About Me

My photo
PhD Candidate at Purdue University, Computer Science.

Thursday, May 24, 2007

Agile Process

My first reading about Agile was the Agile Manifesto. I think this was enough to get the whole picture of the agile philosophy.
I really don't recommend that you get a book to read about the agility; it will be a contradiction to read a book as long as the Agile methods emphasize working software as the primary measure of progress. It is better you spend the time understanding your working environment and maturity to apply the best process that can fit with it.
I lived a similar experience with eSpace when they were aiming to get a CMM certificate, CMMI or whatever they will call it after couple of years.
I think that finally the people here got the good decision by putting this plan away, and put their own standards, the standards best fitting with their teams and their environment. I doubt their was a need to some white collar guy to supervise our documents and our working styles to decide whether we fit to Mr XYZ standards or not. I also got the chance to meet some guys from another company having this certificate. What I found is that they modified their hierarchical structure just to accommodate the standard although their team wasn't capable at all to support this hierarchy.

Anyway, let's move to another point...
When we talk about the agile process we should identify very well any possible limitations before adopting it. It is very clear for me that it needs mature people, and this can be considered as one of the limitations.
Another factor that may limit the agile adoption is the "distributed software". Lately all our projects are distributed. Customers are from Europe, USA, Gulf. Developers are working remotely from different areas.
What are the challenges behind such distributed agile work???

The answer of this question can be summarized in knowing that agile methods mainly rely on informal processes to facilitate coordination while distributed software development typically relies on formal mechanisms.

Challenges in Agile Distributed Development
  1. Communication need vs. communication impedance: How can we achieve a balance in formality of communication in agile distributed environments?
  2. Fixed vs. evolving quality requirements: the Agile relies on ongoing negotiations between the developer and the customer while Distributed Development often relies on fixed, upfront commitments on quality requirements.
  3. People- vs. process-oriented control: We appreciate the people-orientation the most.
  4. Lack of cohesion: Generally speaking about the distributed environment, people may feel In distributed development, participants are less likely to perceive themselves as part of the same team when compared to co-located participants. the agile adds some more excitement to it :)
  1. Process Refactor: Continuous process adjustments instead of following strictly the agile practices. It is also recommended to document the requirements at different levels of formality.
  2. Knowledge Spreading: the team should share their knowledge regarding different domains(business, code, test cases..etc). Alot of tools were developed to reduce the overhead of knowledge-sharing activities. Code/process Repository is a must. the Wiki also is a very important way to share the How-Tos between members. I can't neglect the Bugzilla with its role in creating database to help teams report issues and assign priorities.
  3. Short Iterations: any iteration should not exceed 2 weeks. short iterations help to detect any misunderstandings for the project business and prevent any time waste.
  4. Start with well-understood functionalities: In order to create the best atmosphere for developers there should be a solid sand to start to be familiar with the processes, tools, and the application. this can be some kind different that the agile which advocates the development of features prioritized as critical by the customer.
  5. Improve Communication: Synchronized work hours are very important for the team. Also try to make the informal communication be done through formal channels. for example, let it through the emails so that it can be archived. In the distributed Projects it is recommended that the project leader/manager should be involved in the communication and the synchronization process than the Agile practice. finally, some daily mechanisms should be done to maintain minimal communication like morning online meeting.
  6. Building Trust: trust involves both the team and the customers.
1. Ebert, C. and Neve, P.D. Surviving global software development. IEEE Software 18, 2 (Mar./Apr. 2001), 62–69.
2. Highsmith, J. and Cockburn, A. Agile software development: The business of innovation. IEEE Computer 34, 9 (Sept. 2001), 120–122.
3. Matloff, N. Offshoring: What can go wrong? IT Professional (July/Aug.2005), 39–45.

Saturday, May 12, 2007

Web Antivirus

Web Services are increasingly becoming an essential part of your everyday life. How much time you spend surfing the internet pages?
To be more specific how much you feel now that Google is too much involved in your daily routine? Can you imagine your life without Google? your search, your Calendar, your email, your blog, ...etc

Well, it seems that you will look for Google to be your web antivirus. Before you access a page, type the url in google search and pray that you won't get "this site may harm your computer".
you have just to obey, otherwise your PC will be affected.

the story begins with researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis". Actually they found 450,000 pages guilty.

