More Parallelism Support in upcoming IDE version

The October issue of the MSDN magazine contains an article on the improved support for parallelism in the next version of Visual Studio [v. 10] as well as in .NET 4.0. Stuff from the Parallel Extensions (TPL, PLINQ) to the .Net 3.5 Framework (available as Community Technology Preview) went in as well as new features to support parallelism in native code. In addition, testing tools to cover parallelism in code are in the pipeline too. Most of these new features were presented at this year’s PDC in Los Angeles (slides are available for download). This is definitely a step in the right direction but a long road to go until writing parallel code is daily business for mainstream programmers. I got still concerns if existing programming languages, libraries, frameworks and compilers can deliver the final answer to cope with the complexity of expressing explicit parallelism.

New Music on my turntable

Talking about the stock market, the October was a nightmare; everything went south. Fortunately, there is still Rock’n’Roll (“There is noting conceptual better than Rock’n’Roll!”, you remember John Lennon saying this in an Rolling Stone interview? It is so true, so true!). Well, the October was not so bad in terms of new releases. Here are my new acquisitions:

• Metallica - "Death Magnetic" [****]
• Oasis - "Dig Out Your Soul" [***]
• ACDC – "Black Ice" [*****]
  Please note, ACDC gets five stars [*****] by default.

Mauerfall und Schwarze Schwäne

Heute vor 19 Jahren ist die Mauer, ein Symbol von Unfreiheit und Unterdrückung, gefallen. Momentan lese ich gerade „The Black Swan“ von Nassim Nicholas Taleb. Wie passt das zusammen? Für mich ist der Mauerfall ein typischer Schwarzer Schwan, der alle Eigenschaften erfüllt, die Taleb in seinem Buch beschreibt: selten (rare), mit extremen Auswirkungen (extreme impact) und rückblickend vorhersehbar (retrospective predictable), ein so genannter Outliner. Natürlich ist das eine theoretische, fast schon philosophische Sichtweise, die die emotionalen Gesichtspunkte eines solchen Ereignisses (das extreme Leid vorher und die überschwängliche Freude beim Fall der Mauer) nur ungenügend berücksichtigt. Sie birgt aber auch die Hoffnung, das es in Zukunft ähnliche Schwarze Schwäne geben kann, die unterdrückten Menschen in Not endlich Freiheit und Demokratie bringen werden.

Autumn in Germany

autumn impression - webduke pics 2008

Concurrency Aspects

The new issue of the ACM Queue got the “The Concurrency Problem” on the front page. One article is about the programming language Erlang which has the ability to solve parallel problems by design. Another excellent contribution (Real World Concurrency) is about the why and when and tries to nullify any taste of black magic. I totally agree that developers should not feel forced to use parallelization by implementation in any scenario. Performance is the main objective when parallelization is considered. But there are different ways to achieve this (and not just by using threads and locks [lets call this multithreaded code] within one process). The author calls this approach concurrency by architecture. I can live with that perception perfectly. Furthermore, a lot of hints and pitfalls are listed in order to handle locks, threads, mutexes, semaphores, and debugging in the correct way which includes good advice how to identify the right code segments for parallelization. Must read (*****)!

A brief history of Access Control

Access Control is an important part of the computer security realm. It is complex, hard to achieve in a robust and bullet-proof manner and it will always screw up ordinary users that want to surf and play around without being confronted with nasty restrictions, decisions and limitations. Is this realistic, achievable? Well, everything seems to be a big loop in the computer and software industry [a reference to the good old times :-)]. Take the cloud-stuff as example. Sharing resources and deploying thin clients is not that new. Its just branded (and pushed) like a new hype. Where is the relation to access control? Access control can be implemented in the operating system (OS) as well as in other layers of the application stack. I’m gonna focus on the OS level here. I remember times [aka as the good old times :-)] where user-rights in terms of access control were very limited. The change came with the advent of personal computing. Everybody wants to be an admin (and can be an admin) very easily, even programmers. In case of a disconnected, single-user machine, it might not be a problem. But this is not a valid scenario. We want and need the Internet. Yes! But beside all the cool stuff, male-ware is everywhere, and needs our machines as host or target. We are easy prey when running everything as admin. So we need to get back to the good old times [in order to complete the loop:-)]. In Vista, a serious attempt has been started. It might be boring to get asked all the time when feeling like an admin (but just being a standard user for the process in execution which is the parent process for later stuff). And, it might be cumbersome to maintain the virtualized registries for the old programs. Security versus usability and maintainability, this is the battle that it is raging. It should be fought and security must prevail (in the era of identity theft, male-ware and root-kits); especially when everything is running in the clouds. Hopefully, smart people will come up with some smooth solutions that make limited user-rights in terms of access control more acceptable.

