Friday, May 11, 2012

Are we post PC?

By:  M.K., Senior Software Engineer @ G2

Apple made a big deal about the "post-PC" world with the new iPad announcement.  My question to G2 is what does "post-PC" mean to you and are we entering the "post-PC" world with the current/immediately upcoming generation of phone and tablet devices (iOS 5.1, Android 2.3/4.0, Windows 8)?
To me the term "post-PC" means a time when full blown desktop/laptops are relegated to special purpose and hobbyist/enthusiast endeavors.  The needs of 80% of an average home or business users can be met by a mobile device.  I know there are some arguments that phones/tablets are also PCs, but I am choosing to ignore those, and am using the term "PC" to refer to a combination of  mindset, behavior, and interations that encompasses multitasking, potentially limited connectivity, and a need for local resources (memory, space, processor).
Based on that definition I think we are getting close to a "post PC" era, but aren't quite there yet.  I think the biggest inhibitors right now are UI and connectivity.  UX designers are still trying to work out some of the interactions and standards for the interfaces, and until those are fully worked out some tasks are just better on traditional PCs.  The other roadblock is connectivity, I can't get reliable high speed access to all of the resources online that I would need to totally abandon a pc with local storage and the abilitiy to do almost any task I want with or without connectivity.
The other things I use a PC for, primarily software development and gaming, would fall into the "special purpose/enthusiast" category.  It's possible that once someone comes up with the right interface that gaming,for me, could move onto the tablet. I already work around some of the development issues using code editors on  the iPad, LogMeIn, and Dropbox so that I can develop on the iPad in an emergency but it is not a very productive way to work.

Which Browser is the most secure?

By:  S.S., Senior Security Engineer @ G2

It seems like every few weeks you see some supposed authority claiming that this web browser is the most secure, only to be refuted the next day by another supposed authority that says another is clearly the best. I was reminded of this the other day when I saw that Google was backing out of this year's Pwn2Own contest (rightfully so) and putting up their own challenge with more money on the line. Chrome has come away unscathed over the last few years at Pwn2Own, so clearly it must be the most secure browser, right?
While there are many ways to define "secure", with the Pwn2Own goal being just one, I thought I'd take a look at some data. One way to measure the security of a browser might be to count how many vulnerabilities have been reported. Conveniently we can consult the NVD  to find how many CVEs there have been for each browser. Let's take a look at the CVE count for the last 4 years:

2009 2010 2011 2012 Recent history total
Chrome 39 152 270 41 502
Firefox 126 107 101 11 345
IE 27 59 48 4 138
Safari 72 122 49 0 243
Raise your hand if that's what you expected. Now put your hand down, you look silly with your hand raised.
Is Google overly confident given the track record of Chrome? Are these numbers a reflection of the relative maturity of each browser? Are they related to rapidly the browser changes and thus open to the introduction of new vulnerabilities? What does it all mean? I don't know, but I did find the numbers to be somewhat surprising.

