awprofessional.com · Domains

Mongrel Shortcuts

News · Bookreview · 2006-12-18 08:33 · posted by samzenpus · from the serve-it-up dept. · 53 comments

Simon P. Chappell writes "I'm not normally much of a one for reading and learning out of eBooks, but after a little gentle persuading from my regular contact at the publisher, I agreed to take a look at their Mongrel Shortcut eBook. Mongrel is a pure Ruby web server, and while it is normally associated in most people's minds with Ruby on Rails, it is actually possible to run it standalone, anywhere that you have Ruby. As one who is very firmly in the "dead tree" camp for my choice of reading media, I was surprised to find myself impressed with Addison Wesley's range of Shortcut ebooks; they really are close to the readability of regular books." Read the rest of Simon's review. Mongrel Shortcuts author Matt Pelletier and Zed Shaw pages 106 publisher Addison Wesley rating 8/10 reviewer Simon P. Chappell ISBN 0321483502 summary An excellent guide to configuring and using Mongrel.

The obvious market segment for this book is the Ruby on Rails developer who wants to understand more about the server that their application is running on and who would like to take more responsibility for it's installation and ongoing maintenance. A second target audience would be those who are looking for a small, efficient and robust web server. Mongrel, through strict adherence to the HTTP 1.1 specification has stayed small and very resistant to many forms of Internet attacks. There is a demand for that kind of server and this book will help those who need it.

Interestingly, these shortcut books are not available through the normal online bookstores. They are currently only available through www.awprofessional.com/ruby or www.informit.com/shortcuts. I'm not sure of the logic behind this and I wonder if that isn't going to hamper sales efforts.

At the risk of pointing out the obvious, this is an eBook and as such is supplied as a Portable Document Format (PDF) file. There are two big positives for me with this book. The first is that the file has no Digital Rights Management technology. This means that you are free to copy it to your computer, but you cannot share the file with anyone else. This is very reasonable approach for Addison Wesley to take and I applaud them for this. Now that they've shown their trust in us, I just hope that those who purchase this book will abide by those conditions. (Apparently, they don't trust me as much as they trust you, because my copy has "Review Copy Only" on the top of each page! :-)

The second positive with this book is that it's formatted with landscape orientation. This means that the long side of the page runs horizontally and thereby allows the whole page to fit nicely on a standard laptop screen with a very readable text size. Landscape orientation makes for very a clean page layout, a matter of vital importance if you're expecting folks to read it from a computer screen.

As far as the structure of the content, this book eschews chapters in favor of sections. Of course, with no section more than twenty pages long, calling them chapters would have been stretching a point. The nine sections cover about every aspect of using Mongrel that you could hope for in a short book.

The first section introduces the book and explains the formatting used as well as the special little sidebars called "Zed Sez". These are highly opinionated, but very insightful, asides on aspects of Mongrel; they cover reasons for writing it and why it was written the way it was. Section two is an introduction to Mongrel itself, the benefits of using it and the license that it is made available under. Section three works through everything you need to know to get started with Mongrel. Naturally, this includes installing it and basic usage.

Section four covers configuration and the array of command-line options available to the developer or administrator running Mongrel. Section five looks at production deployment and examines a typical deployment. Now, production deployments are an art in themselves, so not every aspect can be covered in a section like this, but it does get you started and presents a not unreasonable approach. Section six explores the options for extending Mongrel. Write your own commands, handlers and plugins; this section will show you how.

Section seven shows how to debug your Mongrel configuration and applications. Section eight looks at performance, another thing that's hard to generalize. Here the emphasis is mostly on gathering data so that you can make meaningful decisions for your own situation. Finally, there is a collection of resources; links for Mongrel, and frameworks that run on it.

In addition to the reasons to like the book that I mentioned back at the start of the review, the book is very authoritative. Having Zed Shaw, the primary author of Mongrel, as the co-author is a powerful help of course. Speaking of Zed, I very much enjoyed his little "Zed Sez" sidebars. To describe his style as "pithy" might be an understatement, but they are certainly very informative and they give interesting insight into the writing of a rising star open-source software package.

For all of the positives, there is no hiding the fact that this Shortcut eBook is only 106 pages long. One of the consequences of this is that there is reduced depth. The material that is in the book is very good, but I know that there were a couple of places where more material would have been very useful. So, if you normally look for vast tomes of ultimate completeness, this might not be a good selection for you.

In conclusion, this seems like a very useful guide for anyone who is starting out to configure and use the Mongrel web server for their Ruby projects.

Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Spring Into PHP 5

News · Php · 2005-08-11 07:00 · posted by timothy · from the bounder-of-adventure dept. · 229 comments

Michael J. Ross writes "A professional programmer could at any time be tasked with developing a nontrivial application using a language or Web technology with which he or she is unfamiliar. A common response is to quickly scan code snippets in Internet newsgroups and online tutorials, copy and paste code that looks applicable to the task at hand, and then lose valuable time trying to make it all work and control what was created -- not unlike Dr. Frankenstein's experience. A smarter approach is to learn the language basics in sequence as rapidly as possible, not getting bogged down in excessive sample code. For developers seeking to learn PHP using the latter approach, Steven Holzner's Spring Into PHP 5, published by Addison-Wesley, would be an excellent choice." Read on for the rest of Ross's review. Spring Into PHP 5 author Steven Holzner pages 340 publisher Addison-Wesley rating 8 reviewer Michael J. Ross ISBN 0131498622 summary A comprehensive and no-nonsense primer on the basics of PHP.

This title is another entry in Addison-Wesley's promising "Spring Into" series, which, as suggested by the name, is aimed at developers who want to jump into a new technology and get up to speed as quickly as possible, but without missing any of the essentials. In the case of Holzner's PHP book, this goal is pursued by presenting the information in so-called "chunks," with each spanning just a few pages. Every chunk attempts to cover only one or a few related ideas, and is designed to build upon earlier chunks. The bulk of the explanation takes the form of code samples, which fortunately are short enough in length and clear enough in composition to be easily digestible. This is in stark contrast to far too many other programming books on the market, whose code samples can span multiple pages, making it difficult for the reader to discern all of the ideas that the author is trying to get across -- especially when the reader has to flip back and forth between pages. Even worse is how some authors (such as Deitel and Deitel) use lengthy code listings -- sometimes even complete applications -- to demonstrate many ideas at once, which can be quite confusing, especially for the newbie reading about a challenging language for the first time. As Holzner notes in his preface, his book is example-oriented, with dozens of tested code samples. But none are overwhelming.

Spring Into PHP 5 was published on 12 April 2005. It is organized into nine chapters, covering a range of topics: PHP essentials; operators and flow control; strings and arrays; functions; PHP in HTML pages; Web forms and input validation; object-oriented programming and file handling; PHP and databases; cookies, user sessions, FTP, e-mail, and hit counters. The book has two appendices. The first one, on PHP language elements, is remarkably complete, considering that it only fills 18 pages. Owners of the book will likely find themselves turning to this material quite frequently. The second appendix lists the most commonly used functions in PHP, particularly those dealing with arrays, strings, and files. These two appendices combined go a long way to making this book more than an approachable primer -- it could serve as a reference book for the language for any reader not required to dig into the more obscure intricacies of PHP. Readers with those needs will have to use more detailed sources, such as the online PHP Manual.

Each one of Holzner's chapters explains the core concepts, using the bite-sized chunks mentioned earlier. This approach is somewhat similar to the "recipes" found in many books published by O'Reilly Media, and it works well here for introducing a computer language. Holzner's writing style is clear yet never condescending, and concise yet never cryptic. The intended reader only really needs an understanding of simple HTML and how to edit text files, to make this book worthwhile and usable. The book is meaty with information, and yet not too lengthy. This is a refreshing change of pace from countless other computer language books that are bloated with redundant sample code and overly wide margins, apparently in an attempt to entice the consumer with maximum page count per dollar.

Some programming books try to move the novice along at too rapid a pace, which can get quite discouraging if and when the reader is unable to follow the discussion, and particularly if trying to follow the author in building a working example. But a far more common mistake among programming books, is to drag out the process with humongous code listings or redundant verbiage (such as following the senseless rule of telling the reader something three times -- a technique that makes far more sense for speechwriting). Holzner sets and maintains an excellent pace, partly by keeping the code snippets reasonably sized, and partly through his modular approach of presenting ideas in chunks.

The physical book itself is well made and attractive, with a readable font face and size, and intelligent use of bolding to highlight those lines of code upon which the reader should focus. My only complaint in terms of the presentation, is that the gray background used for the code samples could be lightened up a bit, to make the text itself stand out more, especially the bold text. All of the screenshots are in black-and-white, which works just fine, as there would be no value in using color in the majority of the sample Web pages.

The author does an excellent job of explaining and illustrating all of the most commonly used and needed elements of the language. But he provides little guidance as to when a particular technique or approach should be used over another. For instance, when explaining how the programmer can use PHP to connect to a MySQL database, the author presents two alternatives -- direct layer and Pear::DB -- but no recommendations as to the choice of one over the other. On the other hand, one might argue that to include recommendations of techniques, as well as language best practices, would require the book to be much longer than it is, which would detract from the book's goal of getting a programmer up to speed on PHP in an efficient manner. The serious programmer who wishes to take PHP to the next level, can be expected to read more advanced books, to learn from expert PHP developers posting in online newsgroups, and to learn from experience as the programmer creates his or her own applications.

Another potential point of criticism could be that the book does not adequately explain how to use PHP with the various available database systems, only covering MySQL (the industry's favorite for use with PHP). But the database chapter, number 8, provides just enough information for the beginner to get started and to try out the basics. For simple database needs, the material in that chapter might be sufficient. Yet for more extensive MySQL usage, including installation and administration, other resources will need to be consulted. This book is clearly not intended to be one of those PHP + MySQL combo books that have proven so popular during the past few years.

