Wednesday, December 24, 2008

Happy Newton's Birthday

George just pointed me to a great article in the NYTimes titled "The Ten Days of Newton".

On the tenth day of Newton,
My true love gave to me,
Ten drops of genius,
Nine silver co-oins,
Eight circling planets,
Seven shades of li-ight,
Six counterfeiters,
Four telescopes,
Three Laws of Motion,
Two awful feuds,
And the discovery of gravity!

Happy Newton, everybody!

Tuesday, December 23, 2008

Histrator update

I received this email from Hostrator:

"Dear Geoff,

We have some redirection issues, Note all your files are there intact, the issue occurred while we were upgrading the bandwidth for each user (was our surprise). Again your sites (files) are there and no need to worry about it, your site will be back online in a couple of hours hopefully."

I guess they resolved their issue, because my widget's HTML files are back online.

Monday, December 22, 2008

asscrack hosting, inc!

Wow, notice that my signup widget on the right side of the page has been replaced by the hostrator home page? Either these guys are complete scumbags, and they trick you into using free hosting, then replace your own HTML files with their homepage, or they are so broken that they have genuinely lost the files that I hosted there. Either way, their homepage is appearing where my widget should be. Well, time to find another free host for my widget HTML files. Anyone know a *reliable* and *ethical* provider of HTML file hosting?

Sunday, December 21, 2008

Encryption, digital signatures

For a few weeks NextDB has had support for encryption via the CYPHER function, and sending email through the SENDEMAIL function. However, we didn't have support for providing application specific encryption keys, nor for digital signatures. Well, I spent today prototyping support for both of these two things. The CYPHER function now accepts a second argument, which is a 16-character string (128 bit privtate key). Digital signatures are accomplished through a new function called MD (Message Digest). A DECYPHER function allows you to decrypt whatever you encrypt. This creates a "round trip" model for your data, a lot like we do for our SURIDs. But you can put whatever applicaiton specific payloads you like inside the encrypted messages.

the impotus for this was being able to send out "confirmation" emails from NextQuery expressions, and not allow the content of the URL in the email to be tampered. The following is a NextQuery expression that I am using with a "5-star reviews" widget that I am developing. When the user posts a review, this query sends an email to the poster of the review, including a link to click to confirm (for sake of example, we are assuming the Reviews Widget has been places on '')

review.PK = ${pk}
'please confirm your review',
'click this link to confirm your review\n' ||

into email.status;

The SENDEMAIL function accepts the subject, body, to, and from parameters. The interesting thing here is the third parameter, the body of the email, which includes a URL. Part of the URL (the part after the question mark) consists of a cyphered and digitally signed concatenation of the review's title, and the author's screenname.

Where things get really mindbending, is that the content of is actually an HTML page with JavaScript embeded. The embedded JS can actually get access to parameters passed to the page, and thereby fulfil functions typcially handled on the serverside, even though they will run right there in the user's browser.

When the "reviewConfirm" JavaScript executes, it uses NextDB's JavaScript API to execute a query. Said query will use the DECYPHER function to decypher the URL's query parameter, and use the MD function to check the digital signature to be sure the confirmation email content has not been tampered. Said query returns a SURID with FOR UPDATE permission which allows the JS to change the value of the 'status' column of the row to 'approved'.

But what about replay attacks? That's the beauty of this technique. Because the CYPHER function's secret key can be different for each query, and because the content of the encrypted message can be used to confirm the presence of a row in the database, you can't "replay" a cyphered structure from your database against someone else's database.

Tuesday, December 16, 2008

Steal This Widget

Monday, December 15, 2008

Widget (Take I)

As you can see, I've added a rather oversized "signup" widget to my blog. I am experimenting with creating widgets using This one will add your "user" information into the NextDB database when you signup.


User registration is really "square one" of building any website. If we can encapsulate user signup into a widget, then we can encapsulate all other site functions as well. Then, with site functions "widgetized" you can essentially turn your blog, or really any web page into a full-featured AJAX site.

I've learned a bit about how best to do this. The first thing I learned is that sites like have a pretty friendly way for you to distribute your widget. It boils down to a simple button a viewer of your blog can press, and presto, they get the widget.

Second thing that took more messing around than it should was to find a webhost to host the HTML and image files for the widget. I intentionally didn't want to host any of the HTML or resources on, because I really wanted to behave as a nextdb user, who might be a graphic designer or someone in a dorm room, for whom a free webhost was their only option. I wound up creating an account at But it is lame that they don't support SFTP or a better batch upload. But it's good enough. And I think that's sort of the point. With an AJAX widget it really doesn't matter who hosts the HTML file is hosted.

