We all know enabling trusted cache improves performance, but I wasn't aware of the scope of performance increase.  As I understand it, it improves IO by keeping code in memory so CF doesn't have to read from the disk.  Apparently, there is a lot of IO overhead in the CreateObject.cfm file I'm using to test.  Performance increased dramatically, from 10797ms to 437ms.  The strange thing I discovered, when comparing these results to BD.NET with trusted Cache enabled, performance actually decreased.

The code I used to test is from Neil Middleton at http://neilmiddleton.com/2007/07/01/cf-8-and-performance-comparisons/.  He performed similar tests and came to similar results as I did at first.  After speaking with Josh Adams at Adobe, he suggested I try 1.5 JVM.  I gave it a try and there wasn't much change.  I wanted to know why BlueDragon.NET had much better performance for CreateObject than CF8.  When I was at CFUNITED, the guys from HostMySite.com said they were true believers in Jrockit by BEA.  I tested Jrockit 5 and 6 and noted similar performance as 1.6 jvm from Sun.  I'm sure my tests weren't exhaustive, and I haven’t done load testing yet, so things like memory leaks and garbage collection haven’t become an issue yet. 
One strange thing I discovered is that the "Trust Cache" feature in BlueDragon.NET actually decreased performance a little.  I’m not sure why this has occurred either.  But I’m sure someone will have an answer. 

My tests were conducted with BlueDragon.NET and CF8 installed on the same Windows Server 2003 Vmware VM with 2.4GHZ processor and 2 GB ram. 

First entry in quite a while.  Between work, 4 y/o son, and working on my MBA, I don't get much of a chance to update the blog.  But being at CFUNITED and meeting some great minds at the conference has given me inspiration to post again. 

This years CFUNITED was great in my opinion.  I got to meet a lot of talented and smart individuals, and lean a lot about ColdFusion and what Adobe has in store.  One of the things I'm most excited about is that Adobe has acknowledged a problem in growing the CF community.  Macromedia and until recently, Adobe has ignored the academic arena.  CF has been priced out of the reach of departments of CIS departments, which in turn has limited the influx of new blood into the CF development community.  .NET has taken over at my school as the primary web based language as well as Java.  CF was taught for a while in the advanced E-commerce classes, but due to cost, they scrapped that class and focused on .NET and Java.  But at CFUNITED 08, Adobe announced that CF will be freely available as a fully functioning product to students and professors for educational purposes!  This is a great move by Adobe, and I plan on getting on the advisory board of my university to push for CF. 

This leads me into my next revelation, and idea.  In my MBA studies, Kaizen is an important topic.  Lean in general is where business is going and has gone.  Traditionally, Lean has been relegated to manufacturing, and production floors.  But Lean can be applied everywhere, from HealthCare, to the office.  One place that Lean can be used to improve IT is in the software development life cycle (SDLC).  By choosing a RAD product to develop applications that are quick to develop and deploy, and are easy and cost effective to support.  Training time and money also come into play when thinking Lean or employing Kaizen.  Kaizen is continuous improvement through the elimination of waste. 

ColdFusion fits into Lean and Kaizen perfectly.  CF can be learned quickly, apps can be deployed quickly, CF apps can be easily diagnosed and the servers can be diagnosed easier than ever thanks to CF8.  Some may argue that the money spent on a CF license is waste.  Well I disagree, waste is not getting equal or greater value than the resources applied.  With CF, the value exceeds the cost.  On a stand alone server this is true due to all of the RAD features, and diagnostic tools such as debugging, and server monitor, but in a virtual environment, this is especially true.  CF is licensed per the physical CPU, if you buy one CF license, and have 4 VM slices on one physical machine, you can have 4 CF servers for the price of one.  The cost is decreased and the benefit is increased.  One of the greatest values in the CF world is the CF community.  I know I haven’t provided any numbers, but I plan to actually support this thesis with a proper cost benefit analysis and I will publish it if I feel it’s sufficient for public consumption.  I mentioned this idea at CFUNITED and I had many interested individuals asking about it.  So I plan to do a cost value analysis of re-writing apps from CF to .NET, and the cost benefit of CF in general.  

Posted by Tom Gantert | The Ann Arbor News October 17, 2007 08:00AM

ALAN WARREN/ANN ARBOR NEWSThe LED street lights provide a whiter light compared to the existing incandescent ones.

Mayor John Hieftje on Tuesday proclaimed Ann Arbor to be the first city in the country to pledge to fit all its downtown street lights with the more efficient LED light bulbs.

Then with the CTN cameras rolling at a afternoon press conference, Hieftje turned to Mike Bergren, the city's assistant field operations manager, and asked, "First in the world, maybe?"

