Firefox 3.5 now allows you to make AJAX Requests, or more correctly XMLHttpRequests cross domain (in other words foo.com can make XHR requests to bar.com). When I heard about this, my first is that they would use the cross-domain.xml file that Flash has supported for years to achieve this. They took a different approach, and use a HTTP header instead, which I think makes more sense.

So how does it work...

When you make a request using the XMLHttpRequest object it sends an Origin header (this is new, I wrote a blog entry about the Origin header as well) which contains the domain of the requesting page. The HTTP Response can send a HTTP header: Access-Control-Allow-Origin: * which means that any domain can access this page. You could also send a response header like this: Access-Control-Allow-Origin: http://example.com which only allows the example.com as an origin. The Access-Control-Allow-Origin header should contain a comma separated list of acceptable domains or a *.

For POST requests, and requests that want to read response headers a HTTP OPTIONS request is made first, that sends headers such as # Access-Control-Request-Method: POST in the request.

You can read more about this feature here

FireFox 3.5 was just released about a half hour ago. You can checkout all the new features for web developers here.

For me, as someone that does a lot of security research one of the most interesting new features is the Origin http header that FireFox 3.5 now sends. The Origin header when your browser makes a request the following types of requests: scripts, stylesheets, form GET & form POST, redirects, XMLHttpRequest (XHR, ajax), and frames.

You may be thinking, ok how is this different than the HTTP Referrer header. First, it only sends the domain name of the page, and second it doesn't have many privacy concerns (so hopefully people won't turn it off).

So how can this improve security?

Web Servers can block requests that send invalid Origin headers, this will mitigate the risk of cross site request forgeries (CSRF), including JSON hijacking for people using browsers that support this feature.

You can read more about the origin header here.

Little by little I chip away at the workflow problems while developing OSGi applications. This evening I put the finishing touches on some refactoring and feature enhancements:

• Refactored core, non-UI, code in to its own plugin
• Finished the definition of my KarafTargetPlatformModel concept (more on this later).
• Added a new OSGi Framework definition in Eclipse for Karaf on Equinox
• Created an Eclipse Web Tools Platform Server Runtime for Karaf

All in all it was a very productive session. I will add the necessary code for the WTP Server Type soon.

The Karaf PDE integration now has preliminary integration for the Eclipse Web Tools Platform. The first step is to create a new runtime type which allows users download compatible installations of Karaf and have Eclipse WTP make them useable deployment targets. I believe I have completed much of that work this evening (you can see the screenshots below).

It turns out my refactoring to a core non-UI plugin had the added benefit of creating a very flexible framework for integrating in to the various components of Eclipse (PDE and WTP). The core of which is my Karaf Target Platform Model which understands the configuration and binary layout of the various bundles that comprise a Karaf installation.

This target platform model serves as an input in to the Eclipse PDE Target definition manager as well as the Debug Launch configurations and the WTP Server Runtime definition. This model provides convenient access to the configuration properties files, the bundles, the startup configuration resolved as a series OSGi metadata elements and knows how to determine if a candidate model is valid.

Next on my list:

• Connecting to a running Karaf instance via JMX
• Defining the necessary Server Type so that I can see the Karaf server in the Servers view
• A Karaf Log viewer (this should be relatively easy)

Once I can connect to a Karaf JMX instance and have the Server infrastructure the next thing I'll do is hot publish a bundle to the Karaf Server. From there I plan on adding a number of pages that will display bundles installed, services registered and whatever other information I can dig out of the running instance.

This actually wasn’t on a Friday (Friday I was making an iPhone app), but rather Saturday.

Since the Sanguino requires too many female headers (which cost money, and I don’t have any), I decided to switch up to the Arduino MEGA. It fits in the box that is already there, so it is all good.

Originally I thought that the Wave Shield would work on the MEGA, but it turned out that it didn’t. What I ended up doing instead, though was using one of the MEGA’s extra Serial lines to send a command to another Arduino to start playing music (on the Wave Shield).

I used my iHome speaker thing that I bought at Walmart for $20. Pretty good value, and it’s purple.

It was pretty fun. However, I only used the motions that I created a while ago when MANOI’s knees were broken. A blog post is coming shortly about the previous FNR where I fixed the gears

I even attached a wild duck to MANOI’s head for the occasion:

Here is a video, it is not too good:

See, the problem in the video (when I had to shake it) was that the TX line to the SSC was loose. It does this from time to time. Especially after switching boards!