Security and Virtual Machines, Part II

I announced lately to get back to this virtual thing and the ramifications when talking about security. Here we go. Identity and ownership are important factors in the security realm. Both attributes are often handled different in the world of Virtual Machines (VM). The owner of the real box might not be the owner of the VM. Identifiers (port number, MAC address) can differ and old-fashioned identity-schemas can not be applied anymore. Another side-effect coming with VM’s is an increase of complexity for the patch and update management. This is because of the broad variety of operating systems and versions that can be installed (and that will be installed) on the top of VM’s. All of them got their own life-cycle and their security-patches that must be applied. The VM life-cycle which can be characterized by snapshots and rollbacks is definitely helpful for testing and other evaluation purposes. But there are operations in the area of cryptography that could suffer. Time, random numbers, seeds, initials vectors, transaction states – just to name a couple of potential vulnerabilities. I see some room for improvement, especially for randomness in a virtualized environment. This must be addressed in the scope of the security architecture for a given system.

Detroit in October

Detroit in late October 2008
- webduke pics

Book Recommendation

This is the perfect time to read "The Black Swan", a book written by Nassim T. Taleb. The current financial crisis might be such an event (or might be not). Anyway, the book is fascinating, intelligent and funny. The - scalability of today's jobs - is an approach I have never thought about a profession. This is just one of many new perspectives. Another one is the turkey and what we can learn from him (and his destiny).

Dresden Moritzburg

schloss moritzburg 2008 - webduke pics

It's already autumn

October 2008 - webduke pics

... Real Nature is much more inspiring than anything else ...

... forget about buggy systems ...

Surf Globally, Store Locally?

The era of clouds (see my post on that) comes along with a lot of options to outsource data processing, storage and integration. Well, using external processing power is definitely a good idea, and this service is already accepted and used. Also the integration scenarios offer a lot of chances (beyond the market place and b2b capabilities). But storing data on external machines is a different thing. Security (privacy) concerns exist and should be taken seriously. Incidents (just see what happened to customer data of a big German telecom / mobile phone company) are no exceptional cases and the most spectacular are probably just the tip of the iceberg. Bullet-proof security architecture does not come for free. It’s expensive and a never ending process. Richard Stallmann (RMS) published his concerns last week. He called cloud computing a trap. His view is more about the fact that user might loosing control when running there applications in the clouds. This implies the security aspect. So, should the slogan of the environmentalists “buy locally” a little bit adapted in order to recommend a “store locally” approach?

Late Summer Impressions

Dresden, September 2008 - webduke pics

Security and Virtual Machines

A lot of rumors are circling around that Virtual Machines (VM) could pose another threat to IT-Systems which use hypervisor-technologies extensively these days. Unfortunately, concrete facts on implementation issues are not available. This discussion is probably a little bit misleading. From the security perspective, Virtual Machines are an approach to realize Access Control on an Operating System level. This comes along with data isolation. Sandboxing is another option but on a higher layer in the application stack. Sure, security is not the main objective when applying solutions based on Virtual Machines. But these objectives, like flexibility and mobility, are topics we should take in account when talking about security in the scope of Virtual Machines. Why is that? Traditional security mechanisms were developed to protect non-virtualized systems (or real hardware in a broader sense). But Virtual Machines (better: systems based on it) behave different. They are mobile and highly dynamic (people do copy, move, switch on, switch off, change ownership), and follow different life-cycle patterns. This is not good news for firewalls, existing policies, access control within the scope of the VM, as well as for forensic analysis. Beside the technical issues, processes are not ready to face these challenges in many cases. Security folks and administrators should be aware of this and must update their instruments (tools, policies).
Other areas of security are affected as well. Cryptography is just one example. I’m gonna cover this fascinating topic in my upcoming posts. And, virtualization has started to exist in the clouds. How is security performing high above us in totally virtualized solutions? Mmmh.

