to talk to someone who only has MXit, you can register for MXit, assign it to your mashup profile and chat with them via the web interface.


The next step is that you will be able to create an account in only a couple of steps using, for example, an OpenID. If you have an instant messaging mashup and are able to connect and create accounts using an OpenID, you no longer need to go through all the painful registration steps; within a minute you will be able to connect to the person you want to talk to, as long as his network can connect to the instant messaging mashup.

Another benefit of this is that you can manage your contacts within the mashup and will be able to add them to or remove them from all your instant messaging networks. For example, if I want to add my friend Tom to be able to talk to him via Skype and MSN, I currently have to know what his username is to be able to add him. I also have to add him in both services. In the case of a mashup, he has registered his name in the mashup and set that he is using Skype and MSN. Now when I want to add him I do not add his Skype and MSN accounts to my account, I just add his mashup account to my mashup account. The moment he agrees, the mashup application adds his name to my MSN and Skype networks.

What will be the downside?
The downside will be that not all networks will be willing to cooperate with this. They will no longer be in the picture and they will become more of a network than a tool. Now they are a tool, an application that is on your desktop, spreading the marketing for the company that developed it. When it is incorporated in a mashup they will not have the advantage of a dominant position on your desktop.

You will see that they will make it harder to communicate with the messaging servers without using the official client. So this can be a downside. Also, some will quit the market and be pushed out of it by this, so you will have less to pick from. Even though I started this topic with the problem of having too many different instant messaging networks, it is good that you have a choice. By improving the interoperability of the networks you will see that some will quit. Having a choice is always important, so I see this as a real downside.

Mashup network?
Would it be a good plan to also have a mashup network, like we have for Google Talk and MSN for example? Yes, this should be a part of the solution. The ideal situation is that we have an open source mashup server which is also able to run its own instant messaging service network and connect to other mashup servers. So if you think you do not have to join an existing network you can just make use of the mashup network. If it is properly designed you can even use it on websites as a sort of makeshift instant messaging chatroom, which enables you to talk to people in this specific room and, if you like them, invite them to become part of your mashup network.

Privacy and security?
Privacy and security: besides the obvious point that the security of the mashup has to be really, really tight, there are more things to consider. First, on the topic of the mashup security. As not all networks will work with OpenID, you will have to store some of your passwords in the mashup to get a sort of single sign-on. So if the mashup server is compromised, all your passwords will be compromised. There are ways and encryption algorithms that can prevent this, however the person developing the mashup server should be aware of this.

Privacy: you should be able to set your own security and privacy in such a mashup as fine-grained as possible. For example, if I get an invitation from Carla and I have an MSN, a Yahoo! Messenger and a Skype account, I want to be able to grant her access only to, for example, MSN, because I know that if she gets my Skype account I will have to talk to her every night. I also want to be able to say I am available on all networks, however not on MSN for persons X, Y and Z, even though I might be available for person Y on Skype. You should be able to define all these small fine-grained settings.

Where are we?
Somewhere in the middle I think. What we currently see is that instant messaging networks are opening up. You already have desktop clients that allow you to interact with a number of networks from a single client.

We do have APIs for quite a lot of networks. For example, for MSN Messenger we have a Python library: msnlib, a Python MSN messenger protocol library and client.

For Google Talk we can also use Python, and as Google Talk is based upon a Jabber server we can talk to most of the networks which use a Jabber server: Google Talk, Live Journal Talk, Nimbuzz, Ovi….. Jabber is an XMPP server; you can even start your own server quite easily, just have a look at xmpp.org.

So we have some bits and pieces; now we have to create a mashup from them. Well, there is work being done on this subject as well. If we check WSO2.org we can already find some interesting things. So as you can see, some people are working on parts that can be used. Now all we need is a person who will put the pieces together and create this mashup, which can make all of our lives a lot easier. Never install a client again, always be able to quickly add all your new friends to all your instant messaging networks….. sounds like a good build for 2011.