The publisher's Web site for the book does not appear to have any collection of errata. Here are some that I found: On page 6, in the NOTE, "scripts can be used" should read "scripts cannot be used." On page 20, "#/ message to the user" should read "# message to the user." On page 49, in Table 2-4, in the last line, the formatting is partly wrong. Examples 3-1 through 4-14 contain incorrect indentation. On page 158, the last line in the $_FILES['userfile'] values is missing $_FILES['userfile']['error']. In Examples 5-19 and 5-20, the <head> and <h1> tags are missing ": Take 1." On page 169, the formatting of Example 6-2 is inconsistent with the others.

Aside from the errata, there were some other weaknesses -- none of them serious: The chapter summaries are useless, like in most other technical books, as there's not enough details to be instructive, and more details would make them even more redundant and space-consuming. On page 176, in Figure 6-6's caption, "Navigating" should be "Redirected." On page 197, the discussion of HTTP authentication is too brief to enable the typical reader to implement it. For instance, there is no mention of where to set $_SERVER[ 'PHP_AUTH_USER' ] to make it work. Chapter 7, on object-oriented programming and file handling, should be split into two chapters. Combining them makes no sense, and the author does not even transition from the first topic to the second.

Like others in the "Spring Into" series, this title is reasonably priced, at only $29.99 list for over 300 pages of quality material. The publisher, Addison-Wesley, has a page on their Web site devoted to the book, which includes a book description, a table of contents, an index, source code from the book, and a link for downloading a sample chapter (in PDF format), namely, Chapter 3, which covers strings and arrays. The site also has a link to a bonus chapter (also in PDF) that explains how to draw graphics interactively on a Web server and then send them back to the browser. Oddly enough, the page's title is "Spring Into PHP 5 - $20.99," but there's no indication as to how to get the book for only $20.99. That could simply be a typo. But there is a link to purchase the book online for $26.99. For those looking to spring into Web server-side development in general, or PHP in particular, it would be money well spent.

Michael J. Ross is a freelance writer, computer consultant, and the editor of the free newsletter for PristinePlanet.com. You can purchase Spring Into PHP 5 from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Spring into HTML and CSS

Books · Programming · 2005-06-14 07:20 · posted by timothy · from the brevity dept. · 131 comments

Simon P. Chappell writes "One of the perks of regular book reviewing is that, periodically, you'll check your mail box and discover a book waiting for you. A serendipitous surprise! I don't review all such books that I receive, but this one, Spring Into HTML and CSS by Molly E. Holzschlag, stood out from the crowd and I felt that I should share my thoughts on it with you." Read on for Chappell's brief review. Spring into HTML and CSS author Molly E. Holzschlag pages 316 (18 page index) publisher Addison Wesley rating 9.5 out of 10 reviewer Simon P. Chappell ISBN 0131855867 summary A great book for learning or upgrading your current skills.

Who's it for?

This seems a very clearly targeted book. It's directed towards professionals that need to work with websites, but do not necessarily have a software development background.

The Good Stuff

The approach of the book reflects the targeted audience very well. The book starts by introducing a basic HTML page and then building upon it by showing how to add text and graphic content. The next couple of chapters then show a few more advanced subjects like forms and tables. The second half of the book then moves into explaining CSS, starting with some of the basic ground rules and then moving into applying colours, styles and borders to the HTML document. The last chapter is a cookbook of classic layouts, explained clearly and with code.

Even though I'm not a typical member of the intended audience, I found the organisation of the book very well thought-out and with a good sense of flow. Each chapter builds on the preceding one, with a small set of examples that are built up through the course of the book. Each chapter is broken into one or two page "chunks," as the book itself describes them. These chunks are small discrete explanations of aspects that the chapter covers. For example, in the chapter on images, the chunks cover topics like adding alternative text to an image, specifying its height and width and using an image in a hyperlink.

For me, the combination of the chunk organisation and Molly's writing makes the book. The chunked approach fits the needs of both learning a new subject without being overwhelmed and those that want more of a reference capability. This book is not written to be a reference work, but with everything being so well partitioned, it comes close enough to meet my need for a good reference work as well. Some authors tell you about their subject, but Molly really does seem to explain it to you. A subtle difference, but one that gives this book the edge.

As a book that aims to be practical, the examples were very well chosen. There are plenty of pieces of example markup and images of the resulting rendering. The markup is nicely laid out and the images are large enough to show the effect, but not so large as to interrupt the flow of the explanation. The other nice thing about the examples, especially in the CSS section of the book, is that the examples are consistent. The same portion of text, from The Black Cat by Edgar Allen Poe, is used throughout. I found that this helped clearly show the difference between the effects being taught. The text stayed the same, only the layout changed with the new style being shown. Very effective.

Groan!

