Thursday, 24 January 2008

ePassport - intro

Mood: Wife does not sleep at home, husband rests in peace ;)

Note: All the materials provided below are publicly available on the internet.

Introduction

The biometric passport is, in general, a passport with an RFID chip that stores the data needed to uniquely identify the holder. Every so often Interoperability Test Events are organized, where a number of companies present their passports and test them with various readers, discussing and analyzing the results; the last one took place in Berlin. The well-known suppliers of complete solutions are (among others):

The chip

The content of the chip is top-secret knowledge for every country, and the specifications for such processors (including the OS) are not publicly available. They can be split into two subsets: the ones that have just an OS, and the ones that additionally have a Java Virtual Machine. Some of the best known brands are (among others):

Of course, besides the processors you need plenty of other items, and there are a couple of other niches such as "passport reader" equipment (Omnikey, 3M, Oce), but the main trend is set by the ICAO norms: document 9303, which you must pay for.

BAC > EAC

The communication with the chip is specified by the ICAO New Technology Working Group in two standards:

  • Basic Access Control (BAC) - already working in a number of countries and already mandatory in the EU
  • Extended Access Control (EAC) - works only in Germany since Nov 05, but a number of countries are preparing for it, as it is planned to be obligatory from 2009 (there are still a couple of open issues in the specification)

BAC mainly specifies the fundamentals, answering the questions of where the chip should be embedded in the passport, what data should be stored on the processor (including the picture and a digital signature to detect modification; the content of the chip should stay static from verification to verification) and how the data should be read from the chip, including the encryption mechanism based on the MRZ (machine readable zone), which you can see in the passport as:

P<UTOERIKSSON<<ANNA<<MARIA<<<<<<<<<<

BAC is "criticized as offering too little protection from unauthorized interception", and this is because the cryptographic keys are symmetric and derived from the passport serial number, date of birth and expiry date (no infrastructure is provided).
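The MRZ-based key material mentioned above can be reproduced in a few lines. The Python below is an added example, not code from the original post: it computes the ICAO 9303 check digits and derives the BAC key seed and the two 3DES keys (encryption and MAC) from the document number, date of birth and expiry date, following the SHA-1 based derivation described in ICAO 9303. The function names are my own, and the sample document number, birth date and expiry date are the ones used in the ICAO 9303 BAC worked example (assumed here as constructed input; the hex output can be compared with the values printed in that appendix).

```python
import hashlib


def mrz_char_value(ch: str) -> int:
    """Numeric value of an MRZ character: digits as-is, A..Z as 10..35, filler '<' as 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate document number, birth date (YYMMDD) and expiry date (YYMMDD),
    each followed by its check digit; the document number is padded to 9 chars with '<'."""
    doc = doc_number.ljust(9, "<")
    return (doc + mrz_check_digit(doc)
            + birth_date + mrz_check_digit(birth_date)
            + expiry_date + mrz_check_digit(expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so that each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def derive_key(seed: bytes, counter: int) -> bytes:
    """K = SHA-1(Kseed || counter)[0:16], with counter 1 for Kenc and 2 for Kmac."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> dict:
    """Derive Kseed, Kenc and Kmac from the three MRZ fields that BAC relies on."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    kseed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {
        "mrz_information": info,
        "kseed": kseed,
        "kenc": derive_key(kseed, 1),
        "kmac": derive_key(kseed, 2),
    }


if __name__ == "__main__":
    # Constructed input: the document number, birth date and expiry date
    # from the ICAO 9303 BAC worked example.
    keys = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", keys["mrz_information"])
    for name in ("kseed", "kenc", "kmac"):
        print(f"{name}: {keys[name].hex().upper()}")
```

Note what the derivation takes as input: nothing beyond the three printed MRZ fields. The seed is therefore only as unpredictable as those fields are, which is exactly the "too little protection" criticism quoted above and the gap that EAC's asymmetric scheme with a PKI is meant to close.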

Lukas Grunwald demonstrated that it is trivial to copy the biometric certificate from an open e-passport into a standard ISO 14443 smartcard using a standard contact-less card interface and a simple file transfer tool. This is hardly surprising, given that the certificate is simply stored as a file, and had been obvious to those involved in the design of the ICAO e-passport standard throughout its development. In particular, Grunwald did not change the data held on the copied chip, which binds biometric data (e.g., photo) to identity data (e.g., name and date of birth), without invalidating its cryptographic signature, which means at present the use of this technique does not allow reprogramming of fake biometric data to match a different user. Grunwald also did not clone the Active Authentication functionality, an optional feature of the ICAO e-passport standard that some countries implement such that the embedded microprocessor is not only a floppy-disk-like data carrier for a biometric certificate, but also a tamper-resistant authentication token that can participate in a public-key cryptography based challenge-response protocol. Nevertheless, Grunwald created international media headlines with his claim that such copying of the biometric certificate constitutes the creation of a "false passport" using equipment costing around USD$200.

The source

EAC is the remedy for this and additionally includes (among others):

  • the necessity of storing fingerprints (the standard specifies which fingers, but not the format for storing the data)
  • asymmetric cryptography: secure communication based on a pair of keys - the private one in the passport and the public one in the passport reader, both provided by a dedicated PKI infrastructure:

Picture comes from the Cryptomathic site

In fact, in the case of passports where cross-country authentication is required, the PKI is not as simple as it seems...

Original slide 25 comes from Kim Nguyen (Deutsche Druckerei)

Conclusion

As you can see, the ePassport is a typical example of a two-tier architecture: a very thin client and a huge back end ;)

Resources

Interesting

Tuesday, 22 January 2008

Surely You're Joking, Mr. Feynman! - Book review

Mood: Lack of sleep

There is a question somewhere deep in my head: is it possible that a Leonardo da Vinci is born just once per whole civilization? Is there truly no place nowadays for a real "renaissance person", who has some achievement in more than two or three disciplines? The book is the answer to that question: definitely there is at least one such person - Mr. Feynman.
The book describes the incredible life of an open-minded person, who during one life can do the following:
  • learn to repair radios as a thirteen-year-old child
  • learn Italian quickly :D
  • take part in the Manhattan project (atom bomb) - surprisingly he writes more about what life in Los Alamos looked like than about his real work. It seems like he worked more in the nearby factory in Oak Ridge than in Los Alamos ;)
  • open lockers, wardrobes and safes (I need to remember 25-0-25 and 50-25-50)
  • make an impression on women in bars (do not pay for them, silly)
  • earn money in Las Vegas
  • be a friend of the big fish in Las Vegas
  • try to repair the Brazilian school system
  • play the pandeiro and frigideira (whatever they are) and take part in the Carnival celebration as a samba school member. Hotel boy screaming - "O PROFESSOR!"
  • learn why you should not earn too much
  • paint
  • stay in touch with people from other disciplines and not go to interdisciplinary conferences discussing general topics
  • get the Nobel prize (it sounded like the ceremony was the worst challenge)
  • go through the hell of scoring US school books
  • play half-professionally on the drum for a ballet

So when you read the list, the following feelings may appear in your head.

  • Did he really do these things? Yes.
  • Is he a megalomaniac? A little.
  • Why do I hear the surname for the first time? I was surprised as well :)

As you can see, making an extract from the book, which is itself an extract from such a rich life as Feynman's, gives odd results. Nevertheless, what was most inspiring in all this: Feynman always has a very practical approach, and even when he speaks about VERY complicated things (including philosophy), everything is served in a straightforward way (without a single formula).

  • You cannot be the professor, Mr. Feynman.
  • Why?
  • Because I understand everything you are saying.

On the other hand, the book is simply SMART. It contains plenty of tips & tricks, including not only "uncommon integration" (how you can gain from possessing a different toolkit), but also "how to cut a massive number of string beans" or "how to deal with women". What is truly inspiring is that it describes things AS-THEY-ARE and not with rounded words, so you can even find an f-word once, when he speaks about the government :D

He was also the one who reminded me that if you want to achieve something in the long term, you need to be honest with yourself, and when you present the results of your work you must present the ups and the downs.

And last but not least - the book is hilarious, so you enjoy reading it. It will definitely be $11 well spent.

Score: 6/6 (very good)

Monday, 14 January 2008

Google Trends

Mood: The weekend with Xbox 360 and Call of Duty 3 is truly the cure
Link: I would love to fix project problems the way he dances :D, but at the end there is usually blood :D :D

Intro
Google Trends is a set of services which allows you to analyze ALL the search requests sent to Google, and the news appearing on the web, by geographical region and by date (since 2004). There are the following services:
It is produced by Google Labs and has been in Beta since May 2006. At the beginning Google had some problems with data updates, but since 17 July they have provided the data on a regular basis - Google Trends daily and Hot Trends hourly.
Juice
The service is truly cool and your open mind has a playground... staying focused on rather professional things:
Project management methodologies

  • South Africa turns to the PMBoK?
  • Prince2 is the winner in the EU
  • RUP is very popular in Poland (in Polish as well)
Web languages

  • Polish is the most popular language generally and in HTML/PHP!!!??
  • There is an HTML renaissance when we speak about publications
  • Ajax gains ground slowly
eCard

  • e-cards become less and less popular year after year
  • they are the most popular in Vietnam, Thailand and Hong Kong (Vietnamese and Thai language), then in Belgium/Netherlands (Dutch language); is English truly only the 3rd most popular language?! Probably not in greetings :D
  • they are the most popular at Christmas time and New Year (seasonal trends mentioned by Wikipedia)
Issues
I truly spent a lot of time just to produce these three looks-like-quick analyses, as it is truly hard to find a good set of keywords for the search. Just as an example, I tried to compare the top three most popular business social networks using the Wikipedia list as the primary resource and I fell into the XING trap, which is also a big Chinese telco. There are plenty of similar cases - Java is also an island and Eclipse is mainly an astronomy term.
Google Trends does not show popularity, but just the number of searches and publications (whatever that means).

The system is based on the IP addresses from which the queries were issued, and it happens that pools of IPs are transferred from one country to another by "smart" internet providers (I know about such pools hijacked from Finland to Poland) ;)

You may request up to five keywords at once.

Conclusion
The service is definitely cool, but you need to use it VERY carefully and you probably also need some other resources which prove your hypothesis. The incoming popularity of Facebook (compared to MySpace) is plausible, but XING compared to LinkedIn or Plaxo? ;)

Anyway, the upcoming API for the service will definitely be a cool thing to play with! What else will come out of these Labs? It seems like there is a lot of rocket science going on! ;)

Monday, 7 January 2008

UML, RUP, MSF and the others versus reality

Mood: Monday was not as horrible as expected
Link: I am not a fan of the series, but the sounds keep pinging my mind ;)

"We need simply to use UML and it will fix all the problems" - I was quite surprised to see this idea in MY mind, and luckily not in my mouth yet ;) I am quite sure you also know people who believe that a particular approach like Prince2 or RUP will be the remedy for any disease. The problem is that the effectiveness of these solutions always depends on the particular situation. The most important thing is always to diagnose the problem first and then to find the medicine in the various books ;) Sounds like a cliché, but there are still so many werewolf hunters fully equipped with silver bullets. I have done some soul-searching and here we are...

General
· None of these specify the necessity of designing the GUI, but usually when you start drawing how particular screens will look you gain a lot of information (unless you plan a prototype first or a strictly agile, iterative approach)
· None of these (though the Prince2 books mention it unofficially) specify the necessity of a hard-numbered profit versus cost estimation. Business analysis should include some predictions of key indicators like Net Present Value or Internal Rate of Return
· QA is a different topic, which you need to keep in the back of your head regardless of everything else (RUP and Prince2 just mention it)
· None of the ones below will remind you about legal issues and regulations (legal acts, compliance with standards, corporate regulations)

UML
· UML diagrams are really cool, but THAT IS NOT A METHODOLOGY – it is simply a set of boxes which you may use in drawings. Nothing more, nothing less.
· Very many companies use UML to attach some images to documentation (good), but unfortunately not too many even generate the class skeletons from it, and even fewer keep the physical and logical models synchronized. Surprisingly, I have never heard or read about any CMMI-like model which would suggest it or score it!
· When we speak about the Use Case diagram, remember to draw the border of the system and, if necessary, the version of the system (quite often the technical spec covers a subset of the functionalities listed in the business spec)
· Use Cases are also about identifying the types of users
· Apply packages to simplify Use Cases
· Always look for reuse of diagrams and avoid copy & pasting (e.g. <<include>>, <<extend>> in use cases)
· Think about the Deployment Diagram and a general plan at an early stage; it is also a good moment to think about which OSes and browsers might be used by the final users (it is often forgotten and it blows up when the deployment truly starts)
· Sometimes it is quicker to sketch, scan and paste, even slightly against the rules, than to draw the diagram strictly with 100k EUR worth of software; pretty good is usually enough ;)
· UML is one of the best for designing software, but it is not the only one - have a look here.

RUP
· It is quite a cool approach, which nicely shows the 4 important stages of a project – preparation, analysis, realization and deployment, but there is no point where all the analysis is finished. It means that even when you start the 3rd phase, Construction, you do not have all the use cases finished (just 80% is required)!
· Contrary to RUP, I prefer to start coding when I have the complete set of use cases and the scope of the first release fully established - too often I have found the one nasty case which caused a total redesign
· Surprisingly, RUP does not go deep into technical aspects - it mentions mostly use cases, business aspects and risk management.
· Martin Fowler in his book The New Methodology says something like: “My experience with RUP is that you can customize it without boundaries, and that causes problems. I have met a couple of RUP usages, ranging from the cascade model with analytical iterations to a fully Agile process. I was surprised that promoting RUP as one process means people may do anything and call it RUP – it makes RUP a word without meaning” - I guess this happens because IBM's strategy is to allow at the same time its marriage with SCRUM and with Prince2
· You can find interesting documentation about RUP more quickly outside IBM (like Wikipedia) than inside, where you must go through tons of commercial crap to get a kilo of knowledge. The kilo is probably somewhere within the 270-page-long red book.
· RUP defines a couple of disciplines - among others Business Modelling, Requirements, Analysis & Design. In a situation when you need to interview clients (in order to specify the contract), it means that each specialty must be represented at each meeting.

MSF
· Unfortunately, since the new version (at least the document is ONLY 47 pages long ;) ), the split between logical and physical design is not emphasized so strongly. You need to spend significant time to find a sentence like “There are three levels in the design process: conceptual design, logical design, and physical design”. I guess this is caused by the necessity of generalization brought by MSF for Agile.
· A good trade-off mechanism, which finally learned how to be agile when the customer wants something more :D
· A User Experience role, which you will not find in RUP.
· A practical bottom-up approach to estimation, with not a word about it in RUP

I was thinking for a second about weighing RUP against MSF and putting a score on them, but the truth is that what counts is the coverage both companies provide for their development environments (IBM with Eclipse and Microsoft with VS.Net). There are a couple of interesting places where you can find a deeper comparison of both, even some Master's theses slightly preferring RUP. At the end of the road, it does not matter what label you wear, but how you feel in it. Is it flexible? Can you show up in the suit at a business meeting? Can you run to catch a cab? Do you buy clothes at the regular market or can you afford a tailor? Don't you think you need to have a couple of sets of clothes? :D

Wednesday, 2 January 2008

Sources of knowledge

Mood: Just after straight-11 free days without ANY business phone call (can you imagine that?)
Link: Odd Christmas wishes

Some time ago I got a very good question: "Where do I know from what I know?". I am the type of guy who, when asked about an unexpected thing, usually cannot come up quickly with a clever answer, so I answer something not clever enough. The problem is that this type of thing keeps sitting in the darkness of my mind, waiting for some clever-enough story. Worst of all, the dark side of the soul usually wakes up 5 minutes after I should already be sleeping, and every so often, instead of behaving like a 31-year-old man should, I get to the laptop and write something like this right now (tomorrow morning will truly be a horrible initiation of the new year ;) ).


Anyway... let's do the homework.


I am the type of guy who does not like to go to courses, which are usually very expensive, time-consuming, boring and not related enough to real life. This is why I usually prefer some self-paced paths, where books and web materials are the best, primary friends. In the case of Microsoft certificates (MCSD.Net) I also convinced my boss to buy the examination training kit from Transcender (wow! they have a new web page) and I was very satisfied with it. I always push myself and my subordinates to focus on some certificate. It is not about being some type of label whore, who needs to have jeans from Wrangler in order to feel better, but having a material goal is always a good motivator, and one which you can set in time - usually the certain date and hour of the exam, when you shake like the leaves on a tree in autumn. Anyway, I am crossing my fingers for you ;) and I give you one hint...


If you fail, there is always the possibility of a next shot. I remember until today one exam at my university when I had three make-ups; the most horrible thing was that each time I spent double the amount of time over the books and the result was doubly miserable :D Professor Jan Węglarz finally gave me the lowest possible grade to pass, just to get me out of his sight. Standing in front of him I truly considered refusing the offer despite my desperate situation, but as usual my opportunistic side won ;) EVERYBODY has at least one story of this type - you must set yourself up and take a challenge.


The second and more interesting source of knowledge is people. There are two main figures who have been the sources and spiritus movens (surprisingly I could not yet find the English explanation of these Latin words). One of them is positive and the second one is rather negative.


The first one was Clem Predergast, who rather acts than publishes, and this is why there is nothing about him on the web. He was, though, the one true manager whom I met and whom I could watch managing and leading people in software projects. It was more about the soft skills and the ability to motivate people in the right direction, but there was also the "know-how" import from the Irish island and the Performix company: how the support mechanisms work, how QA labs should look, what a road show is about, where there is sense in pumping money and how to gain support from executives. He had tons of phrases which, I am sure, most of the people who have worked with him will remember for a long time, like "all hands on pump". I keep catching myself repeating them or doing some small things the same way he did, like learning first how "cool" and "shit" sound in the foreign language when I am in one of those countries where neither German nor English is the mother tongue. Learning by example is definitely the best possible method.


The second person is much more interesting and I have been growing up with this feeling for years. This person probably had better hard skills than I had at every technical level - starting from code, through architecture and finishing at knowledge of methodologies (especially the agile ones). I am quite sure that he still has these skills better, but he had some problems with soft skills. Unfortunately, it turned out after some time that we do not work together but against each other. Why do I bring up the situation? Because he was a perfect challenge, which (or rather who), I admit publicly in this new year 2008, still sits in my mind and keeps challenging me in the areas about which we had those short, usually intense discussions. Of course that is not my main or even secondary motivator, but for example it forces me to review every so often all the existing methodologies, not only the ones which I prefer or which can be useful.


Where books can be treated as hardware, people would be the software - you need both and you need to have some balance. You need hardware to load software, you should not have too much software on a weak machine and, most important... do you really need Vista? :D