Single Sign on

Single Sign on
This post is a bit of an experiment, rather than like most of my posts where I come up with an idea and document it once complete I am going to blog about my progress getting this to work as I go, a sort of impressionist blog, which is most likely the way they were originally intended to be done.

What is SSO?
The way I see single sign on, which may not be the right way to view it, is that a user in a company has to interact with a multitude of computer systems, each of which requires some form of authentication before access is granted and single sign on means that a user once authenticated in one system will auto-magically be authenticated in the others without being prompted for a username and password or whatever.

The first method that I am looking at is Kerberos, the way I think this works is that a user signs in using whatever means at their disposal (card reader, password or biometric scanner) then that user has a token that is given to any other systems that require authentication.
The premise here is that there is a single secure token provider that every application within the enterprise/corporation then trusts.

JAAS the java way
Being a Java developer on enterprise systems I would have been lucky to have not had to have some experience with using JAAS the java authentication authorisation service.  This is a pluggable system like much of the JEE components where any particular vendor can make their own implementation, and as luck would have it there is already a Kerberos version available.

JBoss
I am going to use JBoss (likely version 4 but maybe 7 as I kinda like where that's going) as my application server, I may show using GlassFish too, plus I may also show it being used in tomcat just for kicks.

Step 1
In order to actually test these things out I need to actually have a kerberos system setup, as I tend to use Linux the instructions for setting this up will be linux orientated.

I followed these instructions for installing and setting up a kerberos system.
I rapidly hit a stumbling block with the first pre-requisite of the installation

Before installing the Kerberos server a properly configured DNS server is needed for your domain

D'oh! I don't have a DNS server, so I went to get one and set it up.  Doing a quick google I found these instructions which are for Ubuntu and as I am using a Debian system thought it would work.  I didn't bother following any of the reverse DNS lookup instructions as (a) I am lazy and (b) I want to move on quickly from setting up a dns.  The only thing to note at this point is that nslookup gw didn't give any results.

Back to installing Kerberos
So now that dns seems to be installed time to go back to the kerberos instructions.

Everytime I try  kinit steve/admin I get

kinit: Cannot resolve network address for KDC in realm "RLJASSOCIATES" while getting initial credentials

I altered the instructions for both dns installation and kerberos installation so that the domain is RLJASSOCIATES.
I found a forum that states;

"each host's IP address must reverse-resolve the canonical name."

so I guess it's time to go back to the DNS setup instructions once more, damn it serves me right for being lazy in the first place!

Ok the DNS setup doesn't work right off the bat but I did find a nice little utility to test called named-checkzone which I can use to check the zone files for correctness.  Needless to say they weren't.  Well I've been over those DNS instructions many times now so I can be absolutely sure my setup matches and guess what...they don't work so I guess they're crap!

I think there might have been a missing entry in the RLJASSOCIATES.db file so I added these lines
ns        IN        A        192.168.1.34
@        IN        NS        ns.RLJASSOCIATES
and that seems to allow nslookup gw to work.

however running sudo kinit steve/admin still results in the error

kinit: Cannot resolve network address for KDC in realm "RLJASSOCIATES" while getting initial credentials

Setting up krb5.conf
I remembered that after the first fault with the kerberos setup I uninstalled it, then when I re-installed it I was never asked the same questions about default domains once the installation was complete, this may have been the route cause of this last failure.
Essentially there is a file called /etc/krb5.conf that seems to list settings that are relevant for different domains, so I took a guess at what to write and put this in;

    RLJASSOCIATES = {
                kdc = rjohnson-acer.RLJASSOCIATES
                admin_server = rjohnson-acer.RLJASSOCIATES
                default_domain = RLJASSOCIATES
    }

I have no idea if this is correct or not apart from when I ran this command kinit steve/admin instead of it failing with the usual error message shown above it prompted for the password, which I typed in and ... nothing happened which still means no error :)

The next fault to get over in the kerberos instructions is

#> kinit steve@RLJASSOCIATES
kinit: Client not found in Kerberos database while getting initial credentials

 Once again I have no idea what is causing this to happen, so on to professor google.
Not actually sure this is an error as the list of principals is now
kadmin:  list_principals

K/M@RLJASSOCIATES
kadmin/admin@RLJASSOCIATES
kadmin/changepw@RLJASSOCIATES
kadmin/history@RLJASSOCIATES
kadmin/rjohnson-acer@RLJASSOCIATES
krbtgt/RLJASSOCIATES@RLJASSOCIATES
steve/admin@RLJASSOCIATES

The big issue is that it says I am not entering the correct password for kadmin/admin and yet I know damn well what I entered so this might be an issue with the re-installation I tried earlier ooops!