My first inclination when I saw that the book was part of a new series called "Spring into ..." was to groan and wonder when they were planning to fire the marketing non-genius that dreamt up such a bad title! Thankfully the contents more than make up for the corny name. The only other thing that bugged me was the inclusion of two appendixes with HTML and CSS reference information in them. The references are annotated very well with practical considerations, so I'm only going to knock off half a point from what would otherwise have been a perfect ten.

You can purchase Spring into HTML and CSS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Managing Information Security Risks

News · Security · 2005-02-21 09:30 · posted by timothy · from the stochasticism dept. · 67 comments

nazarijo (Jose Nazario) writes "With regulatory compliance hanging over so many peoples' heads (GLBA, SOX, HIPAA, etc), information security and related fields have taken on a new twist in recent years. To that end, a number of people are looking at formal evaluation methods like OCTAVE to help guide them through the tricky world of audits. It's a sensible move, too, because you want something documented, thorough, and demonstrable when it comes to an audit, and preferably something objective. The book Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee is intended to help you fill this need." Read on for the rest of Nazario's review. Managing Information Security Risks: The OCTAVE Approach author Christopher Alberts and Audrey Dorofee. pages 471 publisher Addison-Wesley Longman rating 5 reviewer Jose Nazario ISBN 0321118863 summary An introduction to information security risk management using the OCTAVE method

Authors Alberts and Dorofee are the principal developers of OCTAVE and are staff members at the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), where CERT has offices. As such, they're the right people to describe OCTAVE. The CERT OCTAVE website area explains the process in more detail. Needless to say, OCTAVE is a very large, complex, heavy process for an organization to go through, with some arguable benefits. Very few organizations have done so to the best of my knowledge -- most of them are scared off by the complexity of the whole undertaking.

This brings up a very important point. It's important to state the difference between a critique of the OCTAVE method and the book itself. OCTAVE is interesting in that it's an attempt to formalize the complex process of information security evaluations. Despite its shortcomings and turnoffs, it has a purpose, and I wont dispute it for the most part. The book, instead, covers an abbreviated format of OCTAVE. It's important to focus on the strengths and weaknesses of the book and not the topic.

The books is organized into three main parts. Part 1 (covering chapters 1 and 2) is an introduction to the principles being discussed in the book. The method itself, and therefore these chapters, focus on a formal evaluation of information security risks and how to manage them. The principles focus on enumeration of assets, their threats and vulnerabilities, and then remediation of the threats to minimize the risk. The section introduces the core concepts to this philosophy.

Part 2 of the book, covering chapters 3 through 11, server two main purposes, preparation and then execution of the method. Chapter 3 introduces the fundamentals of the OCTAVE method, specifically how the three phases (asset-based threat profiles, vulnerability identification, and security strategy planning) fit together. The inputs of the method and its outputs are then described; you'll be using them in later chapters. Chapter 4 helps you prepare for the approach in your organization, including how important it is to get management buy-in, who will participate, and how to organize the evaluation. Project managers will adore this chapter.

The next few chapters cover the meat of the OCTAVE method. Chapter 5 covers processes 1 to 3, where assets are enumerated and the current state of the security profile is captured, as well. This step is crucial for building a baseline and knowing what you'll have to cover. Chapter 6 leads you through the threat profile, where you examine assets that you've identified as critical and the security requirements for them. And finally, in Chapter 7, the basic identification steps are done as you identify critical infrastructure components to examine later on. This is done so that you can work efficiently, as opposed to studying every asset in depth. By studying classes of assets you can (hopefully) achieve the same coverage without spending valuable time repeating the process.

Chapters 8 and 9 deal with the commonly understood parts, the actual vulnerability and risk analysis. Chapter 8 discusses vulnerability assessment tools and some basic questions to ask about them, but leaves the actual evaluation of those tools up to another text. Chapter 9 then helps you undertake the actual risk analysis, such as the impact of any threat being realized or the probability that one would be encountered. This is what most people think of when they think of an information security audit.

This gets to what is perhaps my biggest complaint about the book. It doesn't teach you how to think creatively about threats to information security. Instead, you're told to enumerate assets and threats against them via brainstorming, as though you'll somehow "get it" the first time (or every time). For someone new to the field, this can be hard, because not all assets are obvious -- and not all threats are understood. It's a hard skillset to teach, but it should have been attempted with more gusto.

Chapters 10 and 11 close the big circle of an information security audit, by developing an information security protection strategy. It's basically a series of outlines of meetings and their agendas as you present the findings of the evaluation but are (obviously) vague in the absence of any concrete findings.

This is probably a good time to raise another objection to this book. My second biggest complaint is that the authors never cut to the heart of what the OCTAVE method is trying to do. Sure, the book covers a stripped-down version of OCTAVE, but it doesn't ever get at how you can really adapt this to your organization. Instead, it's a series of rigid steps in the OCTAVE method. If you attempt to do something different for whatever reason, you're on your own. Again, an attempt to work in some flexibility beyond what is present in Chapter 12 (An Introduction to Tailoring OCTAVE, the start of part 3) would have been welcome. This chapter just keeps you inside the narrow confines of the OCTAVE approach.