Is it already there? Yes, in some form. If you have a look at eBuddy you will see that something like the above is already available. So why still request a build for 2011? It is not completely the product as described above. Some of the real benefits are missing in my opinion and there is not a strong user community. Maybe some people will disagree with me and state that there is already a good working mashup. Well, that is great. However, I still find it too little and I would like to opt for a build for 2011 which is preferably also an open source project, so you can download it and create your own spinoff of a mashup. Maybe even connect that mashup to some central mashups. So eBuddy is a great tool, but it is not (yet) what I am intending.

What about Google Wave?
When I was talking to some people about writing this post, Google Wave came up. What about Google Wave? Well, as Google Wave is quite new and still needs to get a good user community, I am not sure. Also, Google Wave is not an instant messaging client as such. However, from what I have been reading and from what I have seen, I would say that Google Wave should also be incorporated into this mashup. Or…… Google Wave should become this instant messaging mashup. As Google Wave and the Wave protocol are open source, it might be that the community will build a mashup around Wave or that Google itself will create the interoperability between the different networks. Might be a good hint to the guys over at Google Labs. Please do forward a link to them so they might have a peek at this post.

Sunday, August 02, 2009

Oracle read only tables


Some time ago I was having a discussion with someone on making a table in Oracle read only. I was under the impression this was possible and he was under the impression it was not possible. While having the conversation we both used Google to find something to show to the other. He came with a page stating that it indeed was not possible and that you should arrange this by revoking write access to the table for a certain user. I however came up with a page stating that it was possible. As the proof is in the pudding we tried it out, and yes, you can make a table read only.

The function to make a table read only is available since Oracle 11g. If you look in SYS.USER_TABLES you will find a column named READ_ONLY. So if you query this for a "normal table", let's say table TESTTABLE, the value of SYS.USER_TABLES.READ_ONLY will read "NO". Now we set TESTTABLE to read only by executing the following SQL command:

alter table TESTTABLE read only;

Query SYS.USER_TABLES.READ_ONLY again for all records having TABLE_NAME set to TESTTABLE and you will see that it is set to "YES". If you now try to do, for example, an insert on the table, you will get an ORA-12081: update operation not allowed on table.

So yes, it is possible to make a table read only in Oracle database 11g. Also a good read on read only tables can be found on this website.



Legal Guide for Bloggers

This is a 1 on 1 copy of the original from the eff.org website. I think this should be placed on as many blog websites as possible to get this out into the world and to all the bloggers.

Whether you're a newly minted blogger or a relative old-timer, you've been seeing more and more stories pop up every day about bloggers getting in trouble for what they post.

Like all journalists and publishers, bloggers sometimes publish information that other people don't want published. You might, for example, publish something that someone considers defamatory, republish an AP news story that's under copyright, or write a lengthy piece detailing the alleged crimes of a candidate for public office.

The difference between you and the reporter at your local newspaper is that in many cases, you may not have the benefit of training or resources to help you determine whether what you're doing is legal. And on top of that, sometimes knowing the law doesn't help - in many cases it was written for traditional journalists, and the courts haven't yet decided how it applies to bloggers.

But here's the important part: None of this should stop you from blogging. Freedom of speech is the foundation of a functioning democracy, and Internet bullies shouldn't use the law to stifle legitimate free expression. That's why EFF created this guide, compiling a number of FAQs designed to help you understand your rights and, if necessary, defend your freedom.

To be clear, this guide isn't a substitute for, nor does it constitute, legal advice. Only an attorney who knows the details of your particular situation can provide the kind of advice you need if you're being threatened with a lawsuit. The goal here is to give you a basic roadmap to the legal issues you may confront as a blogger, to let you know you have rights, and to encourage you to blog freely with the knowledge that your legitimate speech is protected.

Please note that this guide applies to people living in the US. We don't have the expertise or resources to speak to other countries' legal traditions, but we'd like to work with those who do.