JBoss
I am going to start with a vanilla installation of jboss-4.2.3.GA, simply because I wanted to start with a version 4 and this was the latest 4 I found on jboss community site, don't worry I'll show the same kerberos stuff on jboss-7.0.2, I would want to use 7.1.0 as this is the version where remote ejb calls are supported but it doesn't exist yet tee hee :)

Since JBoss comes with a jmx-console lets try to secure the access to this web app with kerberos.

The current setup for security on this app is;

   <application-policy name="jmx-console">
      <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
              <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
              <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

So in order to use the same login that I want to use for kerberos I've created a user called steve and I've added that to the props/jmx-console-users.properties.

Stupidly the first time I added the new user I forgot to also add him to the roles properties file, the trouble is you can't sign in but you don't get any error messages in the jboss log which was a bit annoying.

Introducing Krb5LoginModule

I've never used this login module before so it's going to be a learning experience :)

I found some documentation for Krb5LoginModule and just decided to run with it.

So I changed the login-config.xml to read

    <application-policy name="jmx-console">
       <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
           <module-option name="debug">true</module-option>
          </login-module>
       </authentication>
    </application-policy>

As you can see I've only set a single option, this is just so I can see what happens, remember I have no idea.

Hooray
It looks like I was successful, the usual prompt popped up so I logged in as Steve and hey presto got this in the log

10:38:00,893 INFO  [STDOUT]         [Krb5LoginModule] user entered username: steve
10:38:00,978 INFO  [STDOUT] Acquire TGT using AS Exchange
10:38:01,056 INFO  [STDOUT] principal is steve@RLJASSOCIATES
10:38:01,057 INFO  [STDOUT] EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FE 75 E3 7A 1A 29 7C A8  
10:38:01,057 INFO  [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FE 75 E3 7A 1A 29 7C A8  
10:38:01,057 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3D 8C CB 99 50 CC 9A 13   69 12 6D AA BF E7 C6 4E  =...P...i.m....N
10:38:01,058 INFO  [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 79 75 9B A7 67 EC BF 2F   7A 32 C1 C8 9E AB 57 0D  yu..g../z2....W.
0010: 5B B3 3D D0 64 F4 34 4F  
10:38:01,058 INFO  [STDOUT] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 87 17 D5 4C 61 35 48 4D   D4 8B 14 58 91 E5 E8 AE  ...La5HM...X....
10:38:01,078 INFO  [STDOUT] Commit Succeeded

Actually do SSO

So far we have a working test environment setup and have been able to make a call out to Kerberos to authenticate a user.

Although this is a good start to the experiment what we don't have are;

• a way of automatically sending a username to do the login, this wouldn't just be a username but would need to be the TGT.
• a way to set the Subject to the user signing in, currently we only have the principal.

I should have read the documentation as we really do have the subject of the person doing the login this is bundled up in the Credentials of the login itself, so score!!

The Connector 

The way that I want to pass the name through rather than prompt for it is to use the java system property user.name this seems like the easiest thing to do for this simple test.  Essentially the way I see this working is that the name is used to retrieve a TGT from the local cache if there is one, and of course if there is one then they are authenticated and this TGT can then be passed from app to app.  In order to do this before a call reaches the application running on the application server I intend to use connectors (or valves in tomcat) which means I need to brush up on my JCA knowledge first...more on this the next time I have some free time to add to it.

Lets take a step back

Before getting too far ahead of ourselves I think it's time to explain what exactly Kerberos will entail, much of the information about Kerberos in an easy to understand  style can be found on the MSDN site but here is the super abridged version of events.

The way my system is setup is that the is a server called the KDC (kerberos distribution centre) which has two roles.  The first role is upon request a valid user is given a ticket to get tickets (cunningly disguised as a TGT), then when a user wants to access a service they use the TGT to get a service request ticket.  Finally with this ticket the user authenticates his/her self with the service they wish to use.

The stage that our test system is at is that when a user requests the resource at /jmx-console 

Done...I think
Not sure if this is done now but it seems to be which is strange as I've set virtually nothing up?


login-config.xml
    <application-policy name="jmx-console">
       <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="debug">true</module-option>
        <module-option name="useTicketCache">true</module-option>
        <module-option name="doNotPrompt">false</module-option>
        <module-option name="useKeyTab">true</module-option>
        <module-option name="useKeyTab">true</module-option>
          </login-module>
       </authentication>
    </application-policy>

Now when I log in to jmx-console it seems to authenticate me when I have a service ticket already.

