cn=Directory Manager

We have just released the 2.3.3 version of the UnboundID LDAP SDK for Java, with a number of improvements and bug fixes over the 2.3.1 release (NOTE: the only difference between the 2.3.2 and 2.3.3 releases is a fix to a javadoc formatting problem). You can get the latest release online at the UnboundID website or the SourceForge project page, and it's also available in the Maven Central Repository.

As usual, the release notes provide a complete overview of changes made in this release, but some of the most significant updates include:

• A number of connection pooling improvements and fixes, including: It is now possible to create a connection pool even if a failure is encountered while establishing the initial set of connections, which is useful for cases in which the target directory server is unavailable when the application is starting. You can establish and/or close connections in parallel, which helps speed things up if the pool has a lot of connections or the server is remote or otherwise slow to respond. Pooled connections that cache server schema information are established more quickly. Methods have been added to help undo the effects of processing a bind on a pooled connection so that connections stay authenticated as the account used when they were initially established.
  
  
• A number of persistence framework improvements and fixes, including: The default object encoder now provides generic support for Serialized objects. A new getAll method makes it possible to retrieve all objects of a specified type below a given base DN. Fix a bug related to generating an appropriate set of modifications for an updated object, and for generating filters to define criteria to use when searching for objects. Improve the output of the generate-schema-from-source tool.
  
  
• A number of In-Memory Directory Server and LDAP listener improvements and fixes, including: It is now possible to combine multiple schema files to create the schema for the in-memory directory server. The canned response request handler now has the ability to customize the entries and references to return for a search operation. The LDAP debugger tool now has the ability to accept SSL-based connections.
  
  
• A number of LDIF-related improvements and fixes, including: Add an LDIFWriterEntryTranslator interface that can make it easier to transform entries to be written to LDIF. Fix a bug that could cause problems reading LDIF records with comments that have been wrapped across multiple lines. Add a convenience method to get the entry to be added from an LDIF add change record (whereas previously it was only possible to get the DN and attributes separately).
  
  
• A number of tool-related improvements and fixes, including: Add a new multi-server command-line tool API which makes it easier to create tools that need to interact with multiple directory servers. Make it easier to register JVM a shutdown hook to invoke code when the JVM in which the tool is running begins shutting down.
  
  
• Add the ability to specify the default SSL/TLS protocol version when creating secure connections (or using StartTLS) for cases in which the caller doesn't explicitly specify a protocol.
  
  
• Dramatically improve the performance of the Attribute equals method for attributes that have a large number of values.
  
  

Within the last week, LinkedIn, eHarmony, and Last.fm have all announced security breaches that resulted in millions of user passwords exposed to the world. While the passwords were encoded with one-way digests, that didn't stop attackers from discovering the clear-text passwords for a large percentage of those accounts.

There's no such thing as a perfectly secure system, and brilliant and determined hackers have a lot of tricks up their sleeve, from technical assaults like exploiting unpatched software vulnerabilities and to social engineering cons like sweet-talking secretaries. But there are a lot of things that LinkedIn and the others should have done to help prevent this kind of breach.

Consider Using Third-Party Authentication

The best way to ensure that attackers can't break into your system and steal user passwords is for your system to not have any user passwords. Authentication systems like OpenID and OAuth allow you to push the responsibility for authenticating users (and securing their accounts) to a third party. If you're willing to leave the authentication to an organization like Google, Facebook, or Yahoo, and your users are willing to accept this solution, then you don't need to worry about storing credentials at all.

Note, however, that passwords may not be the only sensitive information that you need to store in your system. In fact, attackers generally don't care about user passwords themselves but rather the other information about users that passwords can be used to access. As a result, you should treat all the information that you store about users with the utmost care and sensitivity because any compromise of your system will be bad for both your users and your reputation, regardless of whether that compromise includes login credentials.

It is therefore important that you store your data in a repository that offers the kinds of security features you need to help ensure it is adequately protected. The UnboundID Directory Server offers a wide range of security features, including several that you won't be able to find in other products. Some of these features are primarily intended to help secure user passwords, but many can be applied for all kinds of information.

Use Salted Password Hashes

The people who designed the security systems at these companies knew enough to use cryptographic digests (also called hashing algorithms) to protect the passwords. These are mathematical algorithms that transform passwords in a way that is believed to be impossible to reverse. Good cryptographic digests (like the SHA-1 algorithm used by LinkedIn) offer a good level of protection because they prevent attackers from knowing useful information like how long a password is or what kinds of characters it might contain, and if they're guessing passwords then they won't be able to tell how close any guess is to being right.