I am pleased to release Karaf PDE Integration 3.4.2.20090613232

This update fixes a critical bug in how the target runtime plugin location was resolved as well as adding Java 1.5 support (it now works on my Mac which has been my litmus test for portability).

I am still working on my release engineering skills and have found the pde-maven-plugin. Hopefully I'll be able to fix it up so that a release is as simple as mvn install!

Using Karaf in Eclipse involves two steps:

1. Set the Eclipse Target Platform to Apache Felix Karaf
2. Create an Apache Felix Karaf launch configuration

From there you add / remove bundles in your workspace, install features in the Karaf CLI, you can also add more bundles by manipulating the target platform.

Since this is a very early release the workflow is a bit rough. I would like to make things much easier -- I have a very long list of things to do.

• Stop Password Masking (Jakob Nielsen's Alertbox)
  
  
  "Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures."
  
  A lot of truth in this article, especially for new users. What do you think?
  
  
  (tags: security passwords usability)
  
  

• Analysis of an Intrusion
  
  
  “Why do strong passwords matter?” “Who cares about my data? I don’t have anything worth stealing.” These are common arguments raised by users when presented with the requirement of using strong passwords. The strongest counter-example to these arguments came this week in the form of a compromised user account. Let’s travel back in time…
  
  
  (tags: security clarkson phd)
  
  

Allowing someone to upload a file on to your web server is a common requirement, but also a very risky operation. So here are some tips to help make this process more secure.

Don't rely on cffile accept attribute

The accept attribute gives a terrible false sense of security. Every time I present on CFML Security I ask the question: If I have this code is there any way I could upload a CFM file?.

<cffile action="upload"
  filefield="photo"
  accept="image/gif,image/jpeg"
  destination="#ExpandPath("./photos/")#">

The answer is YES, often to the surprise of most!

The cffile accept attribute uses the mime type that your browser sends to the server. Read that again... your browser tells cffile what the mime type is. It's very easy to spoof the mime type. For example:

<cfhttp url="http://target.example.com/upload" method="post">
 <cfhttpparam file="#ExpandPath("badstuff.cfm")#"
  mimetype="image/gif" 
  type="file"
  name="photo">
</cfhttp>

For this reason you need to ensure that cffile.serverFileExt is of an extension you allow, and one that your server will not execute.

Use a file extension whitelist rather than a blacklist, in other words you don't just check to make sure it is not a .cfm, make sure it is only one of: "jpg,png,gif". This way if someone installs PHP on your server, you don't have to update the code to block that file extension as well.

Validate that the File Extension matches File Format

You can use a Java API like JHOVE which reads the file contents to validate that it is of the asserted file format. It supports jpg, gif, pdf, tiff, and more.

In addition CF8 has the IsImageFile("path") and IsPDFFile("path") functions you could use. If you do use IsImageFile just make sure that you have upgraded your JVM to one that doesn't have the issue that can cause an image file to crash your server. See Mark Kruger's blog entry for details.

Always upload to a temp directory outside of the Web Root

Suppose I ran the same hack above with cfhttp but you now have code in place to delete the file if the extension is incorrect. There is a slight chance that I could execute that file before you can delete it if you uploaded it into the web root (and I could predict where it would be placed).

Once you have validated the upload, you can move it to its desired location.

Remove execute permissions from upload directories

The reason for this should be obvious, but is something we often forget to do.

Upload to a static content server

If possible upload content to a server other than the application server, a server that only serves static content (for example Amazon S3).

Don't trust on the client supplied file name

The client supplied file name could possibly contain SQL Injection, cross site scripting, or CRLF Injection.

It's best to strip out non alpha numeric characters (perhaps with the exception of dash and underscore).

ColdFusion Administrator Settings

There are a few Administrator Settings that you should pay attention to related to file uploads (and large HTTP POST operations). They are under Server Settings » Settings under the heading Request Size Limits:

The first setting is the maximum size of a POST, and therefor also a file upload. The default 100mb is probably bigger than needed for most web apps, you can lower it to mitigate DOS potential. Chances are your web server is also capable of limiting the post size, on apache you can use the LimitRequestBody directive to do this.

