Wednesday, December 24, 2008

Happy Newton's Birthday

George just pointed me to a great article in the NYTimes titled "The Ten Days of Newton".

On the tenth day of Newton,
My true love gave to me,
Ten drops of genius,
Nine silver co-oins,
Eight circling planets,
Seven shades of li-ight,
Six counterfeiters,
Four telescopes,
Three Laws of Motion,
Two awful feuds,
And the discovery of gravity!

Happy Newton, everybody!

Tuesday, December 23, 2008

Histrator update

I received this email from Hostrator:

"Dear Geoff,

We have some redirection issues, Note all your files are there intact, the issue occurred while we were upgrading the bandwidth for each user (was our surprise). Again your sites (files) are there and no need to worry about it, your site will be back online in a couple of hours hopefully."

I guess they resolved their issue, because my widget's HTML files are back online.

Monday, December 22, 2008

asscrack hosting, inc!

Wow, notice that my signup widget on the right side of the page has been replaced by the hostrator home page? Either these guys are complete scumbags, and they trick you into using free hosting, then replace your own HTML files with their homepage, or they are so broken that they have genuinely lost the files that I hosted there. Either way, their homepage is appearing where my widget should be. Well, time to find another free host for my widget HTML files. Anyone know a *reliable* and *ethical* provider of HTML file hosting?

Sunday, December 21, 2008

Encryption, digital signatures

For a few weeks NextDB has had support for encryption via the CYPHER function, and sending email through the SENDEMAIL function. However, we didn't have support for providing application specific encryption keys, nor for digital signatures. Well, I spent today prototyping support for both of these two things. The CYPHER function now accepts a second argument, which is a 16-character string (128 bit privtate key). Digital signatures are accomplished through a new function called MD (Message Digest). A DECYPHER function allows you to decrypt whatever you encrypt. This creates a "round trip" model for your data, a lot like we do for our SURIDs. But you can put whatever applicaiton specific payloads you like inside the encrypted messages.

the impotus for this was being able to send out "confirmation" emails from NextQuery expressions, and not allow the content of the URL in the email to be tampered. The following is a NextQuery expression that I am using with a "5-star reviews" widget that I am developing. When the user posts a review, this query sends an email to the poster of the review, including a link to click to confirm (for sake of example, we are assuming the Reviews Widget has been places on '')

review.PK = ${pk}
'please confirm your review',
'click this link to confirm your review\n' ||

into email.status;

The SENDEMAIL function accepts the subject, body, to, and from parameters. The interesting thing here is the third parameter, the body of the email, which includes a URL. Part of the URL (the part after the question mark) consists of a cyphered and digitally signed concatenation of the review's title, and the author's screenname.

Where things get really mindbending, is that the content of is actually an HTML page with JavaScript embeded. The embedded JS can actually get access to parameters passed to the page, and thereby fulfil functions typcially handled on the serverside, even though they will run right there in the user's browser.

When the "reviewConfirm" JavaScript executes, it uses NextDB's JavaScript API to execute a query. Said query will use the DECYPHER function to decypher the URL's query parameter, and use the MD function to check the digital signature to be sure the confirmation email content has not been tampered. Said query returns a SURID with FOR UPDATE permission which allows the JS to change the value of the 'status' column of the row to 'approved'.

But what about replay attacks? That's the beauty of this technique. Because the CYPHER function's secret key can be different for each query, and because the content of the encrypted message can be used to confirm the presence of a row in the database, you can't "replay" a cyphered structure from your database against someone else's database.

Tuesday, December 16, 2008

Steal This Widget

Monday, December 15, 2008

Widget (Take I)

As you can see, I've added a rather oversized "signup" widget to my blog. I am experimenting with creating widgets using This one will add your "user" information into the NextDB database when you signup.


User registration is really "square one" of building any website. If we can encapsulate user signup into a widget, then we can encapsulate all other site functions as well. Then, with site functions "widgetized" you can essentially turn your blog, or really any web page into a full-featured AJAX site.

I've learned a bit about how best to do this. The first thing I learned is that sites like have a pretty friendly way for you to distribute your widget. It boils down to a simple button a viewer of your blog can press, and presto, they get the widget.

Second thing that took more messing around than it should was to find a webhost to host the HTML and image files for the widget. I intentionally didn't want to host any of the HTML or resources on, because I really wanted to behave as a nextdb user, who might be a graphic designer or someone in a dorm room, for whom a free webhost was their only option. I wound up creating an account at But it is lame that they don't support SFTP or a better batch upload. But it's good enough. And I think that's sort of the point. With an AJAX widget it really doesn't matter who hosts the HTML file is hosted.