Oracle v. Google

By: S.S., Senior Security Engineer @ G2

If you're anything like me then you've been fascinated by the Oracle v. Google trial for the past few weeks, reading courtroom transcripts daily. If you haven't been following, you need to get up to speed on what has been happening - this trial has the potential for major impacts on everyone here.
The basic premise of the trial, at least in Phase 1, is that Oracle is claiming Google violated Java copyrights in Android. The basic claims Oracle is making is:
  • APIs are copyrightable, and they have legitimate copyright claims
  • 37 APIs from Java are implemented in Android and thus infringe on the copyright
  • There is some code in Android copied verbatim from Java, demonstrating that it was willful violation of copyright
  • Email traffic over the years indicates that Google knew it needed a license
  • Deviation from Java has caused fragmentation of Java and thus hurt Oracle.
Google's basic counter-argument:
  • Oracle can't make copyright claims to everything they're claiming, other parties have claims on some of it
  • Other projects, like Apache Harmony, effectively do the same thing as Android
  • A license is only needed if you want to validate against the TCK and call your software Java compatible
  • Sun was well aware of what Google was doing, and was supportive (remember - Oracle now owns Sun, thus Java)
  • Former Sun CEO says they didn't go after Google because they knew they didn't have grounds
  • What Android does falls under fair use
  • Android was developed in a clean room, but one of the subs apparently did copy some Java code despite being told not to use anything from Java. Oops, it has since been removed. And it was 9 lines.
The jury has reached a partial verdict, but more on that in a bit. What matters here is the idea that an API could be copyrighted. This case isn't about whether you can "use" the API - nobody is arguing that you can't write Java code that calls the things defined in the API. This is about whether you can do your own independent implementation of an existing API, or is the API protected such that you can't implement it?
If Oracle is right, and an API can be copyrighted, then this sequence of events could happen:
  1. I build a class that has a method called Add that takes 2 integer parameters A and B and returns the value of A + B
  2. I put a copyright on that class
  3. You implement a class with a method called Add that takes 2 integer parameters and returns the value of those parameters added
  4. You just violated my copyright - pay me lots of money
Seem crazy? Yeah, it is. The effects are so far-reaching that it is hard to comprehend. Here's a sampling of things that could be found in violation of copyright if Oracle is correct:
  • Samba, for implementing SMB
  • Jython, IronPython, and other other implementations of Python's API
  • Mono for implmenting C#/VB
  • Any web browser that implements Javascript
  • Any compiler, for daring to understand a language's API
  • C++, for extending C (maybe...) 
So it all seems completely wrong to everyone with a clue but Oracle, and they're obviously just looking for money. Now the question is whether or not the courts have a clue. Interestingly, the decision to this case is a mixture of the judge and the jury. Here's what the jury determined (paraphrased legalese):
  1. Has Oracle proven that Google infringed on the structure, sequence, and organization of the 37 APIs - YES
    1. Has Google proven that this infringement is fair use - TBD
  2. Has Oracle proven that Google infringed on the documentation of the 37 APIs - NO
  3. Has Oracle proven that Google has infringed on
    1. The rangeCheck method in 2 classes - YES (this was the copied code)
    2. Source code in some other files - NO
    3. Comments in a few files - NO
  4. Has Google proven that Sun/Oracle did things that reasonably led Google to believe that they did not need a license - YES
    1. Did Google rely on this to decide that they didn't need a license - NO (In other words, they had more reasons).
Both sides are publically claiming victory, but only the Google lawyers were laughing in court, while Oracle's lawyers were sad.
For question 3, the jury did decide that Google improperly copied some code. This is expected to be inconsequential. Oracle asked the judge for damages for that copied code. Here's the funny exchange:

Oracle: Separate damage calculation.
Judge: Do you want all their profits?
Oracle: No, Your Honor.
Judge: This borders on the ridiculous... Based on 9 lines of copying out of 15 million? That would ge a big, big stretch.

So Oracle probably shouldn't get their hopes up.
But what about question 1? The jury did find that Google infringed on the SSO of those 37 APIs, which is completely understandable - you can't have interoperability without using the same SSO. What the jury couldn't decide was if it was fair use, or in other words, is acceptable. Ultimately it doesn't matter too much that they couldn't decide, as the judge is going to make the bigger decision - can APIs be copyrighted or not?
During this trial a decision on a similar case came out of the EU, which declared that APIs could not be copyrighted. The judge in this case has read that decision and may follow it. Throughout this case it has looked like the judge is leaning toward the Google side, but maybe it is just him placing the burden of proof on Oracle. He certainly hasn't seemed terribly sympathetic to Oracle.
So who do you have in this case? If you like using computers, hope that Google wins...

Tuesday, May 1, 2012

Python, Data Structures, and XML

By: B. Y., SW Engineer @ G2
I recently encountered a problem where I wanted to deserialize XML into Python data structures to help parse host network and binary data.  Unfortunately every XML parser on the Internet was off just enough from what I needed that I realized I was going to have to "bite the bullet" and write my own version.  In doing so I created a very abstract class to help generate complex Python data structures that I thought I would share.
The jist of it revolves around the old CS stack.  If anyone ever had to implement one, you know there are two dominant methods; push and pop.  Lists in Python have the same concept with append and pop, but I wanted to incorporate values as data structures as well, plus the inclusion of dictionaries.  With that I created a class 'ds' that leverages the basic concept of a stack with added functionality of pushing and popping inner data structures.  It goes a little like this:
 $ i = ds()
 $ i.push(5)
 > [5]
 $ i.push(6)
 > [5, 6]
 $ i.pushl()
 > []
 $ i.push(7)
 > [7]
 $ i.drop()
 > [5, 6, [7]]
 $ i.push(8)
 > [5, 6, [7], 8]
 $ i.pop()
 > 8
 $ i.pop()
 > [7]
 Hopefully you can see with this little example it allows for inner lists (as well as dictionaries) to be created while maintaining the global data structure.  There are a few other methods (pushd, coalesce, and ret) that I didn't cover, but this gives a simplistic breakdown.
Anyways, I thought others who leverage Python could use this class so I've attached the source.  If you have any questions on it, or how I used this to deserialize XML, feel free to shoot us an email at