M-J. Dominus at The Perl Conference


This page is about what I did at the second annual conference in 1998. I also have pages about what I plan to do at the upcoming conference in 1999.


I'll be at the Second Annual O'Reilly and Associates Perl Conference this summer. They have me scheduled to do three different things.

  1. I'll be teaching a tutorial on WWW security.
  2. I'll be giving an invited talk called The Perl Hardware Store.
  3. I'll be doing a guru-is-in session.

Notes for the Hardware Store talk are on-line.

In addition, I plan to do a lot of unscheduled stuff too.

Security Tutorial

The actual contents of the talk are going to be a little bit different from what it says in the brochure or on the web site, because I changed my mind about some of the details while I was preparing the materials. The general structure is the same, however. The course will be in two independent parts:

  1. Deception and Disaster: What Can Go Wrong With Web Services
  2. The Gory Details: Making Your Web Services Secure

The two parts will have a little overlap, but not very much, so you should be able to attend both without feeling too much déjà vu, and you should be able to attend just one part without feeling left out.

Either way, you still get the full set of notes, which run to about 21,000 words. They cover most of the contents of the course, so if you read the notes, all you'll be missing are the question-and-answer periods and my wit and delightful presentation.

The outline of the tutorial looks something like this now:

Deception and Disaster: What Can Go Wrong with Web Services

  1. Introduction and Security in General
  2. Overview of HTTP
  3. CGI: The World's Biggest Security Hole
  4. Do not trust the browser.
  5. Authentication
  6. Securing the Machine Itself
  7. Summary

The Gory Details: Making Your Web Site Secure

  1. Introduction and Security in General
  2. Very Fast Overview of HTTP
  3. A Detailed Guide to perl -T
  4. Laundering Case Studies
  5. Browser Disasters
  6. Cryptographic Methods
  7. Authentication Revisited
  8. Internal Security
  9. Summary

My Credentials

The folks putting the brochure together messed up and left out my most important credential: I was the senior systems engineer for Pathfinder, Time-Warner's internet service; I had to do security for the Time Magazine web site. Here's a summary of my WWW life:

I'm a professional Perl programmer, system administrator, and network security consultant. I've been developing applications for the WWW since 1994.

In 1994, I was working as a systems programmer and system administrator for the Department of Computer and Information Science at the University of Pennsylvania. NCSA Mosaic had just come out and I was very impressed. Because I was the technical staff member who was most interested in this new service, I became the department's first webmaster, and expanded my normal security duties to include security policy for our web service.

In late 1995, I answered a want ad that turned out to have been placed by Time-Warner, the media giant that publishes Time, Life, Sports Illustrated, and other magazines. They were starting a pilot internet service and they needed someone to head up the technical side. The web was still so new that it was hard to find anyone to manage it who wasn't a college sophomore. So I left Penn to do the technical work for Time-Warner's Pathfinder project. At Pathfinder, I did system and network administration, application development, security management, and technical consulting of all sorts.

After seven months, I decided that I didn't like working at Time-Warner enough to move to New York permanently, and commuting full-time from Philadelphia was no longer an option. I quit and went into business for myself, doing much the same sorts of things for my clients that I had previously done for Penn and Time-Warner. Clients you may have heard of include Clinique (part of Estée Lauder) and Prudential (insurance and real estate).

On-Site Training

Would you like me to come visit your company to do WWW security training? Send mail to mjd-perl-training@plover.com. I will be happy to tailor the course above to suit your needs.

Invited Talk: The Perl Hardware Store

This talk went through a lot of changes before I finally made up my mind what I was going to say. Consequently, the brochure description is not very accurate. Here's what I plan to talk about:

  1. Teflon Tape
  2. Schwartzian Transform
  3. Manual Exporting
    • Simplest Example: Import a Function from Another Package
    • Writing a Module that Exports a Function
    • Constants
    • Exporting Variables
    • Exporting Variables, Part II
    • Clone the Exporter
  4. Adding a New Method to a Package
  5. Semaphore Files
  6. Memoizing
    • Highly Recursive Functions
    • Automatic Memoization
    • Functions that Take a Long Time to Compute
    • Profiling Execution Speed
    • `Orcish Maneuver'
    • Dynamic Programming

This is pretty different from what I originally intended; I was going to do a lot of stuff with closures, show how to make message-passing objects so that you can roll your own object-oriented programming system with whatever inheritance semantics you want, how to build a dataflow programming system, constraint networks, a bunch of cool stuff like that mostly cribbed from Abelson and Sussman. And when I actually went to write the talk, I thought I'd deal with a couple of smaller items first, to get people sucked in before I turned to the abstruse parts. But the smaller items grew and multiplied, and then there wasn't any room for the abstruse stuff. So be sure to ask the conference folks to ask me back next year!

In issue #10 of The Perl Journal I threatened that the talk would be subtitled `Stop Programming in FORTRAN, Already', but I didn't end up doing what I thought I was going to, so it isn't called that. Here are the other rejected titles:

Most of these are more applicable to the original conception. If you want me to come speak to your group or company about any of these, send me mail and I'll rush right over.

Complete notes are now on-line.

I'll probably be giving this talk again at the 1999 conference, along with an all-new sequel.

The Guru is In

I don't know how I feel about being a `guru'. That always sounded bad to me, rather self-aggrandizing and silly. But in this case it means I volunteered to try to answer people's questions, and I like to try to answer questions.

All the other gurus are holding sessions dedicated to set topics. For example, they got Friedl (who else?) to do a Guru session on `Regular Expressions'. I said I didn't want to have a topic, so my guru session is called `Ask Me Anything'.

If you want, you can enter my betting pool on how long before some smartass comes to ask me about the air speed of an unladen swallow or some similar stupidity.

News Flash: Lorrie has made me a special Guru Hat to wear while I am acting as a guru. Watch for it.


Blues Jam

I play blues harmonica. Blues harmonica sounds a lot better with accompaniment.

Hint, hint.

What I Look Like

Here's the picture that they have in the brochure:

Actually I don't look very much like that. I wanted to look deadly serious so that lots of people would take my security tutorial seriously. I had three pictures taken, and I sent in the one that smiled the least. The conference folks tell me that at least 153 people signed up, so I guess I must have looked serious enough.


In reality, I look more like this:




mjd@plover.com