Sunday, December 14, 2008

The Lapse of The Year

SPRING I am too soft of heart
Much to speak ere I depart
Ask the summer tide to prove
The abundance of my love

SUMMER looked for long am I
Much shall change or ere I die
Prithee take it not amiss
Though I weary thee with bliss

Laden AUTUMN here I stand
Weak of heart and warn of hand
Speak the word that sets me free
Naught but rest seems good for me

Ah shall WINTER mend your case
Set your teeth the wind to face
Bear the snow down, tread the frost
All is gained when all is lost

-William Morris

Saturday, December 13, 2008 Google Group now has a google group

We are hoping to get some good feedback from our user community. Small but growing.

Tuesday, December 09, 2008

St. Bride

This is a painting titled "St. Bride" by the Scottish painter John Duncan, from 1913. At the moment, this is my favorite work of art. I was fortunate enough to spend some time reflecting on this painting at the National Gallery in Scotland. It's is surprising that this painting is not more notable, considering how interesting it is (not to mention beautiful).

The painting depicts two angels carrying Bridget to Bethlehem to swaddle baby Jesus. It's truly an amazing amalgamation of Christian and Celtic mythology; Briget becomes St. Bride and Christianity synthesizes the ancient beliefs.

"[The legend] ...goes further back than the days of the monkish chroniclers who first attempted to put the disguise of verbal Christian raiment on the most widely-loved and revered beings of the ancient Gaelic pantheon. Long before the maiden Brigida… made her fame as a 'daughter of God'… the Gaels worshipped a Brighde or Bride, goddess of women, of fire, of poetry… one whom the Druids held in honour as a torch bearer of the eternal light, a Daughter of the Morning."

This is a wonderfully rich posting on the "Celtic Twilight" movement. Apparently William Blake, JRR Tolkien, and John Duncan shared similar influences. The more I read about this painting, the more I understand why it resonates with me.

Thoughts and Pimps

Wonderful tiled mosaic: "THOUGHT: written words; Spoken words". I took this photo near Rockefeller Center.

Early anthropological evidence of pimps (American Museum of Natural History)

This is just too easy!

Wow, I am amazed how easy it is to wire up my new widget to I mean, I really shouldn't be surprised, given we've been developing NextDB exactly to be this easy, but I'm still stoked. Here is a screenshot of the admin site for my hosted database in NextDB (just created one table for storing the widget data). Next to the admin site, on the right, is my shiny black widget.

Here is the whole 10 lines of code I literally cut-and-pasted out of the NextDB JS Docs into my widget's HTML.

BOOM, press the button on the widget, the data is inserted into the database, and I can even see the row using the admin tool. And there it is! There's my row that I inserted:

Monday, December 08, 2008

Database feeds

I had an idea today that boils down to "RSS for Databases". I was inspired by the very geeky act of "server log watching". Basically, whenever you bring up a cool new database app, you wind up watching the logs just to get a blow-by-blow on what your users are doing. Now, obviously log watching is boring, and requires you to be logged in or ssh'd into the server. Why not apply the same "feeds" to the actual data in the database that we use to follow our favorite blogs or news sites? Obviously some filters would be required to avoid a torrent of data in the feed, but that's all do-able. I'm pretty excited about adding RSS Feeds as a native feature for NextDB database tables. I will probably work on it this weekend. At the moment I'm addicted to screwing with a new widget design in Adobe Fireworks.

Sunday, December 07, 2008


I am in the process of creating a series of widgets that can easily be re-skinned. These widgets will fulfill many basic site functions such as: user sign-up, login, user profile management, photo gallery, blog, forum, etc. Each widget can be easily re-skinned to suit the look and feel of your site, and they are pre-wired to communicate with Here is an example of a sign-in widget.

Saturday, December 06, 2008

Nice blog enrty in Wired

Looks like Wired did a blog entry on NextDB.

It's funny, if you look in the comments, there are already haters. They don't even have a clue what NextDB does, or how our security model works. That's a good sign. Haters are scared of change.

Big week for

On Thursday, Andres Ferrate, posted this article on Programmable Web titled "Mashups Get a Hosted Database With". We also got an entry on Programmable Web about our JavaScript API. Very quickly the wave of account signups poured in and it hasn't crested yet. I guess this a moment that every small startup has to cope with. Fortunately both Brent and I have been there before but it never gets old. You can't keep your eyes off the server logs, and it's almost a point of pride when you hit "Too many open files" and need to kick a "ulimit -n", which in fact happened yesterday as dozens of new databases were created on Well, it's not exactly what I'd call being slashdotted, but it was a fun ride. Our challenge now, is how to effectively collect feedback from these Alpha users in order to improve the service based on their experience.

Wednesday, November 26, 2008

SF Park

The new SF skatepark is pretty rad. It is growing on me. Here is some footy of parker I took on my point-and-shoot. This park is crowded. Note near collision with fat kid on bike (listen for the yell).