But one of LinkedIn's big mistakes is that they didn't salt their passwords. One-way digest algorithms always generate exactly the same hash for a given input. This is essential for their use in applications like protecting passwords and verifying data integrity, but it also means that attackers can (and do) prepare ahead of time. I may not be able to look at the string "6367c48dd193d56ea7b0baad25b19455e529f5ee" and know that it's the SHA-1 digest for the string "abc123", but if I have a big dictionary of commonly-used passwords, I can just run each of the strings in that dictionary through the SHA-1 digest in order to get the encoded representation, and when I find an encoded password that looks like "6367c48dd193d56ea7b0baad25b19455e529f5ee", I can use my precomputed dictionary to do a reverse lookup and know that represents the password "abc123".

Password salting prevents this kind of attack because it adds a random element into each encoded password. When you're going to create a salted password, you first come up with some random data (for example, "kMPsCwaT") and prepend it to the clear-text password (like "kMPsCwaTabc123"). Then, you run that through the digest algorithm (to get a hash like "51c4125fe2e2e94bdefa8f7a8e5c12ebfd94833b"), and finally prepend the salt to the hash (e.g., "kMPsCwaT51c4125fe2e2e94bdefa8f7a8e5c12ebfd94833b"). When a user is authenticating, it then becomes necessary to pull the salt off the encoded password and prepend that to the clear-text password that they provide before running it through the digest algorithm.

Because salted passwords contain random data, it's not possible for an attacker to have a dictionary prepared in advance. Running through a dictionary (or using a brute-force approach to try every possible combination of characters) will take a lot longer to crack a password, and even if you are successful for one user, that won't help for any other user even if they chose the same password because it will have a different salt and therefore a different encoded representation.

The UnboundID Directory Server supports password salting out of the box in a manner that is completely transparent to clients. It can be used in conjunction with MD5, SHA-1, and any of the 256-bit, 384-bit, and 512-bit SHA-2 variants. It's on by default, and would have made it a lot harder (or at least taken a lot longer) for attackers to discover the clear-text representations of the stolen passwords.

Use Expensive Encoding Algorithms

If someone gets access to an encoded password and knows how it was encoded, then there really is no way to prevent them from discovering the clear-text password used to generate that hash. If they want it bad enough, they can simply try every possible combination of characters, and with relatively cheap access to distributed computing, it's possible to generate trillions of hashes per second. The only variables that affect this are the strength of the password (as will be discussed below), and the algorithm used to generate its encoded representation. For example, using the 512-bit SHA-2 instead of the 160-bit SHA-1 just about doubles the length of time required to generate a digest, which in turn means that it just about doubles the length of time an attacker will have to spend trying to crack a password.

To make the process even more expensive, you can have your password encoding process use multiple rounds of hashing. For example, take the clear-text password, salt it, and run that through the digest algorithm. Then take the resulting hash and run it through the digest algorithm again. And again. Repeat this process so that the final encoded password requires 5000 hashes. If you're using 512-bit SHA-2, then this process is now about ten thousand times more expensive than the simple SHA-1 process used for the leaked passwords, meaning that it will take an attacker ten thousand times longer to crack a password with this encoding scheme than with SHA-1.

The UnboundID Directory Server provides support for password encoding algorithms that employ thousands (or potentially even millions, if you're really paranoid) of rounds of hashing using the 256-bit or 512-bit SHA-2 algorithms. This algorithm is already available for use in holding login passwords for many Linux and UNIX systems, so it's been designed by and carefully scrutinized by many security experts and is considered extremely strong.

Reject Weak Passwords

If an attacker obtains an encoded password, then the biggest risk of that password being cracked comes from the strength of the password itself. A password that is a word from the dictionary or a name or date or other common string will almost certainly be broken in a fraction of a second. If a password is relatively short, then so also will be the time required to discover it even if it's necessary to try every possible combination of characters. For example, if a beefy system can generate 100 billion hashes per second, then it will only take about two seconds to try every possible combination of eight lowercase ASCII letters.

The two biggest factors in password complexity are the length of the password and the set of possible characters it may contain (which we'll call the password alphabet), and they're related by the mathematical formula a^l, where a represents the size of the password alphabet and l is the length of the password. For example, if the alphabet is the set of lowercase ASCII letters and the length is eight characters, then there are 26⁸ = 208,827,064,576 possible password combinations (which seems like a big number, until you realize how fast computers are at performing these computations). However, if you instead consider both uppercase and lowercase letters, numeric digits, and a number of symbols, then the alphabet can grow to about 95 characters, and there would then be 95⁸ = 6,634,204,312,890,625 possible values, which is nearly 32,000 times larger and would take the better part of a day to crack on a system capable of trying a hundred billion passwords per second. And increasing the length to ten characters takes the time to crack from a little over eighteen hours to a little over eighteen years.