Firefox

I also discovered that if you put about:config into firefox and then filter on negotiation you can set network.negotiate-auth.trusted-uris; to the domain kerberos authenticates against et voila ! .RLJASSOCIATES

But is it SSO
The simple truth is I don't know at the moment I haven't tested it and this is because I am not sure how to test it, so lets look back at square 1 what was the criteria;

1. not be able to access resource (/jmx-console) if I am not authenticated.
2. authenticate via the KDC.
3. once authenticated don't get prompted for authentication again.

I think that I have managed 2 of the 3 above points, however the third is a partial victory.  I don't get asked for authentication when I visit the resource in a second tab of the browser but this is simply the typical cookie authentication, when I use a different browser I still get asked for authentication and it is this step that I need to get rid of in order to claim SSO works.  The trouble is I am not sure how to do that with the tools that I have used so far, I think I might need to write my own LoginModule or something. 

One More Piece of the puzzle
I've not had much time to look into all of this stuff at the moment and tidy up this rambling blog post, this link looks like it'll be quite useful.
http://download.oracle.com/javase/1.4.2/docs/guide/security/jgss/single-signon.html 
http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/JGSSvsJSSE.html
http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html 

Exceptions (again)

The argument that keeps on giving :)
This is the fairest assessment that I think I've ever made of exception (specific to java, possibly).

Exceptions are a very good way of having more than one return type on call. Originally they were invented so that constructors could inform the caller of something rather than having to have a special "error" type of every class.
Handling exceptions early isn't always the best idea, code where an exception occurs may not be best suited to remedy it as the lowest level tends to be a generic handler of something.
Take for example the File API, if a file can't be found it is highly unlikely that the File object should be made to handle every failure adequately. Maybe it should simply return a null, but how then do we know the file couldn't be found rather than it couldn't be read? These 2 scenarios should be handled in very different ways (1) file not found: get the user to pick another (2) read error: try again X times then fail. Scenario 1 requires user interaction so bubble the exception up through the code so the user can pick another file.
There is also an argument against interpreting an exception at a lower level and sending specific "error" style replies up the chain.

1. Multiple levels in the call stack will have to handle error return states.
2. The returned objects would each have to have an error version created i.e.
   

   public A getA()
       public B doB()
           public C getC()
   

   each return type A, B, C would have to have an error version created, plus each call would have to handle this.
3. There is already an adequate mechanism to repeatedly send exceptional responses up the stack regardless of method return type.
4. Sometimes it is impractical to escape from a normal flow and return a meaningful error, the use of try catch blocks greatly simplifies this.

Also
Also the idea that exceptions are errors is flawed, exceptions are an
exceptional flow, the clearest use of this fact I think is the Thread
usage of InterruptedException. When things are running concurrently (even
pseudo concurrently) a message should be sent at any point during the flow
and the way to handle this is with exceptions.

The problem is that with legacy old shit (and I mean it is shit) does
the biggest sin of all which is to catch ALL general exceptions and simply
throw it without adding a cause to it. No attempt is made to handle the
exception where it is relevant which means the final resting place of a
thrown exception is the client which is why some people believe that the client
shouldn't handle them because 9 times in 10 the client is the wrong place
to handle them.

IT Confidence

Developer confidence / arrogance

I had a sudden realisation about why most developers come across as arrogant. Ok, so in a lot of cases it is because they are, but I am always accused of being arrogant (mostly by my wife) so decided to look into why that was.

During a developers career they are always trying to sell their solution to a problem, usually without any evidence, the manager in charge has to be convinced that your idea is the correct solution over and above all other solutions in order for you to win the right to implement it. I think this is where it all stems from you have to have ultimate confidence in an idea and it is this confidence that could be observed as arrogance.

Religion

I recently attended a christening at a local church.

Things I noted were that religion is a very good form of control, it uses some clever psychological tricks to reinforce its ideals such as chanting and mob vilification. It is a commonly understood fact that people when acting as a group rather than as free thinking individuals are capable of vilifying something that is different from themselves for the simple reason that its not them. Another time when this psychological trick was used was by Adolf Hitler when he managed to turn a country against a race via clever propaganda and the mob reflex of human beings.

By acting as a mob in this way a persons individuality is damaged, keep it up for long enough and it is destroyed, when a persons individuality is destroyed they then become automatons, very susceptible to suggestion almost regardless of the nonsense of the suggestion.