The next setting Request Throttle Threshold should probably be lowered to 1MB, this puts any request larger than 1mb into a throttle for synchronous processing.

The third setting Request Throttle Memory is the maximum size of request throttle queue. The default is kind of high, if you don't have a lot of large file uploads going on at the same time this should be lowered to say 50mb (it shouldn't be lower than the Maximum size of post data, or the Request Throttle Threshold, but it could be equal to the max size.). Consider that on a 32bit server, the max JVM size is typically not much bigger than 1GB, you could allow 1/5th of your server resources to be consumed by file uploads with the default setting.

Sandboxes

If you are using the Enterprise edition of ColdFusion you can setup a sandbox for your file upload directory, and remove execute permission. This only applies to ColdFusion template execution (not PHP scripts for example).

Do you have any additional tips?

The first app I seriously focussed on developing is now in the APP STORE!

You can check it out by searching for Instant Bacon, or clicking here.

Hooray!!!

I haven’t posted in an eternity, I know. It’s been over a month since I graduated from Clarkson and just about a month since I started my job in Liverpool, NY. Things are going well so far and I’m trying to learn as much as I can about my job each day. Joelle and I are getting married in just under 3 weeks! We’re really excited about it, though we still have a lot of little things to figure out.  If you got you’re invitation in the mail, please fill out the RSVP card and get it back to us ASAP.  We need them by the 27th of June so we can let our reception location know how much of each meal we need and such.

On another note, I went for a bike ride around the neighborhood today.  I thought I’d be able to last an hour, but I was wrong.  I rode for about a half hour before I was basically dead, which amounted to about 3.2 miles of riding, according to Google:

View Larger Map

I mapped out the following route after I got back (comes out to about 5.8 miles) and I’d like to be able to work up to it over the next week or so. We’ll see how that goes.

View Larger Map

• Browser Security - ACM Queue
  
  
  A nice article from Google Chrome developers on browser security.
  
  "There is no silver bullet for providing a perfectly secure browser, but there are several techniques that browser developers can use to help protect users. Each of these techniques has its own set of challenges.
  
  In particular, browsers should minimize the danger that users face using three techniques:
  
  Reduce attack severity by applying the principle of least privilege in the browser architecture. This technique limits the damage caused when an attacker exploits a vulnerability.
  Reduce the window of vulnerability by ensuring updates are developed and deployed as quickly as possible. This technique minimizes the number of vulnerable browsers an attacker can target.
  Reduce how often users are exposed to attacks by filtering out known malicious content. This technique protects users during vulnerable time windows.."
  
  
  (tags: security browser google chrome phd)
  
  

In the final Harry Potter book, it is mentioned quite often that HP depends on this simple yet extremely functional spell called ‘Expelliarmus’.

I often find myself comparing Expelliarmus in the wizarding world to the Bayes Filter Algorithm in my world. It is such a simple method to give your program a little AI.

Before I go on any further, I just want to say that I didn’t invent the Bayes Filter Algorithm, I found it in this book. It is also said in this powerpoint. Additionally, for good measure, here’s a citation:
The Bayes Filter Algorithm I am using is based on the one in the book Probablistic Robotics. (Thrun, Sebastien, Wolfram Burgard, and Dieter Fox. Probablistic Robotics. Cambridge: The MIT Press, 2006.)
OK, now I think I have all of my bases covered.

So, the Bayes Filter algorithm uses Bayes Law, some initial and conditional probabilities, and the actual probabilities, to give you the final probability.

The first thing that happens is that the prior belief is calculated by adding up the multiplication of the conditional probability table and the initial beliefs.

After that, you add up the multiplication of the probability table and the prior belief.

You then find the normalizer by taking that summation and inversing it.

FINALLY, you can get the final belief when you multiply the normalizer and the number where you multiplied the probability table and the prior belief.

If you want, you can even take it a step further by putting log odds to it based on the final belief and the prior belief.

Here is a class I created in Java (in Processing) that is the Bayes Filter Algorithm:

The Bayes Filter Algorithm is super handy because you can check it by hand. There are no ambiguities introduced into the algorithm. Some of the algorithms, like the Kalman Filter, use covariance in the algorithm to adjust the final belief. This is great, but definitely more tricky to calculate by hand.