The best way to ensure that users have strong passwords is to configure your system to enforce restrictions around password length, the kinds of characters that may be used, and other kinds of constraints. The UnboundID Directory Server ships with support for a number of password validators, including:

• A dictionary validator, which can be used to ensure that users aren't allowed to supply passwords that exist in a given dictionary file (optionally including testing the reversed password).
• A length validator, which can be used to ensure that users aren't allowed to choose a password that is too short (or potentially too long, although there's little reason to configure a maximum length).
• A character set validator, which can be used to ensure that passwords include at least a specified minimum number of characters from a number of different character sets.
• A unique characters validator, which can be used to ensure that passwords contain at least a specified number of different characters.
• A repeated characters validator, which can be used to ensure that passwords don't contain repeated strings.
• An attribute value validator, which can be used to ensure that the supplied password does not match the value of any other attribute in the user's entry.
• A regular expression validator, which can be used to ensure that the supplied password matches (or alternately, does not match) a given regular expression.
• A similarity validator, which can be used to ensure that when a user is changing his or her password, the new password is not too similar to the previous password.

In addition, the UnboundID Server SDK can be used to develop additional custom password validators if those provided with the server by default are not sufficient. It also provides a password history feature that can prevent users from repeatedly using the same set of passwords.

When allowing users to choose their passwords, it is also important to ensure that those passwords are always supplied in clear-text. Some systems allow users to provide the password in a form that is already encoded in a manner that the server can interpret. This is undesirable, because if a user is allowed to supply a pre-encoded password, then the server has no idea what the clear-text representation is, and therefore cannot determine whether it satisfies all of the configured password quality requirements.

Of course, strong passwords aren't much good if users can't remember them. This is a very real problem that needs to be considered, and it is compounded by the fact that your users will likely need to have accounts in other systems. In reality, this means that users will probably choose one of the following options:

• They will use a password manager that automatically keeps track of all the usernames and passwords they use across all systems they access. This is the best solution, and one that you should probably recommend, since it means that they only have to remember one password for the password manager, and let it remember all the others. Unfortunately, less experienced users may find this prospect kind of scary.
• Write their passwords down or keep them in a file. This is kind of the low-tech version of a password manager, and as long as all copies of the password list is protected, then it's reasonably safe.
• Use the same password (or a small set of passwords) for all sites they access. This is dangerous, because if their password is compromised on one site, then it may be used to gain access to other sites. There's not much that can be done to prevent this (other than requiring multifactor authentication), but unless it's an account that has elevated privileges, it will be more likely to adversely affect that one user than the overall security of your data store.
• Forget the password they chose and rely on the "I forgot my password" mechanism to reset it each time they need to access your system. If the reset process is automated and requires them to receive an e-mail or SMS message, then it may be a relatively secure approach (assuming that the e-mail address and/or phone number were previously verified), but if it involves talking to a human then it will probably raise your support costs and may allow a skilled social engineer to convince the support personnel to grant them access to someone else's account.

It is unfortunate that non-technical users will be the ones who find strong password requirements to be the most onerous and unpleasant, but it is important to decide whether end user convenience is more important than end user security.

Prevent Online Access to Passwords

While it isn't clear exactly how the attackers were able to obtain these large lists of encoded passwords, it's likely that they were able to manipulating the identity store (or an application using it) into performing a query that exposed this information to the requester. For example, if they were using a relational database, then maybe they discovered a flaw in an application that allowed for an SQL injection.

Identity data stores (whether relational databases, LDAP directory servers, or some other kind of repository) should be like roach motels for passwords: passwords can go in, but they can't come out. It shouldn't be possible for even an all-powerful user to perform a query that can retrieve password information, and the system should also require that all passwords supplied to it (whether validating credentials during authentication or supplying a new password) be processed over a secure communication channel so that anyone with the ability to observe the network traffic cannot examine it in order to learn passwords.

The UnboundID Directory Server includes a sensitive attributes feature that makes it possible do exactly this for passwords and other kinds of sensitive information. You can easily configure the server so that passwords will be stripped from results even for requests from root users, and to require that any operations attempting to manipulate the values of such attributes will be allowed only over a secure connection. It is possible to configure this restriction to be in effect across the server, but it is also possible to tailor the behavior to the requester (based on a number of characteristics, like who's asking, how they're authenticated, where they're coming from, whether the connection is secure, etc.), so that if there is an application that does have a legitimate need to be able to retrieve this information, the server can be configured to only return the data to that application.

The UnboundID Directory Server also includes very powerful and flexible logging capabilities, and it is possible to configure the server to log information about any operation in which passwords (or other attributes which may contain sensitive data) is returned to the client. This can be useful for auditing purposes so that if an attacker is somehow able to issue a query that returns sensitive information, you can see exactly which entries and which attributes were accessed.

Encrypt Server Data, Including Backups and Data Exports

Even if they weren't able to get the data store to expose the passwords via a network request, it's possible that they were able to get the password data in some other way. For example, if they were able to obtain access to the system on which the data was stored, then perhaps they were able to examine the database files directly, or perhaps they were able to obtain a backup or export of the data that included passwords.