Bergren shrugged. "Possible."

As part of its goal to be a national leader in energy efficiency, the city announced that it will replace all 1,046 of its 120-watt incandescent street lights downtown with the 56-watt light-emitting diode. Hieftje estimated that would take two years.

It will cost $630,000 to do the installations, which is being paid for by the Downtown Development Authority. Eventually, Hieftje said the entire city will have LED lights.

Once completed, project officials estimate converting all its downtown lights will save the city $100,000 a year in energy costs and reduce greenhouse gas emissions by the equivalent of taking 400 cars off the road for a year. The LED lights also provide better light quality for improved visibility and safety, according to LED City, an
organization of government and industry parties that is promoting their use.

Raleigh, N.C., and Toronto are two other cities that have installed LED lights in their downtown, according to Greg Merritt, a spokesman for CREE, the company that manufacturers semi conductors in LEDs. They just haven't committed to doing the entire downtown like Ann Arbor has, Merritt said.

Ann Arbor recently completed converting all of its traffic signal lights to LEDs.

Like those traffic lights, a big savings with the street lights will be with maintenance, Bergren said.

The older street lights have a two-year life after which they all had to be replaced. The LEDs have a seven-year warranty and are expected to last as long as 10 years.

The LEDs also don't contain mercury, something that is in the city's common street lights, Bergren said.

Tom Gantert can be reached at tgantert@annarbornews.com or 734-994-6701.

Originaly posted at;

http://www.pcworld.com/article/id,122871-page,1/article.html?RSS=RSS

Windows XP SP3 Preview Surfaces Online

"Unofficial" preview pack includes log-on improvements and network fixes for Windows XP PCs.

Though Microsoft still won't confirm that it will release a third service pack for its Windows XP operating system, a preview version of the software update has been made available on the Web.

An "unofficial" preview pack of Windows XP Service Pack 3 is available at The Hotfix, a software download site and discussion forum that focuses on patches and software updates.

Info Avaiable, but Hidden

Ethan Allen, creator and administrator of The Hotfix, said Wednesday that he assembled the preview pack from software updates sent by an internal Microsoft source that are expected to be released in SP3.

The updates include Windows log-on improvements and features that fix current problems with connecting Windows XP computers to various networks, according to the SP3 forum on the site.

Allen, a Microsoft beta tester who previously worked on a contract basis for the Redmond, Washington-based software company, updates the list of technologies for Windows XP SP3 daily based on information found on Microsoft's Web site.

"Microsoft makes it freely available about what's going to be in the next hot fixes, but they hide it," Allen said. He said he found information on updates that will be made available in Windows XP SP3 by using keywords contained in articles on Microsoft's Web site. This is the same way he discovered the technologies that were released in Windows XP SP2. He posted those updates on a Web site before that service pack was released in August 2004.

Allen now works in software assurance for a Bellevue, Washington-based high-tech company that he declined to name. He said Microsoft has not contacted him about The Hotfix, which he launched in July.

Allen's site has also published a transcript of a chat discussion in which Microsoft engineers fielded questions from beta testers about whether Internet Explorer 7 will be included in SP3. According to the transcript, Anurag Jain, a program manager on the Internet Explorer team, said that the service pack won't include IE 7 but will "support" it. Instead, Internet Explorer 6 will be a part of Windows XP SP3.

SP3 or No SP3?

Microsoft provides service packs to add what the company and its users think are important updates to the current releases of its software. For example, Windows XP SP2, which significantly updated Windows XP, included software intended to make the OS more secure.

Reports published last week quoted Microsoft France's technical and security director Bernard Ourghanlian as saying that a third service pack for Windows XP will become available after the next version of the client OS, Windows Vista, ships at the end of 2006.

A Microsoft spokesman Wednesday insisted that Microsoft still hasn't decided whether to release SP3 for Windows XP.

"We have not confirmed plans for a Service Pack 3 for Windows XP yet," said Michael Burk, product manager for Windows Vista. "At this point, the Windows servicing team is reviewing the feedback on Windows XP SP2 and is still evaluating timing and alternatives for the next Windows XP servicing release."

The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: "230 dead as storm batters Europe." Those who opened the attachment became infected, their computers joining an ever-growing botnet.

Although it's most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It's also the most successful example we have of a new breed of worm, and I've seen estimates that between 1 million and 50 million computers have been infected worldwide.

Old style worms -- Sasser, Slammer, Nimda -- were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.

Worms like Storm are written by hackers looking for profit, and they're different. These worms spread more subtly, without making noise. Symptoms don't appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

Storm represents the future of malware. Let's look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
3. Storm doesn't cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won't notice any abnormal behavior most of the time.
4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way.