I favour the Bayes Filter Algorithm right now because of its ease of use, and it gives me what I want. However, for more interesting results, the Kalman Filter would be a better way to go. If I have time at the end of this project, I’ll probably implement the Kalman Filter and use it instead of the Bayes Filter Algorithm.

I gave my talk at PechaKucha night a few days ago. It feels much shorter than 6:40 when you get up there! There was about 300 people, I presented first

I just want to show some pictures of the set up:

It’s really cool. There’s an area there that is separated from the other lounge areas by a curtain. In this area there’s 3 screens. Now, the 3 screens are extremely handy when you’re presenting because you don’t have to turn around completely to know that the slide changed. Also, when you’re looking at the presentation, for some reason it makes it feel more 3D when you see the slides from different angles. Pretty spectacular!

This is what one of the lounge areas looked like:

As you can also see by the screen, this was the 2 year anniversary! Woohoo!

It is also worth noting the efforts I went to to make sure I knew what I was talking about. I practiced an insane amount of times, and I even made an app that shows my slide notes, and I can just swipe through them. (Though, when I got there and decided to look at it, the app crashed just about at slide 10. LOL) But, when I got up there, I completely winged it. The key points were the same, but I have absolutely no recollection of what I said, exactly.

So yeah, PechaKucha was really fun, and the people there were amazing.

Oh yeah: My dad was going to record it so that I could share it with yall, but I forgot the batteries. ROFL! I know right, a roboticist forgot the batteries. Total shame!

The next day I went to McGill for this Multidisciplinary Symposium on Reinforcement Learning.

I had to sit on the floor because there were not enough chairs. I also found the general attitude of some of the presenters was ‘my way, or the highway’.

With that being said, it was all worth it in order to listen to Andrew Ng’s talk (Ng doesn’t have the attitude of ‘my way or the highway’). He was most definitely the only person there that had a great in-depth and practical knowledge of what RL is all about. He was leaps beyond many of the other presenters.

It’s funny though because it felt like the other presenters (who thought that they were all the key to the earth), thought that Ng was using the wrong principles, not RL, in his Little Dog algorithms. They didn’t catch on what it was all about. I lol at them!

In any case, I didn’t go back the next day because I figured I could learn more online and do some of my own research, where I would be learning more.

I like AI & ML more than RL. To me, RL is just AI + ML but in a loop. Long live AI & ML!

There were some problems with the plugin's installation -- I'm not sure what was going on but I have created a new version and packaged it as a feature instead of a full update site. I also recompiled in using Java 1.5 bytecode in the hopes that I can get it running on my Mac.

In any case, I was able to install this plugin successfully on a fresh download of Eclipse 3.4 with no additional plugins.

Get Karaf PDE Integration 3.4.2.1 here

Wow! I am surprised at the number of people that are interested in the Karaf PDE plugin. Unfortunately my understanding of how the Eclipse feature and update site tooling works is lacking so there are some gotchas with installation.

I am downloading a fresh copy of Eclipse (I can't find my original tarball) and will install my plugin to see what is going on.

Lately I’ve been working a lot on the Thunderbird add-ons developers user experience.  Often times designers don’t get to work on developer experiences because developers tend to do those pieces themselves without much design.  With a lot of others I’ve spent a good amount of time working on the whole experience of development, docs, and extension types so hopefully the Thunderbird 3 add-on developer experience will be significantly better.

To get into the user experience of an add-on developer I recently made a Jetpack, Bugzilla Air Traffic Control, to examine what it is like to develop inside Jetpack.  I’ve also been creating a number of example extensions that take advantage of the new code that has landed in Thunderbird recently and learn the pitfalls of extension development.

So in honor of the hacks.mozilla.org recent article called 3D transforms in Firefox 3.5 – the isocube I added a similar hack to my tabbed message example extension.  I give you…

Cubed Email Messages

To demonstrate the awesome interactiveness that I didn’t add to my email extension I also have a pure HTML demo available.   Try out the email cube test demo for yourself.  This demo requires Firefox 3.5, go get it if you don’t have it.

If you’re asking “why email in a cube,?” then I’ll ask you why not?  This demo reminds me that Thunderbird has all the same Firefox goodness that’s coming out in 3.5 but we have yet to take advantage of much of it.  Hopefully as we make more progress in the coming months we’ll do just that.

And if you’re asking yourself… Is this what Bryan gets paid to do?  Well then we’re asking ourselves the same question; though I don’t think I’m referring to myself in the third person.