It is important to ensure that adequate protection is in place for all copies of the server data, whether on the live running system or in backups. Certainly this includes things like restricting access to systems which can access this information and ensuring that only authorized users are able to access the data files, but it is also recommended that you encrypt such information so that even if an attacker does gain access to it, they won't be able to extract anything useful from it.

The UnboundID Directory Server makes it easy to enable encryption for all data so that it is never stored in the clear. It also provides the ability to encrypt backups and LDIF exports so that the information is protected in these forms as well.

Prevent Repeated Authentication Attempts

If you have adequately protected your system to prevent retrieving passwords from the data store, and if all copies of the data are encrypted, then attackers should be prevented from obtaining encoded passwords for users. However, there may be other ways to crack user passwords. The most common of these approaches is simply to try to repeatedly authenticate as that user with different passwords until you finally get it right. This will be much slower than the offline attacks that are available with access to encoded passwords, but given enough time, determination, and luck, it may just work. Of course, these kinds of attacks can be thwarted by limiting the number of unsuccessful authentication attempts that will be allowed for a user account before that account is locked.

The UnboundID Directory Server can be configured to lock accounts after too many authentication failures so that any subsequent attempts will fail even if the right credentials are given. This lockout can be either temporary (so that additional login attempts will be allowed after a specified period of time) or permanent (so that the user will not be allowed to authenticate at all until an administrator resets the password). It can also be configured to log and/or notify administrators when an account is locked as a result of failures, along with a number of other significant password policy events.

Enforce Authentication Restrictions

In many environments, it is common for each application to have its own account that will be used to perform operations in the server, and that application account may have more rights than normal user accounts. If an attacker is able to compromise an application account, then he or she may be able to wreak more havoc than with other user accounts.

To help prevent this, it is advisable to restrict application accounts so that they are less likely to be useful to attackers even if their credentials are discovered. For example, you may want to restrict their use to a certain range of IP addresses and/or to only allow them to authenticate in certain ways. The UnboundID Directory Server provides a number of features like this, including restrictions based on client address, authentication type, and communication security, as well as restrictions around the use of proxied authorization. In addition, client connection policies can also be used to permit or restrict operations based on a number of characteristics about the client.

Support Multifactor Authentication

One great way to mitigate the risk of compromised passwords is to make use of multifactor authentication, which require the user to provide multiple pieces of information to confirm his or her identity. This is usually manifest as two-factor authentication combining something you know (like a password) with something you have (e.g., some kind of device capable of generating one-time passwords or PINs). In a system that uses multifactor authentication, if an attacker discovers a user's password, then they won't be able to do anything with it unless they also have a way of obtaining the other credentials.

Multifactor authentication used to be a rather inconvenient prospect because it required that you actually provide your users with a physical device like a SecurID token (which has a numeric display with numbers that change every minute), and if you didn't have that token with you, then you couldn't authenticate. However, the proliferation of mobile phones has made this a much more realistic possibility. For example, you can configure your Google account to require multifactor authentication, combining a password with a one-time code obtained in one of the following ways:

Using the Google Authenticator app, which uses the time-based one-time password (TOTP) algorithm defined in RFC 6238. This option does not require any kind of network communication. By having a one-time password sent to your mobile phone as a text message. By having a one-time password read to you by a speech synthesizer over a voice call.

With multifactor authentication support enabled, an attacker will need to get access to your mobile phone in addition to figuring out your password before they'll be able to access your Google account.

Similarly, Facebook can be configured to require a one-time code sent as an SMS message any time you log in from a system it doesn't recognize. There are a number of other applications which provide some level of support for multifactor authentication, but it's unfortunate that there are still so many who do not offer it as an option so that their more technical and security-conscious users can take advantage of the additional security that it can provide.

At present, the UnboundID Directory Server supports multifactor authentication in the form of a password combined with a PIN generated using the TOTP algorithm (and is therefore compatible with the Google Authenticator app, along with other software capable of generating these codes). However, support for additional multifactor authentication schemes may be added in the future.

Plan for Disaster

No matter how tightly locked down your system may be, you should have a plan for dealing with a security breach in which an attacker is able to successfully obtain passwords and/or other sensitive information from your system. Hopefully you'll never have to put this plan into action, but it's far better to have a strategy you may not use than to find yourself without one when you really need it.

The first thing that you should do is to identify what information may have been compromised, and then tell your users about it. Trying to cover it up may be illegal, and it prevents affected users from trying to mitigate the risk of the attack while giving the bad guys more time to use the data they stole. It will also likely be more damaging to your reputation if users hear about a breach in your systems from someone else before they hear it from you.