Chapter 13 attempts to bring this home by discussing the practical applications for an organization. They attempt to discuss how a small company would utilize OCTAVE, but to be honest it's so heavy and time-consuming it's hard to see how they would employ anything but the barest of concepts to their workflow. Three other examples are given: a very large distributed organization, an integrated Web portal service provider (which faces unique threats), and large and small organizations. Again, while this chapter attempts to show how to tailor OCTAVE to anything but the largest and most diligently staffed of organizations, it falls to get to the salient points of the method. Instead, it tries to foist the process on them.

Finally, chapter 14 tries to bring it all home and discuss the information security life cycle of analysis, monitoring, control, and implementation (not in that order). They hope that OCTAVE has become a part of this process and show how it complements and matures this process. Instead, I wonder if an organization will think about the effort they just expended and be reluctant to do this again. The appendices are piles of worksheets, charts and workflows to go through with OCTAVE. You can make photocopies and use them if you implement the OCTAVE approach. It's very hard to take consider these methods strong enough when you read about the report card government agencies received for information security. While they may have not been following OCTAVE, it's hard to see how a book that so superficially treats the subject matter can help anyone do better. Almost everything is just a high-level line-item risk-and-mitigation strategy. Things like "Our organization cannot deliver effective or efficient health care without PIDS" and an impact of "High" are, to put it mildly, interesting in their superficiality. So many things are simply glossed over, yet so many worksheets remain. On the other hand, if a fair treatment of threats, assets, and the like were fully discussed the book would be many more volumes, a significantly more tedious tome, and too sensitive to the shifting sands of time.

Overall the book does a decent job of covering OCTAVE's core premises, but doesn't really provide much beyond that. It's a complex process that doesn't work well for a number of organizations. Instead of helping organizations see how to use it, the authors simply keep presenting OCTAVE for what it is, which makes me question the value of this book beyond someone who has already decided to implement OCTAVE. It doesn't seem like it has a lot to offer anyone who doesn't have a large body of knowledge in information security management and a staff to deploy with worksheets in hand. The book simply fails to contribute greatly beyond the very narrow specifics of OCTAVE.

You can purchase Managing Information Security Risks: The OCTAVE Approach from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

High-Tech Crimes Revealed

Books · Books · 2004-11-01 09:30 · posted by timothy · from the alex-is-behind-all-of-them-at-once dept. · 114 comments

Alex Moskalyuk writes "When reading about the computer crimes, we are usually told the victim's point of view. We learn about the thieves stealing thousands of credit card numbers and identity theft victims, who lost their credit history with the wallet they lost at the mall. But how do criminals ever get caught? Who performs the forensic search and participates in sting operations?" Read on for Alex's review of High-Tech Crimes Revealed, which addresses these questions. High-Tech Crimes Revealed author Steven Branigan pages 448 publisher Addison-Wesley rating 9 reviewer Alex Moskalyuk ISBN 0321218736 summary Cyberwar Stories from the Digital Front Steven Branigan is a cop, a system administrator, an Internet security consultant and network security researcher. Ex-employee of Bell Labs now is a founder of a company that "specializes in solving leading edge computer and network security issues."

The book is a collection of high-tech investigations performed by Branigan in cooperation with the police force and sometimes the Feds. Generally Branigan would be involved in forensic research of the evidence and be on the scene as the "computer expert" that cops would refer to when dealing with cybercrime.

Twelve chapters take us through some of the high-tech crimes that the Western world faces today. An attack on the telephone network (unauthorized access to the switches), backdoors left at the former employer, hacking into university networks and the well-publicized identity theft are all covered in the book. Branigan brings up anecdotal evidence from his own career, describes some of his cases in great detail, and provides advice for practitioners in the forensics field.

The author is a Linux/Unix/BSD guru, and he shares his methods for retrieving telltale data from the equipment that the criminals leave behind. He also talks about the generic problems that law enforcement faces when investigating a high-tech crime - how do you obtain a warrant, what's a proper way to conduct searches, how do you work with the confiscated computer so that all the data is left intact?

However, don't expect some secrets to pop-up in regards to data collection - Branigan uses commonly available Linux tools like grep for searching the suspect's hard drive for needed data. More often that not, the investigator, it turns out, depends on his experience, not the book knowledge - one has to recognize the network sniffer log when they see it, and be capable of recognizing the tools freely downloadable from security sites.

Thus it's not surprising that there are some chapters in the book dedicated purely to the author's experience in the field. He describes working with the hackers who have been arrested, discusses how rootkits are spread around, discusses the motivation behind the network attacks (it's not always money, to say the least), describes the structure of a hacking ring and their potential revenues and also talks about ways to unravel the networks. His motto? No crime is too small, and sometimes things so little as missing the rent can lead to more discoveries and tie-ins into bigger crimes.