It is sufficient only one visit from you to make the attacker able to detect and exploit a browser
vulnerability. Therefore, the goal of the attacker becomes identifying web applications with vulnerabilities that enable him to insert small pieces of HTML in web pages.
An example for this is iframes, which can successfully install a malware binary "drive-by-download".
Are the web masters, or the site creators are responsible for this?
The answer is, it is not always the case.

User Contribution

Many web sites feature web applications that allow visitors to contribute their own content. This is often in the form of blogs, profiles, comments, or reviews. they usually support only a limited subset of the hypertext markup language, but in some cases poor sanitization or checking allows users to post or insert arbitrary HTML into web pages.

Although web masters have no direct control over the ads themselves, they trust advertisers to show non-malicious content. Sometimes, advertisers rent out part of their advertising space; in this case the web master needs to trust the ads provided from a company that might be trusted by the first advertiser. And so on, you may find nested relations which considered as pitfall in the trust relation by making it a transitive one.

Third-Party Widgets
A third-party widget is an embedded link to an external JavaScript or iframe that a web master uses to provide additional functionality to users. Example for this, Google Analytics :)

Webserver Security
The contents of a web site are only as secure as the set of applications used to deliver the content, including the actual HTTP server, scripting applications (e.g. PHP, ASP etc.) and database backends. If an attacker gains control of a server, he can modify its content to his benefit. For example, he can simply insert the exploit code into the web server’s templating system. As a result, all web pages on that server may start exhibiting malicious behavior. Although we have observed a variety of web server compromises, the most common infection vector is via vulnerable scripting applications. We observed vulnerabilities in phpBB2 or InvisionBoard that enabled an adversary to gain direct access to the underlying operating system. That access can often be escalated to super-user privileges which inturn can be used to compromise any web server running on the compromised host. This type of exploitation is particularly damaging to large virtual hosting farms, turning them into malware distribution centers.

Exploitation Mechanisms
A popular exploit we encountered takes advantage of a vulnerability in Microsoft’s Data Access Components that allows arbitrary code execution on a user’s computer.
Typical steps taken to leverage vulnerability into remote code execution:
  • The exploit is delivered to a user’s browser via an iframe on a compromised web page.
  • The iframe contains Javascript to instantiate an ActiveX object that is not normally safe for scripting.
  • The Javascript makes an XMLHTTP request to retrieve an executable.
  • Adodb.stream is used to write the executable to disk.
  • A Shell.Application is used to launch the newly written executable.
Another popular exploit is due to a vulnerability in Microsoft’s WebViewFolderIcon. The exploit Javascript uses a technique called "heap spraying" which creates a large number of Javascript string objects on the heap. Each Javascript string contains x86 machine code (shellcode) necessary to download and execute a binary on the exploited system. By spraying the heap, an adversary attempts to create a copy of the shellcode at a known location in memory and then redirects program execution to it.

Detecting Dangerous Pages
Simply, by monitoring the CPU and the processes executed on accessing the page. When some unknown processes are added to the list, this will be a strong sign that a drive-by download has happened.

Google will be more and more involved in our life, it will report to you malicious sites for free....
anyway, it is not a big deal, you can do it yourself for some levels. but there a little bit sophisticated cases when you need multilevel reverse engineering...

source: Google Research Paper

Update: Google online security blog, the latest news and insights from Google on security and safety on the internet.

Wednesday, May 09, 2007

Upgrade your Experience with Google Analytics

Few days ago Google Analytics has released a new version. The new user UI enables easier use of the reports and metrics within the data sets,

New Google Analytics Visitor Overview

  • Email reports and improved clarity of graphs allow users to explore and discover new insights
  • Customizable dashboards ensure the right data gets to the right people at the right time
  • Plain language descriptions of the data allow users to take action to improve their web site
This is awesome :)

Attitudes for Creativity

I just remember the Bernards Shaw's quote:" You see things, and you say, "Why?" But I dream things that never were, and I say "Why not?"
I am sure if the creativity can be learned anyway, a lot of people just born to be creative...
maybe someone can see this link listing 9 attitudes for creative people, and tell me if creativity can be learned or not.
the attitudes as listed by the link are as follows:

1. Curiosity

"What if?", "Why?", "Why Not?"...