If information about passwords may have been exposed, regardless of whether the passwords were encoded, then you should encourage or require users to change their passwords as soon as possible (and the UnboundID Directory Server offers a feature that can be used to require users to change their passwords by a given date/time). However, you should also assume that if login credentials were obtained, an attacker could have authenticated using those credentials and obtained access to other information about the account.

You should also try to determine how the attack was conducted so that you can make any changes in your system to help prevent the attack from recurring. If there isn't enough information available to determine the attack vector, then you may need to make broad changes to tighten the overall security of the environment. You will likely also want to ensure that appropriate logging is in place to make it easier to discover and analyze attacks in the future.

Finally, you should work with the vendors of any software that attackers were able to breach so that they can better understand how their software is being targeted and identify whether any changes may be needed to help prevent future problems. Even if the software you're using has features which could have prevented the attack from succeeding, the vendor may wish to consider enabling those features by default or better highlighting them in their documentation. Certainly we at UnboundID would be very interested to hear of attacks (whether successful or not) against our software so that we can continue to reevaluate the product features and default configuration. And if you have suggestions for improvement, we'd love to hear them as well.

The 2.3.1 release of the UnboundID LDAP SDK for Java primarily includes a number of bug fixes and minor functionality enhancements, many of which are in direct response to requests from users. You can get the latest release online at the UnboundID website or the SourceForge project page, and it's also available in the Maven Central Repository.

As usual, the release notes provide a complete overview of changes made in this release, but some of the most significant updates include:

• The 2.3.0 release added the ability for the LDAP SDK to respect client-side timeouts for operations invoked via the asynchronous API. Unfortunately, for applications which had a very high rate of asynchronous operations, a bug in this implementation could cause excessive memory pressure (potentially including out of memory errors). That bug has been corrected.
  
  
• Also in the 2.3.0 release, a change was made to prevent simultaneous use of the socket factory associated with the client connection. This was done in response to the discovery that some socket factories in the IBM JVM (at the SSL socket factory, if not others) may fail if an attempt was made to use them concurrently by multiple threads. Unfortunately, while this change made the LDAP SDK safer to use on such platforms, it also introduced a problem for other JVMs that could cause long delays in the ability to establish a connection following an attempt to connect to a server that is either unresponsive or slow to respond. In an attempt to strike a balance between these problems, concurrent use will be allowed on JVMs known to be threadsafe (including those provided by Sun, Oracle, and Apple), while still defaulting to single-threaded use on other JVMs. In addition, it is now possible to configure whether this should be allowed on a per-connection basis using a new setting in the LDAPConnectionOptions class.
  
  
• A number of new SSL trust managers have been added, including one which looks only at the validity dates of the presented certificate, another that looks at the hostname of the certificate (either in the CN subject attribute or a subjectAltName extension), and an aggregate trust manager that can be used to decide whether to trust a certificate based on the combined results of a set of trust managers. Also, the prompt trust manager has been updated to display additional information about the certificate to allow the user to make more informed decisions about whether to trust the certificate.
  
  
• Support for the SASL EXTERNAL bind request has been updated to make it possible to either include or exclude the SASL credentials element. This makes it possible to work with directory servers which require SASL credentials as well as those which do not expect them for EXTERNAL requests.
  
  
• We have added a new server set implementation which will attempt to simultaneously connect to multiple servers, and will return the first connection it was able to establish. While this may increase the load across all servers at the time of the connection attempt, it helps ensure the lowest possible delay when trying to establish a connection to one of a set of servers.
  
  
• The LDIF reader has been updated to provide better control over how to handle lines with unexpected trailing spaces, and also to make it possible to handle reading data from file with relative paths rather.
  
  
• The searchrate, modrate, and search-and-modrate tools have been updated to make it possible to periodically close and re-establish connections to the server after a specified number of operations.
  
  
• Fixed a corner case bug resulting from an application which attempted to use multiple resource files with the same paths. For example, if an application tried to use a properties file named "ldap.properties" or "util.properties", there may be a conflict between the version of that file used by the application and the one provided by the UnboundID LDAP SDK for Java. The names of the properties files used by the LDAP SDK have been renamed to avoid the possibility of conflicting with those which may have been used by other applications.
  
  

We have just released the UnboundID LDAP SDK for Java 2.3.0. It's been about six months since the last release, and there are several new features and bug fixes. It is available for download now from the UnboundID website and the SourceForge project page, and it's also available in the Maven central repository.

The release notes contain a pretty comprehensive set of changes since the 2.2.0 release, but some of the most significant changes are as follows:

• It is now possible to use DNS SRV records (as described in RFC 2782) to automatically discover available LDAP servers in the environment. The implementation will respect defined priorities and weights, and can be used for individual connections or connection pools.
  
