13:14 Received notice from the maintainer of JSON Smart about a fix to a serious serialisation bug.
14:45 Released updates for all affected JSON-RPC 2.0 packages: Base, Client, Server and Shell.
Go to the downloads section to get a copy.
JsWorld 2.7 with improved date/time parsing
With version 2.7 JsWorld received a small upgrade and a few small fixes to date, time and date/time parsing in JavaScript.
Case-insensitive parsing of dates
Weekday and months names, both in their full and abbreviated versions, are now parsed irrespective of case. This is done while taking care of world locales that don't have the notion of case (quite many actually).
So, for example, if you have the en_GB locale and your date format pattern is set to
POSIX_LC.en_GB.d_fmt = "%d/%b/%Y"
then the following input will parse to the same date:
17/Apr/2010 -> 2010-04-17 17/apr/2012 -> 2012-04-17 17/APR/2012 -> 2012-04-17
Do write us when you wish to have such features added to JsWorld. This particular one was requested by a customer who wanted to have more flexible parsing of dates. I'm considering making the date/time parser even more flexible, while staying completely on the safe side.
Fixed bugs in %e, %k, %l parsing
JsWorld 2.7 also fixes a few bugs that may cause incorrect parsing of date/time values against format templates that use the %e (day of the month as a decimal number, space padded), %k (hour in 24-h clock as a decimal number) and the %l (hour in 12-h clock as a decimal number) patterns.
If you're subscribed you should receive an email how to get this update shortly.
Browser-side JS numeric, currency and date/time formatting
It's now four years since JsWorld's inception and today the JavaScript l10n library is used in a range of web applications, from international online retail to finance and enterprise SaaS.
What are the advantages of applying numeric, currency and date/time formatting on the browser-side?
1. Clean separation of data and presentation.
In the spirit of modern Ajax + Web 2.0 apps the web server can supply the raw numeric, currency or date/time values in raw JSON or HTML which the browser-side JavaScript then formats accoring to the current locale. You can then have your business logic focus on the raw data and services, while the front-end is taking care of the presentation.
Example of currency data supplied as JSON:
{ "amount":"1500000.99", "currency":"GBP", "locale":"en_GB" }
Which then JsWorld takes to format accordingly as British Pounds :
£1,500,000.99
The data may alternatively be supplied as unformatted HTML elements which are then walked by a piece of JavaScript applying localised formatting according to their class (or some other attribute, e.g. "data-" in HTML5).
<span class="date">2012-01-09</span>
Which then if the current locale is set to Portuguese/Brazil (pt_BR) is converted to
9 de janeiro de 2012
JsWorld comes with a simple API which gives you plenty of flexibility in how the data is fed to the browser. It could arrive through JSON/XHR or XML or it could be static HTML.
2. Agile development
Now that you have clean separation between business data + logic and presentation layer your engineers can proceed with greater speed in developing and maintaining your applications. The back-end developers can concentrate on the data and the service process, your front-end developers on the user experience - without having to worry about intricacies of data l10n - this is JsWorld's task.
3. Conserve server resources
The localisation of data, if done repeatedly or on large data sets, can consume quite a bit of CPU resources. If you do that in your PHP/Java servlet/Ruby/etc code on the server-side this will cost your own resources. So why not shift this load to the browser-side? The effects could be small or more significant, depending on your web app and the amount of traffic you serve.
JsWorld is now in its 2.5 release and supports over 300 languages, 200 countries and 100 currencies.
JsWorld 2.5 with updated locale definitions
Just before going into the Christmas holidays we got out a new release of JsWorld, the most comprehensive JavaScript library for localised formatting and parsing of numbers, currency and date/times.
What is in the new release?
The locale definitions were updated to match the latest CLDR data from Unicode. JsWorld now supports 354 world locales, with some of them reflecting important recent changes, such as the new Indian Rupee sign which became official in 2011.
JsWorld 2.5 also fixes a bug which resulted in incorrect formatting of midnight time using AM/PM notation. Thanks to our customer who reported this problem.