If you're thinking about becoming a security consultant, a law enforcement officer or just a sysadmin with better than average knowledge of security, this book is an interesting read. It's not a textbook, nor it is technical by nature. It reads more like a detective story, except the stories are real, the culprits are real and so are the victims. One can read the book on two levels - as a forensics tutorial (however, don't expect extended technical tutorials and tools overview) or as an autobiography of a cop, who had to deal with high-tech crimes all his life. If you liked Art of Deception or Hacking: The Art of Exploitation , this title would be a perfect complement.

Chapter 3, If Only He Had Paid the Rent, is available online from Addison-Wesley.

Alex enjoys reading programming, technology and business tech books in his spare time. He also keeps a list of free books available on the Internet for tech readers on a budget. You can purchase High-Tech Crimes Revealed from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

Mono: A Developer's Handbook

News · Programming · 2004-09-29 07:15 · posted by timothy · from the one-at-a-time dept. · 301 comments

vertigo writes "I am reasonably proficient in C and C++ as well as the more common scripting languages, but i always felt the lack of a sweet spot between the hard and fast low-level programming languages and the loosely typed scripting languages. Lately, my interest in the Mono project has been growing. The C# language appears to offer just that sweet spot between power and productivity I've been looking for, and its class libraries like Gtk# seem to provide the programmer with a very clean and intuitive API." Read on for vertigo's review of Mono: A Developer's Handbook from O'Reilly. Mono: A Developer's Handbook author Edd Dumbill and Niel M. Bornstein pages 278 publisher O'Reilly Media, Inc. rating 8 reviewer vertigo ISBN 0596007922 summary An introduction to programming with Mono

When learning a new language such as C#, or working with a new development environment such as Mono, it usually takes some time before you get up to speed in developing programs. Wading through the reference documentation and reading other people's source code often provides much-needed information on how to do certain things. Both, however, are very time consuming and tedious.

Enter Mono: A Developer's Notebook. This book provides a series of task-driven chapters which are thin on theory, but rich on practical content and example code. The featured code snippets are, in contrast to ones in books that teach theory and concepts, not solely designed to illustrate a specific theoretical aspect of programming. Each one is designed to perform a useful task that is essential in day-to-day application programming. What sets this book apart from the multitude of .NET books already available on the market? In order to answer this question it is neccesary to provide a short introduction on Mono.

Mono is essentially an open source cross-platform implementation of Microsoft's .NET development framework and implements the API's which are standardized by ECMA. It is, however, not an exact clone. Besides providing a (partially implemented) stack that provides compatibility with Microsoft's .NET API's, Mono adds a whole new API-stack of its own, consisting of open source technologies such as the Gtk+ toolkit and the Gecko HTML rendering engine. This makes it possible to develop cross-platform applications based on open source technology while (mostly) compiling from a single code-base. In contrast to most .NET books available on the market, which focus primarily on Microsoft's API's in the context of Visual Studio.NET, this book concentrates on the basic ECMA API's and Mono's own open source stack. A complete coverage of .NET and the Mono architecture is outside of this review's scope, so for more information you are advised to check the Mono Project's website.

Before we dive deeper into the content of the book, a short introduction on the Developer's Notebook series by O'Reilly may be useful. The books in this series are styled to resemble the kind of notebooks college students carry around during their classes in which to take notes or, more commonly, draw caricatures of their teachers. The 'notebook' theme persists throughout the look-and-feel of the book. The 278-page thick paperback has a glossy blue cover, complete with faux post-it note and coffee-stains. Inside, the pages are not clean white but lined like the pages found in math notebooks. In the margin, useful comments are scribbled in a font that resembles handwriting. At first I suspected that the 'busy' look would distract from the content, but in practice this was no problem, thanks to the thick black typewriter font in which the bulk of the text is printed.

The chapters in this book are referred to as labs. Each of them focuses on a specific set of tasks and/or features and is divided into several paragraphs. Most paragraphs consist of a number of standard sections following a rigid formula that help you understand a certain aspect of working with Mono. The most common sections are:

How do I do that?: Often using a liberal amount of practical code, this section shows how to accomplish the task at hand, for example working with files.
How it works: In this section, the code and concepts involved in the previous section are explained more in depth, step by step.
What about...: Offers a short focus on more advanced topics or pitfalls.
Where to learn more: If you are craving more information after reading the previous sections, you are often offered a helping hand on where to find more information, providing url's to relevant documentation such as MSDN and other websites.

The first chapter, Getting Mono Running, describes how to get Mono up and running on Linux, Windows or Mac OS X, and how to compile from source on other platforms. The installation instructions for Windows only describe how to install Mono and Gtk#. Integration of Gtk# only in an existing Visual Studio.Net installation falls outside of the scope of the book, but a recent blog entry offers some hints on how to accomplish this. Besides installation, the first chapter offers a short description of the individual tools that make up the mono development. After installation, you will want some kind of editor or IDE to work with. Both the MonoDevelop IDE and several other ways of integrating Mono into your existing environment as a Java or Windows developer are covered. Finally, the community is an important aspect of every open source project. Ways of interacting with the community as well as a guide on how to submit bugs and links to some working Mono/C# applications are part of this chapter.