  
• Experimental support has been added for the password policy control (as defined in draft-behera-ldap-password-policy) and the no-operation control (as defined in draft-zeilenga-ldap-noop). Even though these drafts are not necessarily finalized, some servers (including the UnboundID Directory Server) have implemented support for them, so it is useful to be able to access them through the LDAP SDK.
  
  
• The schema caching mechanism (which makes it possible for client-side determinations to use server schema for more appropriate matching) has been made much more efficient so that multiple connections to the same server and with equivalent perceptions of the schema will reference the same object rather than having separate equivalent objects.
  
  
• Updated the LDAP SDK so that operations invoked via the asynchronous API will still respect client-side timeouts.
  
  
• A number of schema-related changes have been made to the in-memory directory server. You can now update the schema dynamically through LDAP modify operations. Supported syntaxes and matching rules are now advertised (at least when using the default standard schema). You can configure the server to allow attribute values which violate the associated attribute syntax, or to allow entries with multiple structural object classes (or no structural class at all).
  
  
• The in-memory directory server has been updated with support for equality indexes to help speed up certain kinds of search operations (particularly when dealing with more than a handful of entries).
  
  
• The in-memory directory server has been updated to always use the "dn:" form in authorization identity response controls. Previously, it could use the "u:" form in responses to SASL PLAIN binds that used the "u:" form in the request. It will also now use the correct value of "" instead of "dn:" to indicate the anonymous authorization identity.
  
  
• It is now possible to customize the values that will be displayed for the vendorName and vendorVersion attributes in the root DSE. This can help the server more effectively fool applications which are coded to only work with certain directories.
  
  
• The LDAP SDK persistence framework has been updated so that it supports attributes with options (e.g., "userCertificate;binary"). It is now also possible to specify superior object classes that should be included in entries that are created.
  
  
• The connection pool implementation has been updated to provide better closed connection and unsolicited response detection for connections operating in synchronous mode.
  
  
• The 2.2.0 release added support for using a newly-created connection to retry operations that failed in a manner that indicated the connection may no longer be valid. In the 2.3.0 release, it is now possible to configure that capability based on the type of operation being processed, whereas in the previous version all operation types were handled in an identical manner.
  
  
• The LDIFReader has new convenience methods that can be used to read the contents of an LDIF file and retrieve the contents as a list of entries. This can be convenient when working with small LDIF files, especially for testing purposes.
  
  
• The LDAP SDK now supports parsing LDAP URLs with an "ldapi" scheme. The LDAP SDK does not provide support for LDAPI (LDAP over UNIX domain sockets) in the out-of-the-box configuration, but it can now parse URLs using an "ldapi" scheme.
  
  
• Command-line tools have been updated so that they can specify a tool version. If this is used, then the LDAP SDK can automatically add a "--version" argument to such tools which will cause the version string to be printed to the terminal.
  
  
• Some changes were made to help the LDAP SDK be more fully functional on IBM Java VMs. This includes necessary changes to support GSSAPI on IBM VMs, and a workaround for an apparent bug that could result in exceptions from concurrent calls to SocketFactory.createSocket methods.
  
  

At the beginning of 2010, I decided to start writing up my thoughts on all of the first-run movies that I see in the theater. It's debatable about whether those reviews are any good, but I know that at least some people read them. All of my reviews from the last year and a half are available at http://www.viewity.com/.

Last Thursday, I saw (but did not particularly enjoy) J.J. Abrams' new movie Super 8, and last night I finally got around to writing my review of it, which I posted at http://www.viewity.com/reviews/super-8.html. I use Squarespace to host the reviews, and one of the services it provides is the ability to define a shorter URL that can be used to reference the content. I took advantage of this and created the path "/Super8" instead of "/reviews/super-8.html". Squarespace also offers support for using multiple domains with the same account, and I have "vwty.us" in addition to "viewity.com". What this ultimately means is that going to "http://vwty.us/Super8" will take you to "http://www.viewity.com/reviews/super-8.html".

Whenever I post a new review, one of the ways I let people know about it is by Twitter. The whole reason that I offer the shorter version of the URL is that Twitter limits posts to a maximum of 140 characters, and at 21 characters, the short version of the URL is less than half the size of the 43-character long form. This gives me more space to say something about the movie in addition to merely providing the link, and I try to give at least a hint about whether I liked it. For Super 8, the tweet that I composed was:

Super 8 is super underwhelming. http://vwty.us/Super8

However, what actually got tweeted was:

Super 8 is super underwhelming. http://t.co/TZ43SmY

I will grant you that what Twitter actually made available on my behalf is a whopping two characters shorter. However, it is also much worse than what I had originally written, for many reasons.

First, it's completely unnecessary. As I mentioned before, Twitter places restrictions on the length of your tweets, but I wasn't anywhere near that. What I originally wrote was 89 characters, which means that I could have written up to 51 more characters before running out of space. I could have even used the original 43-character URL if I had wanted to and still had plenty of space left.