I used to attend church as a child however I was lucky enough to have very intelligent and sensible parents that neither wanted to push me away from religion or enforce their own doctrine on me. They wanted me to experience religion and for me to make up my own mind, this is all that can be done if a child is to retain their individuality and it encouraged independent thought and reinforced the belief that I should question everything. I don't think I was liked in church for the fact that I would ask questions and follow them through to their logical conclusion without prejudice, malice or preconceptions. I will always remember one particular discrepancy in the logic of the bible “if god forgives all sins then why does hell exist...it's for people that have committed sins...which are presumably forgiven so they no longer have sin...they will always have sin...so what does it mean to be forgiven...it means your sin is removed...so god forgives all sin and it is removed, so why does hell exist...it doesn't work like that...so god doesn't forgive all sin?...yes he does...so hell is empty...no hell keeps all sinners e.t.c. Keep following these arguments through to their conclusion again without emotion and you come to a few plausible conclusions 1. that religion is full of discrepancies, flaws and illogical leaps that are nonsensical. 2. you need to have a leap of faith!

A leap of faith, this is religious parlance for ignoring what you know to be true in favour of mob rules.

A nice quote in Dracula is something like "faith means convincing yourself of something you know not to be true actually is." - I'll try and find the actual quote later

It is this “leap of faith” idea that is very clever when it comes to control, as explained before when under the control of mob mentality you freely adhere to the reality that is put before you and the more ridiculous it becomes the more likely you are to reject it, but not if you are made to bring yourself into question which is where the “leap of faith” comes into its own. People already indoctrinated into religion will shun those that question things rather than accept what they are told at face value, which makes those people doing the questioning into the vilified culture which they don't want to be so weak of will take a “leap of faith” and those that don't serve to reinforce the beliefs of the rest of the mob.

Religion is a remarkable control mechanism that works best on the masses which is exactly what it was invented for.

The problem occurs when the original people who developed the control are no longer around and the followers are left to try and make sense of things. Without someone to give direction the discrepancies are fudged until a new leader takes over. This can and has caused factions to form while the mob lurch around like a hydra with a head missing, the scary thing is that there is no control over the leaders that gain control and hence fanaticism is allowed to take hold.

This could all be remedied if everyone simply retained their own individuality. As I said before I judge these things without emotion, I truly have no feeling good or bad towards religion. In certain circumstances it is a good thing it provides support groups and if everyone made a promise to be nice to one another the world would be a better place but sadly no such religion exists (although Buddhism comes pretty close).

QCon London 2011

Once again I went to London, and once again it did not disappoint :) this is by far the best meeting of the minds that I have the pleasure of going to. Although I must admit I find the choice in flavours of cake a bit weird, chocolate and lime ?!?!

I heard some interesting talks, I wish that I had the confidence to ask questions when I am there as there are many people I would like to pick the brains of. Maybe next time I'll pluck up the courage to ask why "facts" displayed by two different talks were in complete opposition or why the facebook team seem to think the problems they have faced are unique to them.

So on with my break down of some talks I personally attended, the following is a series of opinions. The thing about opinions is they are mine and you almost certainly won't agree 100%.

Wednesday

Why Don't We Learn?

This was an enlightening, informal chat with the audience that explained the principles of learning combining many ideas from the psychology field rather than IT. The speaker Russ Miles was enthusiastic and fluid not having to read from slides and making sure that his voice projected. A brief mention of the placebo effect was the only item that wasn't accompanied by facts, a simple read of some Ben Goldacre could solve that.

Software quality - you know it when you see it

Once again a very practised talk that conveyed in a short time the fact that you really do know good code when you see it, or rather you can tell when there is bad code. Erik Dörnenburg produced a slick series of graphical views of code that can make a series of issues clearly visible even to inexperienced personnel that don't code for a living. Such things that we all know are bad such as monolithic classes a high degree of coupling as well as pointless interfaces.

Learning and perverse incentives: "The Evil Hat"

This was one of those choices that I was unsure of at the time, I needn't have been. The speaker Liz Keogh was a brilliant speaker, she mixed up real life experience and sarcasm just the way I like it. The actual content of the talk was essentially carrot works better than stick and if you set a kpi prepare to have it gamed! She cited one example of a kpi being gamed that rang true with circumstances that I've had the misfortune of coming in contact with. One of her friends said he had a new project manager that had told him that the project was to be listed as "in trouble" and that he was calling an emergency meeting. The project was meeting deadlines and bugs were minimal so he couldn't understand why it needed saving. Liz asked a simple question, "are pm's bonuses related to rescued projects", bingo, the pm would get a bonus for simply saying a project was in trouble so that he could be seen to swoop in and "save" it.

