Goodies to Go (tm)
December 2, 2002-- Newsletter #209
This newsletter is part of the internet.com network.
* Goodies Thoughts
- Tighten Up and Fill Those Holes
* Q & A Goodies
* News Goodies
* Feedback Goodies
* And Remember This...
Just in case you missed it before, the new Beyond HTML Goodies book is now available!
Goodies Thoughts - Tighten Up and Fill Those Holes
I talked a little bit last week about an annoyance from which most of us have suffered at one time or another. This week I'll be discussing another plague. This plague, represented by two variants, originates with miscreants who have nothing (or not enough) constructive to do with their lives. I am, of course, talking about hacker attacks and viruses.
When we think about hackers these days, we are usually thinking of the folk who try to break into a computer system. That's not what the word traditionally meant. I dug out my 1979 Webster's Dictionary to see what it had to say about hacking. The book predates the common use of the Internet and although it gives no less than thirty-six different meanings for "hack", organized into nine categories, not one of them mentions a computer or anything related to it. How quickly things change! One meaning struck me in particular: "to chop or cut in a clumsy or unskillful way."
In the world of computers, hacking used to refer to the manner in which programmers would sit for hours on end at a console on a big old mainframe computer and work and work, foregoing sleep and food (but never foregoing coffee!) until a problem that had reared its ugly head was solved and the machine was humming along nicely once again. I was once just such a programmer and I know from experience that if anybody asked me how it was going, or what I was doing to solve the problem, I would invariably answer with something like "I don't know. Now leave me alone!" It wasn't that I actually didn't know, or that I was being anti-social; it was simply that I couldn't afford to have my concentration broken. Nevertheless, it created the impression of "unskillful chopping" at the problem, groping for a solution. If they eventually came to the conclusion that I was a hero for averting the crisis, I wouldn't know -- I was home sleeping!
These days, the impressions are just the opposite. Hackers are seen as using skill, but to ruin systems, not to solve problems. To my way of thinking, skill is something used in a creative process. When the objective is destruction, not creation, there can be no "skill" involved. What knowledge there may be involved in the task loses all value because of its objective, and consequently loses its right to be called skill. I don't consider a burglar to be a "skilled home protection engineer".
I apply the same thinking to the so-called skills of the programmer who writes viruses (viri - !!). We have used the medical or biological analogy because of the manner in which the code can replicate itself, but I take it further. A disease is a disease. The programmer who writes a virus has diseased "skills". The only thing to be done is to correct the situation -- remove or disable the disease.
Corporations around the world spend huge amounts of money to protect themselves from the plague of these two diseases. When you connect to the Internet, you also need protection. Do not fall into the trap of thinking that since you turn off the computer most of the time, never bring in diskettes or CDs that were recorded on someone else's computer and are careful not to open email attachments, that you are immune. It only takes a moment for something to find its way through an open hole. You have got to close them up. A hole, by the way, in this context is any mechanism by which a feature of the software (including the operating system) in a computer system can be exploited for other than its originally intended use.
Make no mistake -- there is no complete block; no sure-fire protection. With the number of people having destructive intent working on finding holes and communicating with each other over the net, there will be new holes discovered every hour of every day. What you can do is harden your system as much as possible; make it as difficult as possible to exploit and provide the most up-to-date virus protection you reasonably can.
Windows XP offers a much higher degree of protection than earlier versions, incorporating file security options and a built-in firewall. If you're using XP, check out "firewall" in help and make sure it's active in your system. For other systems I suggest you get a commercial firewall program such as Symantec's Norton Internet Security/Norton Personal Firewall (Windows/Mac) or McAfee's Personal Firewall Plus (Windows). There are also some pretty good products from smaller vendors such as BlackIce Defender (Windows). Symantec and McAfee are also vendors of the most popular antivirus products. Another is Panda Software. For both firewall products and anti-virus products I think there is value in using products from large vendors. They have sophisticated, automated update mechanisms and a lot of people involved in keeping the updates up-to-date. Also, the larger the user base, the quicker any problem in the product itself will be discovered (and hopefully, fixed!). All of the above-mentioned vendors fit this category. Pay the (relatively small and definitely worth it) license fee and use the automatic update features to keep your products in fighting-fit form. I do not recommend using any shareware products for security. (!!)
Once you rid yourself of disease, all that is left is ease!
Thanks for Reading!
- Vince Barnes
Questions are taken from submissions to our Community Mentors. You can ask a Mentor a question by going to http://www.htmlgoodies.com/mentors/.
Q. I have a page with thumbnails which are linked to the full size images. I want the full size images to open in an in-line frame on a separate html page. How do I get it to load a new page and then have the image load in the in-line frame of this new page?
A. The new page that loads needs to itself be a frameset page. With an inline frame, that means building a unique page for each image. However, you can use server side includes for code you reuse. This tutorial will explain that: http://www.htmlgoodies.com/beyond/ssi.html
A. There are a few ways to do that. One way is the <blockquote> tag, which adds an indent each time but indents both left and right. The <ul> and <ol> tags indent to make a list, but you can use them just to indent and not get bullets or numbers unless you add <li> tags. You can also use a stylesheet to specify the amount of indentation: http://www.htmlgoodies.com/beyond/css.html
Q. I need to learn how to pass a variable(s) from web page to web page. Do I use a cookie? Do I use a file and perl? Can it be simply done with the hidden fields in a form?
