Monthly Archives: December 2009

Polyphemus' List

I love lists and always have.  When I was a young kid, my parents gave me “The Book of Lists” and I spent days reading it.  So this time of year is one of my favorites because everyone is sharing their lists.  The end of a decade is even sweeter for list readers like me.  I’ve been reading everyone’s top 10 music lists, inventions lists and top sports plays (ESPN listed their top 10 plays of the decade and two involved the Patriots – Thanks Adam, they’re great memories).

Everything was wonderful in list land, until I ran across Paul Krugman’s opinion “The Big Zero” in The New York Times; “the decade in which we achieved nothing and learned nothing”.  Pffst. When Odysseus and his men blinded Polyphemus by stabbing him in his eye, Polyphemus screamed that he was blinded by οὔτις (“no man”).  The other cyclops took this to mean that Polyphemus was being punished by the gods, so they did not help him.

I think we should help Polyphemus escape his punishment by the gods and list some of this decade's marvelous achievements, especially on the technology front, in no meaningful order:

  • Gmail
  • YouTube
  • RSS
  • GPS handheld devices
  • Google Maps
  • Amazon Web Services
  • Podcasts
  • Skype
  • BitTorrent
  • Blogs

There.  I've always wanted to publish my own end-of-year list.


HDZune

A couple of days ago, I got a HDZune.  It has come a long way since the original Zunes introduced in 2006.  The design, form factor (5.27 × 10.21 × 0.89 cm), weight (73.7 g) and usability (multi-touch screen, twist interface) are fantastic.  I really wanted this gadget because of the 8.4 cm video display; clear and crisp 480×272 pixels.  I also like to listen to the radio and this gadget delivers crystal clear HD radio which is not your father’s radio.  I love the on-device user interface – very simple, and it makes pinning favorites easy to get to and better than rooting around in iTouch menus.  The battery life is solid – about 8 hours of video play, 30 hours otherwise.  There is a social interface that allows you to collaborate with your Zune/XBox360 friends including wireless music sharing, providing you have the appropriate digital rights.

The out-of-box experience was not so great.  Step 1.  Go to your computer, download and install the client application.  Oops, I’m a Mac and I guess Microsoft is conceding that market to the Apple/iTouch kingdom.  No problem, I also use Ubuntu.  Nope, just Windows.  Not great, but I’ll press on and load this up in my VMWare instance which is typically running on my Mac.  I spent a fair amount of time adjusting my VMWare configuration to share media in such a way that I didn’t need to duplicate hefty media data for the HDZune client application to auto-detect and import – allowing me to keep the HDZune in sync while sometimes streaming the same media from the host Mac.  Also, I had to make additional adjustments to the VMWare network and firewall configuration to open a path for another HDZune feature – wireless sync.  While I figured this out, clearly your average Mac user isn’t going to chase all this down; insert typical Microsoft rant here.

I’ve also spent a fair amount of energy building a media center in my house – dedicated wireless network, servers, etc… Naturally, I need to incorporate my new gadget.  I picked up the AV-Dock that includes a cradle, remote and two cabling paths.  The cabling supports both HDMI and component output.  Unfortunately, you’ll only get 720p HD output via the HDMI and standard 480 through the component path – so I stuck with HDMI.

I’d like the Zune device to support more native media formats so I can spend less time converting media:

  • JPEG for images;
  • WMV(.wmv), ASF (.asf), MPEG4 and H.264 (in .mp4, .m4v and .mov containers) for video. The MPEG-4 and H.264 formats are automatically transcoded to WMV.
  • MP3, AAC (.aac, .mp4, .m4a, .m4b, .mov), WMA Pro (2-channel), WMA Standard, WMA lossless for audio.

The online store, Zune Marketplace, is not nearly as good as Apple, but I don’t care about other applications or buying media from the store – this is strictly a portable media gadget and I get most of my media via my home media center.  The Marketplace uses a subscription model – download as much as you want every month, permanently keep 10 tracks per month.


Some guys don't make turns

This is a picture of my friend; we started our friendship after calling a truce during a rock fight when we were both 5 years old. Many years later, I took this picture during a spectacular day of helicopter snowboarding near Whistler. In the background, you can see that my friend rode straight down from the peak – a little game that we’ve been playing for years.  In four feet of powder, it is relatively risk free; a different game on the icy blue slopes of New England.

In any case, I was thinking about this today. The irony is that my friend started working at Pfizer when he graduated college and never changed course until about 2 years ago when he took a severance package; two full years of salary – a very powdery departure that happens about as often as that crystal clear day in British Columbia.  On the other hand, I’ve made quite a few turns during my career on the cold icy blue startup mountains and I’m currently searching for my next opportunity.  I’ve taken a few spills, for sure, but I’ve also had some thrilling rides that I don’t believe are available when you just blast through on the straight and narrow.

Now with my kids old enough that I’ve transitioned from survival mode to teaching mode – I’m trying hard to get them to try and make a few turns because they too, avid snowboarders and skiers, like to ride quickly top to bottom with no turns.  My daughter is in the chute now, college applications in and no idea what she wants to do – who really does, when you’re 17 years old.  I keep saying, how about a year in the Rockies as a ski bum (maybe I’ll visit a few times), some time in an Israeli Kibbutz or lend a helping hand in rebuilding New Orleans – grow up a bit, find your passion by trying stuff.

Make some turns, take some risks, even if the conditions are not ideal.


eBook effect


A while ago, I bought a Sony Reader, before Amazon’s Kindle was available.  For years this marketplace was bogged down with a classic chicken and egg problem or in this case, a content and device problem.  So I think Amazon deserves full credit for finally pursuing this emerging market, and of course their credit is coming in the form of outstanding revenue.

This reader has really made an impact on my reading experience.  I buy many books with real immediacy rather than deferring until I have time to go to the book store; I do a good amount of technology reading so going to Barnes and Noble has never really cut it for me.  I enjoy buying things to read at the moment I run across something I want to read, which typically comes from other online reading.

In addition to immediacy and easy online access, spontaneity has allowed me to accumulate a broader range of reading material.  Certainly more during my different walks of life than while standing in a book store – my current collection includes HTML5, The Art of Capacity Planning, Playing Poker like Pros, The Iraq Study Group Report, Inaugural Addresses of the President of The United States and Victory Secrets of Attila the Hun.

While my collection habits have changed for the better, my reading habits have also been significantly improved.  I’ve never been the read a single book at a time guy, but I also wasn’t about to carry a backpack full of books on commuter rails or international flights.  With the reader, I can easily tote around a few dozen things to read at any given moment – so I can concurrently, and practically read many books as the mood strikes me.  This also means that I read much more because I have my current collection with me during short read times, while I wait for the kids’ practice to end, wait for appointments, etc.  The reader easily holds 75-80 reasonably sized books, so I collect things for my family to read too – and I often hand the reader to one of my kids when I catch them glued to the PlayStation.

I think I’m better off with this reader and while I’m certainly no political fanatic, I’ve really enjoyed reading things that I’ve always wanted to – like the Presidential speeches.  There are tons of really great things in there.  Here are a few of my favorite factoids…

Many of the earliest presidents through Theodore Roosevelt refer to our earliest government based on freedom, liberty, for the people, by the people as a “great experiment” that the entire world was watching closely.

Washington took his oath on Wall Street and learned of his election while on a well-deserved vacation – a bit tired from fighting the revolutionary war, of course.  Near the very end of his speech, he states that the president should cost the people no salary, just small necessary expense reimbursements, and he immediately transitions to the fact that he plans to return to vacation.  I think he was the first guy who accepted a new position and then notified his boss that he had a previously planned vacation – so clearly one of the oldest tricks in the book.

Grant stated that “I know no method to secure the repeal of bad or obnoxious laws so effective as their stringent execution”.

Worth an eRead.


Easy hard, hard easy

Last year, I had a chance to work a little bit with a really senior product and operation manager who uniquely had the ability to quickly boil a complicated issue down to a simplified decision – what a great skill, and key to quickly moving onto solution building. The best product managers are not the technical muscle in the room, but are excellent at chasing the experts for the “Easy hard, hard easy” details before committing to key decisions. This simply means that sometimes the things that you think are easy to build turn out to be hard and of course, sometimes the seemingly daunting stuff is really cake. Super simple – ask if you don’t know, and sometimes you get a really important feature nearly free and sometimes you avoid the frustration of failure for seemingly simple little things. I liked it and added it to my experience collection to lean on in the future.


Cloudy with a chance of issues?

For a few years now, the technology meteorologists have been forecasting a heavy amount of cloud computing in our future.  The business side of the house has taken note, so the typical emerging technology questions have arisen from pundits and enthusiasts alike.  Emerging technology is always challenged as it gains popularity and goes mainstream; great, these challenges often accelerate progress in response.

Over the course of the past 20 years, I’ve started a few technology based companies.  Almost all of them have offered at least some form of what is now called Software as a Service.  Up until recently, this always meant spending tons of precious capital on enough technology infrastructure for some number of production, staging, QA, performance and development environments.  Firewalls, load balancers, front end servers, databases, storage and backups, oh my.  And of course, there is the pleasure of the icy cold co-location environment – the cage assembly, power struggles and pipe installation delays – nearly as fun as short code provisioning.  Very expensive to do correctly, times the number of environments that we needed – sometimes I even needed more budget than marketing. Getting the buy-in was always a top 10 board meeting topic, and often we had to settle on using less than sufficient gear for dual purposes – which to this day, I still contend cost us more in managing switch-overs, fixing problems, recovering from mistakes and educating our technology teams on the rules of the jungle.

More recently, I used Amazon’s cloud environment for everything.  There were huge advantages and cost savings.  Most notably, we did not need to sink enough cash into technical gear to cover the peak traffic requirements of our product, especially since average requirements were almost always far lower than these peaks.  We built various types of environments, archived snapshots of the configurations, brought things up during transient needs and shut stuff down when we were finished – saved enough cash for marketing programs.  The perfect example, staging environments, are really only used as a final sanity check before we push product to production.  We saved cash, plus when the idle environment lay in steely cold snapshot storage, I rested assured that no midnight buckaroo was slipping quick configuration tweaks into our staging environment that never seem to make it all the way to our production environment.  I could go on and on about the advantages we reaped, the problems we avoided.  As a veteran startup guy, I field plenty of questions from others and I almost always rank using cloud computing as a must-do.

But, I’ve fielded plenty of healthy challenges too.  The two big ones have always focused on security and stability.  Stability usually means, what happens when someone like Amazon goes down.  Oh, it happens.  Not often, but everyone has their special day – Google, eBay, etc… My teams, all crackerjack technologists, were startup budget magicians with a vested interest in maximizing shareholder value, trust me.  But, I remember quite a few more stability issues when we built our own product clouds – certainly never fewer than I experienced while using Amazon.  Some were mistakes, but most were simply because all we could afford still had a single point of failure or two – it is really hard to avoid and is usually cost prohibitive.  One time, our co-location provider fried both their OC-48 metro cards; their on-site replacement card failed and the card they flew in within 4 hours failed – a fun day of downtime for all was had in Boston.

In addition to stability, folks want to be assured that cloud computing security risks pale in comparison to our own security.  Security is one of those things in life that has an exponential cost compared to reducing risks beyond a certain threshold – take a look at how much money the Pentagon or every major financial firm spends on security; it usually appears in the same story about how someone has successfully breached their guard.  But the scenario at hand seems to be that the hacker makes it through Amazon’s security to gain unusual access to our data.  Is this more likely than making it through our cloud’s security measures?  I’m certain that Amazon has top-notch security infrastructure and numerous dedicated security experts diligently fighting the good fight to protect their multi-billion dollar business.  So, I’ve always spent more of my time paying attention to our own configurations – ssh keys, port openings, software stack vulnerabilities and most worrisome, our own product which always seems riskier and more vulnerable to the likely interested culprit.

So don’t cancel your outdoor plans – the clouds are the high wispy, non-threatening type and you don’t have to spend all your cash on sun screen, umbrellas and air conditioners.


A concise guide to using a secure APR connector in Apache Tomcat


I recently decided to reconfigure one of my Apache Tomcat instances to make use of the Apache Portable Runtime connector and improve performance with native server technologies.  Have you ever wondered what the very first Tomcat log entry is all about?  It states:

“INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: …”

The official documentation was pretty sparse and some supporting topics are left for you to go hunt down elsewhere.  So I decided to write a more concise guide here to cover two main topics: the connector and the supporting OpenSSL certificates.  Believe it or not, this is concise compared to the documents that I needed to read to get this done.

Building the connector from source (on Linux):

Of course there are a few simple prerequisites, I needed the typical Linux build tools (c/cpp compiler, linker, etc..) as well as Apache Ant on my machine.  In addition, since I’m planning on using SSL, I had already built and installed OpenSSL.

I needed to build the connector from source code, which just comes with the territory when using Java’s native technology (JNI).  The source code for the connector and the native library is included within the $CATALINA_BASE/bin directory.

To build the native connector:

# Untar the source (Tomcat ships it as bin/tomcat-native.tar.gz) and create a symlink
cd $CATALINA_BASE/bin
tar -xvf tomcat-native.tar.gz
ln -s tomcat-native-1.1.16-src native


# Build the native library with SSL support
cd native/jni/native
./configure --with-apr=/usr/local/apr --with-ssl=/usr/local/ssl/ssl-0.9.8g
make
make install

These commands have compiled, linked and installed several Tomcat files (libtcnative*.*) into my APR base directory’s lib directory (in my case, I specified /usr/local/apr during the above configuration command).  Now, I need to jar the Tomcat native file and move it to a place that Tomcat includes in its classpath.

# Using Ant, build the jar
cd ..
ant jar


# Move the jar to the Tomcat's library
mv dist/*.jar $CATALINA_BASE/lib

Since Tomcat doesn’t know to look for library files in the APR directories, I needed to let Tomcat know where to find the native libs (libtcnative*.*).  I added the following to CATALINA_OPTS:

-Djava.library.path=/usr/local/apr/lib

Finally, I made a couple of adjustments to Tomcat’s server.xml file ($CATALINA_BASE/conf/server.xml):

  1. I commented out the standard HTTP connector
  2. I removed the SSLEngine="on" parameter from the APR Listener configuration
  3. I added a new APR connector configuration listening on port 443

These edits essentially resulted in the following:

<Listener className="org.apache.catalina.core.AprLifecycleListener" />

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
connectionTimeout="20000" URIEncoding="UTF-8"
SSLEnabled="true" SSLCertificateFile="server.crt"  SSLCertificateKeyFile="server.key" />

Creating the supporting SSL files using OpenSSL

I need the certificate and key files that I included in Tomcat’s server.xml configuration above.  I am using OpenSSL to create self-signed SSL files as opposed to just buying a certificate from a real root authority (like Verisign, Thawte, etc…).

First I created my own Certificate Authority.  I only need to create one of these snake oil Certificate Authorities to sign as many server requests as I need.

# Create a CA directory in my home directory
mkdir ~/CA
chmod 0770 ~/CA
cd ~/CA


# Generate a Triple DES encrypted key using 2K bits: my-ca.key
# This is going to prompt you for this key's passphrase
openssl genrsa -des3 -out my-ca.key 2048


# Generate my Certificate Authority certificate: my-ca.crt
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt


# Only allow me to read my CA key
chmod 0400 *.key

Now I’m ready to create some server keys and certificates.

# Changing to Tomcat's configuration directory
cd $CATALINA_BASE/conf


# Generate a Triple DES encrypted server key using 2K bits: server-secure.key
# This is going to prompt you for this key's passphrase
openssl genrsa -des3 -out server-secure.key 2048


# Now create a version that does not prompt for a passphrase: server.key
# Otherwise, Tomcat will wait for this passphrase on startup
# which is not good if this is headless server startup
openssl rsa -in server-secure.key -out server.key


# Create a Certificate Signing Request: server.csr
openssl req -new -key server.key -out server.csr


# And finally, create a certificate: server.crt
# Signed by my own Certificate Authority, created earlier
openssl x509 -req -in server.csr -out server.crt -sha1 -CA ~/CA/my-ca.crt -CAkey ~/CA/my-ca.key -CAcreateserial -days 3650


# And of course, only the owner should be able to read the private keys
chmod 0400 *.key

That’s it, simple.  I also added my new certificate to my keystore so that running applications can use the certificate for other things.  When I ran keytool, I was prompted for a keystore password.  Since I had never changed the default keystore password, it was ‘changeit’.

keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -importcert -file server.crt -alias tomcat
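The CA and server-certificate steps above, as an added example that is not part of the original post: a non-interactive version of the same OpenSSL sequence (passphrases supplied with -passout/-passin, subjects with -subj, and SHA-256 in place of SHA-1 for the signature), followed by the checks I would run before pointing SSLCertificateFile and SSLCertificateKeyFile at the files. It assumes openssl is on the PATH and takes a scratch directory as its argument; the CN values and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: openssl on PATH,
# a writable scratch directory passed as $1. Passphrases and CN values
# below are constructed placeholders.
set -e

make_snakeoil_pki() {
  dir="$1"
  mkdir -p "$dir/CA" && chmod 0770 "$dir/CA"
  # CA key (Triple DES protected, 2048 bits) and a 10-year self-signed CA cert
  openssl genrsa -des3 -passout pass:capass -out "$dir/CA/my-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/CA/my-ca.key" -passin pass:capass \
      -subj "/CN=Snake Oil CA" -out "$dir/CA/my-ca.crt" 2>/dev/null
  # Server key: keep the encrypted copy, strip the passphrase for headless startup
  openssl genrsa -des3 -passout pass:srvpass -out "$dir/server-secure.key" 2048 2>/dev/null
  openssl rsa -in "$dir/server-secure.key" -passin pass:srvpass \
      -out "$dir/server.key" 2>/dev/null
  # CSR, then sign it with our own CA (sha256 rather than the post's sha1)
  openssl req -new -key "$dir/server.key" -subj "/CN=tomcat.example.test" \
      -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/CA/my-ca.crt" \
      -CAkey "$dir/CA/my-ca.key" -passin pass:capass -CAcreateserial \
      -days 3650 -sha256 -out "$dir/server.crt" 2>/dev/null
  chmod 0400 "$dir/CA"/*.key "$dir"/*.key
}

# Returns 0 only when every check passes; prints the first failing check.
check_tomcat_ssl_files() {
  dir="$1"
  # 1. server.key must not be passphrase protected or Tomcat blocks on startup
  if grep -q ENCRYPTED "$dir/server.key"; then
    echo "server.key is still encrypted"; return 1
  fi
  # 2. server.crt must chain to my-ca.crt
  openssl verify -CAfile "$dir/CA/my-ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
      || { echo "server.crt is not signed by my-ca.crt"; return 1; }
  # 3. certificate and key must belong together (identical RSA modulus)
  cm=$(openssl x509 -noout -modulus -in "$dir/server.crt")
  km=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
  [ "$cm" = "$km" ] || { echo "server.crt does not match server.key"; return 1; }
  # 4. every private key must be owner-read-only (0400)
  for k in "$dir"/*.key "$dir/CA"/*.key; do
    case $(ls -l "$k" | cut -c1-10) in
      -r--------) ;;
      *) echo "$k is not mode 0400"; return 1 ;;
    esac
  done
  return 0
}
```

Run make_snakeoil_pki on an empty directory and then check_tomcat_ssl_files on the same directory; a non-zero exit names the first file that would trip Tomcat at startup.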