It doesn't seem to bother anyone else in the office that when you place a page on the copy machine, and hit the big green "copy" button, that this message appears:

READ-END? WTF is READ-END? This copy machine can send emails, but they can't just make it copy a page when you hit the green button?

Tuesday, November 18, 2008

Steve's Feedback on our UI

lots of issues with the "new user" concept. First time someone signs in have obvious links to getting started guide, creating a sample database, etc.

"import" has too much meaning to db guys. Make it say "create a sample database from template" WITH data.

"must match regex in" in tablename is not a good error message for invalid table names.

Suggested "nextdb for SQL database programmers".

Wants to know how to create the primary key.

Some kind of wizard to drive first time users.

tooltips on tabs with check box for "never show this again"

consider changing the query language parameter names and datatype names to 'human friendly' equivalents.

Steve would like to be able to set the default value.

wants to be able to use camel case in column names

relation name should be "relationship name". It also upper cases it.

show lines connecting related tables as an option.

thought he could not enter a query without having data.

did not like the interface for adding data.

wants a "data editor" tab along the top (loads table names along left hand side)

wants column types to be in parentheses.

Steve wants to be able to store HTML and edit it with a foldout editor. I want permalinks to the HTML and JS.

Great idea

trouble executing query with join

no way to relate rows

wants excel spreadsheet

wants a way to get his data out.

"You wouldn't want a mashup for your bank account."

I am watching the opening panel discussion at Mashup Camp. Hart Rossman, CTO at SAIC just said "You wouldn't want a mashup for your bank account."

That really struck a chord because it captures the inadequacy with today's mashup security model. In fact, building a banking system on NextDB is sort of the logical extent of where the NextDB SURID technology can go.

Another interesting statement from one of the panelists:

"SLAs can't be that strong because you can't have really strong remedies."
I agree.

"you're not going to get a new CRM system out of a mashup."

I disagree. Once the database is secure and mashable, the entire application software development lifecycle can be handled by mashups.

The proverbial Map Mashup came up again as a proof point for time savings.

"when the users become the developers, they are doing what they want to do, not what IT wants to do"

The discussion briefly touched on whether or not Amazon Web Services (S3) constitutes a mashup. That's really a point that requires discussion. Once you realize that Amazon Web Services is not Mashable, due to its "web 1.0 security model", you find yourself somewhat dissapointed.

"where we run into a real challenge is in converting the mashup mentality into the largescale systems engineering skillset. You don't see a lot of folks puting a large ampount of skill and discipline into building the backend." paraphrasing what he said later: We're going to see things going in that direction though, and it will drive Mashups into the enterprise.

Sunday, November 16, 2008

Mashup Camp 2008

Tomorrow is Mashup Camp! I'm excited about this year's Mashup Camp because I think there is going to be a lot of activity around trying to figure out how to fuse mashups with Cloud Computing. And that, of course, is exactly where has a sweet spot. NextDB is fundamentally a mashable relational database in the cloud. What does that mean for the programmer? It means NextDB is the ONLY relational database that you can securely mashup, without have to write ANY serverside code.

So check this out. I added this "guest book" to my blog to keep track of folks I meet at Mashup Camp. This guestbook is a Mashup with, which makes it a nice little example of a database mashup between NextDB and Originally, Brent wrote this guestbook as an example for our talk at ajaxworld. I just went to his page, grabbed the html, js, and css and threw them into my blog. The only tricky part was that's editor didn't like newline characters in the HTML and CSS. So I just saved them in a file without newlines, and pasted them back to my blog. Go ahead and sign in below, and watch the AJAX goodness! Here is a link to the JavaScript that the guestbook sources. Rather than use the nasty editor at (and its associated issues with spaces), I just uploaded the js file to Project Path, which is a nifty collaboration site that allows file hosting.

Mashup Camp Guestbook
first name *
last name *

Enter the text above into the box below. Click image to get a new one if you can't read it.

json view:

Wednesday, November 12, 2008

NextDB At AjaxWorld 2008 West

Brent and I recently presented about at AjaxWorld 2008 West, in San Jose CA.

I am going to pickup blogging a bit more regularly here. Anyway, the presentation went well. The message we hammered on was that NextDB has a fundamentally new security model that allows a hosted relational database to be exposed as a service. NextDB is the only relational database that is built from the ground up as a AJAX-programmable hosted service. As such, the round-trip security model is native; fundamentally "built in". This clearly differentiates NextDB from other pseudo-database or database services, because you can safely access it directly from JavaScript.

Monday, November 10, 2008

New York Family Vacation 2008

Times Square

Radio City Music Hall Christmas Spectacular stage