Les Troyens: Early reviews in

Boston Globe: Glimpses of Fire, Passion at Symphony Hall. As I mentioned last night, Dwayne Croft’s cold was in evidence, and Jeremy Eichler mentions it, and is negative about Marcello Giordano’s performance as well. But he gives thumbs up to Yvonne Naef and practically glows about the TFC, giving the longest review mention (a full paragraph!) that we’ve had from the Globe in recent memory:

The hero of last night’s outing was the Tanglewood Festival Chorus, which sang, from the outset, with unflagging energy, commitment, and focus. The expansive contours and sheer tonal force required for the score’s massive climaxes were all present, but so were the delicacy and transparency necessary to bring across passages such as the beautifully tender prayer sung by the Trojan women at the outset of the second tableau of Act II.

Oh, and thanks to the angle the photographer took for the article photo, you can clearly see me. Look directly above Clayton Brainerd (the second standing soloist from the right) and I’m two rows up, with my mouth wide, wide open. Hey, it was a big scene.

And regarding the “rough-edged” comments about the work: we have three more performances, and history tells us that each one will be better and better.

Wow, that was something: Les Troyens

Opening night is past. Les Troyens, Part I is a magnificent beast, and it has already bloodied the cast—poor Dwayne Croft had a cold the likes of which I’ve never heard from someone singing a part like that. I think we all breathed a sigh of relief at the end of the duet. All the soloists were magnificent, but the prize has to go to Yvonne Naef, or as I called her in my Facebook status “Yvonne Fricking Naef” in homage to John Moltz’s Jennifer Fricking Connolly. Her Cassandra is vulnerable, fierce, and fey, and easily the strongest presence on stage. A close second would have to be our women: hats off to Fanw and other women of the chorus, whose second act number is one of the great heart-seizing moments in Berlioz (or in all women’s chorus literature, for that matter).

I’ve been overwhelmed with the rehearsals, but now I can’t wait to sing it again. Good thing we repeat Part I three more times!

The intersection of Barack and security

Netcraft: Hacker redirects Barack Obama’s site to hillaryclinton.com. Okay, folks, here’s the thing: never trust any place where a user can enter text into your website and have it displayed back at you. Never trust any text that comes from a form field on your site. Because if you do, smart and devious people like Mox here can use your trust to do embarrassing things to your visitors.

On the (very) slightly mitigating side, the attack was not against the main Obama website but his community blog platform, and the vulnerability that was exploited has already been closed. But this type of vulnerability, Cross Site Scripting, is insidious unless you begin your web application with the assumption that all user input needs to be sanitized. And even then, it’s not enough to check your code; you need to check all the third party code that makes up your site.
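As an added illustration (not code from the original post or from either site it mentions), here is the pattern the post warns about, a form field echoed straight back into the page, beside the usual fix of escaping the text at output time; the sample inputs are constructed:

```python
import html

# Constructed sample inputs for this demonstration (not taken from the post):
# an ordinary comment and one carrying markup, the kind of text a reflected
# XSS bug relies on being echoed back to other visitors unchanged.
SAMPLE_INPUTS = [
    "Great post, thanks!",
    'Nice <b>site</b> <script>evil()</script>',
]


def render_vulnerable(user_text: str) -> str:
    """Echo the form field straight into the page. The browser cannot tell the
    visitor's text from the site's own markup, so any <script> inside it runs."""
    return f"<p>You said: {user_text}</p>"


def render_escaped(user_text: str) -> str:
    """Escape at output time: <, >, &, and quotes become entities, so the text
    is displayed as text and never parsed as markup, whatever the user typed."""
    return f"<p>You said: {html.escape(user_text, quote=True)}</p>"


def echoes_script_tag(rendered: str) -> bool:
    """Check used in this demo: did a <script> element survive into the page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for text in SAMPLE_INPUTS:
        for name, render in (("vulnerable", render_vulnerable),
                             ("escaped", render_escaped)):
            page = render(text)
            flag = "RUNS SCRIPT" if echoes_script_tag(page) else "safe"
            print(f"{name:10s} {flag:11s} {page}")
```

The escaping has to match where the text lands (this is the HTML body case; attribute values, URLs and inline JavaScript each need their own encoder), which is one reason third-party templates and widgets on a site deserve the same check.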

It would be immodest of me to mention that my company’s service can do just such a check, without requiring you to build security expertise in-house, and for a modest fee.

Performing for the Pope

My friends and colleagues in the Suspicious Cheese Lords have been busy lately. This weekend they sang for Pope Benedict XVI (yes, seriously) at the Pope John Paul II Cultural Center. The piece was a composition by George Cervantes, a setting of the Peace Prayer of St. Francis of Assisi, making the occasion that much cooler. Plus Skip was interviewed on CNN about the performance. And the video is prime Skip. Full video of the performance (which starts at around 18:30) and of other activities at the center is available through the EWTN Global Catholic Network site.

Way to go, guys. I expect to hear about your official appointment as choir in residence at the Sistine Chapel any day now. (But maybe not an appointment to be a CNN correspondent! Boy, they cut Skip off pretty fast in that interview!)

New mix: 2:42

My 2:42 mix is now posted at Art of the Mix. I decided to keep to the format of the original, and only included twelve songs.

I noticed, looking at Isis’s version, that some of her track lengths were different from mine—for instance, her version of “That Teenage Feeling” by Neko Case is 2:42, whereas mine is 2:43. A second’s difference is surprising—maybe it’s just the difference between buying the track digitally and ripping it. Or maybe different media players round differently, who knows.

I haven’t had a chance to take up Greg’s challenge and make a 4:33 mix yet. Who knows what that would turn out like? Very quiet, I expect.

Joshua Allen at The Morning News (via BoingBoing) writes about his deductive process of identifying the perfect pop song length, at two minutes and 42 seconds:

The scientists then dug up this song by a group that pretty much defines one-hit wonder: the La’s. The song is “There She Goes,” and is so flawless that it instantly made everything else the band did pointless. This ditty is two minutes and 42 seconds, and is all about songwriting economy….

What else is at 2:42? “Don’t Do Me Like That” by Tom Petty. “Divine Hammer” by the Breeders. “Helplessly Hoping” by Crosby, Stills & Nash. “Get Up” by R.E.M. “California Dreamin’” by the Mamas & the Papas. “This Charming Man” by the Smiths.

You need more proof? Jerk. Let’s look at Sgt. Pepper. “Lovely Rita” is two minutes, 42 seconds. It delivers that psychedelic vibe and a coda but then gets the hell out of your life.

Allen then lays down the challenge with a mixtape of twelve songs that clock in at exactly 2:42. Which sounds like a meme waiting to happen. Unfortunately my iTunes library is at home so I can’t try the experiment, but I’ll put it out there for the usual suspects. Can you top his mix?

Edit the Oklahoma Sex Offenders Registry!

In what is shaping up to be a fine security trifecta (see yesterday’s post about an as-yet unpatched cross-site scripting vulnerability at CIA.gov), yesterday’s Daily WTF posting concerned a naked SQL Injection vulnerability on the Oklahoma Department of Corrections website. The vulnerability allowed anyone who cared to download lots of details from Oklahoma’s sex offender registry that shouldn’t have been accessible, including social security numbers (identity theft, anyone?), and also allowed access to other tables in the database, including information on corrections staff members. The page is now, mercifully, offline, though not before a commenter claimed that he was able to insert someone’s name into the database using a different SQL statement in the URL.

Little Bobby Tables at xkcd illustrates this type of vulnerability as well. Moral of the story: don’t trust user input!
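To make the Oklahoma-style bug concrete, here is an added example (my own code, not anything from the site in question) of a lookup that pastes a URL parameter into the SQL text beside the parameterised version; the in-memory table and the tainted value are constructed for the demo:

```python
import sqlite3

# Constructed value standing in for a crafted URL parameter; not from the post.
TAINTED_CITY = "Tulsa' OR '1'='1"


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a registry database. All rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, city TEXT, ssn TEXT);
        INSERT INTO offenders VALUES (1, 'Person A', 'Tulsa',  '000-00-0001');
        INSERT INTO offenders VALUES (2, 'Person B', 'Norman', '000-00-0002');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    """The pattern behind the post: the URL parameter is pasted into the SQL
    text, so a crafted value rewrites the statement instead of naming a city."""
    sql = f"SELECT name, city FROM offenders WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, city: str) -> list:
    """Parameterised query: the driver binds the value separately from the SQL,
    so whatever the visitor sends can only ever be compared against city."""
    return conn.execute(
        "SELECT name, city FROM offenders WHERE city = ?", (city,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(label, "normal:", fn(db, "Tulsa"))
        print(label, "tainted:", fn(db, TAINTED_CITY))
```

With the tainted value the vulnerable lookup returns every row, the parameterised one returns none; the same binding discipline is what stops a visitor from turning a lookup into an INSERT.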

Cross-site scripting, illustrated

Wired ThreatLevel Blog: Look Ma, I’m on CIA.gov. Wired’s security blog reports a cross-site scripting vulnerability in the CIA’s web site and gives a convenient demo exploit. The exploit is benign enough, illustrating how JavaScript can be used to load an iframe on the CIA’s search results page containing arbitrary content. But the potential for mischief is significant. Imagine loading a phishing site this way. Or imagine this vulnerability on your bank’s home page.

Too often security vulnerabilities are abstract. This one, thanks to Wired, is pretty real. I’m surprised it’s still up, actually.

Fun with Berlioz

We had an unusual rehearsal the other night. Instead of being in the chorus room in the bowels of Symphony Hall, we were on stage, and we had cameras on us. It was for the BSO’s podcast series, and the episode is now out: an interview with our fearless leader John Oliver, with shots of the Tanglewood Festival Chorus rehearsing the Berlioz Les Troyens and some footage from the recent Met staging of the opera. I think it gives good insight into both the piece and the chorus (as well as some amusing photos of John in the 1970s).

What’s that? You didn’t know the BSO had a podcast series? Well, that might be because the podcast link is ill-placed on the front page, is not autodiscoverable, and isn’t in the iTunes directory. Not to mention, the podcast URL has a session ID in it. Hey BSO webmaster—fix it, won’t you?

The danger of outsourcing…

…your bookmarks. Del.icio.us is offline and my whole morning routine is off. Okay, so instead of tagging these two links I’ll post them to my blog instead.

First, for those new product managers out there, as well as those that have been the copy machine once too often, check out the free ebook from Pragmatic Marketing, The Strategic Role of Product Management. There’s nothing new here; in fact, it’s all stuff you’ve seen before, on Steve’s blog or in other Pragmatic publications. But it distills a bunch of lessons on why product management matters to a single document that makes a compelling story.

Okay, but once you get management buy-in on the strategic importance of product management, how do you avoid getting bogged down in minutiae? How can you stay strategic? One answer comes courtesy of the Good Product Manager: Delegate tactical responsibilities. The methods to do so are simple even if you don’t have direct reports: transfer knowledge, teach to fish, and examine priorities constantly to ensure that the “urgent task” really needs doing.

We love it when our friends become successful

In another of an intermittent series of posts about past acquaintances of mine who are now Doing Great Things, I happened to think the other day about Darius Van Arman. Darius and I went to the University of Virginia at around the same time, and primarily bumped into each other in the basement of Peabody Hall, where all the University publications were at that time. I was getting a poetry magazine called Rag & Bone off the ground; he was working on a music and creative magazine called 3.7. I publicly disclaimed some things the magazine did (spending lots of money on heavy cover stock, lookalike black covers, extremely goth fiction and illustration, heavy reliance on distorting type on a path in Quark—the latter was a Darius trademark) and privately admired the magazine’s confidence in its own aesthetic and their ability to get interviews with musicians and artists, a real differentiator between the magazine and anything else that was going on.

I bumped into Darius a little while after graduation. He was still living in Charlottesville but was working on starting a label, which he was going to call Jagjaguwar.

This week I decided to search for Jagjaguwar and see what I could find. What I found was: Jagjaguwar is the home of bands like Okkervil River, Black Mountain, Bon Iver, Wolf Parade side project Sunset Rubdown, and Ladyhawk. They’ve got a good nationwide scope through a distribution deal with indie label Secretly Canadian. Heck, I’ve been listening to Jagjaguwar cuts on the KEXP podcasts for a year or more without knowing it. Darius has made it… well, not big, but he’s made something real without compromising his credibility. Heck, he even did an NPR interview with ex-Sleater Kinney guitarist Carrie Brownstein. Back in the Hook, that would have gone the other way around.

Veracode: Cool Vendor

Quick pointers to a few awards Veracode has won recently:

  1. Readers Choice Award, Information Security Magazine and SearchSecurity.com
  2. Gartner Cool Vendor Award, Application Security and Authentication category

It’s great for Veracode to get this kind of recognition. I’m really proud to work at a company that can make a difference to how companies address application security.

—Oops. Almost forgot to mention: Looks like I’ll be at the Gartner IT Security Summit in early June in Washington, DC. I’m looking forward to getting the long view on the industry. And from the speaker list, it looks like I might get a chance to get Bruce Sterling’s signature next to William Gibson’s on my copy of The Difference Engine.

New lenses on the world

A few weeks ago my eyes turned bright red. They didn’t hurt but something was clearly wrong. I stopped wearing my contacts for a few days and got rid of the infection that had settled in. In the meantime, I relearned what I already knew: my glasses prescription was woefully out of date. Like, when I got these glasses, Clinton was beginning his second term. They didn’t correct for my astigmatism and I had a headache after a few hours wearing them. And the frames were loose to boot.

So I bit the bullet and got new glasses. They’re a departure—I went to heavier Italian black frames, about ten years after everyone else did, and the effect is a cross between young Peter Sellers and early 1950s British Health birth control glasses. This post is, as they say on Fark, useless without pictures, so I’ll see what I can do about that.

But I had forgotten what it’s like getting used to new glasses. I need to keep my head very still or the distortions moving in my peripheral vision give my stomach flip-flops. And trying to glance down at my iPod while driving in was a whole different experience again. Like: if I ever give up contacts for good, I might need to go to bifocals.

So: not exactly the total stylish package that I imagined. But at least I can see through them, when I look straight ahead. I think the bottom line is that I’m really glad that I can switch back to my contacts.

Why does Microsoft push unpatched software via Windows Update?

It is, for a change, a very good question from CNet. If you know that security vulnerabilities exist in your software, and you’ve already patched those vulnerabilities, and you have a well-documented process for slipstreaming patches into existing installs, and you have an automatic update process

… why in the hell would you have that automated update service push the unpatched software rather than fully patched versions?

The short time between install and patch isn’t a good enough reason. Even if Microsoft automatically forced a re-run of Windows Update after each update session, as Mac OS X does, history shows that it doesn’t take long for unpatched, vulnerable software to be exploited. There is relatively little cost to Microsoft to prepare fully patched downloads, and the payback is huge risk avoidance. Fix it, already, guys.

Google opens the Cloud

Google App Engine appears to be Google’s answer to Amazon’s web services—a simple, highly scalable development and deployment platform for web apps that need to scale. It’s an interesting offering that takes a slightly different tack from Amazon, with the requirement to build an app as a fully integrated stack (not to mention, the application needs to be in Python, at least for the first iteration). But I like it nonetheless, especially at the entry pricing: as Dave Winer pointed out in a prescient piece last week, web services should be free at the low-bandwidth end of things; it’s a great way to build an ecosystem. Having one player in the cloud business is an experiment. Two makes it competitive, and that means that the offerings for developers will only get better and better.

It begs the question, of course, of when Redmond will wake up and realize that the last remnants of its Old Republic are being swept away.

Congrats to Google product manager and Sloanie Tom Stocky, who seems to be at the center of a lot of good things from Google these days.