The next locale updates are expected in the first half of 2012.
Merry Christmas to all of you 
The God particle - a projected reality?
The Large Hadron Collider, image CERN
According to quantum theory observation affects reality. Could the God particle, the Higgs Boson, simply be projected reality?
One of the most astounding discoveries of quantum mechanics is that the very act of watching affects the observed reality. This was demonstrated in the minuscule world of waves and particles by a highly controlled experiment where electrons under observation change their "regular" wave-like behaviour to particle-like.
Today's news are filled with reports from the latest experiments at CERN claiming that the God particle, the elusive Higgs boson, was finally proven to exist. Since ancient times people have strived to explain the universe. The so-called Standard Model theory is the modern take of scientists at that. A theory, however, must be proven experimentally in order to be accepted as true, and there a crucial missing piece for many years was the Higgs boson. And now that its existence is finally validated, scientists are one step closer to proving their theory of (almost) everything.
But wait a minute - if observation plays such a gigantic role in the subatomic world - what is then the likelihood of the detected traces of the Higgs particle simply being observer effects of the experiment and that mammoth machine behind it, the Large Hadron Collider? How much of these building blocks of matter is simply there because we're looking for them?
Fantasy turned reality - ironically, this was the title of the Economist's cover story on the God particle today
Би Ти Ви или как ни се програмира съзнанието
Гледате ли телевизия и добре ли се чувствате след новините?
Илиан, мой приятел от салсата и рейки, редовно ни провокира с разни неща за размисъл, които после генерират едно огромно количество коментари Поводът днес беше следния "цигарен" колаж за една от нашите национални телевизии Би Ти Ви и що за информационен канал са те. 
Ако сте запознати с невролингвистичното програмиране (NLP) лесно ще забележите, че от всички местни телевизии Би Ти Ви са най-напред с техниките за повлияване на съзнанието. А целта - тя е съвсем проста - повече пари от реклами и повече власт. Защото в същината бизнес моделът на големите съвременни телевизии е съвсем прост - събиране на максимално количество втренчени погледи за продаване на реклами. А когато зад тях стоят и хора с желание за власт и политически интереси - тогава и пропаганда. Повече или по-малко скрита.
Лесно е да се види защо Би Ти Ви са толкова "добри". Нужно е само да се сетим, че телевизията е клонинг от медийната империя на Рупърт Мърдок, който има нескрити политически и властови интереси, при това глобални. За една такава медийна машина като News Corporation, простираща се на пет континента, просто няма как да не разполагат с персонала и похватите за едно такова ТВ програмиране. Не изключвам при създаването на Би Ти Ви специален екип от компанията майка да е бил пратен тук в България именно с цел такъв инструктаж.
Най-простият начин да установите как даден информационен канал ви действа психически е като се запитате как се чувствате. По-добре ли се чувствате след това? Или нещо сериозно е разбъркало мозъка ви?
А последното, това при Би Ти Ви се прави като по учебник
Забележете например как се формулират текстовете на новините. Просто на ниво думи и граматика. Всяка новина обикновено тръгва с кратко въвеждащо отрицателно изречение, което после бива последвано от постепенно по-дълги изречения. Първото изречение е кратко за да фиксира вниманието (шок) и да наложи общ емоционален фон на цялото послание, а последващите изречения са "въвеждане" на самото послание (защото при тях човек вече по-малко мисли и по-лесно се приемат подсъзнателно).
А защо има толкова много негативизъм в новините?
Отговорът е лесен: колкото по-стресиран, несигурен и дезориентиран е човек, толкова по-вероятно е да остане с убеждението, че нещо му липсва. И после - дрън - идва сублимния момент - време за реклама
При това рекламата често се вкарва на максимален контраст. Примерно, сцена с прегърбени и мизерно изглеждащи пенсионери чакащи на опашка с оръфани дрехи. И веднага след това - дрън - реклама на козметичен продукт, където се показва супер и до нереална красота обработен образ на жена манекенка
За внушаване на недоимък (т.е. че ти трябва нещо) любима думичка е НЯМА. Тя най-добре се вкарва във въвеждащите кратки изречения за дадена новина, при това най-отпред.