The C# introduction in the second chapter, Getting Started with C#, is tailored towards people who have at least some proficiency in using an object-oriented language such as C++ or Java. Some differences between C#, Java and C++ are discussed, as well as the differences between value- and reference types, the basics of error handling, working with assemblies and more. Concepts such as classes, methods, inheritance and namespaces are assumed to be known territory. If you have no previous programming experience, Mono: A Developer's Notebook is only useful in combination with a book that teaches programming with C# such as The C# Programming Language by Anders Hejlsberg.

An important part of any modern language is its class libraries. The third chapter, Core .NET, provides an introduction to the standard Framework Library Classes, which describes essential everyday tasks that are part of every program, such as working with files, strings, searching for text patterns and handling collections of data. Besides those basic functions, the chapter also dives deeper into the internals of a compiled assembly, the handling of processes and easy multitasking using threads. Finally, the last paragraph explains how to use a .NET version of the JUnit Java Unit testing framework, Nunit, to test your code.

Developing Gtk-applications with Mono and C# is remarkably easy. Chapter 4, Gtk#, describes the basics of writing Gtk# applications. First, it's neccesary to remark that Gtk# might be a bit of a misnomer. Besides the raw Gtk+ toolkit functionality, Gtk# also includes most of the Gnome libraries like gconf, the gnome canvas, libglade and more. Chapter 4 describes functionality available in the Gtk namespace, the basic Gtk+ toolkit. Gtk+ is a constraints-based toolkit, which means that widgets are not positioned using absolute pixel coordinates but rather on basis of their logical relation to each other. This can be a bit confusing for novices, but this chapter provides a good introduction to the basic principles of writing layouts using Gtk#. The authors provide descriptions of essential operations that almost every application needs, such as creating menus and drawing pixmaps (or more advanced things like using the treeview widget and drag-and-drop), assisted by easy-to-read code snippets.

While chapter 4 introduces basic Gtk# functionality, chapter 5, Advanced Gtk#, delves deeper into more advanced features of the Gtk# library which also include functionality outside of the basic Gtk-namespace, such as the Gnome libraries. Working with Gnome button toolbars, the Glade user interface designer, storing your application settings in Gconf, setting up some preferences through the use of a wizard/druid, asynchronous operations and threading to increase responsiveness of your application while performing background tasks, rendering HTML in your application using the Gecko rendering engine and internationalisation and translation of applications are all described in this chapter.

The use of XML is tightly integrated throughout the Mono framework. It is, for example, the underlying format of the messages that web services use to communicate using the SOAP and XML-RPC protocols. The 6th chapter, Processing XML, describes the XML functionality available in Mono. It starts off by simple operations, reading and writing to an XML-file using relevant examples such as RSS and Dashboard clue-packets. It then proceeds to describe how to modify XML in memory, how to navigate and transform XML using Xpath and XSLT, how to constrain XML in several ways and how to serialize and deserialize objects into and from their XML representation. As in previous chapters, the information density is very high so it might take several reads to grok everything explained. The code examples and accompanying text however are very clear and concise.

The 7th chapter called Networking, Remoting, and Web Services describes the networking functionality available in Mono. The chapter starts off with ASP.NET. Mono's stand-alone XSP webserver and Apache integration with mod_mono are discussed, as well as the basics of writing a web application using ASP.NET's code-behind functionality which enables web applications to completely seperate presentation from the underlying code. Communication using plain tcp/ip, remoting using binary serialized objects and invoking remote procedures using XML-RPC as an alternative to SOAP are also described in this chapter. You might want to encrypt the data you send over the network, so a basic description of the Mono cryptographic API is provided. Finally, a short introduction to database handling using ADO.NET concludes chapter 7.

The 8th and last chapter titled Cutting Edge Mono starts off with an introduction on how to use the GNU Automake, Autoconf and the pkg-config tools to create an easy to build source package of your project. It then proceeds to describe various pitfalls and considerations in case you want to write cross-platform applications using Mono, such as filesystem layout, configuration storage and the calling of native code using p/invoke. A particularly cool project is IKVM, which translates Java bytecode into the Common Intermediate Language bytecode Mono uses. This enables Mono to run Java applications and allows Java and Mono code to inter-operate. A short introduction on the use of IKVM is provided, as well as some code examples on how to call Mono assemblies from Java and use the Java class libraries from within Mono applications. The chapter ends with some other cutting-edge functionality, like how to run a development version of Mono, a preview of the Generics (templates in c++) implementation available as featured in C# 2.0 and how to write Mono programs in Basic.