Second, Twitter's change dramatically obscures the URL. From the URL that I provided, you can tell that it goes to the vwty.us domain (which is a brand that I control and want to be associated with), and the "/Super8" path gives you a pretty good idea what it might be about. On the other hand, with what Twitter actually provided, you can see that it goes to the "t.co" domain (which is known to be a redirect farm so you have no idea where the content actually resides), and the path "/TZ43SmY" tells you nothing about the content. The original URL is very useful. The shortened version is not.

Another significant problem is that the new URL shortener can have a dramatic impact on the availability of your content. Twitter has such a bad reputation in this area that their "fail whale" page is a well known Internet meme. Because a click on the shortened URL must go through Twitter's servers before sending you to the ultimate destination, if Twitter is having a problem then it can make your content unavailable. As if by fate, when I clicked on the t.co link earlier this morning, I got exactly that failure page telling me that Twitter was over capacity. Nice. Even if it had worked, it still requires an extra HTTP request and more data over the wire, and an unnecessary delay in getting to the actual content.

The requirement to go through Twitter's service creates even more ways that the content could become unavailable. It's likely that tweets will outlive Twitter itself. They're being archived in the Library of Congress (in addition to a number of other sites), and although future generations probably don't care how I feel about a movie, there could be long-term value in tweets, and links contained in them. If Twitter goes out of business or is otherwise shut down, then their links won't work anymore even if the content they referenced is still available. Also, it's worth pointing out that the ".co" TLD is controlled by the government of Columbia, and that government can shut down such URLs at any time. The government of Lybia has done this for ".ly" domains, so it's certainly not beyond the realm of possibility.

Twitter's reason for providing this service is that it can "better protect users from malicious sites that engage in spreading malware, phishing attacks, and other harmful activity". While this sounds noble, it is also completely ineffective against everyone except the most extreme idiots. They've already stated that they won't shorten URLs that were already shortened using other services like bit.ly, so there's nothing to prevent people doing suspicious things from using one of them for their posts. Further, there's nothing to prevent me from serving up different content from my server when I can see that the request is coming from Twitter's malware detection service versus some other content, so I could still serve up bad stuff to people following the links. On the other hand, the fact that they are trying to verify that content is safe introduces a very real possibility for false positives. My site could have completely legitimate and safe content, but if Twitter thinks that it's bad for some reason then that may significant inhibit the likelihood of people to go there. Given the unacceptably high percentage of false positives I see from other services like this (e.g., Google mail's spam detection frequently flags things that aren't spam), this is far from an impossibility.

Finally, in the ultimate act of inanity, Twitter's URL shortener can actually produce URLs that are longer than the original URL. For example, when I entered a URL of "http://t.co", Twitter "shortened" it to be "http://t.co/IzZPmi2".

I realize that Twitter will show an expanded version of the URL in its web interface, but that doesn't work for alternate clients. For example, when I use Seesmic on my Android phone, I get the t.co version. And even if I'm using a client that automatically expands that URL, it will only work if the shortening service is available.

Great job, Twitter. This "feature" that I can't disable has made my links less available, less recognizable, and more likely to be flagged as malicious content. I don't need any more hurdles to have to get by for people to read the useless drivel that I write.

I've mentioned in the past that I like to watch movies. I watch a lot of movies at home (on DVD/Blu-Ray, TV, Netflix streaming, Amazon Video on Demand, Hulu, etc.), but the home experience just can't match seeing a movie on the big screen. Fortunately, I live in Austin, TX, which is the home of the Alamo Drafthouse cinemas, some significant film festivals (including SxSW, Fantastic Fest, and Austin Film Festival), and a decent arthouse theater. This means that I have plenty of opportunities to see a wide variety of movies, and I take advantage of them. Last year, I saw a little over 100 movies in theaters. Back in 2007, I saw nearly 130. But this year, a combination of factors made the number a bit higher. I expanded the range of theaters I attended on a regular basis, I was a badge holder at Fantastic Fest for the first time (and took full advantage of that), and I started watching less TV. But all that together still doesn't quite account for my final in-theater movie count for the year. I really don't know how, and I'm kind of embarrassed to admit it, but I attended 512 theater showings in 2010.