Няма да има увеличения на пенсиите.
Дори положителна новина по-този начин бива обръщана чрез отрицателно изречение, където отново в началото се заковава това НЯМА. Примерно, новина че болница в еди кой си град ще продължи да работи се обръща на следното
Няма да бъде закрита болницата в...
И други такива:
Не беше постигнато съгласие на срещата на...
Няма пари за бюджет 2012...
Но думите като такива са само малко част от информационния поток. Изследвания са показвали, че понякога над 80% от информацията се приема по-други канали, като интонация и езика на тялото.
Разпускащи, усмихнати и спокойни ли изглеждат говорителите по новините?
Или по-скоро имате усещане за някакво неспокойствие (дори на външен план уж да не изглежда така)?
Обърнете внимание на тона, интонацията и скоростта на изговаряне на думите. По принцип, когато човек говори малко по-бързо и монотонно, тялото е вдървено, а погледът сравнително неподвижен - тогава зрителят възприема повече сигнали за несигурност. Все едно сте ученик пред дъската, а водещият е някой даскал, който не ви мисли доброто
Мой колега също сподели и друга психологическа особеност на гледането на телевизията, а именно че при прикован и неподвижен поглед мозъкът по-принцип е податлив на хипнотично въздействие.
А за капак на менталното програмиране при Би Ти Ви идва лозунгът "Новините - Всички гледни точки"... са нашите
Решението да излезете от тази матрица е съвсем лесно - просто изключете дистанционното. Може би в началото няма да е лесно, защото гледането на телевизия и особено на новините може да е станало почти зависимост. Но ще си струва, за доброто на вашата душа и ум
Аз не гледам новини по телевизията и това никак не значи, че не съм информиран какво става в България. Даже по-ясни започнаха да ми стават много неща Светът извън телевизията е много по-спокоен и там има много повече решения и хубаво настроение отколкото предполагате
LDAP schema for Secure Remote Password authentication
Here is a simple LDAP schema for storing Secure Remote Password (SRP-6a) authentication credentials. It defines an object class srp6Account which can be attached to any directory entry to enable SRP-6a authentication for it. The SRP salt and verifier are stored in a text attribute called srp6Verifier.
dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema attributeTypes: ( 1.3.6.1.4.1.31487.3.1 NAME 'srp6Verifier' DESC 'Stores SRP6 salt and verifier, in hex and delimited by semicolon' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications ) objectClasses: ( 1.3.6.1.4.1.31487.3.2 NAME 'srp6account' DESC 'Account with SRP-6a authentication support' SUP top AUXILIARY MAY srp6Verifier )
The following format is suitable for storing the Secure Remote Password credentials:
srp6Verifier: [hex-string-salt];[hex-string-verifier]
The salt and the verifier are hex encoded (to save space and avoid ambiguity) , separated by a semicolon.
Example:
srp6Verifier: b24c9bc199aafd143a94;10b3a3986ec57075d1a8f83bafc3350f582f6bd08064d3a09b9f5b4cdcf21c6ee
Check out Nimbus SRP if you're looking for a solid and well documented Secure Remote Password library.
New prices
This week the [d]zhuvinov [s]oftware website was redesigned and received new prices too!
As of today the prices for JsWorld, the JSON-RPC Shell and new Nimbus SRP library are listed in three major currencies: Euros, British pounds and US dollars. With that more people should be able to shop in their own currency.
In the next few days we'll add more docs to the Nimbus SRP library. It came about as a side-product of the most recent Json2Ldap feature - support for Secure Remote Password (SRP-6a) authentication for LDAP directory users. After having reviewed so many implementations of the protocol, and having found nothing that truly suit us, we sat down and coded Nimbus SRP. From scratch and with the lessons from the other works in the field. Today Web SRP 1.1 is probably the most complete and versatile toolkit you can get. Stay tuned!
