There's a new batch of pictures. This batch is with my uncle Sabi and with my cousin Selim. Of course, the kids play a key role in the pictures :-)


Negative Security and Positive Security

I find myself a lot lately explaining the difference between positive security and negative security.

Positive Security: a security policy based on a model of the application or system being defended. Whatever agrees with the model is considered legal, while everything else is suspected to be illegal.

Negative Security: a security policy based on a model of the malicious things (e.g., attacks, worms, viruses, and so on). Whatever agrees with the model is suspected to be illegal, while everything else is considered legal.
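To make the difference concrete, here is an added example (not from the post) that judges the same request parameters under both policies. The application model (APP_MODEL), the attack signatures and the sample requests are all constructed for the example; the interesting cases are the ones where the two verdicts disagree.

```python
import re

# Positive model: what the application expects, constructed for this example.
# Each parameter maps to (regex the whole value must match, maximum length).
APP_MODEL = {
    "user": (re.compile(r"^[a-z][a-z0-9_]{2,15}$"), 16),
    "page": (re.compile(r"^[0-9]{1,4}$"), 4),
}

# Negative model: signatures of known-bad input, constructed for this example.
ATTACK_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"\.\./"),
]

def positive_verdict(params):
    """Legal only if every parameter is in the model and its value fits it."""
    for name, value in params.items():
        rule = APP_MODEL.get(name)
        if rule is None:
            return "suspicious"          # a parameter the model never described
        pattern, max_len = rule
        if len(value) > max_len or not pattern.match(value):
            return "suspicious"
    return "legal"

def negative_verdict(params):
    """Suspicious only if some value matches a known-attack signature."""
    for value in params.values():
        if any(sig.search(value) for sig in ATTACK_SIGNATURES):
            return "suspicious"
    return "legal"

def compare(params):
    """(positive verdict, negative verdict) for one request's parameters."""
    return positive_verdict(params), negative_verdict(params)

if __name__ == "__main__":
    samples = [
        {"user": "alice", "page": "3"},        # ordinary request: both say legal
        {"user": "alice", "page": "../a"},     # matches a signature: both say suspicious
        {"user": "alice", "debug": "1"},       # unmodeled parameter: only positive objects
        {"user": "alice", "page": "-1"},       # wrong shape, no signature: only positive objects
    ]
    for sample in samples:
        print(sample, "->", compare(sample))
```

The last two samples show the trade-off: the positive model flags anything it was never taught about, while the negative model stays silent on anything that is not already a known signature.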

Warming liquids for babies in a microwave oven

I saw a discussion in a Tapuz forum about heating baby liquid food in a microwave oven.

One person claimed that this is forbidden, and I got curious and started asking questions.


Should XML parsers know anything about XML namespaces?

I asked a question about XML namespaces on the xml-dev mailing list.

The resulting discussion concluded that:

* XML parsers know nothing about namespaces
* namespace processing should be done by the application that uses the XML parser
* a validating XML parser should be namespace aware
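An added example (not from the post or the xml-dev thread) of what the second point means in practice: Python's expat, created without a namespace_separator, reports raw "prefix:local" names and passes xmlns declarations through as ordinary attributes, so the application keeps its own scope stack to map prefixes to URIs. The sample document is constructed for the example.

```python
import xml.parsers.expat

def resolve_names(xml_text):
    """Return [(namespace URI or None, local name)] for each element in document order."""
    scopes = [{"": None}]   # stack of prefix -> URI maps; "" is the default namespace
    resolved = []

    def start(name, attrs):
        # 1. Push a scope built from this element's own xmlns declarations,
        #    which the parser handed us as ordinary attributes.
        scope = dict(scopes[-1])
        for attr, value in attrs.items():
            if attr == "xmlns":
                scope[""] = value or None      # xmlns="" undeclares the default
            elif attr.startswith("xmlns:"):
                scope[attr[len("xmlns:"):]] = value
        scopes.append(scope)
        # 2. Split the raw "prefix:local" name and look the prefix up.
        prefix, _, local = name.rpartition(":")
        if prefix not in scope:
            raise ValueError(f"unbound namespace prefix {prefix!r} on <{name}>")
        resolved.append((scope[prefix], local))

    def end(name):
        scopes.pop()   # declarations go out of scope with their element

    parser = xml.parsers.expat.ParserCreate()   # no namespace_separator: not namespace-aware
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return resolved

# Constructed sample: a default namespace that changes, and prefix p re-bound in a child.
SAMPLE = (
    '<root xmlns="urn:a" xmlns:p="urn:p">'
    '<p:item/>'
    '<child xmlns="urn:b" xmlns:p="urn:q"><p:item/><leaf/></child>'
    '<p:item/>'
    '</root>'
)

if __name__ == "__main__":
    for uri, local in resolve_names(SAMPLE):
        print(uri, local)
```

Note that the parser happily accepts an element with an unbound prefix; it is the application's scope lookup that rejects it.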

Today, while walking and touring in a field, we saw mating Coccinella septempunctata beetles.

Aviv was enjoying himself not only with his new discoveries in the field, but also by stepping into every possible puddle we came across.

A few flowers from my garden after the last rain

See the new Hyacinthus flowers in my garden moments after the recent rain.

A new niece was born on the 15th

My sister-in-law, Irit, gave birth to a healthy baby girl two days ago. The name of the newborn baby is still to be determined.

Some of my reading for today

Wei Zhang and R. van Engelen. "A Table-Driven Streaming XML Parsing Methodology for High-Performance Web Services". ICWS '06: International Conference on Web Services, September 2006, pp. 197-204.

David F. Bacon. "Realtime Garbage Collection". IBM Research. ACM Queue, Vol. 5, No. 1, February 2007.

F. Neven. "Automata theory for XML researchers". ACM SIGMOD Record, Vol. 31, Issue 3 (September 2002), pp. 39-46.

Bryan Ford. "Packrat Parsing: a Practical Linear-Time Algorithm with Backtracking". Master's Thesis, Massachusetts Institute of Technology.

Planting in my garden

I spent an hour on Friday in the Meltser nursery and filled up my Ford Connect with dozens of plants, among them:
* Begonia plants
* Fuchsia plants
* Viola hederacea plants
* Hydrocotyle ranunculoides
* and a few more types.

I'll try and place some images of them soon.

The garden in front of the entrance to our house is now fully planted.
The garden in the back still needs a lot of work:
* removal of the many branches I pruned from the neighbors' trees, which had invaded our garden and cast shade -- too much shade
* renew the grass: replace the al-toro grass with a derben grass
* continue planting in shaded places.

Finally, a picture of my family

Today I took a picture of my family (using the timer...).
Finally, all 5 of us at the same time in the same picture.

About monthly meetings

I replied on the mailing list and explained about the monthly meetings.

My parents got back from Thailand

It seems that they had fun.
I'm looking forward to looking at the few thousand pictures they took and to listening to them describe their experiences.

We bought Purim (פורים) outfits for the kids

We bought Purim (פורים) outfits for the kids:
Aviv will dress up as a pirate.
Sivan will dress up as Snow White.
Nir will be dressed up with the kids' stuff from previous years :-)

I just submitted another patent idea to a patent committee at work

I have just sent another patent idea to the patent committee at work. The idea is about automatic detection of zero-day attacks and automatic creation of signatures from the resulting examples.

Let's wait and see what the verdict will be...

Swimming lessons

Lately, I'm thinking about a swimming course for Aviv. Last year he really enjoyed attending swimming classes.

As soon as the season starts, I'll check the local swimming pool for possibilities.

In the picture you can see Aviv in a swimming lesson. This picture was taken last June.

Two new recruits

Two people I recommended for work have been found qualified and want to come work with us in Tel-Aviv. Hurray!

I was very impressed with them and I'm sure they will be great.

It turns out that with these two, 10% of the workers in our R&D center were recruited through me :-)

I'm trying to get at least 3 additional people in the following weeks.

A discussion about my picture of the Cyclamen persicum in the photography forum in Tapuz

My photograph caused a bit of discussion.


It's my birthday today!!

Happy birthday to me!!
I'm 31 years old today.

Cyclamen Persicum

Among the hundreds of bulbs that I placed in many locations in our garden, I also placed 100 or so bulbs of Cyclamen Persicum, all of the "wild" kind. I bought all the bulbs from יודפת.

In the picture you see the first blossom.

Anemone coronaria

There are many blossoms of Anemone coronaria in our home garden. I placed many bulbs in several locations in the garden. I placed them in layers and during a period of a few weeks.

You can see in the picture some of the first blossoms.

A mushroom

Here's a mushroom I shot this morning at dawn in a field just next to our home.

Dawn in Kfar-Yona

I went out today a few minutes before dawn to set up my camera and take a few shots.
While today was clear, since this evening it has been getting grayer and rainier. Tomorrow is expected to bring heavy rain.

Compress/Decompress all frequently used formats using 7-zip

XML processor attacks continue

Following my blog post from yesterday about XML processor attacks, I'd like to add additional information based on a discussion which I started on the xml-dev mailing list.

David Megginson says that:

* The XML REC does not specify or limit name lengths, literal lengths, the number of attributes, the depth of nested elements, and so on. As a result these are a target for DoS attacks on the XML processor. He suggests a few tests that can be run against an XML processor to check whether it terminates processing before running out of resources and exits gracefully rather than crashing. He states that any XML parser should have built-in limits on such properties.

* He also lists the risks in allowing processing of external fragments.

* He explains how access to an external resource, e.g., a schema or DTD, can be subject to a DoS if the location has been compromised.

Derek Denny-Brown says that:

* A naive implementation of duplicate-attribute detection or namespace-prefix lookup, e.g., a stack implementation where the Nth string is matched against the other N-1 strings, has O(N^2) complexity. He also suggests that if the implementation is hash based and the attacker can guess your hashing algorithm, then the same O(N^2) processing time can be imposed on the parser.
* He also estimates that it would be quite hard to craft an attack that leverages these weaknesses to do much damage, since the scan is extremely fast, so by limiting the size of the accepted document such attacks can be practically blocked.

Richard Salz says that:

* It should be pretty easy to cause a DoS with short messages that have a very large element depth (he gives 1 million as an example). Another example would be badly fragmented nested elements. He further gives examples of very long element names, attribute names, namespace prefixes, and excessively long attribute or namespace declaration values.
* He states that this asymmetry favors the attacker: producing an attack is as simple as printing text, while processing the received document in such cases requires expensive computation.
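As an added example (not from the post or the thread), here is the defensive side of the points above: a streaming parse over Python's expat that enforces the built-in limits Megginson argues every parser should have (nesting depth, name length, attribute count, attribute value length, total size) and stops with a clear error instead of exhausting the stack or memory. The limit values and the two input documents are constructed for the example.

```python
import xml.parsers.expat

class LimitExceeded(Exception): pass   # raised as soon as a configured limit is hit

# Limits chosen for this example; a deployment tunes them to its own documents.
LIMITS = {"depth": 64, "name_len": 256, "attrs": 64, "value_len": 4096, "total_bytes": 1 << 20}

def bounded_parse(data: bytes, limits=LIMITS):
    """Stream `data` through expat, aborting when a limit is hit.
    Returns (element_count, max_depth_seen) on success."""
    if len(data) > limits["total_bytes"]:
        raise LimitExceeded(f"document is {len(data)} bytes, limit {limits['total_bytes']}")
    depth = 0
    stats = {"elements": 0, "max_depth": 0}

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > limits["depth"]:
            raise LimitExceeded(f"nesting depth {depth} exceeds {limits['depth']}")
        if len(name) > limits["name_len"]:
            raise LimitExceeded(f"element name of {len(name)} chars exceeds {limits['name_len']}")
        if len(attrs) > limits["attrs"]:
            raise LimitExceeded(f"{len(attrs)} attributes exceed {limits['attrs']}")
        for key, value in attrs.items():
            if len(key) > limits["name_len"] or len(value) > limits["value_len"]:
                raise LimitExceeded(f"attribute {key[:20]!r} has an over-long name or value")
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)   # an exception raised in a handler stops expat and propagates here
    return stats["elements"], stats["max_depth"]

# Constructed inputs: an ordinary document, and one that is tiny on the wire but deeply nested.
NORMAL = b"<doc><item id='1'/><item id='2'><note>hi</note></item></doc>"
DEEP = b"<a>" * 100 + b"</a>" * 100   # 700 bytes, depth 100

if __name__ == "__main__":
    print(bounded_parse(NORMAL))
    try:
        bounded_parse(DEEP)
    except LimitExceeded as exc:
        print("rejected:", exc)
```

Because the checks run in the start-element callback, the deep document is rejected at depth 65 after only a few hundred bytes have been read, which is exactly the cheap early exit the discussion asks for.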

I'm still collecting and organizing material, and I hope that in the next few days I will be able to write a detailed and better organized summary on the subject. I'll post it here on my blog and will probably also announce its availability on xml-dev, at least to be polite and report my conclusions and contributions back to the discussion.