Some basic statistics about the movies that I saw this year:

• I saw 254 different movies during or before what I consider to be their initial theatrical run. I wrote up my thoughts on nearly all of them at http://www.witamis.com/.
• An additional 43 showings were repeats of those first-run movies.
• An additional 3 showings were repeats of first-run movies I first saw in 2009.
• I saw 97 additional movies that were not in their first theatrical run but that I had never seen before.
• I saw 39 different movies at Fantastic Fest, which is the most a non-press attendee was able to attend.
• I saw 26 different movies at Austin Film Festival, which I believe to be the most an attendee was able to attend.
• 98 of the showings (nearly 1 in 5) included someone directly involved with that movie (e.g., an actor, writer, director, producer, or other crew member) in attendance.
• I attended 20 other showings with some other notable guest who wasn't directly involved in making the movie but added significantly to the experience.
• I attended 20 Master Pancake presentations (a showing in which the movie was mocked by comedians in the style of Mystery Science Theater 3000).
• I attended 22 quote-along presentations, in which the audience is encouraged to recite key lines from the movie at the same time it's said on screen.
• I attended 39 Terror Tuesday showings and 20 Weird Wednesday showings.
• I attended 2 Alamo Drafthouse Rolling Roadshow presentations, in which a classic movie was shown in a symbolic location.
• 61 of the movies I saw were primarily in a language other than English.

My Favorite Movie of the Year

This one is easy: Scott Pilgrim vs. the World. This is the only movie that I've ever seen twice in the theater on the same day, and it's the only movie I've seen in the theater seven times during its initial run. The first time I saw the movie was a special presentation with writer/director Edgar Wright, co-writer Michael Bacall, and cast members Michael Cera, Mary Elizabeth Winstead, Anna Kendrick, Brandon Routh, and Jason Schwartzman, and that was my favorite single showing and favorite Q&A of the year. I got the Blu-Ray/DVD set on the day it was released and have seen it many times, including all four commentaries, and most of the other extra features. I bought the soundtrack and have listened to it many times. I bought and read all six graphic novels on which it was based, and it may be somewhat sacrilegious to say but I actually think that the movie is better than the comic (despite a line in the movie which states otherwise).

I was extremely excited about this movie before it came out, and my expectations were greatly exceeded when I saw it. The more times I see it, the more I'm impressed by the tiny details that the vast majority of people will miss. It has a truly unique visual style that's impossible to adequately describe without actually seeing it. It's an absolute travesty that it didn't even make back its budget, but for some reason people just didn't go to see it. Hopefully it will make a ton of money from people buying it on DVD and/or Blu-Ray.

The Overall Best Movie of the Year

This one is also easy: Bedevilled. I saw it at Fantastic Fest and was blown away. I love Korean vengeance movies, and this is one of the best. It's the first effort from director Jang Cheol-so (who was in attendance to introduce the movie and provide a Q&A afterward), and I can't wait to see what else he has in store in the future.

Although neither The Man From Nowhere nor Kidnapped were quite as good as Bedevilled, they were both better than any other new movie I saw in 2010. Incidentally, I also saw both of them at Fantastic Fest.

The Best Mainstream Movies of the Year

Unfortunately, many of the movies that I consider among the best of the year were ones that only played at arthouse cinemas (and were therefore available only to people fortunate enough to live in a city with such a theater) or film festivals (and were therefore only available to an even smaller population). However, there were still a number of very good movies that I consider to be more "mainstream" and widely available. In my opinion, the following are the ten best movies that grossed at least 10 million dollars at the US box office and that I first had the opportunity to see this year:

• 10. Kick-Ass
• 9. The Town
• 8. The Girl with the Dragon Tattoo
• 7. The Social Network
• 6. Toy Story 3
• 5. The Book of Eli
• 4. Inception
• 3. Scott Pilgrim vs. the World
• 2. Black Swan
• 1. True Grit

There are a couple of honorable mentions that would have been on this list if they hadn't fallen just short of the $10M cutoff. They include 127 Hours (which made $9.86M) and Get Low (which made $9.11M). And if The King's Speech had been released a little earlier it might have also crossed the threshold before the end of the year. But I am both shocked and happy that The Girl with the Dragon Tattoo did make the cut with just over $10M in the US (and another $100M worldwide) despite a runtime over 2 and a half hours and being entirely in Swedish with English subtitles. Incidentally, it is available for streaming on Netflix, along with its sequel The Girl Who Played with Fire, and the third movie of the triology The Girl Who Kicked the Hornet's Nest should be available for streaming by the end of January 2011.

Other Movies Worth Mentioning

All of the following movies made far less than they should have and/or weren't as widely available as they deserved to be, but are still worth checking out if you get the chance. Many of them are already available on DVD and/or Blu-Ray, and a couple of them (Mother and The Good, the Bad, the Weird) are available for streaming on Netflix.

• A Somewhat Gentle Man
• Best Worst Movie
• Birdemic: Shock and Terror
• Drones
• Exporting Raymond
• Four Lions
• Golden Slumber
• I Didn't Come Here to Die
• Marwencol
• Micmacs
• Mother
• Stingray Sam
• Temple Grandin
• That Evening Sun
• The Good, the Bad, the Weird
• The Secret in their Eyes
• The Square
• Under the Boardwalk: The Monopoly Story
• Winnebago Man
• Winter's Bone