BlackHat 2008 Revisited - this years location

Las Vegas, August 2008 - webduke pics

Web Browser, Web-OS and the Era of Clouds

The discussion about a “Web-OS” is alive and kicking. Some folks might call it Cloud Computing or Cloud*.*. However, new browser products and offline-gadget-frameworks are leading in this direction, and some blogs do emphasize this implicitly. Well, I don’t wanna spoil the party. Don’t get me wrong; I do not question the ideas of delivering software as a service or similar ideas. But my concerns about the underlying technologies like HTTP, HTML, JavaScript, AJAX and others still exist. Even simple applications (in comparison with a Web-OS) in the Web 2.0 environment are prone to security flaws. New threats pop up on a daily basis. Many web applications (> 90 percent) are vulnerable according to serious studies. Mail programs, automatic update services, browser plug-ins, communication services, all this stuff is affected. The Black-Hat 2008 sessions provide a decent overview on what is going wrong. Is this the right foundation to build a “Web-OS” based on? Not sure. In addition a “Web-OS” would increase our dependencies on the availability of the Internet; beside VOIP, television, mainstream Internet-Services and all the other stuff running over IP-Networks. On the other hand, today’s mainstream operating systems are making progress in terms of security, which is good news. Talking about client computing, I remember the times when a company came up with sleek, thin terminals (in blue color), and announced the end of the personal computer. Nothing really happened. Big fat machines (from different vendors running different big fat operating systems) still exist. And this is okay with me (as long as the multi-core issues will be solved). I do prefer a perfect symbiotic solution comprising a powerful and efficient machine and a fast web access with a lot of cool apps running in the clouds. And, I want to process my texts, spreadsheets and other documents locally. All of this should be working in a secure manner. And at the end of the day (when security concerns and paranoia prevail ;-)), I want to unplug the network cable without loosing the capability to work and to access my documents.

Buchempfehlung

Da ich die deutsche Ausgabe gelesen habe, möchte ich diese kleine Buchempfehlung auch in meiner Muttersprache verfassen. Amazon.com: Get Big Fast von Robert Spector beschreibt die Gründerjahre dieser unglaublichen Internetfirma aus Seattle. Wer die verrückten Jahre des Internetbooms miterlebt (und „mitprogrammiert“) hat, dem sei dieses Buch sehr empfohlen. Natürlich sollten es auch alle anderen lesen, die schon immer wissen wollten, was das Besondere an dieser Firma ist und was sie so erfolgreich macht. Eine Frage bleibt dabei offen – was wird Amazon.com in ein paar Jahren sein und womit wird dieser Pionier des E-Commerce, der heute über einzigartige und zukunftsweisende IT-Technologien und Services verfügt, sein Geld verdienen? Wahrscheinlich kann diese Frage nur ein Mann beantworten. Und auch über den gibt es diesem Buch viel zu erfahren.

A Tribute to Jim Gray

acm queue has started to publish a series of articles about computer-pioneer Jim Gray with the May/June issue. In January 2007, Jim Gray left the Bay Area with his sailboat heading for Faralon Islands and was never seen again – a tragic incident. The articles are absolutely worth reading, describing his work and the extraordinary personality of this famous computer scientist.

Ct - Parallel Extensions to C++

Intel has developed extensions to C++ supporting the optimization of serial code to be executed on multi-core processors. The research project is called Ct (t stands for throughput) and comprises language extensions as well as a runtime compiler, threading runtime and memory manager. Different sources on the web emphasize that the design goal to minimize threading/coordination overhead has been met. In comparison with OpenMP, fewer instructions are needed for parallelization.

No short term relief of multi-core programming issues available

Beside all announcements to tackle the multi-core programming challenges, no major breakthrough can be ascertained. The issues are especially relevant on the client-side in the domain of mainstream applications. I have already posted a couple of comments on that.
Even the business world has identified the current status as a problem. The Fortune magazine addresses the topic in the last issue with an interesting article - A chip too far? The article is about risks and opportunities, and a Stanford professor describes the situation as a crisis – probably yes, probably not. It is definitely a huge chance for skilled programmers and people with the right ideas. I do agree with one statement totally – after years of abstractions in terms of platforms and languages, the complexity and hardware dependencies of multi-core architectures increase the learning curve for an average programmer dramatically.