LDAP directories, explained in 1 minute
An LDAP directory is a type of hierarchical NoSQL storage. A quick way to explain the essence of LDAP is by drawing a comparison to a computer file system which people are familiar with.
LDAP directories share many similarities with a file system
Overall organisation
- A file system consists of files in a tree-like structure.
- An LDAP directory consists of entries in a tree-like structure.
Data types
- A file in a file system is an arbitrary blob of text or binary data.
- A directory entry is a collection of attributes, or name / value pairs. Attributes may be text or binary. They may be mandatory or optional, single or multi-valued.
Naming
- A file in a file system has a name, e.g. "tax-report-2010.xml". The file name must be unique within the containing folder.
- An entry in a directory branch has a relative distinguished name (RDN), e.g. "cn=Alice Wonderland". The RDN comes from an existing name/value pair in the entry that was chosen to become the entry's name (or title). RDNs must also be unique within the containing directory branch.
Global naming
- A file in a file system is uniquely identified by its path, e.g. "/home/vladimir/taxes/tax-report-2010.xml".
- An entry in a directory is identified by its distinguished name (DN), which is formed by the chain of RDNs leading all the way to the directory root, e.g. "cn=Alice Wonderland, ou=people, dc=wonderland, dc=net".
Here is a truncated example directory entry of a user, in LDIF (LDIF stands for LDAP data interchange format).
The distinguished name (DN) is in bold, the name/value pair serving as RDN is slanted.
dn: uid=alice,ou=people,dc=wonderland,dc=net uid: alice objectClass: inetorgperson objectClass: organizationalperson objectClass: person objectClass: top cn: Alice Wonderland sn: Wonderland employeeNumber: 18001 givenName: Alice initials: AA mail: alice@wonderland.net mobile: +1 010 154 3228 userPassword:: c2VjcmV0
If you like this analogy explanation of LDAP you're welcome to use it in your own presentations
Secure Remote Password (SRP-6a) compatibility issues
Secure Remote Password (SRP) is a clever protocol for secure username + password based authentication where the client doesn't reveal the actual password to the server, at any time. The password remains entirely private to the user. What the server stores and deals with during authentication are cryptographically secure one-way values that the client derived from the password. So if communication between client and server or the underlying server database is compromised, there is no technical risk of the intruder finding out the user password. The merits of SRP are discussed at greater detail on Tom Wu's website who is the protocol designer.
Despite its virtues SRP is not particularly well known and widely used. I personally found about it when a customer requested SRP-6a authentication to be added to the Json2Ldap directory web service. My guess is that most developers find transmission of passwords over TLS/SSL and storing them in some hashed form (e.g. SHA1) good enough for most purposes. If you however run a low-budget web service and don't want to purchase an SSL certificate SRP is the best alternative for secure authentication over plain HTTP.
There are a number of libraries implementing the latest version of Secure Remote Password, namely SRP-6a. I was particularly interested in Java and JavaScript support as these are the languages I use most. For example, a good general purpose Java crypto library that covers SRP-6a is the one produced by Bouncy Castle.
Mixing libraries, however, is very likely to lead to compatibility issues. This may occur if you want to use one library on the server side (e.g. Java) and another on the client (e.g. JavaScript).
Here is a list of the four likely compatibility issues with SRP:
Compatibility factor #1: Choice of initial crypto constants - N and g
SRP must be preset with two initial (public) parameters - a safe prime number (N) and a generator (g). These must be agreed in advance between client and server. The practical approach is to have the server manage these and make them available to clients on request. This way, the client does not need to anticipate or otherwise keep track of which parameters are used for which users or servers; it only needs to verify their validity, which can be done mathematically or by simple table lookup.
Unfortunately, many client libraries employ hard-wired values for N and g.
For servers, look for implementations which have configurable N and g, to allow a choice of optimal bitsize lengths for N, e.g. 256 bit, 512 bit and 1024 bit. Shorter primes speed up the crypto computations while longer ones provide better protection.
