Domain: ietf.org
Stories and comments across the archive that link to ietf.org.
Stories · 149
-
iCalendar, Project Management, Agenda, CVS and Perl?
parasew asks: "I am searching for Web-based Project Management Software, which should be (mod-)perl based, so I can enhance it or put it into an existing environment using MovableType, which is in a sort of alpha state. I found a site about Call Center, Bug Tracking and Project Management Tools for Linux and also this short listing, but sadly they are just a bunch of projects which only come close to the kind of tool I am searching for. Gantt and Chronos seem to be very nice Web-Calendar packages written in Perl. I was just wondering why no one is using iCalendar (does anyone know of Perl-based Software using iCalendar?), as most of the Agenda Software uses iCalendar, and even Mozilla Calendar is capable of subscribing to remote Calendars. This looks very interesting to me. In general, I wanted to ask you Monks for the best way to do this. Should I create a new app from scratch or reuse existing stuff?"
"Here are the features I am looking for:
- The use of Calendars (multiple users) and iCalendar Support
- File-Pool for projects (CVS-based or similar)
- Progress-bar for showing the current state of a project
- A public calendar where users can publish events from their private calendars
Please also see my topics on PerlMonks and MovableType
Thanks for any help, hints or suggestions." -
SMTP AUTH and ODMR Providers for Personal SMTP Service?
no_such_user asks: "After a few years of successfully running a personal mail server at home via my residential cable modem, some organizations (i.e. AOL) and spam filters are now denying SMTP connections originating from residential/dynamic networks. Additionally, my ISP will likely block incoming SMTP traffic at some point. While I applaud these attempts to fight spam, I enjoy the freedom I have running my own mail server, and don't want to switch to a mail hosting provider using POP/IMAP/Webmail. What I need is a provider which does both ODMR (on-demand mail routing) and SMTP AUTH. Unfortunately, the only provider I've found is outside my country (US) and is more expensive than I was hoping for. Without switching to 'business class' internet service, what are my alternatives so that I can continue to run my own mail server without spending a fortune? I don't mind being subject to reasonable daily transfer limits or speed limits to prove I'm not out to spam anyone. Perhaps there is something like a DynDNS service for mail? Or perhaps someone provides permanent IP addresses which I can add to my server via VPN?" -
Free IPv6 Subnets Are Going Away
ar32h writes "The 6bone is going to be phased out soon. This means all of us who have IP addresses or subnets beginning with 3ffe from tunnel brokers like Freenet6 are going to be sorry out of luck." According to the linked phaseout plan, "It is anticipated that under this phaseout plan the 6bone will cease to operate by July 1, 2006, with all 6bone prefixes fully reclaimed by the IANA," but there are a number of sub-deadlines along the way. -
IETF to Look at Spam
m00nun1t writes "CNET has an article about the Internet Engineering Task Force (IETF) looking at what they can do about spam. According to the article, many of the proposals seem to "require changes in basic e-mail technology", which presumably means SMTP (and about time!). Maybe they are looking beyond just SMTP - anyone have any insights here?" -
Cornucopia of Spam
Eric Savage writes "The IETF, through the IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution to the problem, it appears the first significant step has been taken. More info here in ITworld and here in ComputerWorld." Three more exciting spam-related posts inside, including news from the Nevada legislature regarding spam, Arkansas' dislike of the meaty email and "when students go bad".
torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easily identify unwanted ads. In addition, spoofing of the sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecutors to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this "Amazing Offer"."
And in Arkansas: A.G. Russell writes "With House Bill 1008, subtitled "Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act," Arkansas looks to join other states that have criminal and civil legislation in place to deal with spam. Can we help them craft this?"
And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over university networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortgage, etc. spam on the planet." Should have booted the miscreant.
-
DoC to Extend ICANN's Control of IANA
Luminous Coward writes "I first saw this on The Register. Kevin Murphy of Computerwire reports: The US Department of Commerce last week quietly published a document detailing its decision to "sole-source" the contract for the so-called IANA (Internet Assigned Numbers Authority) function to ICANN, as opposed to opening the contract for competitive bidding. ICANNWatch explains why this is a bad idea. They also report that the ccTLDs and the Internet Multicasting Service have expressed interest in running IANA." -
The 20th Anniversary of the Internet
Ross Finlayson writes "In a message posted to the IETF general mailing list, Bob Braden reminds us that, on January 1st, 2003, 20 years will have passed since "the most logical date of origin of the Internet [...] when the ARPANET officially switched from the NCP protocol to TCP/IP". And the rest is history..." -
SDSC Secure Syslog
Wee writes "I saw this morning that the San Diego Supercomputer Center has released Secure Syslog, a replacement for the standard Linux/UNIX syslog daemon they've been working on for some time. It adds security and performance features (modular design, highly scalable), while retaining backwards compatibility. According to their announcement, it is the first syslog implementation to target "syslog-reliable" (RFC 3195) functionality and it is the first syslog targeted at very high performance and forensically-sound auditing. It's currently under the UC's "free for non-commercial use" license, but they are looking at moving to a completely open license (BSD-style licensing was mentioned). If you have high-traffic systems and you need reliable syslogging, this might be worth a look. Those needing syslogging over TCP/BEEP, sockets, etc. as well as UDP might also want to check it out." -
Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release
Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessible without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left...creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against each other, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc ( linkcat ), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrilla Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".) In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds." -
Root Zone Changed
An anonymous reader writes "The day before yesterday the root zone was silently changed for the first time in 5 years. The change was to J.ROOT-SERVERS.NET, which is now managed by Verisign. The usual sites don't breathe a word about this change, however, as one would expect such a change to be properly announced. An interesting sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501." -
iSCSI Moves Toward Standard
EyesWideOpen writes "The iSCSI technology, which allows computers to connect to hard drives over a network connection such as a company Ethernet network or the Internet, requires only minor changes before the Internet Engineering Task Force endorses it as a formal version 1.0 standard. A final round of comments has been completed on the technology according to the Storage Networking Industry Association, the subgroup that led the creation of the iSCSI, and as a result companies now can start building iSCSI products." -
Jabber Could Get An IETF Working Group
21mhz writes: "There is a story on CNET news that provides an analysis of what is happening with SIP/SIMPLE, AOL protocols and Jabber/XMPP in the IETF. It says that Jabber is close to securing a dedicated IETF working group, in spite of political struggle and corporate maneuvering." -
XML Namespaces and How They Affect XPath and XSLT
Dare Obasanjo writes: "XML namespaces are an integral aspect of most of the W3C's XML recommendations and working drafts, including XPath, XML Schema, XSLT, XQuery, SOAP, RDF, DOM, and XHTML. Understanding how namespaces work and how they interact with a number of other W3C technologies that are dependent on them is important for anyone working with XML to any significant degree." Some heavy reading below, as Dare completes the thought.
This article explores the ins and outs of XML namespaces and their ramifications for a number of XML technologies that support namespaces. What follows is a shortened version of my first Extreme XML column.
Overview of XML Namespaces
As XML usage on the Internet became more widespread, the benefits of being able to create markup vocabularies that could be combined and reused, much as software modules are combined and reused, became increasingly important. If a well-defined markup vocabulary for describing coin collections, program configuration files, or fast food restaurant menus already existed, then reusing it made more sense than designing one from scratch. Combining multiple existing vocabularies to create new vocabularies whose whole was greater than the sum of its parts also became a feature that users of XML began to require.
However, the likelihood of identical markup, specifically XML elements and attributes, from different vocabularies with different semantics ending up in the same document became a problem. The very extensibility of XML, and the fact that its usage had already become widespread across the Internet, precluded simply specifying reserved element or attribute names as the solution to this problem.
The goal of the W3C XML Namespaces recommendation was to create a mechanism by which elements and attributes within an XML document that come from different markup vocabularies can be unambiguously identified and combined without processing problems ensuing. The recommendation provides a method for partitioning the items within an XML document according to processing requirements without placing undue restrictions on how those items are named. For instance, elements named <template>, <output>, and <stylesheet> can occur in an XSLT stylesheet without there being ambiguity as to whether they are transformation directives or potential output of the transformation.
An XML namespace is a collection of names, identified by a Uniform Resource Identifier (URI) reference, which are used in XML documents as element and attribute names.
Namespace Declarations
A namespace declaration is typically used to map a namespace URI to a specific prefix. The scope of the prefix-namespace mapping is the element on which the declaration appears, that element's attributes, and all of its descendants. An attribute whose name begins with xmlns: is a namespace declaration; its value is the namespace URI, which is the namespace name.
Here is an example of an XML document where the root element contains a namespace declaration that maps the prefix bk to the namespace name urn:xmlns:25hoursaday-com:bookstore, and its child book element contains an inventory element carrying a namespace declaration that maps the prefix inv to the namespace name urn:xmlns:25hoursaday-com:inventory-tracking.
<bk:bookstore xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">
  <bk:book>
    <bk:title>Lord of the Rings</bk:title>
    <bk:author>J.R.R. Tolkien</bk:author>
    <inv:inventory status="in-stock" isbn="0345340426"
        xmlns:inv="urn:xmlns:25hoursaday-com:inventory-tracking" />
  </bk:book>
</bk:bookstore>
In the above example, the scope of the namespace declaration for the urn:xmlns:25hoursaday-com:bookstore namespace name is the entire bk:bookstore element, while that of urn:xmlns:25hoursaday-com:inventory-tracking is the inv:inventory element alone. Namespace-aware processors can process items from both namespaces independently of each other, which makes multi-layered processing of XML documents possible. For instance, RDDL documents are valid XHTML documents that can be rendered by a Web browser but also contain information using elements from the http://www.rddl.org namespace that can be used to locate machine-readable resources about the members of an XML namespace.
It should be noted that by definition the prefix xml is bound to the XML namespace name http://www.w3.org/XML/1998/namespace. This special namespace is predeclared with document scope in every well-formed XML document; it may be declared explicitly but must not be bound to any other namespace name.
Default Namespaces
The previous section on namespace declarations is not entirely complete because it leaves out default namespaces. A default namespace declaration is an attribute with the name xmlns whose value is the namespace URI that is the namespace name. A default namespace declaration specifies that every unprefixed element name in its scope belongs to the declared namespace. Below is the bookstore example using a default namespace instead of a prefix-namespace mapping.
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book>
    <title>Lord of the Rings</title>
    <author>J.R.R. Tolkien</author>
    <inv:inventory status="in-stock" isbn="0345340426"
        xmlns:inv="urn:xmlns:25hoursaday-com:inventory-tracking" />
  </book>
</bookstore>
All the elements in the above example except for the inv:inventory element belong to the urn:xmlns:25hoursaday-com:bookstore namespace. The primary purpose of default namespaces is to reduce the verbosity of XML documents that use namespaces. However, using a default namespace instead of explicitly mapped prefixes for element names can be confusing, because it is not obvious that the elements in the document are namespace scoped.
Also, unlike prefixed namespace declarations, a default namespace declaration can be undeclared by setting the value of the xmlns attribute to the empty string. (Namespaces in XML 1.0 allows only the default namespace to be undeclared; Namespaces in XML 1.1 additionally allows a prefix to be undeclared with xmlns:prefix="".) Undeclaring the default namespace is a practice that should be avoided because it may lead to a document that has unprefixed names that belong to a namespace in one part of the document but not in another. For example, in the document below only the bookstore element is from the urn:xmlns:25hoursaday-com:bookstore namespace, while the other unprefixed elements have no namespace name.
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book xmlns="">
    <title>Lord of the Rings</title>
    <author>J.R.R. Tolkien</author>
    <inv:inventory status="in-stock" isbn="0345340426"
        xmlns:inv="urn:xmlns:25hoursaday-com:inventory-tracking" />
  </book>
</bookstore>
Readers of such a document, and code that matches on expanded names, find the same unprefixed name meaning different things in different parts of the tree, which is why the practice should be avoided. For more information on undeclaring namespace declarations, see the section on Namespaces Future.
Qualified and Expanded Names
A qualified name, also known as a QName, is an XML name called the local name, optionally preceded by another XML name called the prefix and a colon (':') character. The names used as the prefix and the local name must match the NCName production, which means that they must not contain a colon. The prefix of a qualified name must have been mapped to a namespace URI through an in-scope namespace declaration. A qualified name can be used as either an attribute or element name.
Although QNames are useful mnemonic guides to which namespace the elements and attributes within a document come from, the prefixes themselves are rarely significant to namespace-aware processors. For example, the following three XML documents would be treated identically by a range of XML technologies including, of course, XML Schema validators.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:complexType id="123" name="fooType"/>
</xs:schema>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:complexType id="123" name="fooType"/>
</xsd:schema>
<schema xmlns="http://www.w3.org/2001/XMLSchema">
<complexType id="123" name="fooType"/>
</schema>
The W3C XML Path Language recommendation describes an expanded name as a pair consisting of a namespace name and a local name. A universal name is an alternate term coined by James Clark to describe the same concept. A universal name consists of a namespace name in curly braces and a local name. Namespaces tend to make more sense to people when viewed through the lens of universal names. Here are the three XML documents from the previous example with the QNames replaced by universal names. Note that the syntax below is not valid XML syntax.
<{http://www.w3.org/2001/XMLSchema}schema>
<{http://www.w3.org/2001/XMLSchema}complexType id="123" name="fooType"/>
</{http://www.w3.org/2001/XMLSchema}schema>
<{http://www.w3.org/2001/XMLSchema}schema>
<{http://www.w3.org/2001/XMLSchema}complexType id="123" name="fooType"/>
</{http://www.w3.org/2001/XMLSchema}schema>
<{http://www.w3.org/2001/XMLSchema}schema>
<{http://www.w3.org/2001/XMLSchema}complexType id="123" name="fooType"/>
</{http://www.w3.org/2001/XMLSchema}schema>
To many XML applications, the universal names of the elements and attributes in an XML document are what matter, not the particular prefixes used in their QNames. The primary reason the Namespaces in XML recommendation does not take the expanded-name approach to writing namespaced names in documents is verbosity. Instead, prefix mappings and default namespaces are provided to save us all from developing carpal tunnel syndrome from typing namespace URIs endlessly.
Namespaces and Attributes
Namespace declarations do not apply to attributes unless the attribute's name is prefixed. In the XML document shown below the title attribute belongs to the bk:book element and has no namespace, while the bk:title attribute has urn:xmlns:25hoursaday-com:bookstore as its namespace name. Note that even though both attributes have the same local name, the document is well formed, because their expanded names differ.
<bk:bookstore xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">
  <bk:book title="Lord of the Rings, Book 3" bk:title="Return of the King"/>
</bk:bookstore>
In the following example, the title attribute still has no namespace and belongs to the book element even though a default namespace is in scope. In other words, attributes do not inherit the default namespace.
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book title="Lord of the Rings, Book 3" />
</bookstore>
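The declaration rules from the preceding sections (prefixed declarations, default namespaces, undeclaring with xmlns="", attributes not inheriting the default namespace, and the predeclared xml prefix) can be checked by letting a namespace-aware parser report expanded names. The following Python program is an added example, not part of Dare's article; it uses only the standard library's xml.etree.ElementTree, which spells expanded names exactly as James Clark's universal names, {namespace-name}local-name. The three sample documents are constructed from the article's bookstore examples; the xml:lang attribute on the title and the bk:title attribute on the default-namespace book are additions made for the demonstration.

```python
import xml.etree.ElementTree as ET

BOOKSTORE = "urn:xmlns:25hoursaday-com:bookstore"
INVENTORY = "urn:xmlns:25hoursaday-com:inventory-tracking"
XML_NS = "http://www.w3.org/XML/1998/namespace"  # bound to the xml prefix by definition

# Constructed samples based on the article's bookstore examples.
PREFIXED = """\
<bk:bookstore xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">
  <bk:book>
    <bk:title xml:lang="en">Lord of the Rings</bk:title>
    <inv:inventory status="in-stock" isbn="0345340426"
        xmlns:inv="urn:xmlns:25hoursaday-com:inventory-tracking" />
  </bk:book>
</bk:bookstore>"""

DEFAULTED = """\
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book title="Lord of the Rings, Book 3" bk:title="Return of the King"
        xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">
    <title>Lord of the Rings</title>
    <inv:inventory status="in-stock" isbn="0345340426"
        xmlns:inv="urn:xmlns:25hoursaday-com:inventory-tracking" />
  </book>
</bookstore>"""

UNDECLARED = """\
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book xmlns="">
    <title>Lord of the Rings</title>
  </book>
</bookstore>"""


def split_name(name):
    """Split an ElementTree name '{uri}local' into (uri, local).
    A name with no '{...}' part has no namespace, reported as None."""
    if name.startswith("{"):
        uri, local = name[1:].split("}", 1)
        return uri, local
    return None, name


def element_names(doc):
    """Expanded names of every element, in document order."""
    return [split_name(e.tag) for e in ET.fromstring(doc).iter()]


def attribute_names(doc):
    """Expanded names of every attribute, in document order.  xmlns and
    xmlns:* declarations never appear here: ElementTree, like the XPath
    data model, does not treat them as attributes."""
    names = []
    for e in ET.fromstring(doc).iter():
        names.extend(split_name(a) for a in e.attrib)
    return names


def main():
    for label, doc in (("prefixed", PREFIXED), ("default", DEFAULTED),
                       ("undeclared", UNDECLARED)):
        print("==", label)
        for uri, local in element_names(doc):
            print("  element   ", "{%s}%s" % (uri, local) if uri else local)
        for uri, local in attribute_names(doc):
            print("  attribute ", "{%s}%s" % (uri, local) if uri else local)


if __name__ == "__main__":
    main()
```

Running it shows that the prefixed and default-namespace documents yield identical element names; that in the undeclared document book and title have no namespace while bookstore does; that title and bk:title on the same element are two different attributes, the unprefixed one carrying no namespace even under a default namespace; and that xml:lang resolves to the XML namespace without any declaration. Code that wants "the title element" must therefore compare the full expanded name rather than the prefix, or it will accept or reject the wrong elements depending on how a particular document happens to be spelled.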
Namespace URIs
A namespace name is a Uniform Resource Identifier (URI) as specified in RFC 2396. A URI is either a Uniform Resource Locator (URL) or a Uniform Resource Name (URN). URLs specify the location of resources on the Internet, while URNs are intended to be persistent, location-independent identifiers for information resources. Namespace names are considered identical only if they match character for character: the comparison is case-sensitive and no %-escaping is done or undone, so http://example.org/ns, http://Example.org/ns and http://example.org/ns/ are three different namespaces. The primary justification for using URIs as namespace names is that they already provide a mechanism for creating globally unique identifiers.
The XML namespaces recommendation states that namespace names are only to act as unique identifiers and do not have to actually identify network retrievable resources. This has led to much confusion amongst authors and users of XML documents, especially since the usage of HTTP based URLs as namespace names has grown in popularity. Because many applications convert such URIs to hyperlinks, it is irritating to many users that these "links" do not lead to Web pages or other network retrievable resource. I remember one user who likened it to being given a fake phone number in a social situation.
One solution to avoid confusing users is to use a namespace-naming scheme that does not imply network retrievability of the resource. I personally use the urn:xmlns: scheme for this purpose and create namespace names similar to urn:xmlns:25hoursaday-com when authoring XML documents for personal use. The problem with homegrown namespace URIs is that they may run counter to the intent of the Namespaces in XML recommendation by not being globally unique; I get around the uniqueness requirement by using my personal domain name, 25hoursaday.com, as part of the namespace URI. (Note that xmlns is not an IANA-registered URN namespace identifier. That matters little for an identifier that is never resolved, but it does mean nothing but convention stops someone else from choosing the same string.)
Another solution is to leave a network-retrievable resource at the URI that is the namespace name, as is done with the XSLT and RDDL namespaces. Typically, such URIs are HTTP URLs. A good way to name such URLs is by using the format favored by the W3C, which is as follows:
http://my.domain.example.org/product/[year/month][/area]
See the section on Namespaces and Versioning for more information on using similarly structured namespace names as a versioning mechanism.
DOM, XPath, and the XML Information Set on Namespaces
The W3C has defined a number of technologies that provide a data model for XML documents. These data models are generally in agreement, but sometimes differ in how they treat various edge cases for historical reasons. Treatment of XML namespaces and namespace declarations is one edge case that is handled differently in the three primary data models that exist as W3C recommendations: the XPath data model, the Document Object Model (DOM), and the XML Information Set.
The XML information set (XML infoset) is an abstract description of the data in an XML document and can be considered to be the primary data model for an XML document. The XPath data model is a tree-based model that is traversed when querying an XML document and is similar to the XML information set. The DOM precedes both data models but is also similar to both data models in a number of ways. Both the DOM and the XPath data model can be considered to be interpretations of the XML infoset.
Namespaces in the Document Object Model (DOM)
The XML namespace section of the DOM Level 3 specification treats namespace declarations as ordinary attribute nodes that have http://www.w3.org/2000/xmlns/ as their namespace name and xmlns as their prefix (for xmlns:foo) or as their qualified name (for a bare xmlns). Elements and attributes in the DOM have a namespace name that is fixed when they are created and cannot be altered afterwards, regardless of whether their location within the document changes.
Namespaces in the XPath Data Model
The W3C XPath recommendation does not treat namespace declarations as attribute nodes and does not provide access to them in that capacity. Instead, in XPath every element has a set of namespace nodes, one for each namespace in scope for it (including the implicitly declared xml prefix), which can be retrieved using the namespace axis.
Each element has its own set of namespace nodes. A namespace node belongs to the element it was created for, so the namespace nodes of two different elements that represent the same namespace declaration are distinct nodes, even though they carry the same prefix and namespace name.
Namespaces in the XML Information Set
The XML Infoset recommendation treats namespace declarations as attribute information items, kept in the element's [namespace attributes] property separately from its ordinary [attributes]. In addition, like the XPath data model, each element information item in an XML document's information set has a namespace information item for each namespace that is in scope for the element.
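The DOM treatment described above can be observed directly with Python's xml.dom.minidom, which implements the DOM Level 2 Core interfaces. The following is an added example, not code from the article, run over a constructed document based on the bookstore example. It lists namespace declarations as the attribute nodes the DOM makes of them, with http://www.w3.org/2000/xmlns/ as their namespace name, and then re-parents an element under a new parent with a different default namespace (the urn:example:other name is an assumption for the demonstration) to show that the element's namespaceURI is fixed at creation.

```python
from xml.dom import minidom, XMLNS_NAMESPACE  # "http://www.w3.org/2000/xmlns/"

BOOKSTORE = "urn:xmlns:25hoursaday-com:bookstore"
INVENTORY = "urn:xmlns:25hoursaday-com:inventory-tracking"
OTHER = "urn:example:other"  # assumed namespace for the re-parenting demonstration

# Constructed document based on the article's bookstore example.
DOC = """\
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book>
    <title>Lord of the Rings</title>
    <inv:inventory status="in-stock"
        xmlns:inv="urn:xmlns:25hoursaday-com:inventory-tracking" />
  </book>
</bookstore>"""


def namespace_declarations(element):
    """Namespace declarations on one element, as the DOM presents them:
    ordinary Attr nodes whose namespaceURI is the xmlns namespace.
    Returns [(declared prefix, or None for the default, namespace name)]."""
    decls = []
    for attr in element.attributes.values():
        if attr.namespaceURI == XMLNS_NAMESPACE:
            # xmlns:inv has prefix "xmlns" and localName "inv";
            # a bare xmlns has no prefix and localName "xmlns".
            declared = attr.localName if attr.prefix == "xmlns" else None
            decls.append((declared, attr.value))
    return decls


def ordinary_attributes(element):
    """(namespaceURI, localName, value) for attributes that are not declarations."""
    return [(a.namespaceURI, a.localName, a.value)
            for a in element.attributes.values()
            if a.namespaceURI != XMLNS_NAMESPACE]


def declarations_in(doc_text):
    """{element localName: namespace declarations} for every element."""
    dom = minidom.parseString(doc_text)
    return {e.localName: namespace_declarations(e)
            for e in dom.getElementsByTagName("*")}


def attributes_in(doc_text):
    """{element localName: ordinary attributes} for every element."""
    dom = minidom.parseString(doc_text)
    return {e.localName: ordinary_attributes(e)
            for e in dom.getElementsByTagName("*")}


def move_book_under_other_namespace(doc_text):
    """Re-parent <book> under a new element whose default namespace is OTHER.
    Returns book's namespaceURI before and after the move plus the new
    parent's serialisation.  The DOM never changes the namespaceURI, even
    though the unprefixed <book> re-serialised inside the new parent now
    reads, to a fresh parse, as belonging to OTHER: minidom performs no
    namespace fixup when writing."""
    dom = minidom.parseString(doc_text)
    book = dom.getElementsByTagNameNS(BOOKSTORE, "book")[0]
    before = book.namespaceURI
    other = dom.createElementNS(OTHER, "other")
    other.setAttributeNS(XMLNS_NAMESPACE, "xmlns", OTHER)
    book.parentNode.removeChild(book)
    other.appendChild(book)
    dom.documentElement.appendChild(other)
    return before, book.namespaceURI, other.toxml()


def main():
    for name, decls in declarations_in(DOC).items():
        print("%-10s declarations=%r attributes=%r"
              % (name, decls, attributes_in(DOC)[name]))
    before, after, xml = move_book_under_other_namespace(DOC)
    print("book namespace before move:", before)
    print("book namespace after move: ", after)
    print(xml)


if __name__ == "__main__":
    main()
```

The last part is the practical caveat: a DOM node carries its namespace with it when moved, but a serializer that does not re-declare namespaces (minidom's does not) can emit output whose namespaces differ from the tree it was written from, so never infer a node's namespace from the prefixes in surrounding text after DOM manipulation; read namespaceURI.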
XPath, XSLT and Namespaces
The W3C XML Path Language, also known as XPath, is used to address parts of an XML document and is used in a number of W3C XML technologies including XSLT, XPointer, XML Schema, and DOM Level 3. XPath uses a hierarchical addressing mechanism similar to that used in file systems and URLs to retrieve pieces of an XML document. XPath supports rudimentary manipulation of strings, numbers, and Booleans.
XPath and Namespaces
The XPath data model treats an XML document as a tree of nodes, such as element, attribute, and text nodes, where the name of each node is the combination of its local name and its namespace name (that is, its universal or expanded name).
For element and attribute nodes without namespaces, XPath queries are fairly straightforward. The following C# program, which queries an XML document from the command line, is used to demonstrate the impact of namespaces on XPath queries. The first argument is the source document, the second the XPath expression, followed by zero or more prefix/namespace pairs to make available to the query. (If the source document is untrusted, note that XmlDocument on .NET Framework versions before 4.5.2 resolves external entities by default; set doc.XmlResolver = null before calling Load.)
using System;
using System.IO;
using System.Xml;
using System.Xml.XPath;

class XPathQuery {

    // Walk the InnerException chain, concatenating each message.
    public static string PrintError(Exception e, string errStr) {
        if (e == null)
            return errStr;
        else
            return PrintError(e.InnerException, errStr + e.Message);
    }

    public static void Main(string[] args) {
        // Arguments: source query [prefix namespace]...; the count must be even.
        if ((args.Length == 0) || (args.Length % 2) != 0) {
            Console.WriteLine("Usage: xpathquery source query <zero or more prefix and namespace pairs>");
            return;
        }

        try {
            // Load the file.
            XmlDocument doc = new XmlDocument();
            doc.Load(args[0]);

            // Create prefix<->namespace mappings (if any) for the query.
            // The prefixes need not match those used in the document.
            XmlNamespaceManager nsMgr = new XmlNamespaceManager(doc.NameTable);
            for (int i = 2; i < args.Length; i += 2)
                nsMgr.AddNamespace(args[i], args[i + 1]);

            // Query the document.
            XmlNodeList nodes = doc.SelectNodes(args[1], nsMgr);

            // Print output.
            foreach (XmlNode node in nodes)
                Console.WriteLine(node.OuterXml + "\n\n");

        } catch (XmlException xmle) {
            Console.WriteLine("ERROR: XML parse error occurred because " + PrintError(xmle, null));
        } catch (FileNotFoundException fnfe) {
            Console.WriteLine("ERROR: " + PrintError(fnfe, null));
        } catch (XPathException xpath) {
            Console.WriteLine("ERROR: The following error occurred while querying the document: " + PrintError(xpath, null));
        } catch (Exception e) {
            Console.WriteLine("UNEXPECTED ERROR: " + PrintError(e, null));
        }
    }
}
Given the following XML document that does not declare any namespaces, queries are fairly straightforward as seen in the examples following the code.
<?xml version="1.0" encoding="utf-8" ?>
<bookstore>
<book genre="autobiography">
<title>The Autobiography of Benjamin Franklin</title>
<author>
<first-name>Benjamin</first-name>
<last-name>Franklin</last-name>
</author>
<price>8.99</price>
</book>
<book genre="novel">
<title>The Confidence Man</title>
<author>
<first-name>Herman</first-name>
<last-name>Melville</last-name>
</author>
<price>11.99</price>
</book>
</bookstore>
Example 1
- xpathquery.exe bookstore.xml /bookstore/book/title
Selects all the title elements that are children of a book element whose parent is the bookstore element, which returns:
<title>The Autobiography of Benjamin Franklin</title>
<title>The Confidence Man</title>
- xpathquery.exe bookstore.xml //@genre
Selects all the genre attributes in the document and returns:
genre="autobiography"
genre="novel"
- xpathquery.exe bookstore.xml //title[(../author/first-name = 'Herman')]
Selects all the titles where the author's first name is "Herman" and returns:
<title>The Confidence Man</title>
However, once namespaces are added to the mix, things are no longer as simple. The file below is identical to the original file except for the addition of namespaces and of one attribute to one of the book elements.
<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
<book genre="autobiography">
<title>The Autobiography of Benjamin Franklin</title>
<author>
<first-name>Benjamin</first-name>
<last-name>Franklin</last-name>
</author>
<price>8.99</price>
</book>
<bk:book genre="novel" bk:genre="fiction"
xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">
<bk:title>The Confidence Man</bk:title>
<bk:author>
<bk:first-name>Herman</bk:first-name>
<bk:last-name>Melville</bk:last-name>
</bk:author>
<bk:price>11.99</bk:price>
</bk:book>
</bookstore>
Note that the default namespace is in scope for the whole XML document, while the namespace declaration that maps the prefix bk to the namespace name urn:xmlns:25hoursaday-com:bookstore is in scope for the second book element only. Both book elements, and all of their children, therefore have the same namespace name; only the spelling of their QNames differs.
Example 2
- xpathquery.exe bookstore.xml /bookstore/book/title
Selects all the title elements that are children of a book element whose parent is the bookstore element, which returns NO RESULTS.
- xpathquery.exe bookstore.xml //@genre
Selects all the genre attributes in the document and returns:
genre="autobiography"
genre="novel"
- xpathquery.exe bookstore.xml //title[(../author/first-name = 'Herman')]
Selects all the titles where the author's first name is "Herman," which returns NO RESULTS.
The first query returns no results because an unprefixed name in an XPath 1.0 expression always denotes an element or attribute with no namespace; there is no way to declare a default namespace for an XPath 1.0 expression. There are no bookstore, book, or title elements in the target document that have no namespace. The second query returns all attribute nodes named genre that have no namespace. Although namespace declarations are in scope for both attribute nodes returned, neither has a namespace, because namespace declarations do not apply to unprefixed attribute names. The third query returns no results for the same reason as the first. A query that silently returns nothing is worse than one that fails: code that filters or validates input with unprefixed XPath will simply never match namespaced elements, whatever they contain.
The way to perform namespace-aware XPath queries is to provide a prefix-to-namespace mapping to the XPath engine, then use those prefixes in the query. The prefixes provided do not need to be the same as the prefixes used in the target document, but they must be non-empty.
- xpathquery.exe bookstore.xml /b:bookstore/b:book/b:title b urn:xmlns:25hoursaday-com:bookstore
Selects all the title elements that are children of the book element whose parent is the bookstore element and returns the following:
<title xmlns="urn:xmlns:25hoursaday-com:bookstore">The Autobiography of Benjamin Franklin</title>
<bk:title xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">The Confidence Man</bk:title>
- xpathquery.exe bookstore.xml //@b:genre b urn:xmlns:25hoursaday-com:bookstore
Selects all the genre attributes from the "urn:xmlns:25hoursaday-com:bookstore" namespace in the document and returns:
bk:genre="fiction"
- xpathquery.exe bookstore.xml //bk:title[(../bk:author/bk:first-name = 'Herman')] bk urn:xmlns:25hoursaday-com:bookstore
Selects all the titles where the author's first name is "Herman" and returns:
<bk:title xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">The Confidence Man</bk:title>
Note: These last examples are the same as the previous ones, rewritten to be namespace aware.
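The same three queries, run with Python's standard-library ElementTree as an added example (not code from the original article). Like xpathquery.exe, ElementTree compares expanded names, so unprefixed steps match only no-namespace nodes and a prefix map is needed for namespaced ones; the bookstore document is reconstructed inline from the fragments above (the first book's start tag is an assumption), and the "Herman" query is restated with a parent step because ElementTree's path subset does not accept a path inside a predicate.

```python
import xml.etree.ElementTree as ET

BOOKSTORE_NS = "urn:xmlns:25hoursaday-com:bookstore"

# Constructed copy of bookstore.xml as described in the text. The first
# book's start tag is assumed from the genre="autobiography" query result.
BOOKSTORE_XML = """<bookstore xmlns="urn:xmlns:25hoursaday-com:bookstore">
  <book genre="autobiography">
    <title>The Autobiography of Benjamin Franklin</title>
    <author>
      <first-name>Benjamin</first-name>
      <last-name>Franklin</last-name>
    </author>
    <price>8.99</price>
  </book>
  <bk:book genre="novel" bk:genre="fiction"
           xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">
    <bk:title>The Confidence Man</bk:title>
    <bk:author>
      <bk:first-name>Herman</bk:first-name>
      <bk:last-name>Melville</bk:last-name>
    </bk:author>
    <bk:price>11.99</bk:price>
  </bk:book>
</bookstore>
"""


def load_bookstore():
    """Parse the constructed document; the returned root is the bookstore element."""
    return ET.fromstring(BOOKSTORE_XML)


def expanded_title_tags(root):
    """<title> (default namespace) and <bk:title> (prefixed) carry the same
    expanded name {namespace}local-name, which is what the engine compares."""
    return sorted({el.tag for el in root.iter() if el.tag.endswith("}title")})


def title_texts(root, path, prefix_map=None):
    """Evaluate an ElementTree path relative to root and return matched text.
    prefix_map plays the role of the 'b urn:...' argument to xpathquery.exe."""
    return [el.text for el in root.findall(path, prefix_map or {})]


def attribute_values(root, local_name, namespace=None):
    """Collect attribute values by expanded name across the whole document.
    namespace=None selects attributes with no namespace (like //@genre);
    a namespace selects prefixed attributes only (like //@b:genre)."""
    key = local_name if namespace is None else "{%s}%s" % (namespace, local_name)
    return [el.attrib[key] for el in root.iter() if key in el.attrib]


def demo():
    """Run the page's queries in both their namespace-unaware and aware forms."""
    root = load_bookstore()
    ns = {"b": BOOKSTORE_NS}  # prefix 'b' deliberately differs from the document's 'bk'
    return {
        # /bookstore/book/title with unprefixed names: no such no-namespace elements
        "no_ns_titles": title_texts(root, "book/title"),
        # /b:bookstore/b:book/b:title with a prefix map: both titles match
        "ns_titles": title_texts(root, "b:book/b:title", ns),
        # //@genre: unprefixed attributes are never in the default namespace
        "no_ns_genre": attribute_values(root, "genre"),
        # //@b:genre: only the bk:genre attribute is in the bookstore namespace
        "ns_genre": attribute_values(root, "genre", BOOKSTORE_NS),
        # //bk:title[../bk:author/bk:first-name = 'Herman'], restated with a
        # parent step because ElementTree predicates cannot contain a path
        "herman_titles": title_texts(
            root, "b:book/b:author[b:first-name='Herman']/../b:title", ns),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-14s %r" % (name, value))
```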
For more information on using XPath, read Aaron Skonnard's article Addressing Infosets with XPath and view the examples at the ZVON.org XPath tutorial.
XSLT and Namespaces
The W3C XSL transformations (XSLT) recommendation describes an XML-based language for transforming XML documents into other XML documents. XSLT transformations, also known as XML style sheets, utilize patterns (XPath) to match aspects of the target document. Upon matching nodes in the target document, templates that specify the output of a successful match can be instantiated and used to transform the document.
Support for namespaces is tightly integrated into XSLT, especially since XPath is used for matching nodes in the source document. Using namespaces in your XPath expressions inside XSLT is much easier than using the DOM.
The example that follows contains:
- A program for use in executing transforms from the command line.
- An XSLT stylesheet that prints all the title elements from the urn:xmlns:25hoursaday-com:bookstore namespace in the source XML document when run against the bookstore document from the urn:xmlns:25hoursaday-com:bookstore namespace.
- The resulting output.
Imports System
Imports System.IO
Imports System.Xml
Imports System.Xml.Xsl

Class Transformer

    'Walks the InnerException chain and concatenates the messages.
    Public Shared Function PrintError(e As Exception, errStr As String) As String
        If e Is Nothing Then
            Return errStr
        Else
            Return PrintError(e.InnerException, errStr + e.Message)
        End If
    End Function 'PrintError

    'Entry point which delegates to a C-style main. The runtime passes only
    'the user arguments here, so the argument count check below is exact.
    Public Shared Sub Main(args() As String)
        Run(args)
    End Sub 'Main

    Public Shared Sub Run(args() As String)
        If args.Length <> 2 Then
            Console.WriteLine("Usage: xslt source stylesheet")
            Return
        End If
        Try
            'Create the XslTransform object.
            Dim xslt As New XslTransform()
            'Load the stylesheet.
            xslt.Load(args(1))
            'Load the source document and transform it to standard output.
            Dim doc As New XmlDocument()
            doc.Load(args(0))
            xslt.Transform(doc, Nothing, Console.Out)
        Catch xmle As XmlException
            Console.WriteLine("ERROR: XML parse error occurred because " + PrintError(xmle, Nothing))
        Catch fnfe As FileNotFoundException
            Console.WriteLine("ERROR: " + PrintError(fnfe, Nothing))
        Catch xslte As XsltException
            Console.WriteLine("ERROR: The following error occurred while transforming the document: " + PrintError(xslte, Nothing))
        Catch e As Exception
            Console.WriteLine("UNEXPECTED ERROR: " + PrintError(e, Nothing))
        End Try
    End Sub 'Run

End Class 'Transformer
XSLT stylesheet
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:b="urn:xmlns:25hoursaday-com:bookstore">
<xsl:template match="b:bookstore">
<book-titles>
<xsl:apply-templates select="b:book/b:title"/>
</book-titles>
</xsl:template>
<xsl:template match="b:title">
<xsl:copy-of select="." />
</xsl:template>
</xsl:stylesheet>
Output
<?xml version="1.0" ?>
<book-titles xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:ext="urn:my_extensions" xmlns:b="urn:xmlns:25hoursaday-com:bookstore">
<title xmlns="urn:xmlns:25hoursaday-com:bookstore">The Autobiography of
Benjamin Franklin</title>
<bk:title xmlns="urn:xmlns:25hoursaday-com:bookstore"
xmlns:bk="urn:xmlns:25hoursaday-com:bookstore">The Confidence
Man</bk:title>
</book-titles>
Note that the namespace declarations from the stylesheet end up on the root node of the output XML document. Note also that the XSLT namespace is not included in the output XML document.
Generating XSLT stylesheets as the output of your XSLT transforms is slightly cumbersome because the processor has to be able to distinguish the output elements from the actual stylesheet directives. There are two ways I have found to deal with this issue, both of which I'll illustrate by showing stylesheets that generate the following XSLT stylesheet as output.
<xslt:stylesheet version="1.0"
xmlns:xslt="http://www.w3.org/1999/XSL/Transform">
<xslt:output method="text"/>
<xslt:template match="/"><xslt:text>HELLO WORLD</xslt:text></xslt:template>
</xslt:stylesheet>
The first method involves creating a variable containing the stylesheet to be created, and then using value-of in combination with the disable-output-escaping attribute to create the stylesheet.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" encoding="utf-8"/>
<xsl:variable name="stylesheet">
<xslt:stylesheet version="1.0"
xmlns:xslt="http://www.w3.org/1999/XSL/Transform">
<xslt:output method="text"/>
<xslt:template match="/"><xslt:text>HELLO
WORLD</xslt:text></xslt:template>
</xslt:stylesheet>
</xsl:variable>
<xsl:template match="/">
<xsl:value-of select="$stylesheet" disable-output-escaping="yes" />
</xsl:template>
</xsl:stylesheet>
This first method works best if the stylesheet being created can be easily partitioned so that it can be placed in variables. While this technique is quick and easy, it also falls into the category of gross hack, which typically tend to become unmanageable when faced with any situation requiring flexibility. For instance, when creation of the new stylesheet involves lots of dynamic creation of text and is intertwined with the stylesheet directives, the following method is preferable to the aforementioned gross hack.
<xslt:stylesheet version="1.0" xmlns:xslt="http://www.w3.org/1999/XSL/Transform"
xmlns:alias="http://www.w3.org/1999/XSL/Transform-alias">
<xslt:output method="xml" encoding="utf-8"/>
<xslt:namespace-alias stylesheet-prefix="alias" result-prefix="xslt"/>
<xslt:template match="/">
<alias:stylesheet version="1.0">
<alias:output method="text"/>
<alias:template match="/"><alias:text>HELLO
WORLD</alias:text></alias:template>
</alias:stylesheet>
</xslt:template>
</xslt:stylesheet>
The above document uses the namespace-alias directive to substitute the alias prefix and the namespace name it is bound to with the xslt prefix and the namespace name to which it is bound.
Namespaces are also used to specify mechanisms for the extension of XSLT. Namespace-prefixed functions can be created that are executed in the same manner as XSLT functions. Similarly, elements from certain namespaces can be treated as extensions to XSLT and executed as if they were transformation directives like template, copy, value-of, and so on. Below is an example of a Hello World program that uses namespace-based extension functions to print the signature greeting.
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:newfunc="urn:my-newfunc">
<output method="text"/>
<template match="/">
<value-of select="newfunc:SayHello()" />
</template>
<msxsl:script language="JavaScript" implements-prefix="newfunc">
function SayHello() {
return "Hello World";
}
</msxsl:script>
</stylesheet>
XML Namespace Caveats
Namespaces in XML, like any useful tool, can be used improperly and have various subtleties that may cause problems if users are unaware of them. This section focuses on areas where users of XML namespaces typically have problems or face misconceptions.
Versioning and Namespaces
There are two primary mechanisms used in practice to create different versions of an XML instance document. One method is to use a version attribute on the root element as is done in XSLT, while the other method is to use the namespace name of the elements as the versioning mechanism. Versioning based on namespaces is currently very popular, especially with the W3C, who have used this mechanism for various XML technologies including SOAP, XHTML, XML Schema, and RDF. The namespace URI for documents that are versioned using the namespace is typically in the following format:
http://my.domain.example.org/product/[year/month][/area]
The primary problem with versioning XML documents by altering the namespace name in subsequent versions is that it means XML namespace-aware applications that process the documents will no longer work with the documents, and will have to be upgraded. This is primarily beneficial with document formats whose versions change infrequently, but upon changing alter the semantics of elements and attributes, thus requiring that all processors no longer work with the newer versions for fear of misinterpreting them.
On the other hand, there are a number of scenarios where an XML document versioning mechanism based on a version attribute on the root element is sufficient. A version attribute is primarily beneficial when changes in the document's structure are backwards compatible. The following situations are all areas where using a version attribute is a wise choice:
- Semantics of elements and attributes will not be altered.
- Changes to the document involve the addition of elements and attributes, but rarely removal.
- Interoperability between applications with various versions of the processing software is necessary.
Both versioning techniques are not mutually exclusive and can be used simultaneously. For instance, XSLT uses both a version attribute on the root element, as well as a versioned namespace URI. The version attribute is used for incremental, backwards-compatible changes to the XML document's format, while altering the namespace name is done for significant changes in the semantics of the document.
Document Types
The term document type is misleading, as discussed in several philosophical debates on various XML-related mailing lists. In many cases, the namespace name of the root element can be used to determine how to process the document; however, this is hardly a general rule, and stating it as such violates the spirit of XML namespaces, which were designed precisely so that developers could mix and match XML vocabularies.
A succinct post that captures why equating the namespace URI of the root element with a notion of document type is misguided is this post by Rick Jelliffe on XML-DEV. The essence of the post is that there are many different types that an XML document could have, including its document type as specified by its Document Type Definition (DTD), its MIME media type, its schema definition as specified by the xsi:schemaLocation attribute, its file extension, as well as the namespace name of its root element. Thus it is quite likely that in many cases a document will have many different types depending on what perspective one decides to take when examining the document.
Two examples of XML documents in which the actual document type can be misconstrued by simply looking at the namespace URI of the root element are RDDL documents (sample; notice that its root element is from the XHTML namespace) and annotated mapping schemas, whose root element is from the W3C XML Schema namespace.
In a nutshell, the type of a document cannot conclusively be determined by looking at the namespace URI of its root element. Thinking otherwise is folly.
Namespaces Future
There are a number of developments in the XML world focused on tackling some of the issues that have developed around XML namespaces. Firstly, the current W3C XML namespaces recommendation does not provide a mechanism for undeclaring namespaces that have been mapped to a prefix. The W3C XML namespaces v1.1 working draft is intended to rectify this oversight by providing a mechanism for undeclaring prefix namespace mappings in an instance document.
The question of what should be returned on an attempt to dereference a namespace URI has led to contentious debate in the XML world and is currently the focus of deliberations by the W3C's Technical Architecture Group. The current version of the XML namespaces recommendation does not require the namespace URI to actually be resolvable, because a namespace URI is supposed to be merely a namespace name that is used as a unique identifier, not the location of a resource on the Internet.
Tim Bray (one of the original editors of both the XML Language and XML namespaces recommendations) has written an exhaustive treatise on the issues around namespace URIs and the namespace documents that may or may not be retrieved from them. This document contains much of the reasoning that was behind his creation of the Resource Directory Description Language (RDDL), which is designed to be used for creating namespace documents.
-
W2K and MAC OS9 Flood Root Nameservers?
wizzy writes "Ireland's toplevel domain registry has a notice on Microsoft and Apple DHCP clients sending dynamic DNS updates per RFC2136. The problem is they are not sufficiently careful about where they send it if they are in RFC1918 space - usually used for behind-firewall addressing, which is where they usually are. This is resulting in bogus updates being sent at the rate of nearly one million an hour to root nameservers, only to be rejected - as reported on the NANOG mailing list." -
Slashback: Spolsky, Mandrake, Geography
Tonight's Slashback features another string of updates, corrections, etc. to previous stories. In this case, that means more on the discoveries of America, the Mandrake-StarOffice connection, Joel Spolsky and more, all below. Update: not everyone agrees on everything. ipoverscsi writes: "SoftwareMarketSolution has a followup interview with Joel Spolsky comprised mainly of rebuttals from the comments section of an older article on Slashdot. A quote I found interesting regarding re-writing software: 'Don't even talk to me about spending money replacing something that works. The only question that is relevant is -- what does it cost to fix it if it doesn't work?'"
'First' seems to be relative. MattJ writes: "A week or two ago, Gavni Menzies' theory about Chinese explorations preceding Columbus were mentioned on Slashdot. He has now made his presentation to the Royal Geographical Society. According to MSNBC, the response from historians who saw it was somewhat muted. They say they need to wait for his book to come out to treat the theory fairly, but right now it looks like a tower of suppositions."
"Or, to vote for 'irresponsible disclosure,' please press No ...". juliao writes: "The IETF has dropped the draft proposal for responsible disclosure of bugs."
Fax early and often. jd142 writes: "A follow up to Friday's CBDTPA story. Electronic petitions and e-mail are unlikely to sway a Senator. Dead trees do. Luckily you can easily have a message faxed to your Senators. Letters are good too, so send both. This is a case where the more paper we can swamp them with, the better chance we have of killing this. And take the time to personalize your faxes and letters."
A matter of phrasing? I mentioned that StarOffice 6.0 was due for retail release in April; Jacques Le Marois from Mandrakesoft (among many others) wrote to point out that "MandrakeClub is the first and only place in the world where you can get StarOffice 6.0 currently!" They've worked out an OEM deal with Sun to let those who've paid for a "Silver" membership to MandrakeClub ($120 annually) download the software.
Exactly which MandrakeClub members were eligible for the payware StarOffice was the cause of some contention. "We also answer to your previous post about the ZDNet controversy. It's an interesting case of mis-information spread."
-
If This Had Been An Actual Emergency
saridder writes "In an increasing attempt to regulate the Internet like the current PSTN, the US Government has asked the IETF to come up with a system to prioritize government and emergency worker traffic in the event of another disaster, much like the GETS system already in place for the PSTN. It's interesting to follow, because it's only an RFC, so you don't have to follow it. I probably won't be prioritizing government traffic on any of my routers." The story has a link to the ieprep working group if you want to get involved or comment. Perhaps this is a better way than GOVNET. -
Randy Bush on Recent ICANN Proposals
Jodrell writes: "Randy Bush, internet architect and co-chair of the IETF's working group on DNS, has some interesting thoughts on the recent proposals to re-organise ICANN. Randy makes some interesting points about the likely result of allowing Government control into the DNSO, and on the current bloated condition of ICANN." -
Internet Draft on Vulnerability Disclosures
Cowboy71 writes: "An interesting posting on Bugtraq by Stephen Christie announcing the release for comment of an internet-draft "Responsible Disclosure Process" document, prepared by himself and Chris Wysopal of @stake. You can view the full paper at the IETF site." -
How Widespread is Secure SMTP Usage?
Honest Postmaster asks: "Maybe I am a paranoid nut, or maybe I just feel like my users' email is as sacred as snail mail (which we like to hope is untouched); but I have been getting a sinking feeling about all the news I have been hearing about NSA & Government agencies getting potential carte blanche to sniff email traffic (if they didn't have such, already). I did a quick search and found RFC 2487, which seems to define secure transfer of traffic between SMTP servers using TLS/SSL. Firstly, is this truly a reasonably 'secure' solution? Secondly it seems to have actual implementations (e.g. exim), but it will only work if both client and server support it -- how widespread is its usage? Is it hopeless to expect every ISP, megamail .com to get around to turning this feature on, or will sniffing just be a part of our everyday reality?" -
Last Call For Comments On W3C Patent Policy
Holger Blasum writes: "The W3C is closing its last call for comments on its future patent policy (with disputed RAND: "reasonable and non-discriminatory licensing") on 30 Sept 2001. One of the authors of the framework argues this to be not uncommon (and, in fact, RFC 2036's section 10.3.3 has it too). As is common practice, the W3C has set up an archived mailing list (www-patentpolicy-comment-request@w3.org) for comments. Adam Warner has outlined (mirror) some possible consequences for the SVG standard." -
Preserve Your Rights Online - Act Now
Imagine Slashdot closing its Your Rights Online section because you no longer have any rights online, and find many of your other rights severely curtailed, too. Saturday a small group of people, including U.S. Representative Lynn Rivers, from Michigan's 13th Congressional District, met in the University of Maryland Baltimore County [UMBC] library to discuss ways to maintain Americans' civil liberties despite major pressure to curtail them in the name of "fighting terrorism." The government does listen, you know, if you speak to the right people in the right way. So here's a guide, a HOWTO, if you will, that will teach you how to lobby effectively for your Constitutional rights. Let's start with one simple and rather sad truth: You are going to be less free next week than you were last week.
We are already seeing what several newspapers have called "the biggest criminal investigation in history." Sure, a lot of this investigation's energy is being focused on Islamic countries, but it is also going on in Europe and, more than anywhere else, the United States itself. Landlords who have rented to young men with Arab-sounding names are being interrogated. Topless-bar patrons are being asked about conversations they allegedly heard, boasting about upcoming mass destruction.
And then there's email and the World Wide Web. Imagine a technically unhip Senator or Member of Congress who has read about Osama bin Laden allegedly using encrypted email and secret messages hidden in online porn to communicate with his followers and allies. Put the words "Osama bin Laden" in the same sentence as "pornography" and "the Internet," and you had better get out of the way of the avalanche of anti-online privacy laws coming your way -- or get crushed by them, even if people like bin Laden can switch to other means of communication at the drop of a hat.
Worse, disagreeing with the U.S. government right now may almost be viewed as treason in some quarters. "My Country, Right or Wrong" was a popular bumper sticker among the gunrack-and-confederate-flag pickup truck crowd in the late 60s, and this attitude, if not yet the bumper sticker itself, has been making a major comeback.
But Dissent We Must
The problem with the "My Country, Right or Wrong" attitude is that it allows our government to go terribly wrong in many ways that may not be made right again for a long time, if ever. As Rep. Rivers pointed out Saturday, once laws are made that are supposed to help law enforcement in some way, they are almost never repealed because Members of Congress don't want to be seen as "soft on terrorism, soft on crime, soft on drugs." Carry this a little farther. What about treason charges? At what point does it become illegal to speak out against a planned US government action that, on its face, is being taken to fight against the Terrorist Enemy, whoever he or she may be, even though that action may have very bad, long-term consequences for ordinary American citizens who want nothing more than to live their own lives quietly without being afraid of their own government?
Rep. Rivers said half the people in her district's gut reaction to the idea of legislation allowing government to read their email without getting a warrant first was along the lines of, "So what? I don't break any laws, so I have nothing to hide."
Long-time EPIC activist Kathleen Ellis told Rep. Rivers she believed questions about privacy should not be asked in the context of email. "Ask people if they should have the right to keep a secret and almost all of them will answer 'Of course,'" she said. Ellis also mentioned that cryptography is the email equivalent of an envelope on a letter sent by postal mail. "Unencrypted email is like a postcard," she said, "open for anyone to read. Ask people if they want all mail to be as open as a postcard and they're going to say no."
From that point on, the meeting focused on tactics. The question in the room wasn't, "Are privacy and freedom of speech good?" but "What can we do to protect our privacy and freedom of speech?"
Background on the Meeting Itself
The forum in which all this discussion took place was decidedly unofficial. It was an informal meeting thrown together hastily by local Linux user and ham radio aficionado Rob Carlson. Carlson sent a meeting notice to several email lists and posted it at cluebot.com. 13 people showed up at Saturday's gathering, most of whom were Baltimore and Washington D.C. area privacy advocates and/or Linux users. I was there myself for that reason. Wired News reporter Declan McCullagh is another "local" who hangs in the same circles, which explained his presence. Rep. Rivers was there because her husband, William Simpson, is a computer consultant involved with the Internet Engineering Task Force [IETF] who spotted Carlson's notice on one of the cryptography-oriented email lists he's on. He had driven Rivers' chief of staff, who needed to get back to Washington but was marooned in Michigan by the airlines shutdown, to D.C., and was taking his Congresswoman wife back to her district for a little rest and some scheduled meetings (Congress had adjourned until Friday, Sept. 21), and they noticed that UMBC was on their way. So there they were, not dressed in "mover and shaker" clothing but looking like anyone else taking a 1000+ mile car trip.
One doesn't usually think of a Member of Congress fitting in with a group of downdressed geeks, but this one sure did. We only knew what she did for a living because Carlson asked everyone in the little circle to identify themselves by name and job, and when it was her turn Rep. Rivers gave her name as "Lynn," then added "Rivers," and softly, sort of as an aside, mentioned that she was "in Congress." Her husband had already mentioned that they were "from Michigan," which was curious enough in itself for a meeting with a decidedly local orientation. But Linux folks are friendly, and Rep. Rivers was as welcome as anyone else even though she was from out of town -- and freely admitted she used Mac OS, not Linux, both at home and in her office.
When he organized the meeting, Carlson said, "I didn't know whether no one or 100 people would show up." 13 did. And revolutions have started with as few as 13 people, so why shouldn't a strong pro-Constitution lobbying movement? The next step is to get 13 more, and another 13, and so on. This means calling and emailing friends until there are 13X13X13X13.... people talking to their elected representatives about privacy issues in terms they can understand, that will help them change their minds.
How You Can Lobby Against Anti-Privacy Laws
Start with this line Rep. Rivers laid on us, which is not new but needs to be said over and over: "Democracy is not a spectator sport." Those Americans who don't vote, no matter how they excuse this failure, have no right to criticize their government. And those who don't bother to tell their elected representatives what they want and don't want their government to do should not act shocked when the government passes laws they don't like. It gets sickening, going to hearing after hearing about proposed laws like UCITA, DMCA, and SSSCA and always seeing a whole bunch of industry lobbyists wearing expensive suits, but hardly ever anyone who could be classified as an "ordinary citizen."
You need to make some noise instead of letting "them" talk while you sit around and let "them" get their way. Pump up the volume. Take some of the time you spend posting on Slashdot and register to vote. Write email and snail mail letters, send faxes, and make phone calls to Congresspeople and Senators and other representatives, and tell other people (13X13X13X13.... voices, remember) to do the same. This, not just complaining, is what this whole representative government thing is all about.
Rep. Rivers says phone calls "...have a sense of personal contact to them," and this makes them the most effective grassroots lobbying tool. "Stick to one issue," she advises. "Don't come up with a laundry list."
Also send email and write letters, even though they probably won't have as much impact as calls. And don't forget the fax machine; reps who are too technically unhip to read email read faxes. The ACLU and NRA have both famously used fax as a means of rapid communication with legislators for many years.
Now comes the matter of what to say. A letter, call or email that starts with something like, "I has nevir voted for you I am not registered to vote but you got to lisen to me," will go nowhere, says Rivers, pointing out that many pro-Napster messages she got were along those lines -- and got ignored. Better, she says, is something that tells your representative you are a computer professional (or manager or student or business owner or whatever) whose business, occupation or future will be hurt by whatever legislation you are working against. In this case (this week), privacy and online crypto are under attack. Next week, who knows?
So you're not a business owner? Know any? Know anyone who depends on privacy to transact their business? How about your doctor? Doesn't he or she want to keep patient records confidential? Ditto any lawyer you know. If a lawyer is serious about maintaining client trust, he or she certainly doesn't want the government snooping on email through Carnivore or a similar system with a less aggressive name. Other businesses have client information they want to keep private, along with trade secrets and other information they would rather not share with competitors. These are all points to bring up rationally, in an orderly debate format, when communicating with an elected rep, and they are ones you should ask others to bring up, too.
Stay calm, in other words. Assume your representative is sane and really wants to do what's right and what most people want, based on the input he or she gets. Your trick is to become part of that input, and right now the input you need to give must be strong and focused because Congress is caught up in post-attack hysteria and, like the rest of us, is saying, "We need to do something to help those poor victims and their families and make sure nothing this awful ever happens again."
The only problem here is that what Congress does is make laws, not post on Slashdot, and a law made in the same emotional heat as a flame post on Slashdot can't be moderated down to -1 after it is passed. Once that law is on the books, if you break it you can be arrested, tried, and fined or sent to jail. You've heard the saying, "If [guns/crypto/brains] are outlawed, only outlaws will have [guns/crypto/brains]." It's true, you know.
Right now, legitimate Americans are in danger of having many of their Constitutional freedoms revoked by a government that is doing its best, possibly in a misguided way, to protect its citizens. This is not about Disney's copyrights or the freedom to play DVDs on computers running Linux. The current debate is about much more basic issues than those, issues I will not repeat here because they have been written about so extensively elsewhere.
An Aside: How Congress Works
Rep. Rivers said it this way: "The House [of Representatives] is ruled by brute force." Since she was talking to geeks who follow such things, she used the DMCA as an example. She told us that the "unanimous" vote that got DMCA through the House was not really unanimous at all; that the bill got through a committee dominated by a powerful chairman (which is how bills generally get to the floor for a vote) and that the Speaker called for a voice vote. "Most yelled 'Aye,'" Rivers said, "and some yelled 'Nay.'"
The voices yelling "Aye" were the loudest, so DMCA passed by acclamation. Brute Force. People yelling at the top of their lungs. If 50 loud voices had yelled "Nay" instead of "Aye," perhaps we wouldn't have the DMCA as law today, and the EFF wouldn't be begging for money to get it overturned in the courts.
Now think about a Member of Congress who is hearing, right now, from all the "Kill-the-Arab-bastards-and-stamp-out-Internet-porn" crowd loudly and repeatedly by phone, fax, mail and email, but isn't hearing from you. Who is shouting the loudest? Which wheel is so squeaky that it is going to get the grease? So far, it's not the voices of reason and Constitutionality. They are getting drowned out. Heck, they are hardly there at all. At least Rep. Rivers isn't hearing them, and if she isn't hearing them -- with her ear attuned to Internet privacy matters and a totally Net-hip husband at her side -- you can bet the rest of Congress don't even know those voices (yours) exist.
Don't Delay! Do It Today!
Congress reconvenes Friday, September 21. The anti-privacy bills and anti-privacy amendments to various anti-terrorist bills are being written now, not someday. This means you must act immediately. If you put off those calls and emails to friends asking them to help support their right to communicate with each other in private, and to live without fear of police breaking down their doors or seizing their computer hard drives without warrants for even a few days, it is going to be too late. We are in the grip of national hysteria. A $40 billion appropriations bill to support the war on terrorism was passed a few days ago, with bipartisan support, almost without debate. I'm going to admit that I am as ready to kick terrorist butt as anyone else, so I can't really blame Congress for being so gung-ho that it will pass all kinds of measures that will make America a less free country for decades to come in response to the current emergency. All I'm really asking Congress to do -- and asking you to join me in asking Congress to do, and to convince 13X13X13.... others to ask your Representative and your Senator to do -- is remember that the freedoms that make this country great must not be forgotten in our rush to avenge our fallen fellow Americans and our attempts to keep ourselves safe from future terrorist attacks.
Specifically (concentrate on one issue, remember), as a Net user I am concerned about watching our online privacy and freedoms evaporate if the government makes strong cryptography illegal or tries to have it controlled by agencies like the NSA, CIA, and FBI, or starts reading all of our private email without due cause and legitimate judicial warrants.
The deadline is Friday. That's when the legislative fur will start to fly. So let's get to work now!
-
IETF on DRM, Internet Faxing
Rich Salz writes: "The Internet Research Task Force, a sister of the IETF, has a research group on Internet digital rights management. Ebooks, secure content, no-fair-use (sic), etc. According to a presentation at the last IETF, one of the group's work items is to influence other IETF activities to support/architect DRM. IDRM membership is open to anyone, presumably including nay-sayers." Meanwhile, the IETF has put on hold its work toward an internet fax standard, as Adobe and Xerox squabble over a file format. -
IETF Debates On: MPLS Is Bad
A reader writes "MPLS, or Multi-protocol Label Switching, seems to be a popular choice for router vendors nowadays until two AT&T researchers argue it differently. They "say MPLS creates serious network management challenges for Internet backbone providers." "Even more dire are their warnings about potential security and privacy problems for companies that deploy MPLS-based VPNs." This issue will be discussed at an IETF meeting held this week in London. More details here." Related to the IETF, this submission came in: "The Internet Engineering Task Force (IETF) is now meeting in London for IETF-51. You can watch multicast sessions." -
IETF vs. ICANN
Ian Lance Taylor writes: "Two IETF drafts were filed today which fire a shot across ICANN's bows. They say that anybody who introduces a new version of an existing TLD is destabilizing the DNS--even ICANN. These are still only drafts, mind, not standards. They both acknowledge input from Karl Auerbach, the member of ICANN's board who was elected by North America. The drafts are Alternative Roots and the Virtual Inclusive Root and Root Server Definitions." The IETF drafters are attempting to define a system where non-ICANN TLDs can easily be added. ICANN is set to push their one root concept of operations where ICANN gets absolute authority over internet naming. All ICANN PR is geared toward presenting the ICANN-only plan as being necessary for "internet stability". -
Interplanetary Internet (IPN)
Marc Petit-Huguenin writes: "Vinton G. Cerf and others just released an Internet Draft about the Architectural Definition of the Interplanetary Internet (IPN). The first section "Desiderata of Interplanetary Internetworking" is a wonderful text." This is beautiful, both the document itself and the work put into something which, at the present time, has no practical use whatsoever. Bravo... I hope I live to see this deployed. -
Slashback: Reviews, Resources, Pogo
As usual, updates and tangents from previous stories in tonight's Slashback. Read on for more on toys from Pittsburgh, the newest iteration of the Magician-named distro, open source directory entries, and everyone's favorite trademark dispute. So hit the button. For better, for worse, for what it's worth. Thanks to the people who pointed out reviews of Mandrake 8.0 after I complained about a dearth of these when posting a couple of other reviews.
Chris "soup" Campbell, for instance, points to his 8.0 review at Binary Freedom, and the_rev_matt writes: "Timothy was bemoaning the lack of Mandrake 8.0 reviews, so here is one." There's also a pctalk.org review discussed at the excellent Mandrakeforum site, as well as quite a few harsher comments when the release was announced. (I wish other distros would put comments in a forum like this, too.)
You know, 'bouncy bouncy'! Illah Nourbakhsh of CMU's CS lab (the same folks who brought you the Palm Pilot robot kit) writes: "... So here is the newest thing we've done. We make one-legged hopping robots that use an unusual spring system. We wondered what would happen if we scale the hopping robot up so it's much larger than 6 inches-- big enough to carry a human being. Then we can throw away the computer and the human can do the control. The result, the BowGo, enables ordinary humans to jump very, very high into the air and over obstacles. It is a far more powerful Pogo stick. http://www.cs.cmu.edu/~bowgo - there are both pictures and videos available from there. This is from the Toy Robots Initiative at Carnegie Mellon University."
Please give these people your venture capital, because I want to ride one of these! Mountain pogo-ing looks fun.
How can a jump rope be "open"? An unnamed reader contributes: "I've kept my eye on the guys over at the open source directory since I saw them take a good tongue lashing on /. a few weeks ago. They aren't doing too bad getting some listings, but the ones they have gotten seem to be making some waves. By my math, it looks like they've somehow gotten *two* new open source licenses passed through the boys at OSI (open source initiative) since they started three weeks ago."
Well, my tongue is out of lashing practice, but queries for "nano," "bluefish," "gimp" and "python" all return zero matches, so it doesn't seem like the first place I would go "to find Open-Source applications that are stable." The site still looks like a good idea, but is it eclipsed by existing resources? Maybe if enough people go visit it and add entries ...
A high-security remote terminal app by any other name nodvin writes: "In a Slashdot story on Mar. 22, 2001, it was stated Secure Shell Will Remain 'SSH'. However, the draft documents now start with the title "draft-ietf-secsh-" rather than "draft-ietf-ssh". The charter is now found at: http://www.ietf.org/html.charters/secsh-charter.html and the mail archive is now at: ftp://ftp.ietf.org/ietf-mail-archive/secsh/ " Say it ain't so.
-
NymIP: Anonymity At The IP Layer
Eloquence writes: "NymIP is a new project that aims to set a standard for Internet anonymity at the IP level. It was started by Zero Knowledge Systems, but is now led by Harvard's Scott Bradner, an IETF member. Some of the biggest players in the field participate in the project, which will be introduced at the 49th IETF Meeting that starts today." Comments especially sought from anyone who attends that meeting. -
The Fight For End-To-End: Part One
Stanford University held a workshop last Friday - The Policy Implications of End-to-End - covering some of the policy questions cropping up which threaten the end-to-end paradigm that serves today's Internet so well. It was attended by representatives from the FCC, along with technologists, economists, lawyers and others. Here are my notes from the workshop. I'm going to try to skip describing each individual's background and resume, instead substituting a link to a biography page whenever I can. (Part one of two.) The summary provided by the conference organizers has a brief description of end-to-end:
"The "end-to-end argument" was proposed by network architects Jerome Saltzer, David Reed and David Clark in 1981 as a principle for allocating intelligence within a large scale computer network. It has since become a central principle of the Internet's design. End-to-end [e2e] counsels that "intelligence" in a network should be placed at its ends -- in applications -- while the network itself should remain as simple as is feasible, given the broad range of applications that the network might support." Another way to view end-to-end might be as a sort of network non-interference policy: all bits are created equal. The problem is that there are substantial economic incentives to treat bits differently, and these incentives are changing the architecture of the Internet in ways which may be detrimental to public values.
The workshop covered a number of areas:
- Voice over IP
- Network Security
- Quality of Service
- Content Caching
- Broadband
- Wireless
Jerome Saltzer started off with a technical overview of the end-to-end argument. In summary: digital technology builds systems of stunning complexity, and the way to manage this complexity is to modularize. For networking, this resulted in the layer model that many slashdot readers are familiar with. He suggested that designers should be wary of putting specific functions in lower layers, since all layers above must deal with that design decision. For a longer explanation, one can always read the original paper. If you've never heard of end-to-end before, I do suggest reading this paper before continuing. It's short.
First, Scott Bradner described two competing architectures for voice-over-IP protocols: one which employs central servers to direct and manage calls (the Media Gateway Control model, or Megaco), and one which puts most of the intelligence in the end-points, with the phones/computers originating the calls (the Session Initiation Protocol, or SIP). One important difference: SIP phones can use a central server to direct calls, but Megaco phones have no capability to act independently. Building a great deal of intelligence into the central servers is less end-to-end-compliant than building it into phones at the edges of the network.
One member of the audience pointed out that Federal law requires companies to build wiretapping capabilities into phone switches and wireless network equipment, and wondered how that would be implemented if the phones initiated the connections themselves (SIP). Traditional wiretapping is predicated upon the idea that there is a central server which all communications pass through. The panel candidly replied that when no central server is used and encryption is employed, wiretapping is difficult. One audience member pointed out that wiretapping at centralized switches is not the most effective way to do it, anyway -- since switches can be routed around and communications can be encrypted, the only truly effective way to wiretap would be to build tapping capabilities all the way at the edge of the network -- the phone itself. While some of the audience laughed, I think most of the participants also realized the dark undertones of this suggestion.
Next the discussion turned to innovation. In one model, the central servers would be controlled by companies with a vested interest in managing them conservatively, suppressing competition, etc. In the other, individuals would be able to create/control their own phones on the perimeter of the network, and the only barrier to innovation would be finding someone else to adopt your improvement as well so that the two of you could communicate. In the first model, innovations which benefited the company would be the only ones permitted. In the second one, any innovation which benefited the end-user would be possible.
Finally the discussion moved to a rarely thought about side effect of voice over IP. Universal service -- phone service to (nearly) every resident of the United States -- is funded through access charges on your phone bill. In effect, people in cheap-to-service areas are subsidizing those in expensive-to-service areas, ranging from the badlands of Nevada to wilderness areas of Alaska. From a societal point of view, ubiquitous access to telephones has been a great boon, but providing it requires a societal commitment -- otherwise people living outside of major population centers might never have phone service. Suppose now that traditional telephony is replaced by voice over IP, and no central servers are involved -- there would be no easy way to collect the access charges which subsidize outlying areas. While lowering such taxes may have widespread appeal, completely abandoning the commitment to universal service would be a great loss to society.
The next focus was network security. Firewalls are probably the most obvious breaks in the end-to-end paradigm -- after all, these devices' sole purpose is to stand in the way of network connections, and decide which are permitted and which are not. Participants brought up (but thankfully, quickly moved past) the true-but-useless point that if all operating systems were secured properly, there would be no need for firewalls.
Hans Kruse pointed out that if security must be implemented at the end anyway -- as it must if any incoming traffic is permitted through the firewall -- then there's no reason to do it at the center as well. David Clark put forth the useful distinction between mandatory and discretionary access controls -- mandatory controls being ones put into place by someone else, discretionary ones put into place by you. Discretionary controls do not violate end-to-end, but mandatory ones generally do. Michael Kleeman noted that the reasons firewalls are put into place include the desire to control the actions of users inside the firewall as often as the desire to control access from outside.
Doug Van Houweling spoke regarding Network Address Translation (NAT). NAT allows two networks to be joined together, and is typically used to join a network of machines with non-routable IP addresses to the global internet. NAT is an outgrowth of the limited availability of IPv4 addresses, but is also employed in some cases as a poor man's security measure. Generally, Houweling described NAT as an affront to end-to-end, because any application which requires transparency of addresses breaks, making end-to-end encryption impossible. Added to which, applications sometimes transmit data in the TCP/IP headers which NAT alters. The group noted that NAT can be eliminated simply by putting more addresses into circulation. Later in the workshop, Andrew McLaughlin talked about the address allocation process for IPv6 and said that it is shaping up to be much better than that for IPv4.
The workshop moved on next to Quality of Service. QoS in this case covers a wide range of proposals (and a few working implementations) for selectively speeding up or slowing down network traffic -- a sort of nice for network data flows. The "benign" use of QoS is to ensure that traffic which is strongly time-sensitive like videoconferencing or telephony gets priority over the download of NT Service Pack 16. There are less-benign uses: Cisco's 1999 White Paper which encouraged cable Internet operators to use Cisco's QoS features to speed up access to proprietary (read: profitable) content while slowing down content from competitors was the red flag in the QoS realm, raising concerns about the role of ISPs in traffic delivery and abuses by telecom carriers which are also content providers.
This segment started with an overview of QoS. There are several ways to implement QoS on a network. The simplest is to build a network with a capacity great enough to never be maxed out; if the network has sufficient bandwidth, there's no need to worry about QoS in the first place. There are costs, though, to maintain sufficient excess capacity on the network. This is called "adequate provisioning" if it is your preferred method of managing traffic, or "over-provisioning" if you prefer one of the other QoS approaches. The other ways under consideration are an integrated service architecture and a differentiated service architecture. The former would monitor and track each individual data flow -- the call you place to your mother in Singapore could be treated differently from the call you place to your grandmother in Kracow. The latter would only allow differentiation between classes of services -- all videoconferencing would be treated similarly, for example. Of the three, adequate provisioning is fully end-to-end while DiffServ is less so, and IntServ is highly non-compliant.
Jerome Saltzer (from the audience) made the point that no QoS technique provides real guarantees of service, and any technique except having plenty of excess bandwidth available violates the principles of end-to-end. He emphasized that people should be aware of the trade-offs.
Jamie Love mentioned not only the Cisco white paper but pointed out that this situation lent itself to behavior like that which has landed Microsoft in hot water -- using one's control of a particular system to speed up one's own content and impede competitors' from flowing. A member of the audience countered QoS would allow companies to create different levels of service -- pay more for fast access, less for slow access -- and that this was a good thing.
There were two distinct classes of problems identified. The first is similar to the distinction among methods for carrying voice over IP: the companies that control the QoS-enabled servers get to control who gets to innovate in QoS-related areas. The second, related problem is that of carriers using QoS features to promote their own content. The second problem has traditionally been solved by requiring a separation of carriage and content -- keeping the owner of the lines and the provider of content over those lines separate. The current FCC and FTC are not enforcing that traditional check against monopolization of content in telecommunications; thus it's likely that unless governmental policies change, AOL/Time Warner will be in a position to promote its own content through control of the cable Internet services it owns.
Doug Van Houweling then spoke and noted that the Internet2 project is taking a very strong stance promoting QoS, because that stance is seen as necessary to promote investment in Internet2 architecture.
An audience member spoke up and suggested that the best regulatory course would be regulation with a light touch -- regulation could provide the minimum necessary controls to provide really necessary QoS while disallowing abusive uses. At this point Deborah Lathen asked the $64,000 question: how would the FCC make this fine regulatory distinction? No one had a good answer to that question.
In Part two tomorrow: transparent caching, broadband and wireless access, and capitalism. -
The Fight For End-To-End: Part One
Stanford University held a workshop last Friday - The Policy Implications of End-to-End - covering some of the policy questions cropping up which threaten the end-to-end paradigm that serves today's Internet so well. It was attended by representatives from the FCC, along with technologists, economists, lawyers and others. Here are my notes from the workshop. I'm going to try to skip describing each individual's background and resume, instead substituting a link to a biography page whenever I can. (Part one of two.)The summary provided by the conference organizers has a brief description of end-to-end:
"The "end-to-end argument" was proposed by network architects Jerome Saltzer, David Reed and David Clark in 1981 as a principle for allocating intelligence within a large scale computer network. It has since become a central principle of the Internet's design. End-to-end [e2e] counsels that "intelligence" in a network should be placed at its ends -- in applications -- while the network itself should remain as simple as is feasible, given the broad range of applications that the network might support."Another way to view end-to-end might be as a sort of network non-interference policy: all bits are created equal. The problem is that there are substantial economic incentives to treat bits differently, and these incentives are changing the architecture of the Internet in ways which may be detrimental to public values.
The workshop covered a number of areas:
- Voice over IP
- Network Security
- Quality of Service
- Content Caching
- Broadband
- Wireless
Jerome Saltzer started off with a technical overview of the end-to-end argument. In summary: digital technology builds systems of stunning complexity, and the way to manage this complexity is to modularize. For networking, this resulted in the layer model that many slashdot readers are familiar with. He suggested that designers should be wary of putting specific functions in lower layers, since all layers above must deal with that design decision. For a longer explanation, one can always read the original paper. If you've never heard of end-to-end before, I do suggest reading this paper before continuing. It's short.
First, Scott Bradner described two competing architectures for voice-over-IP protocols: one which employs central servers to direct and manage calls (the Media Gateway Control model, or Megaco), and one which puts most of the intelligence in the end-points, with the phones/computers originating the calls (the Session Initiation Protocol, or SIP). One important difference: SIP phones can use a central server to direct calls, but Megaco phones have no capability to act independently. Building a great deal of intelligence into the central servers is less end-to-end-compliant than building it into phones at the edges of the network.
One member of the audience pointed out that Federal law requires companies to build wiretapping capabilities into phone switches and wireless network equipment, and wondered how that would be implemented if the phones initiated the connections themselves (SIP). Traditional wiretapping is predicated upon the idea that there is a central server which all communications pass through. The panel candidly replied that when no central server is used and encryption is employed, wiretapping is difficult. One audience member pointed out that wiretapping at centralized switches is not the most effective way to do it, anyway -- since switches can be routed around and communications can be encrypted, the only truly effective way to wiretap would be to build tapping capabilities all the way at the edge of the network -- the phone itself. While some of the audience laughed, I think most of the participants also realized the dark undertones of this suggestion.
Next the discussion turned to innovation. In one model, the central servers would be controlled by companies with a vested interest in managing them conservatively, suppressing competition, etc. In the other, individuals would be able to create/control their own phones on the perimeter of the network, and the only barrier to innovation would be finding someone else to adopt your improvement as well so that the two of you could communicate. In the first model, innovations which benefited the company would be the only ones permitted. In the second one, any innovation which benefited the end-user would be possible.
Finally the discussion moved to a rarely thought about side effect of voice over IP. Universal service -- phone service to (nearly) every resident of the United States -- is funded through access charges on your phone bill. In effect, people in cheap-to-service areas are subsidizing those in expensive-to-service areas, ranging from the badlands of Nevada to wilderness areas of Alaska. From a societal point of view, ubiquitous access to telephones has been a great boon, but providing it requires a societal commitment -- otherwise people living outside of major population centers might never have phone service. Suppose now that traditional telephony is replaced by voice over IP, and no central servers are involved -- there would be no easy way to collect the access charges which subsidize outlying areas. While lowering such taxes may have widespread appeal, completely abandoning the commitment to universal service would be a great loss to society.
The next focus was network security. Firewalls are probably the most obvious breaks in the end-to-end paradigm -- after all, these devices' sole purpose is to stand in the way of network connections, and decide which are permitted and which are not. Participants brought up (but thankfully, quickly moved past) the true-but-useless point that if all operating systems were secured properly, there would be no need for firewalls.
Hans Kruse pointed out that if security must be implemented at the end anyway -- as it must if any incoming traffic is permitted through the firewall -- then there's no reason to do it at the center as well. David Clark put forth the useful distinction between mandatory and discretionary access controls -- mandatory controls being ones put into place by someone else, discretionary ones put into place by you. Discretionary controls do not violate end-to-end, but mandatory ones generally do. Michael Kleeman noted that the reasons firewalls are put into place include the desire to control the actions of users inside the firewall as often as the desire to control access from outside.Doug Van Houweling spoke regarding Network Address Translation (NAT). NAT allows two networks to be joined together, and is typically used to join a network of machines with non-routable IP addresses to the global internet. NAT is an outgrowth of the limited availability of IPv4 addresses, but is also employed in some cases as a poor man's security measure. Generally, Houweling described NAT as an affront to end-to-end, because any application which requires transparency of addresses breaks, making end-to-end encryption impossible. Added to which, applications sometimes transmit data in the TCP/IP headers which NAT alters. The group noted that NAT can be eliminated simply by putting more addresses into circulation. Later in the workshop, Andrew McLaughlin talked about the address allocation process for IPv6 and said that it is shaping up to be much better than that for IPv4.
The workshop moved on next to Quality of Service. QoS in this case covers a wide range of proposals (and a few working implementations) for selectively speeding up or slowing down network traffic -- a sort of nice for network data flows. The "benign" use of QoS is to ensure that traffic which is strongly time-sensitive like videoconferencing or telephony gets priority over the download of NT Service Pack 16. There are less-benign uses: Cisco's 1999 White Paper which encouraged cable Internet operators to use Cisco's QoS features to speed up access to proprietary (read: profitable) content while slowing down content from competitors was the red flag in the QoS realm, raising concerns about the role of ISPs in traffic delivery and abuses by telecom carriers which are also content providers.
This segment started with an overview of QoS. There are several ways to implement QoS on a network. The simplest is to build a network with a capacity great enough to never be maxed out; if the network has sufficient bandwidth, there's no need to worry about QoS in the first place. There are costs, though, to maintain sufficient excess capacity on the network. This is called "adequate provisioning" if it is your preferred method of managing traffic, or "over-provisioning" if you prefer one of the other QoS approaches. The other ways under consideration are an integrated service architecture and a differentiated service architecture. The former would monitor and track each individual data flow -- the call you place to your mother in Singapore could be treated differently from the call you place to your grandmother in Kracow. The latter would only allow differentiation between classes of services -- all videoconferencing would be treated similarly, for example. Of the three, adequate provisioning is fully end-to-end while DiffServ is less so, and IntServ is highly non-compliant.
Jerome Saltzer (from the audience) made the point that no QoS technique provides real guarantees of service, and any technique except having plenty of excess bandwidth available violates the principles of end-to-end. He emphasized that people should be aware of the trade-offs.
Jamie Love not only mentioned the Cisco white paper but pointed out that this situation lent itself to behavior like that which has landed Microsoft in hot water -- using one's control of a particular system to speed up one's own content and impede competitors' from flowing. A member of the audience countered that QoS would allow companies to create different levels of service -- pay more for fast access, less for slow access -- and that this was a good thing.
There were two distinct classes of problems identified. The first is similar to the distinction among methods for carrying voice over IP: the companies that control the QoS-enabled servers get to control who gets to innovate in QoS-related areas. The second, related problem is that of carriers using QoS features to promote their own content. The second problem has traditionally been solved by requiring a separation of carriage and content -- keeping the owner of the lines and the provider of content over those lines separate. The current FCC and FTC are not enforcing that traditional check against monopolization of content in telecommunications; thus it's likely that unless governmental policies change, AOL/Time Warner will be in a position to promote its own content through control of the cable Internet services it owns.
Doug Van Houweling then spoke and noted that the Internet2 project is taking a very strong stance promoting QoS, because that stance is seen as necessary to promote investment in Internet2 architecture.
An audience member spoke up and suggested that the best regulatory course would be regulation with a light touch -- regulation could provide the minimum necessary controls to provide really necessary QoS while disallowing abusive uses. At this point Deborah Lathen asked the $64,000 question: how would the FCC make this fine regulatory distinction? No one had a good answer to that question.
In Part two tomorrow: transparent caching, broadband and wireless access, and capitalism. -
Don't Believe The Quickies
Gleb sent us an IETF draft for electricity over IP (yeah it's old, but it's funny). dbcooper noticed that New Scientist mentioned a kit spaceship for $500k. Oh, and here's some (warning! 18 and over!) Odd Javascript that I can't even begin to describe, but it's so odd that I just had to share it. l@ps@n pointed out some Star Wars Origami that is actually pretty sweet. Mr. Fusion urges us to fry that Voodoo3 with two neon sign transformers and watch the fireworks. Phrogman noted that SpaceRef has posted some amazing time-lapse movies assembled from the Hubble space telescope showing stars blowing gas (insert joke here). zenray noted that this month's SC Magazine does a market survey about tools needed to do a forensics-quality copy of disk drives. Basically the requirement is to be an exact byte-for-byte copy; 'dd' gets their BEST BUY award. Congrats! mommydearest wrote in to plug that Ultimate Chaos is hosting the Ultimate AOL CD Invention contest here (grand prize is an IDE RAID controller!). Best I ever came up with was wallpaper (during my cubist period I filled up a wall). An anonymous reader found the x10-men which ain't exactly X10, and it ain't exactly X-Men, but it is truly frightening. And finally, what with the election coming up and all, it's a good thing that LafinJack wrote in to let us know that Joe Lieberman and Dick Cheney have joined the ranks of political Quake 3 skins available. Taunt and kill them before doing so becomes treason! -
A Metric Ton of Quickies
Step right up ladies and gentlemen and behold, quickies so amazing that you may not want to stare directly at them. First up, a trio of Microsoft bits: Ethan sent us an RFC for writing RFCs in Word. Russ pointed us to a great entry contained within the Microsoft knowledge base. And an anonymous reader noted that Boardwatch is selling BillGatus of Borg posters again. You may need a soundtrack for this one: chisox sent a bit about Jem Finer composing a thousand year song (and a machine to play it). If generative music ain't your thing, Jason noted that MC (Stephen) Hawking has made some of his R&B and Rap cuts available in MP3 format. And while it isn't exactly music, several folks showed us the way to best learn about Semiconductors: have Britney Spears teach it. wishus's submission is much less educational: he's kissing up to me by telling us that Sarcasta's latest update is an in-depth study on Carpal Tunnel Syndrome. If you need some images to enlighten and amuse, B.D.Mills noted that stinky meat is back if you didn't get enough the first time, Ant sent us the correct use for the new Mac cubes, and danfairs sent us a picture of... well, a fire extinguisher. table and chair pointed us to Political Arena, a Quake 3 mod where you blow up the political candidates (is this treason once one of them gets elected?) If blowing up Bush isn't enough stress reduction for you, einstein has shown us how best to customize your case and void your warranty in one swing. Of an axe. Kartoffel wrote a CueCat interface for BeOS as well as a Mr T vs. CueCat Comic Strip. Even more offensive than another Mr T vs. episode is a comic featuring Admiral Ackbar debating Napster sent in by georgeha. Last of all, if you didn't know, Spinal Tap is back out in limited release. God what a great flick. Just figured I'd mention it ... -
Dick Armey's Freedom Page
trinitishwar writes "House Majority Leader Dick Armey (R-Tex.) has a site where you can vote to express your opinion on Carnivore: http://www.freedom.gov/vote/vote4.asp. Just let him know how you feel." The poorly-worded poll is for political purposes (TexasCowboy23 points out the House putting pressure on Reno at this exact moment) but it doesn't hurt to vote anyway. What I want to know is, where in RFC 2146 does it say a politician can own FREEDOM.GOV?! Complete with 468x60 banner ads promoting Deep Thoughts by Dick Armey ("Cloning is the way amoebas reproduce") and his other site FLATTAX.GOV. I guess this started when nobody made serious complaints about GOP.GOV (see Jim Warren's comments and an Armey staffer's response back in December) ... did someone change the rules when I wasn't looking? -
WAP Under Fire
Recently WAP has come under serious criticism from a wide variety of places... Angus wrote a short piece saying that it'll be replaced. IcesTorm-I sent us a message on an IETF mailing list criticizing the format and suggesting that we use open formats like LEAP instead. Even Microsoft rejects the standard. Slashdot has supported WAP (well, kinda anyway) since I got bored a few months ago and slapped it together, and I'd tend to agree that it's a crappy standard, but more due to the limitations of the devices that use it. (Note: if anyone has a PDA format they're dying for on Slashdot, send diffs -- not requests! We're working on some PDA formats, but there are only so many hours in the day, and we don't have devices that can do most of the formats users email me asking for.) [Updated 7 July 18:25 GMT by timothy] Readers may also be interested in a WAP report prepared by Rohit Khare for 4K Associates, which is probably the most incisive (and one of the most critical) analyses on the topic to be had anywhere. -
Do You Permit SMTP Verify?
John Murdoch asks: "If you're administering a mail server, you are probably familiar with the SMTP VRFY command. I'm very curious to hear from Slashdot readers who are: 1) using mail servers that do not support VRFY (it technically is not mandatory under RFC 821); or 2) use mail servers that support VRFY, but have disabled it. I'd also love to hear from anyone who knows of mail servers that do ugly things if VRFY commands are sent (Microsoft Exchange 5.0, for example, hangs the Internet Mail Service if you send a VRFY for a valid address)." Do folks think that enabling VRFY is a good idea or a potential invasion of their privacy? (Read on...) "[With the] SMTP VRFY command you can verify the address of a user on your mail server. For example, if you sent 'VRFY CmdrTaco' to the SMTP server at SlashDot.org you'd get back "250 OK"; if you sent "VRFY CmdrChalupa" you'd probably get back "550 User is a little dog in a fast food commercial for somebody else" or something similar.
Or you would--IF your mail server will respond to VRFY messages.
Why do I want to know? I'm developing an e-commerce registration application for a major vendor to the semiconductor industry. The client produces some extremely dangerous materials, and wants to establish a rigorous authentication process for some systems. (You'd be surprised at how deadly some of the materials your chips are made of really are....) One small part of this is ensuring that the potential customer has a valid e-mail address.
If practically everybody permits (and supports) SMTP VRFY then we'll quietly check the user's address during registration. If a number of servers don't, then we'll resort to other, clunkier methods. (If you're wondering--there is a lot more authentication going on before we let you get anywhere near ordering nasty stuff. This is for a preliminary step in the process)."
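The VRFY exchange the post describes, as an added example that is not part of the original post or of the poster's registration application: a probe that sends VRFY and maps the reply onto the decisions a registration step can safely make, run against a small in-process server that behaves in the four ways the post anticipates (answers normally, has VRFY disabled, replies 252 without verifying, or hangs). The server, its single user, the addresses and the probe hostname probe.example are constructed for the demonstration.

```python
"""Added example, not from the original post: probe an address with SMTP VRFY and
interpret the reply. The registration step must tell "user exists" apart from
"server will not say", and must survive a server that hangs on VRFY. The server,
its user list and the probe hostname are constructed for the demonstration."""
import contextlib
import socket
import threading

VRFY_OUTCOME = {250: "exists", 251: "exists",            # 251 = will forward, address is known
                550: "no-such-user", 551: "no-such-user", 553: "no-such-user",
                500: "unsupported", 502: "unsupported", 504: "unsupported"}

def classify_vrfy(code):
    """252 'cannot VRFY but will accept', 4xx and anything odd all map to 'unknown'."""
    return VRFY_OUTCOME.get(code, "unknown")

def read_reply(f):
    """Read one SMTP reply, multi-line form included ("250-..." continues, "250 ..." ends)."""
    code, texts = None, []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply: %r" % line)
        code = int(line[:3])
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, texts

def vrfy_probe(host, port, user, timeout=10.0):
    """HELO, VRFY <user>, QUIT. Any failure or timeout is 'unknown', never a rejection."""
    if not user.isascii() or "\r" in user or "\n" in user:
        raise ValueError("refusing to send a user string with line breaks or non-ASCII")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            if read_reply(f)[0] != 220:
                return "unknown"
            s.sendall(b"HELO probe.example\r\n")                 # hypothetical probe hostname
            if read_reply(f)[0] != 250:
                return "unknown"
            s.sendall(b"VRFY " + user.encode("ascii") + b"\r\n")
            code, _ = read_reply(f)                              # raises socket.timeout if the server hangs
            s.sendall(b"QUIT\r\n")
            return classify_vrfy(code)
    except (OSError, ValueError):                                # socket.timeout is an OSError
        return "unknown"

def fake_smtp_server(users, mode="on"):
    """Constructed test server. mode: 'on', 'disabled' (502), 'noverify' (252) or 'hang'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                                           # listener was shut down
            with conn, conn.makefile("rb") as f:
                conn.sendall(b"220 mail.example ESMTP\r\n")
                for raw in f:
                    verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
                    if verb == "HELO":
                        conn.sendall(b"250 mail.example\r\n")
                    elif verb == "QUIT":
                        conn.sendall(b"221 Bye\r\n")
                        break
                    elif verb != "VRFY":
                        conn.sendall(b"500 Unrecognized command\r\n")
                    elif mode == "hang":
                        continue                                 # never answer, as the post says Exchange 5.0 does
                    elif mode == "disabled":
                        conn.sendall(b"502 VRFY disabled\r\n")
                    elif mode == "noverify":
                        conn.sendall(b"252 Cannot VRFY user, but will accept message\r\n")
                    elif arg in users:
                        conn.sendall(b"250 " + users[arg].encode("ascii") + b"\r\n")
                    else:
                        conn.sendall(b"550 No such user here\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    users = {"CmdrTaco": "<cmdrtaco@slashdot.example>"}         # constructed user list
    results = {}
    for mode in ("on", "disabled", "noverify", "hang"):
        srv, port = fake_smtp_server(users, mode)
        timeout = 0.5 if mode == "hang" else 10.0                # a hanging server must not stall registration
        results[mode] = (vrfy_probe("127.0.0.1", port, "CmdrTaco", timeout),
                         vrfy_probe("127.0.0.1", port, "CmdrChalupa", timeout))
        with contextlib.suppress(OSError):
            srv.shutdown(socket.SHUT_RDWR)                       # unblock accept() so the thread exits
        srv.close()
    return results
```

The design choice that matters is that a timeout, a 252, a 4xx reply, a disabled command or a dropped connection all come back as "unknown" rather than as a rejection: a server that is merely unwilling to verify, or that hangs the way the post reports Exchange 5.0 doing, must not cause a valid customer address to be refused, and the user string is checked for line breaks before it is ever written to the wire so that a registration form cannot smuggle further SMTP commands into the probe.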
-
Kerberos Loophole May Be Closed/Apple Getting Kerberos
Paul Boutin writes "The Industry Standard talked to Kerberos' principal author and all-around ubergeek Clifford Neuman about his proposed rewrite of the IETF Kerberos standard (RFC 1510) to close the loophole Microsoft has been using to create a non-interoperable version. " It also looks like Apple will be bringing Kerberos to OSX, in partnership with MIT. -
Microsoft vs. Slashdot Update
I spent some of yesterday and part of today (Saturday) on the phone with our law firm's intellectual property specialist discussing Microsoft's attempt to get us to remove reader posts about Kerberos. We're lucky to have a lawyer who "gets it." We're also lucky to have gotten some very favorable press about all of this. But, sadly, I can't really tell you much more right now than "we're still working on it" for two reasons:
- We're exploring a lot of angles and doing a lot of research, and in order to maintain attorney-client privilege we must keep all discussions with our lawyer *extremely* private.
- Microsoft's legal people (obviously) read Slashdot.
Meanwhile, Andover.net's management has been totally supportive. Our President, Bruce Twickler, deserves special thanks for his staunch backing and general coolheadedness. And our VP of Corporate Communications, Janet Holian, has done an excellent job of getting information out to other media while letting us work (comparatively) undisturbed.
There are also rays of light from the other end. I've gotten a small but steady trickle of e-mailed support messages from Microsoft workers who are embarrassed by their employer's actions both in rudely extending Kerberos and their attempt to "publish" their proprietary Kerberos extensions while still trying to keep them hidden behind a non-disclosure agreement.
Please bear in mind that many Microsoft employees are perfectly nice people. For all we know, the nice people at Microsoft may yet persuade the not-so-nice ones that there are times when it's better to work with others to establish industry-wide standards than it is to act as if the freedom to innovate belongs only to Microsoft.
(Special message to nice Microsoft people: Here's a quote you may wish to call to your bosses' attention: "...Kerberos is a multivendor standard, so it allows secure interoperability and the potential for single sign-on between the Microsoft world and other vendor environments." If they ask where you got these words, please refer them to this Microsoft.com page.)
Anyway, once again, please accept my personal apology for not being able to share more information with you right now. This is an uncomfortable situation for everyone involved, and we hope that Microsoft chooses to give this story a happy ending as soon as possible.
- Robin "roblimo" Miller
-
No Internet Wiretaps
Pig Hogger writes "It's official. The IETF has officially decided NOT to "consider requirements for wiretapping" in protocols, says this Wired.com story. Now that they won't touch it, does this mean that the vendors will implement it themselves? If so, I can't wait to see the backstabbing and fumbling that will happen when they try to keep their proprietary ways under wraps... What will we see, a CISCO wiretapping standard, which is thoroughly incompatible with the Lucent Bugging Protocol???"
-
Tap-Tap-Tapping the Net
The IETF will be considering building wiretapping into internet protocols (see previous slashdot story) tonight at their conference; the Washington Post has a story on the subject. A great many civil liberties and technically-oriented organizations have signed onto an Open Letter urging the IETF to reject any attempt to build snooping into the net. -
IETF and wiretapping standards
Anonymous Coward writes "I just noticed that the IETF has sent out a request for discussion dealing with the implementation of wiretapping in Internet Protocols. The motivation is based on laws some Governments have about telecommunication systems." The message and subscription information to their discussion email list, punningly titled "Raven", are available on the web. Oh, and "some Governments" includes the U.S. and most other countries, so I hope the IETF will get some good feedback. -
IETF draft on different IPv4 addressing scheme
skuzbunny writes "The IETF draft The Mathematical Reality of IP Addressing in IPv4 Questions the need for Another IP System of Addressing has some really interesting comments on IPv6. Quote: "I was indeed successful in the elimination of the problems associated with IP Address Flooding inherent in IPv4 and the complexities of IPv6. In short, small business and single family dwellings can now have the option of having their own private IP Addressing Scheme,"" Interesting, particularly if I understand the math correctly. Can anyone who's actually qualified to comment on this comment below? -
HTTP 1.1 approved by W3C and IETF