   This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn't show up as a spike. Communications are much harder to detect.

   One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won't work with Storm: An infected host may only know about a small fraction of infected hosts -- 25-30 at a time -- and those hosts are an unknown number of hops away from the primary C2 servers.

   And even if a C2 node is taken down, the system doesn't suffer. Like a hydra with many heads, Storm's C2 structure is distributed.

5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called "fast flux." So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
6. Storm's payload -- the code it uses to spread -- morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
7. Storm's delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites -- anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.
8. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: "A killer at 11, he's free at 21 and ...," "football tracking program" on NFL opening weekend, and major storm and hurricane warnings. Storm's programmers are very good at preying on human nature.
9. Last month, Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater and so on -- and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy's reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.

Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can't imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn't work in any case: Storm's creators could easily design another worm -- and we know that users can't keep themselves from clicking on enticing attachments and links.

Redesigning the Microsoft Windows operating system would work, but that's ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it's a really bad idea in real life. We simply don't know how to stop Storm, except to find the people controlling it and arrest them.

Unfortunately we have no idea who controls Storm, although there's some speculation that they're Russian. The programmers are obviously very skilled, and they're continuing to work on their creation.

Oddly enough, Storm isn't doing much, so far, except gathering strength. Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing.

Personally, I'm worried about what Storm's creators are planning for Phase II.

This essay originally appeared on Wired.com.

One way to reduce spending may be salary cuts for Michigan’s legislators themselves, who earn a whopping $79,650 per year, plus an additional $12,000 “expense allowance.” This puts Michigan legislators behind only California for highest legislative salaries in the nation.

On top of this, the Michigan legislature has been ranked as a “red legislature” by the National Conference of State Legislatures, a rank given to legislatures that have the longest sessions, highest salaries, and the most staff. It’s unclear what Michigan legislators have been doing with all this time and resources, however, because Michigan’s economic performance is one of the worst in the country.

Michigan’s problems run deeper than just this, but it’s clear big salaries for legislators mean big losses for taxpayers."

If this doesn't get you fired up, then what will?  Michigan is out of control and something needs to change.  Here are some more details from WikiPedia;

"There is no minimum or maximum number of days for which a session of the legislature must meet each year. Although there is no universal definition as to what constitutes a full-time legislature, the Michigan Legislature is one of only eleven full-time state legislatures in the nation.[1] ( http://en.wikipedia.org/wiki/Michigan_Legislature#_note-0)Michigan's legislators receive a base salary of $79,650per year which makes them the second-highest paid legislators in the nation, after California. Legislators also receive a $1,000 per month per diem in addition to their base salary. [2] ( http://en.wikipedia.org/wiki/Michigan_Legislature#_note-1) Unlike those states which are considered to have a part-time legislature and whose members are paid only for actual days in session, Michigan's legislators are paid an annual salary regardless of the number of meeting days and are considered to be full-time."

Yesterday I wrote about my Home Theatre setup and described some of the troubles I’ve had.  Today, I will write some more about it and show some pictures such as the masterpiece of my 3yr old.  The screen has been fixed, but the art on the wall still shows.  

This is what my wall below the screen looks like after my 3 yr old son (2.5 at the time) found a Sharpie, and decorated the wall.  The scribble went up to the screen and made it impossible to watch movies w/o enjoying his lovely artwork.  The genius that I am, tried to clean it off with some chemical and ruined the screen even more, if I can find a picture of that, I’ll display it. 

Here is the screen,  It’s 100” diagonal, and fills up this space nicely.  I built the screen out of poplar wood, black velvet, and blackout cloth. 

In front of the screen is the projector, it’s about 14’ in front to fill the screen with a nice image.

The projector is connected to my desktop PC with DVI-D cable.  I currently launch movies off my server, and display them from the desktop to the projector. 

This is the heart of my network,  this cabinet contains 500GB Raid 5  in a storage array below the monitor, UPS to keep it all safe, a rack mounted power strip, 4 U server with 400GB mirror, and a few other drives for prosperity, 2 Nortel 350-24T switches.  One switch is connected to the wire harness in the rear of the cabinet; the house is wired into the harness, and then fed into the lower switch.  The top switch is where cabinet devices are connected, and space for future expansion.  Above the switches lies a Cisco 4700 router.  I was using this as my gateway, but went back to a Linksys WAP/Router for ease of configuration.  Thinking of going back to the Cisco router, it was much more stable.  The monitor sits there when I need access to the console on the server.  I very rarely need it, but it’s nice to have. 

I need to run dedicated power to the cabinet and projector, I have all of the supplies, but I lack the time.  Too much to do, so little time.  Maybe this weekend, I will find time to do something. 