A. There's a tutorial on just that subject: http://www.htmlgoodies.com/beyond/jspass.html
Q. I have a question regarding the "on click" command, which I've used successfully in the past with form buttons, but how can I use the same command to work with an image in place of the form button?
A. To use it with an image you would use the onClick like this: <A HREF="#" onClick="some_function()"><img src="mypic.gif"></A>
If you want to use an image to submit a form then you can just specify the type as image like this:
<INPUT TYPE="image" SRC="subpic.gif">
Also with the first example you can simulate the onClick this way:
The above is preferable because of a bug in IE5.0 version browsers with the void "#" character in the HREF causing an error.
Get Ready, Get Set, Shop!
[December 2, 2002] Black Friday was a nice boost for online sales as lots of consumers avoided mall madness and simply shopped the Web; one estimate shows a 61 percent spike in online sales.
Adobe Jumps Gun on Microsoft's Xdocs
[December 2, 2002] Adobe rolls out two server-side products in a bid to get a headstart on Microsoft in the market for XML-based network publishing.
Jury Selection Begins in ElcomSoft Case
[December 2, 2002] U.S. prosecutors bring first criminal case in four-year history of DMCA (Digital Millennium Copyright Act) against Russian-based software developer.
Nokia Phones Cover Cingular's GSM Strategy
[November 27, 2002] Hoping to advance its strategy to support GSM/GPRS networks in the United States, Nokia Tuesday took the wraps off of three new handsets, two of which target business users.
Spammed For The Holidays
[November 27, 2002] It's the holidays, which means no rest for weary retailers -- or for consumers deluged by spam. In fact, the holidays could actually prompt an increase in unwanted commercial e-mail, according to several anti-spam operations.
Did you ever wish your newsletter was an easy two way communications medium? Ploof! It now is!
If you would like to comment on the newsletter or expand/improve on something you have seen in here, you can now send your input to:
We already receive a lot of email every day. This address will help us sort out those relating specifically to this newsletter from all the rest. When you send email to this address it may wind up being included in this section of the newsletter, to be shared with your fellow readers.
Thanks for all the feedback about pop-ups. Clearly this was a problem that many of you dislike. There were a few suggestions for additional pop-up ad preventer software products, including notes that some Norton and McAfee products offer protection of this sort. I had mentioned that Panicware ( http://www.panicware.com ) was the only company specializing in this kind of software that I had found. Specializing is a key word here! Even if you have NIS or McAfee, you might want to check out Panicware anyway, because their products have some very interesting additional features that I'm sure you'll see the value of when you look at them!! You'll see what I mean! Thanks also to Mayra Labrie for pointing out http://www.thiefware.com which is a site dedicated to educating folk about "unethical" software or "scumware".
Philippe Lhoste, a programmer in France, pointed out that the Q&A example for linking to a specific scripture within a web page was missing a closing </A> tag. Absolutely correct, Philippe. Merci! The code should have read:
<A name="1st_th517"></A> is placed around the word.
Robert Mortimer also made an interesting point. There was a Q&A question about concealing passwords being typed on a web page. Robert points out that "unless the user establishes a https connection the password will go in clear text across the internet." This is certainly something to bear in mind. The solution provided protects against an "over the shoulder" snoop; Robert's suggestion provides protection from an "on the wire" snoop.
And Remember This . . .
On this day in...
1954: Senate Condemns McCarthy
By a vote of 65 to 22 the US Senate condemned Senator Joseph R. McCarthy (R. Wisconsin) for conduct "unbecoming a Senator" and "contrary to senatorial traditions" in his investigations of "communists" in the USA. What started as a publicity stunt in Wheeling, West Virginia, and grew to become known as "McCarthyism", was at first a claim by McCarthy that he had a list of 205 communists who had "infiltrated the US State Department." A series of allegations over the next three years fired up the public until in 1953, when the Republican Party gained control of Congress, McCarthy was appointed chairman of the Committee on Government Operations and its Subcommittee on Investigations. Hundreds of officials, members of the public and famous personalities had their careers and reputations destroyed by the heavy-handed and illegal badgering of McCarthy's committee. People being investigated found no relief until they named friends and acquaintances who were "members of the communist party". President Eisenhower pushed for televised hearings which led to the public realization that McCarthy was reckless and tyrannical, and that he never produced substantiation for his claims. McCarthy attacked a member of the law firm which also included Joseph Welch, the special attorney for the army. On June 9th Welch faced McCarthy saying "Until this moment, senator, I think I never really gauged your cruelty or your recklessness. Let us not assassinate this lad further, senator. You have done enough. Have you no sense of decency, sir? At long last, have you no sense of decency?" The crowd applauded and Congress debated, often heatedly, until the December 2nd condemnation.
Thanks for reading Goodies to Go!