What is missing? The book doesn't contain a reference section on any of the described API's. If you need detailed information on the C# language specification or an API reference you will need to consult external resources such as the documentation provided with Mono, MSDN, or a separate book covering the topic to make optimal use of the information contained in this book. Fortunately, the book kindly provides pointers on where to find those. The information-density is much higher than you would expect from a book this size. This means the information contained in it is terse. Many topics are treated in a only a couple of pages and the book doesn't take time to explain a lot of programming concepts. The information gets you 'on the road' quickly however, which is exactly what this book is supposed to do.

The strength of this book is that it fills the gap between the earlier-mentioned reference documentation and the need to go out and try to read sourcecode to find out how a particular thing is done. The writing style is clear, concise and neutral. Some topics are clarified by the use of screenshots, which is especially useful in the chapters dealing with Gtk# widgets. All in all, if you are a developer with previous experience in object-oriented programming, Mono: A Developer's Notebook will provide you with an excellent introduction into many of the aspects of working with Mono, its associated libraries and programs.

More information and a sample chapter can be found at the book's homepage.

You can purchase Mono: A Developer's Handbook from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Succeeding With Open Source

News · Business · 2004-09-17 08:15 · posted by timothy · from the persuading-the-gatekeeper dept. · 68 comments

Alex Moskalyuk writes "'Open source is great, but where do we start?' This is probably one of the most frequently asked questions in the corporate world when CIOs are faced with the need to choose between open and proprietary solutions. How do you figure out when it's feasible to implement an open source solution? Are there any support or training options if the solution does get approved, or if the project chosen was an alpha version developed by some student, who's away for the summer? Bernard Golden from NavicaSoft has probably heard the same questions too often, and then decided to write the book." Read on for prostoalex's review. Succeeding with open source author Bernard Golden pages 272 publisher Addison-Wesley Professional rating 7 reviewer Alex Moskalyuk ISBN 0321268539 summary IT manager's guide into implementing an open-source solution

Implementing an open source solution requires a different approach from the buyer's point of view: There is no salesperson you'll get a call from, there are no license agreements to sign and no serial numbers to enter. Access to the software is simplified, but sometimes there are few pointers about what to do next.

Golden takes the reader through different aspects of dealing with open source technologies. As one can see from the table of contents, the information is presented from the business professional's point of view. This title is for an IT manager, not developers or IT personnel who might be using open source products already and feel strongly about them. The basic question that the book explores is this: When does it make sense for an organization to implement an open source product? How do you evaluate the product's maturity, functionality, ease of use, support infrastructure and documentation quality so that running open source within the organization starts making sense?

Golden's answer is the Open Source Maturity Model (OSMM), which the author developed himself. The model asks the IT manager to evaluate the software, support, training options, documentation, integration and professional services on 10-point scale. If the technology ranking reaches a certain score (which highly depends on the userbase), then it will make sense to implement it.

For example, on page 144, when the author discusses software support options, he suggests assigning 6 points for excellent community support, 3 points for available paid support and 1 point for availability of self-support (i.e., an employee who understands the product). So on the next page JBoss gets 6 points for community support (very helpful and respectful forums), 2 points for commercial support (since it was e-mail and phone only, and no on-site support) and 0 points for self-support (since no one within the organization stepped up to claim herself as JBoss expert).

JBoss is the prime example used by the author throughout the chapters, and turns out to be quite a convenient choice -- the company offers commercial support, training and documentation for an open-source product. Golden's model is supposed to help IT managers distinguish high-quality open source projects from 0.0.1 version, so widely available on SourceForge.

The book's primary market is business professionals and IT managers who would probably benefit from having a formal evaluation model instead of relying on pure gut feeling. Despite the book's ambiguous title, it's not a manual on how to create your own business with open-source products. Some chapters will be helpful for figuring that out (Chapter 2 talks about business models in the open source world), but it's mostly for people who are implementing rather than developing open source products. The language is somewhat dry, but if your weekly reading requires CIO Magazine, you're probably used to that.

Something I think the author would have done well to include is a collection of in-depth case studies on open source implementations. There's some data on Sabre and Charles Schwab running successful businesses on open-source infrastructure, but the details are not there. While certain companies publish hundreds of case studies to prove that their products will either save money or allow the customer to make more, the success stories are not that frequently publicized in the open source world. Having such material in the book would provide a confidence booster for an IT manager, I think.

The last chapter or the first appendix is where I would expect to find information on solid open-source products suitable for corporate deployment. I mean, if the evaluation model is introduced, why not list the most prominent projects out there for quick reference? The highest-ranked open-source operating system, office suite, corporate messaging system, accounting and tax package, etc.?

Overall the book is pretty good for a manager who has heard of open source, but has not read too much into it. Chapter 1 in PDF format is available from Addison Wesley site. Golden also wrote an article for OreillyNet that deals with bringing open source into the organization. There's also an interview with the author on TechTarget.

You can purchase Succeeding With Open Source from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.