2. Seeing Problems as Interesting and Acceptable

ChallengeCreative people see problems as a natural and normal part of life - in fact they often have a fascination with problems and are drawn to them.

3. Confronting Challenge

Asking ‘how can I overcome this’?

4. Constructive Discontent

Awareness of what’s wrong with the world around, then let it be a motivation to doing something constructive.

Friday, May 04, 2007

The 100 most Influential Personalities

Time magazine.....Created a list of the 100 most influential people in the world.
The Saudi monarch Abdullah bin Abdul Aziz was ranked 36 among the 100 most influential personalities on the political level in the world for 2007. The list included personalities from diverse backgrounds, including Sudanese President Omar Al-Bashir, along with Egyptian Islamic preacher Amr Khaled. It was striking absence from the list the name of the American President George Bush, leaving the place for Osama bin Laden and the Pope Benedictos XVI and Al Gore, Leonardo de Caprio and others. For the politicians, the list included the name of the American Secretary of State Condoleezza Rice, and the Supreme Leader of the Revolution, the Iranian Ali Khomini, and Raul Castro, brother of Cuban President, along with the Democrats, the main candidates to the American presidential elections of 2008, Hillary Clinton and Barak Obama, in addition to the Chairperson of the American House of Representatives Nancy Pelosi. The 34/39 former U.S. Vice President Al Gore in the category of "scholars and thinkers," along with the co-founder of Microsoft Paul Allen.
In the category of "heroes and pioneers," the name of the multi-millionaire Warren Bouvet, and French soccer star Thierry Henry and an activist in the issue of Darfur Representative George Cluny. It also named for the founder of the site "youTube" electronic videos on the list and the name of the founder of Apple, Steve Jobs.

The journal does not rank such personalities, not necessarily to justify why chosen figures, only saying that it wants to honor the "men and women who change the world using their talents, their authorities or their moralities"

This is a strike to the Egyptian system, choosing Abdullah is an indication of the absence of the Egyptian effect on the middle East, where Egypt has been always the most effective player. Currently, it is really obvious that Saudi Arabia stole this role from Egypt.
We don't forget picking Amr Khaled is also a big strike, there were rumors that Amr Khaled was forbidden from Egypt because of the worry of his effect on the Egyptian people, and he faced a lot of Media battles to deny his effect and his role in the islamic world.

Thursday, May 03, 2007

The BlackWater's Danger

I think the phenomenon of BlackWater is too dangerous concept...
The USA uses these kinds of gangs to fight for them instead of get involved in IRAQ, Afghanistan.
These gangs cannot be punished for war crimes, because they are not nothing actually. they are not a military, nothing except...........
They achieved numerous massacres in IRAQ and Afghanistan, wearing Navy Uniform.

Privatization in Egypt is totally different than privatization all over the world :)...This is about the privatization of war and how that subverts even basic notions of democracy. The blackWater is used as a mirror for "Radical Christian Right".

If we are still not aware of wt does this really mean...then here we are..
Blackwater is also the name of private company, formed by an ex-Navy Seal, which owns the training facility and sells "security" to countries or organization doing business in high-risk areas of the globe.

Blackwater's security services included making available - for a price - a small army of heavily armed, experienced mercenaries with access to their own helicopter gun ships, armored vehicles and war planes.
Some says that in 2006, Blackwater had 2300 soldiers deployed in nine countries with a database of 21,000 additional on-call mercenaries.
Where these soldiers come from?????
There are EX-Special Forces from US and UK. they simply can't find inner peace in thir civilian life, so they looked for wars in other countries (Islamic ones). We don't need to say that they r very cruel, experienced, commandos, seal...etc everythg we may think about.
the BlackWater can defeat a significant number of countries.

Some others confirmed that Blackwater has won - on a sole-source basis - more than $500 million of US government contracts, not including unlisted "black" contracts. In addition to Iraq, Blackwater has contracts for work in the Louisiana flood area and on the Mexican boarder. The total global value of private military security contracts is estimated to be $100 billion and rising.

Aren't these terrorist gangs?
they make me sick, that's enough for now :S