I've been having some trouble building my Eclipse Update site for the Karaf PDE Integration feature. The tooling is not exactly efficient or easy to use. In any case, here is the update site for the feature:

http://stephen.evanchik.com/software/karaf-pde-integration-site/

If you’re in Montreal tonight, come be inspired!

I’m giving a talk about my research at PechaKucha night. It’s at La SAT (Société des arts technologiques), starts at 8:00PM and is only $5.

Drop by and say hello!

I am pleased to announce that the Eclipse PDE integration for Apache Felix Karaf is finally ready for others to use.

Notable features include:

• A Target Platform Definition that allows developers to target only the bundles found in Karaf distributions.
• An Eclipse Run/Debug launcher configuration that configures Karaf to run inside the workbench transparently to the developer
• A context menu item "Run on Apache Felix Karaf"
• Automatic deployment of workspace projects to running Karaf instances without copying files

There is still work to be done but at this point the integration is very functional and saves time developing applications that run on Karaf.

I'm currently working on:

• Prototyping a feature manager that allows the developer to run Karaf and have it provision various features just like in the features command group on the console
• Integration with the Web Tools Platform project to support "Run on Server"
• UI work that monitors the running server instances
• Better integration with Maven projects

Unfortunately a lot of the work is in UI development and I'm not an expert in Eclipse UI development so it is going to be a little slower than the week I have spent putting all of this together (while learning!). The only exception is the better integration with Maven projects: I hope I'll get that done in an evening or two this week.

• German Design Firm Calls Its Car Concept "Open Source"
  
  
  "is based on a core chassis which can accommodate many modular types of exterior designs. Going further with the modularity concept, it has daisy-chained organic light-emitting diodes (OLEDs) under its surface that allow the user to configure the look of everything from headlamps to brake lights to the car's interior. Although EDAG is approaching other companies to help with the design, it's a stretch to call this car open source, but it does leverage open source concepts."
  
  
  (tags: opensource writing cars)
  
  
• Riversimple to Unveil Open Source Car in London This Month
  
  
  "The team decided to release the car's designs under an open source license in order to speed up the time it takes to develop the vehicle while also driving down the cost of its components. There's an altruistic value to the idea as well:
  
  Human society is facing the twin challenges of peak oil and climate change, and transport represents a significant proportion of global emissions.We urgently need more fuel efficient vehicles, and by sharing our ideas and our designs we hope to encourage others to adopt this novel technology. "
  
  
  (tags: opensource car fuel technology)
  
  
• The inside story of the Conficker worm - tech - 12 June 2009 - New Scientist
  
  
  A really good explanation of the Conficker worm's evolution
  
  They call it the worst they have seen, but we have been hearing about these types of things for a long time.
  
  A good defense: don't use the most popular systems
  
  
  (tags: security conficker worm botnets phd)
  
  

I think in my entire blog, there’s more stories of failures than successes. That’s cool by me though, because if there wasn’t anything to fail at, there would be nothing to succeed at. Either that, or it just emphasizes the successes. (lol)

So this Friday I tried to make my humanoid draw a happy face. I planned all 36 of the frames out on paper, it was super flawless.

Two hours after I code in the frames and try it, it clearly does not resemble a happy face!!!!

What are some of the problems, I think?:

- I didn’t do the test where I would just draw dots like I thought I would, so my understanding of how well MANOI can draw only extends as far as a rectangle.

- MANOI cannot stand up, I have to hold it upright. The gears were supposed to arrive on Friday! However, RoboSavvy said that it was shipped, but it was not. Hopefully it will be here on Wednesday or something!

- The height of the drawing surface moves, and it’s hard to make it remain constant. I should use a wooden block, however the measurement is unknown at the moment as MANOI is not standing properly because of the knees.

So yeah, all in all, super frustrating!

However, I will be sure to try it again when I get the knees fixed.

In any case, since I’m in the Honors program I get $300 to buy stuff for research! I ordered an Arduino MEGA, two XBees (and two XBee adapter boards). I’m not sure what I will order next…

Check out the LED bling that I set up with the MEGA:

It is a truly awesome controller.

I hope to blog more about my research later on in the week, however it is crucial that I maintain my focus for a little bit longer until I finish off the underlying framework.

