DrDobbs Portal Blog, Copyright 2009, Fri, 06 Nov 2009 13:57:53 -0500

You Have to Know How (and When) to Pick 'em

Who was it who said "hindsight is 20/20"? Whoever it was, they must have had me in mind when I picked the New York Yankees to win the 2009 World Series of baseball this past weekend. It's only a minor annoyance that the series wrapped up last week, a couple of days before I got around to making my picks.

Clearly Bruce Bukiet likes a challenge more than I, which is why he went to all of the trouble of picking the winner before the series began. But then Bukiet is a mathematician who is better equipped intellectually than me to take on such challenges. Bukiet, who is a professor at the New Jersey Institute of Technology (NJIT), used mathematical modeling techniques to compute the probability of the Yankees and Phillies winning the World Series.

Who did he pick? The Yankees, of course. His model gave the team a 70 percent chance of winning. How did he pick them? Bukiet's method uses the 2009 regular season statistics for each player on each team's roster. He then applies a Markov Process approach to modeling production of runs in baseball games. Bukiet first presented this mathematical model in 1997 in Operations Research, and it has since been used for a number of purposes, including predicting how many games a team should win in a season, the expected influence of trades, the value of wagering on a game and who is most deserving of Major League Baseball's most prestigious awards.

But Bukiet doesn't stop there. No, he has to put a little extra mustard on his ballpark hotdog by picking the Cy Young winners too. In doing so, he considers that the player's contribution is most heavily influenced by how well he has kept players off the basepaths over a large number of innings. According to Bukiet, Zack Greinke of the Kansas City Royals deserves the American League Cy Young Award, while in the National League, the Cy Young Award winner ought to be Tim Lincecum of the San Francisco Giants.

So you're probably wondering who I picked for the Cy Young awards. Hang on to that thought ... I'll let you know in a couple of weeks.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/11/you_have_to_kno.html Newsletter Ednote Fri, 06 Nov 2009 13:57:53 -0500

Survey Time Again, or Will a Hat Keep Your Head Warm?

There's a lot of rhetoric flying about -- but not much hard data -- about what IT departments and IT professionals actually do in practice to make fact-based decisions as to how to organize the work they do.

To address the issue and answer some questions, I'd like to invite you to participate in the November 2009 edition of Dr. Dobb's State of the IT Union Survey, compiled and coordinated by Senior Contributing Editor Scott Ambler. The goal of this ongoing survey series is to find out what IT professionals are actually doing in practice. The survey should take you less than 5 minutes to complete, and your privacy will be completely protected.

At the end of the survey, you will be given the chance to be entered into a draw for one of 10 copies of Leading Lean Software Development, by Mary and Tom Poppendieck (Addison Wesley, November 2009). Additionally, Dr. Dobb's again is giving you the opportunity to be entered in a draw for one of five official Dr. Dobb's hats.

The results of this survey will be summarized in a forthcoming article by Scott. This is an open survey, so the source data (without identifying information to protect your privacy), a summary slide deck, and the original source questions will be posted at www.ambysoft.com/surveys/ so that others may analyze the data for their own purposes. Data from previous surveys have been used by university students and professors for their research papers, and hopefully the same will be true of the data from this survey. The results from several other surveys are already posted there, so please feel free to take advantage of this resource.

This is on the heels of the September 2009 State of the IT Union Survey, which had similar goals. Scott presents the feedback and results of that survey here. It's interesting stuff.

But the big news is that five randomly selected participants should have received their official Dr. Dobb's hats by now. Congratulations to Lawrence Becker, David Radford, Rich Joyner, Thomas Mossberg, and Phil Sargeant. Thanks for participating, guys, and I hope the hats keep your heads warm and eyes shaded.

Don't miss your chance to get a Dr. Dobb's hat while they last. It just takes 5 minutes of your time to complete the survey and throw your hat in the Dr. Dobb's ring.

Go right now to Dr. Dobb's State of the IT Union Survey.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/11/survey_time_aga.html Newsletter Ednote Wed, 04 Nov 2009 11:58:49 -0500

Global Security Best Practices Released

As part of the release of Volume 7 of its Security Intelligence Report (SIRv7), Microsoft has included security best practices from countries that have consistently exhibited low malware infection. These best practices and security intelligence reports provide a valuable resource for business leaders who need to make accurate decisions based on the threats that are most pressing today.

According to Microsoft, infection rates and threats vary geographically, and SIRv7 contains proven best practices from countries with the lowest infections. For example, infection rates in Japan, Austria, and Germany remained relatively low during this period. The following best practices provide insight into how security experts in these regions keep resources safe from cyber threats:

  • Japan has seen its infection rates remain relatively low. This is due in large part to collaborations such as the Cyber Clean Center, a cooperative project between ISPs, security vendors, and Japanese government agencies to educate users.
  • Austria has implemented strict IT enforcement guidelines to lower piracy rates, and this -- along with strong ISP relationships and fast Internet lines, which aid in security-update deployment -- has helped ensure its generally low infection rate.
  • Germany has also leveraged collaboration efforts with its computer emergency response team (CERT) and ISP communities to help identify and raise awareness of botnet infections and, in some cases, quarantine infected computers.

Central to each of these regions is the growing trend of community-based defense, in which the broader industry combines its collective strengths and intelligence to help defend computer users.

Microsoft also recommends that organizations use the data and guidance outlined in the Microsoft Security Intelligence Report to assess and improve their security practices. Among the proactive steps organizations can take are:

  • Ensure that all third-party applications are being updated regularly by the vendor. Check the vendor's website to determine whether any updates have been released and whether they need to be applied to computers.
  • Ensure that a customer's development team is using the Security Development Lifecycle (SDL), or similar software security assurance process.
  • Ensure that policies are in place to help secure all file shares and regulate the use of removable media. Install the AutoPlay update to help regulate automatic initiation of potentially dangerous removable media.

/blog/portal/archives/2009/11/global_security.html Newsletter Ednote Mon, 02 Nov 2009 12:28:58 -0500

Horizon: Symbian Directory In, App Store Out

The nice thing about being agile is that, depending on how circumstances roll out, you have the flexibility to change your mind. That's the case with the Symbian Foundation, anyway.

For instance, when the Foundation was formed in mid-2008, one of the cornerstones was to be a Symbian developer app store, along the lines of Apple's App Store, Nokia's Ovi Store, and the like. What a difference a year can make.

As Symbian Executive Director Lee Williams said in a welcoming keynote at the Symbian Exchange and Exposition, "The world doesn't need another app store for developer products."

Instead, the Foundation will be focusing on Symbian Horizon, an application-publishing program designed to reduce barriers to delivering applications on the Symbian platform. Horizon will provide a service that lets developers write an application once, and publish in dozens of stores worldwide. Secondarily, Horizon is a directory of Symbian signed applications that will let developers display and advertise their applications. It will allow users to discover apps and find out which store they are available from by browsing the directory for all apps for their phone, or for specific app categories across phones.

"Think of Horizon as the 'yellow pages' for S60 applications," explains Symbian's Daniel Lee. "Unlike app stores, Horizon will point users to applications across many app stores." A total of seven stores support Symbian Horizon. In addition to the initial stores announced, Ovi Store by Nokia, Samsung Applications Store, and AT&T's MEdia Mall, four new stores are now participating: China Mobile, Handango, Orange, and Sony Ericsson's Playnow.

From Symbian Horizon, users can find apps specific to their phone, developed by their favorite developer, or browse through them all.

Horizon also provides services to help developers to get the most out of the program, including assistance with application certification, technical development issues, language translation, application publishing to third-party stores, and comarketing opportunities.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/symbian_horizon.html Newsletter Ednote Wed, 28 Oct 2009 07:49:59 -0500

Extreme Computing, Microsoft Style

Charged with tackling some of the most critical -- and most exciting -- computing challenges, Microsoft's new eXtreme Computing Group (XCG) has kept a low profile since being formed in June 2009. That will likely change, however, as the group reaches out to attain its goal of developing radical new approaches to ultra-scale and high-performance computing hardware and software across security, cryptography, operating-system design, parallel-programming models, cloud software, data center architectures, specialty hardware accelerators, and quantum computing.

"Our objective is to look at strategic needs and opportunities that cut across product groups and find technology solutions to those problems," says Dan Reed, VP of XCG.

XCG will tackle challenges such as cryptography and parallel-programming models with rapid, large-scale prototyping and testing. That testing will help it transfer new technologies to Microsoft partners and product teams. "It's not just 'let's look at this problem and figure out new alternatives,'" Reed says. "It's 'look at the problem, figure out some new alternatives, build some prototypes of those alternatives, validate them, and then push them into production.'"

Reed predicts that there will be a huge set of technology changes on the hardware level -- and even more to systems software and next-generation applications. Multicore issues will affect Windows and other business products, and XCG is helping to prepare those product teams to cope with the new reality. The group operates on a five- to seven-year time horizon, and, along the way, it will spin off technologies that have shorter-term significance, Reed says. For example, earlier this year, the team demonstrated a hardware/software prototype based on Intel's low-power Atom processors. An intelligent energy-management system could turn processors on/off automatically while still delivering performance, and XCG is working with the Windows Azure team to transfer the energy-management software it has developed.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/extreme_computi.html Newsletter Ednote Tue, 27 Oct 2009 15:56:54 -0500

Open Screen Fund Pays Off

Kirk Ballou, CEO of start-up company Flash Widgets, can't say enough good things about the Open Screen Project Fund. That's because his company was the recipient of an Open Screen Project Fund grant that made it possible for Flash Widgets to develop the software they wanted to create, not the software they had to develop.

The software Ballou, who spoke at Nokia's Media Day (part of the Symbian Exchange and Exposition), wanted to develop was Twittle, a robust Flash Lite Twitter client. Twittle lets you access your Twitter account on the go via mobile phones and view Replies, Profile, Messages, Favorites, and your Main timeline. But, according to Ballou, "Twittle had to sit on the back burner while the company developed software to keep the lights on." That is, until they caught up with the Open Screen Project Fund.

The $10-million Open Screen Project Fund was developed jointly by Adobe and Nokia (each pitching in $5 million) to do exactly what it did in Ballou's case -- help developers create applications and services for mobile, desktop, and consumer electronic devices using the Adobe Flash Platform. The Open Screen Project is designed to enable a consistent runtime environment across screens. The initiative is dedicated to enabling web content, standalone applications, and full web browsing across televisions, set-top boxes, mobile devices, and other consumer electronics that take advantage of Adobe AIR and Adobe Flash Platform capabilities.

According to Forum Nokia's Bill Perry, more than 800 developers have submitted applications for grants since the fund was launched in February 2009. Of those, 35 applicants, including Ballou's Flash Widgets, have received funding to the tune of approximately $50,000 each.

"We are excited about the Open Screen Project Fund and the possibilities it offers to designers and developers worldwide," said Adobe's David Wadhwani. "With close to 40 percent of all new mobile devices shipped with Flash Lite in 2008, the fund will enable more developers to bring their rich content and services to a large number of mobile users."

Yes, Wadhwani may be excited about the fund and its possibilities for developers -- but not nearly as excited as developers like Ballou.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/open_screen_fun.html Newsletter Ednote Mon, 26 Oct 2009 13:48:10 -0500

Now You See It, Now You Don't

The VTT Technical Research Centre of Finland has created an experimental system that lets people in multiple locations examine and interact with virtual objects that exist ... well, that don't exist at all. Visualize, if you will, two or three people in different locations, all wearing special video eye-glasses that let them see and actually manipulate the same virtual 3D objects that appear to be sitting on the empty table in front of them.

The Augmented Collaboration in Mixed Environments, or "ACME," was built using an open-source viewer from Linden Lab's Second Life virtual world, as well as from open-source ARToolkit and OpenCV libraries.

Sensors, cameras, and microphones located on both ends of the conversation allow voices, head and hand gestures, and movements to change in concert with the behavior of participants, enabling participants to sense the vital visual cues of body language. In this proof-of-concept, participants in physical rooms wear see-through video glasses that depict three-dimensional images of their online counterparts as they stand, walk, talk, or demonstrate and manipulate virtual objects shared between the spaces.

The research necessary for building ACME was supported in part by IBM Research and Nokia Research Center. Prototypes of ACME will be installed at IBM Research Austin and Nokia Research Center Tampere/Finland for internal use and further testing and development. To view a clip of ACME in action, go to this YouTube video.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/now_you_see_it.html Newsletter Ednote Tue, 20 Oct 2009 10:50:14 -0500

Microsoft Research Award Goes to Jeff Dozier

Congratulations are in order to Jeff Dozier, this year's recipient of the annual Jim Gray eScience Award, presented by Microsoft Research. Dozier, who is a professor of environmental science at the University of California, Santa Barbara, has been granted the award for his work combining environmental science with computer science to bring a new level of understanding to climate change and its impact on our planet's water resources.

Ironically, much of Professor Dozier's work has focused on snow hydrology, not necessarily a topic that springs to mind when thinking about Southern California. But then, much of that region does get its water from the Sierra Nevada range. Of particular interest to Microsoft Research, however, is the work Dozier has done in the use of remote sensing technology to track water in mountainous drainage basins.

As you might imagine, this involves data -- and lots of it -- which led to him crossing paths with Jim Gray.

"I was interested in dealing with lots of data, and of course he was interested and incredibly knowledgeable about computing technology and databases and what he saw as their future," Dozier says. "So we had a very fruitful collaboration."

Over the years, Dozier has found time to write more than 20 books and monographs, and more than 100 technical articles, many of which focus on remote sensing and information systems. He also co-authored (with Microsoft's William Gail) the article The Emerging Science of Environmental Applications, which appears in The Fourth Paradigm: Data-Intensive Scientific Discovery, published by Microsoft Research and available here.

Again, congratulations to Professor Dozier for a justly deserved award.

-- Jonathan Erickson
jerickson@ddj.com


/blog/portal/archives/2009/10/microsoft_resea_1.html Newsletter Ednote Fri, 16 Oct 2009 13:50:51 -0500

Plugging Security Holes with Resin

Intruders are relentless, probing websites for security holes over and over. Programmers can perform security checks, but what's the point if you plug 100 holes but still miss one or two? That is where "Resin," an automatic security checker developed by researchers at MIT, comes into play.

Resin is a runtime that helps prevent security vulnerabilities by letting programmers specify application-level data flow assertions. Developed by Nickolai Zeldovich, an assistant professor in MIT's Computer Science and Artificial Intelligence Lab, grad students Alexander Yip and Xi Wang, and Professor Frans Kaashoek, Resin checks data-flow assertions by propagating policy objects along with data, then invoking filter objects when data crosses a data-flow boundary, such as when writing data to the network or a file. In other words, it's checking the data instead of the code. Attempts to access the data invoke the checker.
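
The mechanism described above (policy objects that travel with data, and a filter that consults them when the data crosses an output boundary) looks like this in Python. This is an added example, not Resin's code or API: the names `Tracked`, `PasswordPolicy`, `Channel`, `export_check` and `policies_of`, and the password assertion itself, are assumptions made for the illustration, and tracking here is per string rather than per character.

```python
"""Data-flow assertion demo: policies ride along with data, and a filter
checks them at the output boundary. All names are hypothetical, not Resin's."""


class PolicyViolation(Exception):
    """Raised by a boundary filter when data may not leave through it."""


class PasswordPolicy:
    """Assertion: this data may leave only by e-mail to its owner."""

    def __init__(self, owner_email):
        self.owner_email = owner_email

    def export_check(self, context):
        # The boundary describes itself in `context`; the policy decides.
        if context.get("type") == "email" and context.get("to") == self.owner_email:
            return
        raise PolicyViolation(
            "password of %s may not flow to %r" % (self.owner_email, context)
        )


def policies_of(value):
    """Policies attached to a value (empty for ordinary, untracked data)."""
    return getattr(value, "policies", frozenset())


class Tracked(str):
    """A str that carries policy objects and merges them on concatenation.

    Only + is covered here; a real runtime has to propagate through every
    string operation, which is why it lives inside the interpreter.
    """

    def __new__(cls, value, policies=()):
        obj = super().__new__(cls, value)
        obj.policies = frozenset(policies)
        return obj

    def __add__(self, other):
        merged = self.policies | policies_of(other)
        return Tracked(str.__add__(self, other), merged)

    def __radd__(self, other):
        merged = self.policies | policies_of(other)
        return Tracked(str.__add__(other, self), merged)


class Channel:
    """An output boundary (network, file). Its filter runs on every write."""

    def __init__(self, context):
        self.context = context
        self.sent = []

    def write(self, data):
        # Filter step: every policy on the data must approve this boundary.
        for policy in policies_of(data):
            policy.export_check(self.context)
        self.sent.append(str(data))


def demo():
    # Constructed sample data: one user's password, tagged at the source.
    password = Tracked("hunter2", [PasswordPolicy("alice@example.com")])

    # Application code builds strings as usual; the policy follows the data.
    body = "Your password is " + password + "\n"

    mail = Channel({"type": "email", "to": "alice@example.com"})
    mail.write(body)  # permitted: e-mail to the owner

    # A buggy code path echoes the same data into an HTTP response.
    http = Channel({"type": "http"})
    page = "<pre>debug: " + body + "</pre>"
    try:
        http.write(page)
        blocked = False
    except PolicyViolation:
        blocked = True
    return mail.sent, http.sent, blocked


if __name__ == "__main__":
    print(demo())
```

The assertion is stated once, where the password enters the program, and it still holds on the debug path that the programmer never thought to check.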

To test Resin, the team modified 12 existing applications written in Python and PHP so that they used the Resin system. The modified applications fended off attacks that exploited known security holes, too.

The PHP prototype involved 5,944 lines of code, with the largest module handling SQL parsing and translation mechanisms at about 2,600 lines. The core data structures and related functions are about 1,100 lines. Most of the remaining 2,200 lines involve propagating and merging policy objects. The Python prototype is only 681 lines of code because it doesn't implement all Resin features, and does not have character-level tracking, persistent policy storage in SQL databases, and Apache static file support. Plus Python uses fewer C libraries, thereby requiring less propagation code. All in all, the prototypes incur a 33% CPU overhead.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/plugging_securi.html Newsletter Ednote Wed, 14 Oct 2009 11:19:46 -0500

You Did What?!? Windows 8 On the Horizon

The record for laptops at Dr. Dobb's belongs to ... well, I won't embarrass him by sharing his name (and no, it's not me). But this particular editor did go through three laptops in a scant two weeks. How? By walking out the door at the end of the day, putting his laptop on top of his car as he fumbled for his keys, unlocking the car, starting the motor, and driving away. Which probably leads you to ask -- "but what about the laptop on top of the car?" Yeah, what about it.

I could understand that happening once and maybe even twice over the long haul. But three times in two weeks? That's a bit much even for those of us who appreciate a good punch line and a little irony from time to time.

Then there was the mobile phone executive who put the prototype of a new phone in his pocket just before getting on a crowded subway in Barcelona. When he got off the train, his pocket was empty, not to mention his future with the company.

What all this is leading up to is the news about the possibility of 128-bit support for Windows 8 and Windows 9 -- news inadvertently posted in a LinkedIn profile by a Microsoft engineer. What makes this interesting isn't the fact that future versions of Windows will have 128-bit support (rumor has it that Windows 9 will also have support for kitchen sinks), but how that news became public. For the life of me, I can't understand why someone would post something of a confidential nature on a public site. But then it happens all the time. I could just as easily ask how someone could put their laptop on top of a car and drive away.

In all likelihood, this is interesting, but not earth-shattering since Windows 7 is just now rolling out, and Windows 8 won't be real until 2011 at the earliest. Your guess is as good as anyone's for Windows 9. Windows 7 will probably be the last 32-bit and 64-bit versions of Windows, as Windows 8 will likely come in 64-bit and 128-bit versions. If not Windows 8, then surely Windows 9. In the meantime, I'd just like to see Windows 7 get out the door.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/you_did_what.html Newsletter Ednote Tue, 13 Oct 2009 12:25:44 -0500

Best Practices for Credit-Card Security

Visa (the credit-card people, not the immigration people) has released a set of best practices for data field encryption (a.k.a. "end-to-end encryption") entitled Data Field Encryption Version 1.0.

Data field encryption is intended to protect card information from the swipe to the acquirer processor without the merchant needing to process or transmit card data in the "clear." The end result is that cardholder data is useless to criminals in the event of a merchant data breach.

The goals of the best practices are to:

  • Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption (e.g., all cardholder data and sensitive authentication data shall be encrypted using only ANSI X9 or ISO approved encryption algorithms such as AES).
  • Use robust key management solutions consistent with international and/or regional standards (e.g., keys shall be managed per ANSI X9.24/ISO 11568 or equivalent).
  • Use key lengths and cryptographic algorithms consistent with international and/or regional standards (e.g., encryption keys shall have at least 112 bits of equivalent strength).
  • Protect devices used to perform cryptographic operations against physical/logical compromises (e.g., devices used to perform cryptographic operations should undergo independent assessment).
  • Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs, or fraud management (e.g., if any cardholder data is needed after authorization, a single-use or multi-use transaction ID or token should be used instead).

At the same time, Visa underscored its commitment to data field encryption by announcing it will chair the ANSI X9F6 standards working group to develop a data field encryption standard. ANSI X9 is the committee developing standards for the financial industry -- specifically for personal identification number (PIN) management, check processing, electronic transfer of funds, and the like. Within the committee of X9, there are subcommittees (such as X9F6).

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/best_practices_1.html Newsletter Ednote Thu, 08 Oct 2009 09:30:01 -0500

A Million VMs or 100 Million CPUs: Take Your Pick

Computer scientists at Sandia National Labs have shown that it is possible to run more than 1 million Linux kernels as virtual machines. Okay, I'm impressed by a million anything. But I do have one question: Why?

The answers are obvious; that is, if you're smart enough to be a computer scientist at Sandia in the first place. For one thing, says Ron Minnich (who is smart enough to be a computer scientist at Sandia), running all those VMs lets security researchers more effectively observe the behavior of malicious botnets, or networks of infected machines that can operate on the scale of a million nodes. Botnets, says Minnich, are often difficult to analyze since they are geographically spread all over the world.

But a million VMs? You can't run that on an Atom-powered Acius netbook, no matter how cool you think they are. Instead, what a million VMs call for is something along the lines of a 4,480-node Dell high-performance computer cluster known as Thunderbird. To hit the 1 million Linux kernel figure, Minnich and his team ran one kernel in each of 250 VMs and coupled those with the 4,480 physical machines on Thunderbird.

Okay, security. Anything else? Sure, says Minnich. How about tens of millions of operating systems for building high-fidelity models of parts of the Internet.

"The sheer size of the Internet makes it very difficult to understand in even a limited way," says Minnich. "Many phenomena occurring on the Internet are poorly understood because we lack the ability to model it adequately. By running actual operating system instances to represent nodes on the Internet, we will be able not just to simulate the functioning of the Internet at the network level, but to emulate Internet functionality."

"Development of this kind of software will take years, and the scientific community cannot afford to wait to begin the process until the hardware is ready," says Minnich. "Urgent problems such as modeling climate change, developing new medicines, and research into more efficient production of energy demand ever-increasing computational resources. Furthermore, virtualization will play an increasingly important role in the deployment of large-scale systems, enabling multiple operating systems on a single platform and application-specific operating systems."

Minnich goes on to say that "it has been estimated that we will need 100 million CPUs by 2018 in order to build a computer that will run at the speeds we want. This approach we've demonstrated is a good way to get us started on finding ways to program a machine with that many CPUs, so that when we have a computer with 100 million CPUs we can actually use it."

-- Jonathan Erickson
jerickson@ddj.com


/blog/portal/archives/2009/10/computer_scient.html Newsletter Ednote Tue, 06 Oct 2009 17:46:09 -0500

Doloto: Putting the Responsiveness Back Into Web 2.0

At times, Web 2.0 can be too much of a good thing -- especially when it comes to code. Granted, AJAX improves the responsiveness of network-bound applications. However, moving execution from back-end servers to clients means more code locally, which means taking more time to download more code -- you get the idea.

Doloto is an AJAX application-optimization tool designed to address this problem. Developed by Ben Livshits and Emre Kiciman, researchers in Microsoft Research's Runtime Analysis and Design group and Internet Services Research Center, respectively, Doloto analyzes application workloads and automatically performs code splitting of existing large Web 2.0 applications. Once processed by Doloto, an application will transfer only the portion of code necessary for application initialization. The rest of the application's code is replaced by short stubs.

To demo Doloto, Livshits and Kiciman performed experiments on several large Web 2.0 apps. Doloto reduced the size of initial application code download by hundreds of kilobytes -- as much as 50% of the original download size. Page-loading time for JavaScript-heavy applications improved by as much as 40%, depending on the application and network conditions.

According to Livshits, "We start with the original JavaScript codebase, and we take out every function that doesn't need to be downloaded and replace it with a small stub. A function might be half a kilobyte, and we replace it with a stub that’s about 60 bytes. This is where the space and time savings come from. And the stub is going to download the actual body of code whenever necessary."

For details on how Doloto works, see Doloto: Code Splitting for Network-Bound Web 2.0 Applications. You can download Doloto here.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/doloto_putting.html Newsletter Ednote Mon, 05 Oct 2009 10:29:06 -0500

Open Source Adoption Survey Results

Actuate has released the results from its 2009 Open Source Survey, which examines trends related to open source software awareness and adoption, and benefits and barriers to adoption. This year's survey, which included feedback from nearly 1500 IT and business professionals, provided for the first time responses from China, in addition to North America, the UK, Germany, and France. Among the more noteworthy results are:

  • 80.3% of those surveyed in China are using open source software.
  • Interestingly, 72.6% of respondents in China said they had "access" to source code. This compares to 41.4% in Germany, 39.9% in North America, 36% in France, and 35.2% in the UK.
  • 67.0% of those surveyed in France are using open source, leading all other European countries counted.
  • 41% of respondents in North America are already using open source with nearly 1/10 either in the process of adopting or planning to adopt. The proportion of respondents who feel that the benefits of open source software outweigh the inhibitors (56.8%) is nearly seven times higher than the proportion that disagree (8.4%). This is more positive than in previous surveys.
  • Germany's attitudes to open source adoption seem to be more positive than the UK's. For example, the proportion of UK respondents who feel that the benefits of open source software outweigh the inhibitors has decreased this year to 47.0% (from 54.0% in 2008), whereas Germany scores 62.0% in favor of open source, an increase since last year's survey.
  • The UK shows little change since last year with just over 42.1% already using open source software. Significantly, the UK continues to demonstrate a degree of reticence towards open source adoption with 22.4% still monitoring developments, but not yet evaluating.

In general, open source interest/adoption continues to trend upwards slightly, at least compared to previous Actuate surveys. The main perceived benefit of open source software across the board is no license costs. According to Gartner, "By 2010, 90% of Global 2000 organizations will have formal open-source acquisition and management strategies."

As founder and co-lead of the Eclipse BIRT project, (short for "Business Intelligence and Reporting Tools"), Actuate is deep into open source. The 2009 Actuate Open Source Survey is conducted independently by Survey Interactive and now into its fourth year.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/10/open_source_ado.html Newsletter Ednote Fri, 02 Oct 2009 12:38:06 -0500

A Trillion Triangles, Give or Take

To me, solving an old mathematical problem is a lot like picking at a scab. Leave it alone! But then I'm not a mathematician. Still, it's hard not to be impressed when mathematicians solve a problem that's stumped other mathematicians for hundreds of years. The latest example is the Congruent Number Problem, first posed by the Persian mathematician al-Karaji (c.953 - c.1029).

The problem involves determining which whole numbers can be the area of a right-angled triangle whose sides are whole numbers or fractions. The area of such a triangle is called a "congruent number." For example, the 3-4-5 right triangle that students see in geometry has area 1/2 x 3 x 4 = 6, so 6 is a congruent number. The smallest congruent number is 5, which is the area of the right triangle with sides 3/2, 20/3, and 41/6. The first few congruent numbers are 5, 6, 7, 13, 14, 15, 20, and 21.

Actually, the international team of mathematicians didn't really solve the problem -- they only resolved it for the first 1 trillion cases. As it turns out, the biggest challenge was that these numbers were so large that they couldn't fit in the computer's main memory (right, it's a hardware problem), so the researchers resorted to accessing hard drives (what do you think *that* did to network performance?).

To ensure accuracy, the mathematicians split into two teams. Team "1" -- Bill Hart (Warwick University) and Gonzalo Tornaria (Universidad de la Republica) -- used "Selmer," a DUNK Teraserve R2850 with four 2.4-GHz AMD quad-core CPUs, 128-GB RAM, a 1.5-TB hard drive, and an NVIDIA nForce Pro 3600 chipset. Team "2" -- Mark Watkins (University of Sydney), David Harvey (NYU), and Robert Bradshaw (University of Washington) -- used "Sage," a Sun Fire X4450 Server built around 4x6-core 2.66-GHz Intel Xeon CPUs, 128-GB RAM, and a 2.7-TB hard drive. As for the software, the teams based their calculations on the freely available C library FLINT (short for "Fast Library for Number Theory").

"The difficult part was developing a fast general library of computer code for doing these kinds of calculations," says Bill Hart. "Once we had that, it didn't take long to write the specialized program needed for this particular computation." (For a detailed description of how they approached the problem, see Congruent Number Theta Coefficients to 10^12.)

Many congruent numbers were known prior to the new calculation. For example, every number in the sequence 5, 13, 21, 29, 37, ..., is a congruent number. But other similar-looking sequences, like 3, 11, 19, 27, 35, ..., are more mysterious and each number has to be checked individually. The calculation found 3,148,379,694 of these congruent numbers up to a trillion. I'm impressed.

-- Jonathan Erickson
jerickson@ddj.com

/blog/portal/archives/2009/09/a_trillion_tria.html Newsletter Ednote Tue, 29 Sep 2009 17:00:00 -0500