Agile Operations - optimising the business on shell script at a time

I am going to be slightly controversial on this one, so be warned. Dan as always was a brilliant speaker as was his co-host (I resist the term side-kick) Chris Read. However the talk didn't really do it for me, the comedy was good but over-played. I will admit that it's probably just me that doesn't yet get it as Dan North himself admits he didn't "get it" straight away. Yes it is nice to be able to deploy an image across multiple servers at the press of a button and send changes out in a similar fashion, but this doesn't seem new to me as it seems obvious.

Java without GC Pauses

Gil Tene was a comfortable speaker, I did get the impression from his demeanour on stage that he was beginning to get tired of having to explain the same things over and over again and people not getting it. I have to admit that this is the talk I had wanted to see the most all day, I like the clever stuff that happens at a low level thus my love of the JIT e.t.c.
The solution to the compaction problem seems so simple once explained, it uses virtualisation so that rather than change physical memory during compaction (the long part of a full GC) you alter the vector table of memory. The only issue that this has is that Azul's GC (C4 I think) does require being installed in unison with some virtualisation server...as I understand it anyway??? This idea seemed so obvious and if the charts are to be believed it is very effective so it seems a no brainer that virtual-pointers become the next change for the linux kernel. Loved this talk immensely, however on day 3 of QCon it was bought into question.

Thursday

Testing for the unexpected

This talk given by Ulf Wiger was a surprise for me, in a pleasant way. To be honest I had no idea which presentation took my fancy and as it is always good to learn something "totally" different from normal I went along. I didn't really know how we possibly could test what was not expected and in walk quicktest. Essentially you fill a series of tests up that are then filled with essentially random data. I tend to do this as a matter of course so the fact that there is a framework for it probably means I am missing a trick.

Data Architecture at Twitter scale - Nick Kallen

I can't really say much but it was a good talk, no surprises also no exceptional solutions to problems. The fact that I've written less about this talk doesn't mean it was less brilliant than the others it was great maybe I'll add some details later :)

Releasing Fast Code: the DevOps Approach to performance

I can't remember this one, hmmm need to review my notes

Better is Better

This was a somewhat strange talk. It was billed as being a bit of a rant and to be fair to the speaker that is exactly what it was. I did feel a bit sorry for the speaker as he was new to public speaking and had fallen into the same traps that all new comers do, slightly mumbling and stumbling. Things weren't helped by the fact that he moved off mic as he paced on stage. All this is rather negative at the end of the day it was his personal experience as a story, I found this quite interesting as I do enjoy hearing about the history of computing. The history of computing is very important at the moment as we seem to be re-living it, I'll blog what I mean on this later.

I went to another talk on Thursday but can't find the details for it unfortunately.

Friday

High performance web applications in Haskell - Steve Vinoski

I had high hopes for this talk, sadly totally unfounded. The speaker was very arrogant and childish, never passing up an opportunity to bad mouth another language. These "my language is better than yours so there nerr nerr nee nerr nerr" talks drive me mad. I feel like grabbing the guy shaking him and saying "Ok I get it you hate anything that isn't your language, tell me why yours is good not why any other is bad." these people say this language is more concise without realising that there is context to this claim for example recursion makes for very concise code in a lot of cases but not all plus there are other concerns to a language readability, maintainability, performance (that's right sometimes functional is not faster than procedural sometimes it is), plus there is always the expertise of the people looking at the code.

Anyway I digress this guy got off to a bad start, he did reign it in once he concentrated on the idea of the talk, however I waited to hear some Haskell my functional language of choice only not to hear any he did mention Erlang and throw some (badly formatted) slides containing very basic Haskell up but there was no depth to it. I actually tweeted a bad thing which I don't like doing as concentrating on the negative is not good, unless it's funny :)

HTML 5 Design/Development Tooling (+HTML and Flash)

Not really a talk this one, more of a sales pitch from the Adobe guys. I liked seeing what can be done but would have liked to have seen what was going on underneath the tools if that makes sense. I'll admit I am no longer into web design and GUI's as I find the server side more interesting so have fallen behind with HTML5 seeing what can be done in this talk has prompted me to learn about it especially as the company I work for use flex to produce their GUI. My work colleague who joined me for this presentation was not interested in the talk as all of the tools being demo'd he had already seen so sorry @DavidArno but I did enjoy it to a point. There is however the danger that QCon talks will start to become more about selling stuff than pure knowledge sharing which would be a terrible thing to happen. On that note there seemed to be more talks around a product (twitter, facebook, dynatrace, atlassian, adobe, azul ...) than last year so maybe the knowledge rot has already started.

