Encryption

Journal: Semaphore Code - can Slashdot users crack it?

For those of you who love a challenge, Adobe has sponsored a whopper. The Semaphore art project in San Jose is where art meets technology. Four large round glyphs rotate their position every 7.2 seconds while a simultaneous low-power radio broadcast emits a coded message. Artist Ben Rubin's mind-shredding message seems to follow a pattern. Each broadcast segment contains an audible analog tone and an audible analog pattern, followed by a string-integer pair. Several items vary during the broadcast, including the pitch of the woman's voice as she speaks the integers. The tones also change.

Here is a pattern:

Tone, dot pattern, click(ping), string, integer, ping

Here are some general observations that might help those trying to decode it. I also want to state that while I do work for Adobe, I have no internal knowledge of this project, nor do I have any keys to the answer.

Background:

Flag semaphore is an old signaling system that predates the electric telegraph. A person holds a flag in each hand, and the pair of arm angles selects one character, so one angle can be read as a key against which the other supplies the value. The comparison to the rotating glyphs cannot be ignored.

1. What is the significance of the glyphs changing position every 7.2 seconds? This could be a key, or it could be incidental to the entire exercise. I would suspect that, given its precise timing, it is a key.

2. Ben Rubin's education should probably be factored in. There are no details of him ever studying cryptographic techniques. Accordingly, I would presume the cipher to be far less complex than Rijndael (AES) and the like. I did find his master's thesis, entitled "Constraint based cinematic editing", which may be a clue into his mind.

3. What possible significance does the tone of the woman's voice have? She seems to speak in two tones, one about an octave higher than the other. Is this indicative of some kind of logic gate, a one-bit channel riding on top of the spoken values?

4. What are the string-integer pairs? Here is an example:
India 02
Kilo 08
Echo 06
Delta 01
Charlie 05
Mike 03
Mike 14
Echo 06
Delta 04
Delta 04 (note repeat)
India 02
Kilo 08
Echo 06
Delta 01
Charlie 05
Mike 03
India 02
Delta 15
Delta 04
Mike 14
Alpha 10
Delta 04
Delta 04
Alpha 10
Charlie 16
Delta 15
India 02
Delta 15
Delta 04
Mike 14
Alpha 10
Delta 04
Delta 04
Alpha 10
Charlie 16
Delta 15
Delta 01
Pumpkin 02 ??
Kilo 03
November 04
Charlie 11
Charlie 16
Lima 03
Echo 06
.....

Note that certain pairs repeat (Delta 04 seems popular). There are also runs of pairs that recur more often than chance would predict. Based on this I would aver that the plaintext is ordinary text. The repeated adjacent values suggest double-letter combinations in the resulting text (for example, "Challenge" has a double "l").
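The repetition argument above can be checked mechanically rather than by ear. The script below is an added example, not part of the original journal entry, and it makes no claim about the actual cipher: it parses the transcript listed above ("Pumpkin 02 ??" is kept as Pumpkin 02 and the trailing "....." is dropped), splits the NATO words from the integers, counts pair frequencies, computes the index of coincidence, and finds every maximal run of three or more pairs that occurs twice, Kasiski-style, together with the distance between the two occurrences.

```python
"""Frequency and repeated-run analysis of the Semaphore string/integer pairs.
Added example, not part of the original journal entry. TRANSCRIPT is the list above,
with "Pumpkin 02 ??" kept as "Pumpkin 02" and the trailing "....." dropped."""
import re
from collections import Counter

TRANSCRIPT = """
India 02 Kilo 08 Echo 06 Delta 01 Charlie 05 Mike 03 Mike 14 Echo 06 Delta 04 Delta 04
India 02 Kilo 08 Echo 06 Delta 01 Charlie 05 Mike 03 India 02 Delta 15 Delta 04 Mike 14
Alpha 10 Delta 04 Delta 04 Alpha 10 Charlie 16 Delta 15 India 02 Delta 15 Delta 04 Mike 14
Alpha 10 Delta 04 Delta 04 Alpha 10 Charlie 16 Delta 15 Delta 01 Pumpkin 02 Kilo 03 November 04
Charlie 11 Charlie 16 Lima 03 Echo 06
"""


def parse_pairs(text):
    """Pull 'Word NN' pairs out of free text; notes such as '(note repeat)' or '??' are ignored."""
    return [f"{word} {int(num):02d}" for word, num in re.findall(r"\b([A-Z][a-z]+)\s+(\d{1,2})\b", text)]


def split_channels(pairs):
    """Separate the two channels: initial letters (NATO word -> letter) and the integers."""
    return "".join(p[0] for p in pairs), [int(p.split()[1]) for p in pairs]


def pair_counts(pairs):
    return Counter(pairs)


def index_of_coincidence(pairs):
    """Probability that two randomly chosen pairs are identical; about 0.067 for English letters."""
    n = len(pairs)
    return sum(c * (c - 1) for c in Counter(pairs).values()) / (n * (n - 1))


def repeated_runs(pairs, min_len=3):
    """Kasiski-style: every maximal run of >= min_len pairs that occurs twice.
    Returns (run_length, first_index, second_index, distance), longest first."""
    n, found = len(pairs), []
    for i in range(n):
        for j in range(i + 1, n):
            if i > 0 and pairs[i - 1] == pairs[j - 1]:
                continue  # not maximal: the same run extends further to the left
            k = 0
            while j + k < n and pairs[i + k] == pairs[j + k]:
                k += 1
            if k >= min_len:
                found.append((k, i, j, j - i))
    return sorted(found, reverse=True)


def report(pairs):
    """Everything a cryptanalyst would want to glance at before picking a hypothesis."""
    letters, digits = split_channels(pairs)
    return {
        "count": len(pairs),
        "letters": letters,
        "max_digit": max(digits),
        "most_common": pair_counts(pairs).most_common(3),
        "ic": round(index_of_coincidence(pairs), 4),
        "runs": [(k, i, j, d, " ".join(pairs[i:i + k])) for k, i, j, d in repeated_runs(pairs)],
    }


if __name__ == "__main__":
    for key, value in report(parse_pairs(TRANSCRIPT)).items():
        print(f"{key}: {value}")
```

On this transcript the longest repeated run is the ten-pair block starting at positions 16 and 26 (zero-based), followed by the six-pair block at positions 0 and 10; both recur at a distance of exactly 10, Delta 04 is the most frequent pair, and no integer exceeds 16. The index of coincidence comes out near 0.068, which happens to sit close to English, but 44 symbols is far too small a sample to lean on that figure.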

While flag semaphore uses only eight arm positions, note that the numeric values here go much higher. Could this be a revision of the code, keyed on the 7.2-second interval, to exploit the glyphs' ability to provide a finer rotational index? I did not encounter any numeric value over 16 while listening.

The Semaphore art uses the NATO phonetic alphabet.

A: Alpha
B: Bravo
C: Charlie
D: Delta
E: Echo
F: Foxtrot
G: Golf
H: Hotel
I: India
J: Juliet
K: Kilo
L: Lima
M: Mike
N: November
O: Oscar
P: Papa
Q: Quebec
R: Romeo
S: Sierra
T: Tango
U: Uniform
V: Victor
W: Whiskey
X: X-ray
Y: Yankee
Z: Zulu

Note that "Pumpkin" is not actually part of the phonetic alphabet. Perhaps I heard it wrong.

Good luck - anyone with theories, please post them back to this blog. Maybe we can get lucky....

Censorship

Journal: US Senators to set global standard for the web?

A recent story on CNET discusses the US Senate proposal that "Web site operators posting sexually explicit information must slap warning labels on their pages or face prison terms of up to five years." Senator Conrad Burns goes on to declare that "This will protect children from accidentally typing in the wrong address and immediately viewing indecent material." I find this once again highly flawed logic. First, without a globally agreed-upon consensus on what constitutes "sexually explicit information", there is no metric for such labeling. Will the labels include sites that carry educational materials about how human reproduction works? Is the goal to create a system of mandatory ignorance for the masses, resulting in more unwanted pregnancies and STDs? Secondly, how in the world are warning labels going to prevent someone from making typing mistakes? Once again, the government seems to be jumping the gun. Perhaps their time would be better spent educating themselves and parents about watching what their children do on the internet?
Software

Journal: SOA 2.0 - frontier justice

The early rebuff of Gartner's use of the term "SOA 2.0" seems to be gathering significant steam at both the grassroots and mainstream levels. Several bloggers shared similar comments: the "SOA 2.0" term/buzzword was not something the tech community should just lie down and take. A resulting petition, "SOA 2.0 - No Thanks!", reflects the "Stop the Madness" feeling. While only 70 or so people have signed it as of today, the names on the list are notable with respect to SOA. The main complaint with the term is that, other than the OASIS Reference Model for SOA, there is little in the way of a metric for defining SOA at all.
It's funny.  Laugh.

Journal: SOA 2.0 - follow this to find the good smoke!!!

A new week, a new buzzword. This time it is different: "SOA 2.0" is a version-qualified buzzword that finally makes people speak out! I have observed a really cool phenomenon. Normally, when someone comes out with a new buzzword that doesn't really have any substance, most people merely complain quietly and go about their business. With certain parties going public with the term "SOA 2.0", the collective disgust seems to have finally reached the tipping point where people can no longer keep quiet. This list is a compilation of my favorites so far.

SOA 2.0 Ignorance: http://markclittle.blogspot.com/2006/05/soa-20-ignorance.html

What are they smoking and where can I buy some: http://www.mac-kenzie.net/blog/2006/05/24/soa-20-what-are-they-smoking/

SOA 2.0 - stop the madness: http://www.mwdadvisors.com/blog/2006/05/soa-20-stop-madness.html

OH NO - SOA 2.0: http://jroller.com/page/dancres?entry=oh_no_soa_2_0

http://sw.deri.org/~juan/weblog/?p=242

http://mult.ifario.us/articles/2006/05/24/soa-2-0-mud-in-the-mud-puddle

http://www.thedatafarm.com/blog/PermaLink.aspx?guid=cfb38e60-5c9c-4670-8c36-ae36f114e075

IT folks out of control: http://voelterblog.blogspot.com/2006/05/it-folks-out-of-control.html

http://data-entry-business.blograzor.com/52352/

I can only summarize the term "SOA 2.0" like this - "The fan just got hit big time"!

I cannot believe this is happening. I met up with Mark Little at JavaOne and he told me some people are actually starting to talk about "SOA 2.0". The German language has the only words for this: "einfach unglaublich". Roughly translated it means "simply unbelievable".

Now Mark is a very smart guy - I work with him on many Web Services standards bodies where he provides great value. I have never seen him get really upset about anything before I saw this blog entry. This should be a testament to how absurd the concept of SOA 2.0 is.

As Mark correctly points out, you cannot take some half-baked marketing term and milk it for another few miles by sticking a version number on the end of it. This appears to be nothing more than a scam to keep people coming back for more information. People - they are making it up!!! You are being led down the wrong path. I can see it in my head:

Analyst: "SOA is the answer to anything. Even if you don't know the question. Too bad I can't tell you what it is exactly but if you listen to me, maybe you can do it someday."

Customer: "Actually, I think I figured it out. It is a model for software architecture."

Analyst: (Thinks silently - "Dang - they're on to me. What should I do??")

Analyst: " Very well, I think now you are ready for SOA 2.0".

Please note I am not just picking on analysts - they are just the easiest target in this case ;-)

On Mark's blog, he notes that Steve says SOA 2.0 is a mix of EDA and SOA. Bollocks! All SOA is event driven. How can you have a service that does something if there is no notion of an event (trigger) in the architecture? I suppose you could just build it and let it sit there doing absolutely nothing, but even then it would be event driven, since doing nothing is what it should do in the absence of any events. Can anyone provide an example of SOA that is NOT event driven?

A group of people (over 200 members and observers to be precise) got together out of disgust for lack of clarity around SOA and put together a Reference Model to clarify what is meant by the term. Being largely end users, they asked all the right questions. If SOA is architecture, as the name implies, how do we express it as architecture or some architectural artifact? How is it different from other interface based designs? Does it have a right to exist as a term (*read - does it have any substance or is it pure marketing hype)?

These people wrote a Reference Model which defines an architectural paradigm for organizing and using resources under different domains. The Reference Model is not architecture per se, it merely notes the main concepts, at a completely abstract level, for the entities which consistently appear within service oriented domains.

SOA Definitions - There's enough for one per person.

Given the current Wikipedia definition and the OASIS Reference Model for SOA, it appears that SOA is something we have all probably been doing for a long time. Even Starbucks implements the OASIS Model. Service providers (they provide caffeinated beverages to customers) use visibility (signs, advertising) to let others know the services are available. There is an interaction model (money for coffee) that uses a behavior model (pay first, coffee later) to provide the service. There is a service description (like WSDL for customers) and a fabric they attach to that allows service consumers to interact with the service. WS-* is the same. This really makes me wonder when I see quotes stating things like "over 60% of all companies hope to be doing SOA by 2007". Even some smart IBMers have been skeptical of people's claims to be "doing SOA". Given that they have at least established a metric for SOA, they are IMO entitled to talk about it. Someone who starts this sort of conversation without a useful and measurable definition of SOA cannot be held in high esteem.

The OASIS Reference Model for SOA does not purport to be the one and only true definition of SOA. It is simply a model that is a stick in the mud (or FUD in this case). Even if you do not agree with it, it represents a non-proprietary definition which you can use as a point of reference to state where your definition differs. Someone can easily state "When I say SOA, I differ from the OASIS Reference Model in the following ways..... [insert your POV here]".

Summary

Mark is a smart guy, beware of people selling anything undefined with a 2.0 extension, and if you're "doing SOA", be careful and don't forget to use Starbucks products.

Encryption

Journal: Defeating PDF Security with Gmail? Not!!!

I was recently amused by reading a blog post from a group who apparently defeated PDF's DRM system by using Gmail's "convert to HTML" option. I nearly fell off my chair when I read the claim "(it) works regardless of the file's usage restrictions..". Yes, under certain circumstances you can gain access to the text or other components of a PDF document that has usage restrictions on it, but only if the document was not encrypted with a password that is required to open it. Usage restrictions such as "no printing" or "no copying" are flags that a conforming reader agrees to honor; they are not enforced by the cryptography, so a reader that ignores them, as Gmail's converter does, sees exactly what Acrobat sees. Keep in mind that PDF is a publicly documented format that anyone can implement, and there are several third-party SDKs for manipulating PDF documents. Before you read the blog above, it is extremely helpful to understand how the encryption and DRM mechanisms work.

In general, if you do not want anyone other than the intended recipient to view a PDF, you should encrypt it with a password that is required to open it. By default, the encryption level for compatibility with Acrobat 5.0 and later is 128-bit RC4. Encrypting the contents of a PDF under a key derived from a strong password results in a situation where neither Gmail nor any other application can crack it open by brute force: the PDF is turned into ciphertext that is completely incomprehensible to anyone without the key. The 128-bit key is not the weak point; a short or reused password is, because the password, not the key, is what an attacker gets to guess. I am so certain of this that I will provide $500 USD to the first person who can open this document within one year.

A person encrypting a PDF document has several options. First, you can choose compatibility with earlier versions of Acrobat (5, 6) or jump straight to Acrobat 7.0 and higher. If you select Acrobat 7 compatibility, the default encryption method becomes 128-bit AES instead of RC4. Brute-forcing a 128-bit key is out of reach with either cipher; what you gain is a cipher without RC4's known weaknesses, not a longer key.

You can also opt to encrypt all the document contents, or leave the metadata unencrypted. This is useful should you want the document to remain searchable on its metadata. In the lower section of the security settings dialog, the box to allow text access for screen readers is checked by default. If you leave this selected, some PDF applications can extract the text. If you don't want this, deselect the option. After setting all of the options and pressing Next, you will still be given a generic warning that certain non-Adobe products might not enforce this document's restrictions. Note that if you do not select "require a password to open the document", the document is encrypted under a key that any reader can derive from the empty password, so the usefulness of encrypting it is moot: Acrobat will refuse to copy the text with the copy tool or Control-C, but other means can be employed.
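To see why owner-only restrictions are advisory while an open password is not, here is the standard security handler (revision 3, the 128-bit RC4 scheme that is the Acrobat 5 default described above) written out from the PDF Reference, section 3.5. This is an added example, not Adobe's code and not from the blog post under discussion; the owner and user passwords, the document ID and the content string are constructed test values, and /P = -3904 is the permission value with every permission bit cleared.

```python
"""Standard security handler, revision 3 (128-bit RC4), after PDF Reference 1.6 section 3.5.
Added example: not Adobe's code, not from the blog post discussed above. Passwords, the
document ID and the content string are constructed test values."""
import hashlib
import struct

KEY_LEN = 16  # /Length 128
PAD = bytes([0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
             0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
             0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A])  # Algorithm 3.2 padding string


def rc4(key, data):
    """Plain RC4; encrypting and decrypting are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw):
    return (pw + PAD)[:32]


def xor_key(key, i):
    return bytes(b ^ i for b in key)


def compute_key(user_pw, O, P, doc_id):
    """Algorithm 3.2: the file key depends on the USER password, /O, /P and /ID[0]."""
    h = hashlib.md5(pad_password(user_pw) + O + struct.pack("<I", P & 0xFFFFFFFF) + doc_id).digest()
    for _ in range(50):  # only 50 MD5 rounds of stretching: cheap for a password guesser
        h = hashlib.md5(h[:KEY_LEN]).digest()
    return h[:KEY_LEN]


def owner_key(owner_pw):
    """Algorithm 3.3, steps 1-4: RC4 key derived from the owner password."""
    h = hashlib.md5(pad_password(owner_pw)).digest()
    for _ in range(50):
        h = hashlib.md5(h).digest()
    return h[:KEY_LEN]


def compute_O(owner_pw, user_pw):
    """Algorithm 3.3: /O is the padded user password encrypted under the owner key."""
    key = owner_key(owner_pw)
    out = rc4(key, pad_password(user_pw))
    for i in range(1, 20):
        out = rc4(xor_key(key, i), out)
    return out


def compute_U(file_key, doc_id):
    """Algorithm 3.5: /U lets a reader confirm that it derived the right file key."""
    out = rc4(file_key, hashlib.md5(PAD + doc_id).digest())
    for i in range(1, 20):
        out = rc4(xor_key(file_key, i), out)
    return out + bytes(16)  # spec: 16 bytes of arbitrary padding


def build_encrypt_dict(owner_pw, user_pw, P, doc_id):
    """The /Encrypt entries a writer stores, plus the file key it encrypted the content with."""
    O = compute_O(owner_pw, user_pw)
    key = compute_key(user_pw, O, P, doc_id)
    return {"O": O, "U": compute_U(key, doc_id), "P": P, "ID": doc_id}, key


def authenticate_user(enc, user_pw):
    """Algorithm 3.6: returns (ok, file_key). An EMPTY string is a perfectly valid user password."""
    key = compute_key(user_pw, enc["O"], enc["P"], enc["ID"])
    return compute_U(key, enc["ID"])[:16] == enc["U"][:16], key


def authenticate_owner(enc, owner_pw):
    """Algorithm 3.7: decrypt /O back to the padded user password, then authenticate with it."""
    key, padded_user_pw = owner_key(owner_pw), enc["O"]
    for i in range(19, -1, -1):
        padded_user_pw = rc4(xor_key(key, i), padded_user_pw)
    return authenticate_user(enc, padded_user_pw)


def object_key(file_key, obj_num, gen_num):
    """Algorithm 3.1: per-object key used to encrypt one string or stream."""
    h = hashlib.md5(file_key + struct.pack("<I", obj_num)[:3] + struct.pack("<H", gen_num)).digest()
    return h[:min(len(file_key) + 5, 16)]


def permissions(P):
    """/P is hashed into the file key so it cannot be edited in place, but honoring it is the reader's choice."""
    return {"print": bool(P & 4), "modify": bool(P & 8), "copy": bool(P & 16),
            "annotate": bool(P & 32), "accessibility": bool(P & 512)}


def demo():
    doc_id = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed /ID[0]
    # Case 1: owner password only, every permission bit cleared (-3904 == 0xFFFFF0C0).
    enc, writer_key = build_encrypt_dict(b"s3cret-owner", b"", -3904, doc_id)
    ciphertext = rc4(object_key(writer_key, 4, 0), b"Confidential text")
    ok, reader_key = authenticate_user(enc, b"")  # the reader supplies nothing at all
    recovered = rc4(object_key(reader_key, 4, 0), ciphertext)
    # Case 2: the same document with an open (user) password: the empty password now fails.
    enc2, _ = build_encrypt_dict(b"s3cret-owner", b"correct horse battery", -3904, doc_id)
    return ok, permissions(enc["P"]), recovered, authenticate_user(enc2, b"")[0]


if __name__ == "__main__":
    print(demo())
```

Running it shows that with no open password the empty string passes the /U check, the file key falls out, and the "Confidential text" string decrypts cleanly even though /P denies printing and copying; a reader simply decides whether to honor /P, which is all Gmail's converter is doing. With an open password set, the empty string fails the /U check and the converter has nothing to work with. The remaining weakness is the password itself: revision 3 stretches it with only 50 MD5 rounds, so a short or reused password can be guessed offline at high speed, which is exactly why a long random passphrase matters.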

To summarize so far, Acrobat has DRM capabilities to limit the following interactions with documents:

  1. ability to disable printing
  2. ability to disable cut and paste
  3. ability to disable Control-PrintScreen
  4. ability to disable local file saving
  5. ability to disable accessibility (text extraction for screen readers)
  6. ability to make a document no longer exist

Understand the frame and scope of each of these and its built-in limits. PDFs are like music: if you can render it once, it is possible to capture it and render it again. Even if we figured out a way to prevent all third-party screen-scraping software from capturing what you see on a computer screen, someone who has access to the document for a single view AND intends to distribute it further can simply take a digital photo of their computer screen to circumvent all of these. There is simply no way to stop someone who is intent on doing this using items 1-5 above.

Another method is available: place a dynamic watermark on the page, perhaps stating the user's name and address in bold gray text across the document. This too can be defeated if one took a screenshot of the document and used a great tool like ... err, "Adobe Photoshop" to take care of that nasty watermark. I am guessing the magic wand tool is your best friend here ;-)

So how can you protect a PDF? If you really want to make it secure and also track the user's interaction with it, you would be wise to use Adobe Policy Server. The policy server uses a model of persistent DRM that follows the document everywhere it goes. If you feel the document is out of control and you want to stop it, you can simply "destroy" the document, which will cause it to fail to decrypt when someone opens it. Is there a way around that? Sure - sneak into the office of the person who made the policy, install a tiny pinhole camera near their desk and capture their authentication.

See what I am getting at? No matter what you do, there is a way around it if someone is really intent. The easier method is social engineering rather than brute force.

So here is a challenge. Take this document here (link to APS protected document) and try to render it with gmail (or any other method). I will pay $500 USD to the first person who can show me the un-encrypted content of this document within one year of this.

How would I do it? I would probably try to lure myself into providing a password to a site that offered me some form of membership and hope that I was rather lazy and used the same password for this document. D'oh!! Not gonna work - I typed a random phrase of about 13 characters to encrypt this using AES.

Good luck!

The Courts

Journal: Gonzales has yet another clueless idea

I cannot believe this is actually being contemplated: "A mandatory rating system will 'prevent people from inadvertently stumbling across pornographic images on the Internet,' Attorney General Alberto Gonzales said at an event in Alexandria, Va." How about a labeling law for not-so-bright politicians who flunked logic and ontology classes in high school? Can you imagine? Which one person will get to arbitrarily decide what is porn and what is not? Smart people in America - please do something before it is too late.