Wow I can't believe its been seven years since I started blogging! I started blogging back in 2002 when Jeremy Allaire asked Where are the ColdFusion Blogs?

This blog was busier some years than others, 2005 was the busiest year thus far. At that time this blog was listed in the top 1000 blogs on Technorati, made the front page of digg, and del.ici.us/popular several times.

Here are some of the best/most popular entries:

• 20 Ways to Secure Your Apache Server - 2005
• CheatSheet Roundup - 2005
• Howto Create a RSS 2.0 Feed - 2005
• Returning TOP N Records - 2003
• Turn off Autocomplete for CC Numbers - 2005
• 15 Most Important UNIX Commands - 2005
• Mastering CFQUERYPARAM - 2008
• Unix Utils (eg grep, find) For Windows - 2004
• 8 Ways to Save Bandwidth on your RSS Feed - 2007

Did you know that you can catch java exceptions by class name with cfcatch? It's not documented on the cfcatch tag documentation (as of CF8), but it works... Here's an example:

<cftry>
 	<cfset list = CreateObject("java", "java.util.LinkedList")>
 	<cfset list.get(5)>
 	<cfcatch type="java.lang.IndexOutOfBoundsException">
  	Index outta bounds
 	</cfcatch>
</cftry>

There is one special exception that Mark Mandel has blogged about, and that is if the exception is caused by a class that was loaded by a different classloader, cfcatch won't be able to catch it by type. Perhaps that's why this feature is undocumented?

Tonight is very exciting! I just finished off the initial work to get my Eclipse Karaf Launcher loading bundles from the workspace. This means that a developer can use PDE to write bundles and deploy them seamlessly to the Karaf/ServiceMix/NMR targets.

I still have some tasks left to do: the first is locating a suitable place to host the code! But it is getting late so I'm off to bed!

Screenshots below.

Apache Felix Karaf is an OSGi based application framework that is the core for the Apache ServiceMix projects. I use Eclipse for my Java developement and wanted to have the benefits of development in the Eclipse PDE with the Karaf platform features (hot deploy, GShell based console among other things).

This little project service two purposes: I get to learn about Eclipse plugin development and I get Apache Felix Karaf running in PDE!

I have a first version working with the following features:

•  My Eclipse plugin builds are based on the Karaf Maven artifacts and require no changes to Karaf
•  An Eclipse Target Platform definition plugin is created with the exact system bundles as in Karaf (including both Felix and Equinox OSGi frameworks)
•  Configuration is done using native Karaf configuration files -- no special  magic is used
• Launching is done via the org.apache.felix.karaf.main.Main class
• The boot classpath is the same during the Eclipse launch as is the set of packages exported by the system which keeps the development and deployment environments in sync. You'll appreciate this if you have done any significant OSGi development.

Things that are left to do:

• Provide a Karaf specific tab to make it easy to configure common Karaf options
• Easy access for starting the Remote Console along with the port to listen on
• Easy access for starting the Local Console
• Pull in more features for NMR and ServiceMix support so that a features profile can be selected
    

Here are some screenshots to get you started:

Just a quick update to running Apache Felix Karaf in Eclipse PDE: I now have it launching Karaf with proper configuration synchronization. This means that there are no longer any exceptions during startup due to missing configuration files and the files are only synchronized if they are missing.

Developers can freely modify the default configuration files or provide their own entirely and the launcher will preserve those changes between executions.

I am one step closer to having this working well enough to develop against. The remaining tasks:

• Synchronize workspace and additional Target Platform bundles to the configuration
• Add a proper source bundle to the Target Platform definition for Karaf
• Create the Karaf specific property pages to make configuring things easier

Here's a screenshot:

• eChannelLine USA - Palo Alto Networks announces new breed of firewall software
  
  
  "Any application can use any port and firewalls tend to make all policies and assumptions based on ports so they don't really do anything anymore," said Chris King, Palo Alto Networks director of product marketing. "You've got this whole crop of firewall helpers that came up into orbit around the firewall and our contention is if you fix the firewall . . . you can rip off a lot of the band-aids."
  
  
  (tags: security firewall phd)
  
  

Largest Bankruptcies in History

Just an excellent view of GM and the other largest bankruptcies in history. I love info graphics and in general the ones from GOOD magazine are some of the best out there. The sinking ship metaphor is particularly effective.

http://www.freedomfromaddiction.org/site/Mike.html