Performance Tuning for Java Applications

First of all this room was far too small for the number of people that attended the talk, it got really hot and at one point I had to leave to prevent myself passing out only to return to find someone sitting in my seat which I had left my belongings on to inform anyone that I was going to return, some people are dumb.
The speaker was great, it felt like an informal chat about how he tests products at Atlassian I don't know if it is a cultural thing but most Australians and Australian companies seem to foster a very easy going style that I respond well to George Barnett spends his time at Atlassian performance testing and really knows his stuff. I was however concerned at one point though as the charts he showed for heap size were in complete contradiction of the ones the Azul guy showed on the first day. George said if you have the memory available then use it in the heap and showed the performance increase even when the complete heap wasn't being used, whereas Gil Tene showed that compaction increased in stop-the-world length of time to run which had a marked effect on system performance. The only thing I can think that could make them both right is that the applications they used for testing were utilizing the heap in very different ways. confluence and jira for example should have short lived classes of small size so that even if they live long enough to reach old space the gc could easily remove them with concurrent mark sweep and not have much compaction whereas Gil may have used a system with irregular classes and life expectancies. This is something that George made clear at the start of the talk he was ONLY using Atlassian products and that anyone who blindly applied his performance tweaks to their system deserved every bit of failure they got, unless the system they were tuning was an Atlassian product.
Following on from this I did learn that in order to performance tune an application you have to know the application, how it uses memory and indeed what the current performance is before making any changes otherwise how do you know if you are making any improvements.

Using a Graph database to power the web [Rick Bullota & Emil Eifrem]

I did really enjoy this talk, it didn't expose me to anything new but was nice to hear that a few areas of mathematics that I enjoy are bubbling up to the surface graph theory and set algebra. The talk could have been more weighted to neo4j than thingworx as I was interested in the technology used more than they was a single solution was applied, but case studies are a way to learn I suppose as long as you remember each situation carries it's own unique attributes.

HTML5 and the dawn of rich mobile web applications

I didn't hold out much hope for another html5 talk given the sales pitch Adobe talk from earlier, but boy was I wrong.
This guy (James Pearce) was so enthusiastic and enthralling that you couldn't help but fall in love with the subject matter every bit as much as he obviously had. He started by demo'ing how we have learnt that the web is not just sitting at a desk and that it isn't just a change in screen size that we need to take into account but the whole interface and what visitors to sites want to do. He cited some good and some unexpectedly bad examples of where this is not done before showing some simple code and explaining more about offline html applications. This was a fast paced exciting talk I was blown away especially as it was a subject that over the past few years I've shown less interest in.

#qconlondon

3D stole my sequel :(

I am a geek and I love films so it's a no brainer that I love , so how excited do you think I was when I heard about the sequel.

I have now seen the sequel and it was nice, but no smash hit.

Pros and Cons

Pro, plus or good point	Con, bad point :(
Jeff Bridges as always is fantastic	3D was rubbish and actually a gimmic that took away some of the magic, Tron consists of massive contrast of bright colour and blackness. Sadly when your wearing 3D specs that act like sunglasses this fact is somewhat muted.
CGI is amazing (maybe too good, if that's possible).	I like Daft Punk, but the music should be secondary to the action, supporting it and adding that extra depth and not a lead role in it. The music for the first quarter was intrusive and frankly didn't fit what was going on.
Garrett Hedlund was much better than I had anticipated	Some parts were so camp I thought I was watching a sequel to Flash Gordon.
Paying tribute to the original especially the line That is a big door	To make up for a lack of story we were subjected to a number of travelling periods, moving from one place to another where nothing much happened, presumably showing off some of the superb cgi that has been employed.
	Some of the dialogue was a bit trying at times. I have to tread carefully here as the bits in question may have been good actors ad-libing. But using words like my bag and trip in an 80's style down with the kids manner was a bit gag enducing.

With all that said this wasn't a bad film, neither was it a great film, I left the cinema feeling "blah" about the whole thing.

maybe I expected too much but I am fed up of films consisting of pretty people not generally acting very well and letting gimmicks like 3D or CGI take the place of good story telling!