Sunday, December 14, 2008

The Lapse of The Year

SPRING I am too soft of heart
Much to speak ere I depart
Ask the summer tide to prove
The abundance of my love

SUMMER looked for long am I
Much shall change or ere I die
Prithee take it not amiss
Though I weary thee with bliss

Laden AUTUMN here I stand
Weak of heart and warn of hand
Speak the word that sets me free
Naught but rest seems good for me

Ah shall WINTER mend your case
Set your teeth the wind to face
Bear the snow down, tread the frost
All is gained when all is lost

-William Morris

Saturday, December 13, 2008 Google Group now has a google group

We are hoping to get some good feedback from our user community. Small but growing.

Tuesday, December 09, 2008

St. Bride

This is a painting titled "St. Bride" by the Scottish painter John Duncan, from 1913. At the moment, this is my favorite work of art. I was fortunate enough to spend some time reflecting on this painting at the National Gallery in Scotland. It's is surprising that this painting is not more notable, considering how interesting it is (not to mention beautiful).

The painting depicts two angels carrying Bridget to Bethlehem to swaddle baby Jesus. It's truly an amazing amalgamation of Christian and Celtic mythology; Briget becomes St. Bride and Christianity synthesizes the ancient beliefs.

"[The legend] ...goes further back than the days of the monkish chroniclers who first attempted to put the disguise of verbal Christian raiment on the most widely-loved and revered beings of the ancient Gaelic pantheon. Long before the maiden Brigida… made her fame as a 'daughter of God'… the Gaels worshipped a Brighde or Bride, goddess of women, of fire, of poetry… one whom the Druids held in honour as a torch bearer of the eternal light, a Daughter of the Morning."

This is a wonderfully rich posting on the "Celtic Twilight" movement. Apparently William Blake, JRR Tolkien, and John Duncan shared similar influences. The more I read about this painting, the more I understand why it resonates with me.

Thoughts and Pimps

Wonderful tiled mosaic: "THOUGHT: written words; Spoken words". I took this photo near Rockefeller Center.

Early anthropological evidence of pimps (American Museum of Natural History)

This is just too easy!

Wow, I am amazed how easy it is to wire up my new widget to I mean, I really shouldn't be surprised, given we've been developing NextDB exactly to be this easy, but I'm still stoked. Here is a screenshot of the admin site for my hosted database in NextDB (just created one table for storing the widget data). Next to the admin site, on the right, is my shiny black widget.

Here is the whole 10 lines of code I literally cut-and-pasted out of the NextDB JS Docs into my widget's HTML.

BOOM, press the button on the widget, the data is inserted into the database, and I can even see the row using the admin tool. And there it is! There's my row that I inserted:

Monday, December 08, 2008

Database feeds

I had an idea today that boils down to "RSS for Databases". I was inspired by the very geeky act of "server log watching". Basically, whenever you bring up a cool new database app, you wind up watching the logs just to get a blow-by-blow on what your users are doing. Now, obviously log watching is boring, and requires you to be logged in or ssh'd into the server. Why not apply the same "feeds" to the actual data in the database that we use to follow our favorite blogs or news sites? Obviously some filters would be required to avoid a torrent of data in the feed, but that's all do-able. I'm pretty excited about adding RSS Feeds as a native feature for NextDB database tables. I will probably work on it this weekend. At the moment I'm addicted to screwing with a new widget design in Adobe Fireworks.

Sunday, December 07, 2008


I am in the process of creating a series of widgets that can easily be re-skinned. These widgets will fulfill many basic site functions such as: user sign-up, login, user profile management, photo gallery, blog, forum, etc. Each widget can be easily re-skinned to suit the look and feel of your site, and they are pre-wired to communicate with Here is an example of a sign-in widget.

Saturday, December 06, 2008

Nice blog enrty in Wired

Looks like Wired did a blog entry on NextDB.

It's funny, if you look in the comments, there are already haters. They don't even have a clue what NextDB does, or how our security model works. That's a good sign. Haters are scared of change.

Big week for

On Thursday, Andres Ferrate, posted this article on Programmable Web titled "Mashups Get a Hosted Database With". We also got an entry on Programmable Web about our JavaScript API. Very quickly the wave of account signups poured in and it hasn't crested yet. I guess this a moment that every small startup has to cope with. Fortunately both Brent and I have been there before but it never gets old. You can't keep your eyes off the server logs, and it's almost a point of pride when you hit "Too many open files" and need to kick a "ulimit -n", which in fact happened yesterday as dozens of new databases were created on Well, it's not exactly what I'd call being slashdotted, but it was a fun ride. Our challenge now, is how to effectively collect feedback from these Alpha users in order to improve the service based on their experience.