For clients, look for generic implementations which allow N and g to be set through the client API, typically from values passed by the server.
Compatibility factor #2: Hash function
Similar to the N and g parameters, client and server must also employ the same hash function throughout the crypto computations. Otherwise the protocol will not work. Commonly used hash functions are SHA-1, SHA-256 and SHA-512. Here again it is advisable to have the server set the preferred hash function.
For servers, look for implementations which allow selection of a digest algorithm, so you can choose the optimal one for your application case. While SHA-1 may be good enough for many situations, SHA-512 provides increased security.
For clients, look for implementations which allow the hash algorithm to be set externally, to fit the server's choice.
Compatibility factor #3: Verifier computation
The verifier (v) is a special value derived cryptographically from the user password. The client stores it on the server when a new password is set; the server uses it then during authentication. The authenticating clients must use the same method for verifier computation as the client that uploaded the original verifier to the server, else authentication will fail.
The verifier (v) is computed from
v = g^x (mod N)
where x is a hash of the password and the password salt (s), and sometimes the username too.
Some clients base the hash on the simple concatenation of the salt (s) and password:
x = H(s || password)
while others make use of additional hashing that includes the username as well:
x = H(s || H(username) || H(password))
or something more complicated as (from SRP/TLS - see RFC 5054).
x = SHA1( s || SHA1( username || ":" || password))
When devising a web application or service, you have to make sure all clients employ the same method for x computation. This can be done by providing a default client and/or by communicating to developers the expected formula for the x hash creation.
When not to include username in the x hash?
Do not make username part of the x hash if users can have more than one login (e.g. username and email) or if the username is expected to change without an update to the password.
Compatibility factor #4: Validation messages
At the end of the authentication session client and server exchange validation messages.
M1 - а message from client to server. It completes the user authentication.
M2 - оptional message from server to client. It proves that the server has a valid verifier (v) for the user's password.
Together M1 and M2 can be used for mutual authentication.
The problem is that SRP implementations may have different methods for computing the validation messages, for example:
M1 = H(A || B || S) M1 = H(A || B || H(S)) M1 = H(H(N) xor H(g) || H(username) || s || A || B || H(S)) M2 = H(A || M1 || S) M2 = H(A || M1 || H(S))
If the M computation methods differ authentication will fail. Make sure that both server and client use the same method for computing M1 and M2.
How do some of Java libraries fare in terms of the above compatibility factors?
- Bouncy Castle: Allows for arbitrary choice of N, g and hash function. The implementation is however geared towards use of SRP for TLS (RFC 5054) and doesn't provide methods for validating M1 and M2. Also x = SHA1( s || SHA1( username || ":" || password)). The verifier (v) generator should have been an interface, not a hard-wired class.
- Jordan Zimmermann's SRPforJava: Hard wired parameters and hash function, the verifier is based on non-conventional concatenation of password and salt (s) so client and server implementations must use the same library.
With JavaScript (client) implementations the situations is more or less the same - hard-wired constants and hash function.
So what to do if you encounter a compatibility issue between the server and client libraries you're using? There's not much choice but modify the existing code. Fortunately, SRP code is relatively simple and the required touches to match the parameters, the hash function or the V, M1 or M2 methods small. If you need a good and flexible base Java server implementation, Bouncy Castle's is probably the best point to start.
Update 18 November 2011
Following our unsatisfactory experience with the listed Java SRP libraries we put ourselves to work and produced the ultimate Java library for Secure Remote Password authentication. It addresses all of the above issues: it is fully configurable in terms of crypto parameters 'N' and 'g' as well as hash algorithm 'H'; it provides interfaces for custom password key 'x' as well as client and server evidence message 'M1' + 'M2' routines. The library was extensively tested in the context of our Json2Ldap service and incorporates a number of lessons to make it easier to integrate into a complex server environment (session management, timeouts, arbitrary attributes).
Check it out for yourself: Nimbus SRP