 I have been slowly working on a home theatre for a while. I started planning it while I was looking to buy my house.  In my house I have a finished basement with a perfect wall for a 100" diagonal screen.  I built the screen using poplar for the frame, black velvet wrapped the frame and used blackout cloth for the screen material.  The screen cost me about $100 the first time I built it.  I came home one day and found my son had taken a Sharpie and decided he would redecorate with some art work.  He noticed a wonderful plain white canvas and decided it needed something to liven it up.  He had scribbled all over the wall and lower part of the screen with the sharpie, making it impossible to be used as a projection screen.  So another $25.00 and about 30 minutes, I replaced the screen material. 

My projector is a BenQ W100 and for the first few months it worked great. The picture was bright, color was vibrant, and all seemed wonderful in the world. I watched several movies, hosted a SuperBowl party, and watched TV.  Then one day I noticed the picture was starting to dim.  I kept having to make the room darker and darker.  I checked the number of hours the bulb has been used and it was less than 100.  At 96 hours the bulb was so dim, that a pitch black room wasn't dark enough to watch a normal movie.  I contacted BenQ and they told me the bulb was only under warranty for 3 months and the projector was 1 year.  I was pretty upset.  These bulbs are not cheap!  I have a sneaking suspicion that the power supply in the unit is failing, not the bulb, so I should get another bulb before my year is up just to make sure.  But I call on you, the readers to assist me in this dilemma for answers.

At the moment I have the projector at 14' 2" from the screen.  I used the projection calculator from Projection Central. The size of the movie is awsome!  I loved watching movies on this thing before the bulb issue.   I need to get a decent sound system.  Since i play the movies over my  home network, through my PC, I use my 5.1 surround sound on my PC.  It works, but it isn't as good as a dedicated home theatre sound system.  I'm exploring those options, and will add that later. 

The next step is to setup a media server to serve up DVD ISO's to the projector and a media server to the main TV in the living room.  The house is wired with 100MB CAT5E, I don't see any need to upgrade to 1GB yet, My backbone is pretty solid with 2 Nortel switches.  I'm testing Windows XP Media Center 2005, and using my XBox360 as a Media Center Extender.  I want to find a way to watch DVD ISO's from the 360, I heard of a Media Center plugin called TransCode360 that will allow DVD ISO playback, but I read that it will only play ISO's that were created with the main movie, not ISO's with the full DVD such as menu's and extras.  So I'll give it a shot and see how it goes.  I may need to drop some coin and build a dedicated machine and use MythTV or something like that. 

I hold all of my ISO's on a 400GB mirror in a 4 U rack mounted server.  I use 2 350 24T Nortel switches for the back bone.  This has proven to work just fine to date.  If I ever get into HD-DVD, then I may need to upgrade.  but we'll cross that bridge when the time comes. 

Please leave comments and or suggestion for a low cost, effective home theatre system with media servers.

A project I am working on is setting up 2 load balanced web hosting environments.  One is for an external audience; the other is for the intranet.  The servers are IIS6, the application language is CFML and the application engine is ColdFusion MX7.  There are 2 web servers in each environment and the database servers are clustered as well.  So in total 4 web servers (2 sets of 2), 2 DB servers - MSSQL 2k5 configured in a cluster failover.  The web servers sit behind a Cisco loadbalancing device.  The web environment is going to host a CMS developed by a third party written in CFML that supports CFMX7, but not the multi server configuration of CFMX (don't ask because I don't know, I've already asked them).  

The problem is CFMX and file based replication.  The CMS has an administrative interface where users can build new pages, and create new content.  When new sites are created in the CMS, it automaticly creates a site in IIS, creates the DSN in CFMX, sets custom tag paths, and creates new files.  If the content creators never planned on creating a new site, then there would be no problem.  However, I don't live in that fantasy world. 

But alas, I did find a product that can handle all of this replication.  R-1 from Repliweb can do the file based replication, and IIS6 configuration replication.  they even have an add on called Continuous Update, that will replicate in real time.  This is a fully automated replication system.  I don't have to do anything once it's configured.  Since CFMX settings are just files, R-1 will keep both web servers mirrored so configs will be identical on each box, and since R-1 can replicate IIS settings, no need to write custom scripts.  All R-1 would need to do after replication is restart the CFMX service on the server for the settings to take effect.

The image above is a visual representation of how the replication will look.  The database content doesn't need to be replicated because each environment uses the same data, and sites that are internal only have their own database. 

I am not sayng I have found the best solution in the world, but it's one that I've found that seems to work.  I'd be interested if others had any other suggestions on how to replicate IIS6 settings, CFMX7 configs, and file level content.