July 31, 2009

Firefox: 1,000,092,204 Downloads


Firefox was on track to pass one billion downloads at some point on Friday. That point is now, as the counter on the Spread Firefox site as well as the Firefox Counter Twitter account are sporting numbers in the 10 digits.

Mozilla plans to launch the website onebillionplusyou.com on Monday, but for now, has provided a number of graphics to mark the event. Of course, more important than total downloads is the actual percentage of active web users that use the browser. Recent stats peg Firefox with 22 percent of the browser market, up about 4 percent from this time last year. Meanwhile, Safari continues to grow, while upstart Google Chrome is slowly gaining adoption. All of this continues to come at the expense of Internet Explorer, which is still steadily losing market share.

1,000,092,204 downloads at 23.6 per second on 2009-07-31 15:51 UTC

China shuts down domestic social media

According to sources in Beijing and Shanghai, sites such as Twitter and Facebook have been inaccessible since early July following the mass outbreak of riots in Xinjiang province. But last week, reports surfaced that Chinese microblogging sites such as Fanfou, Digu and Jiwai have also shut down.

“This is the first time there has been a consistent order that censors both Western and Chinese sites,” one Shanghai-based digital analyst said, adding that the cause of the shut downs is unknown.

“Usually you see shut-downs occurring during times surrounding politically sensitive dates, but I don’t think there is any specific event coming up. The last time we really saw this was the time leading up to the 20th anniversary of the Tiananmen Square riots, but that affected access to Western social media websites,” said the source. “This may be part of a larger general movement to clean up content and the Chinese internet.”

“It’s happened to video-sharing sites in China in the past but it really is unusual for domestic sites to be temporarily shut down,” added a Beijing source, further pointing out that censored Western sites are “blocked” while mainland sites are “temporarily shut down” and often display maintenance messages when users try to access their URLs.

Sources add that access to microblogging sites including Zuosa and Tencent's Taotao has not been restricted. Video-sharing sites such as Youku and Tudou are not thought to be affected.

Despite the censorship efforts, Chinese netizens have discovered alternative methods of accessing sites such as Twitter. “There are always alternative avenues to be found to access these sites. As soon as someone puts a wall or barricade around them, there’s always a way around it,” said Tim Haynes, general manager of Starcom IP China. “There are a bunch of smart people in China who can do that.”

July 18, 2009

A Silent Love :: what the true love is..


From the very beginning, the girl's family objected strongly to her dating this guy, saying that it had to do with family background and that the girl would have to suffer for the rest of her life if she were to be with him.

Due to the family's pressure, the couple quarrelled very often. Though the girl loved the guy deeply, she always asked him: "How deep is your love for me?"

As the guy was not good with words, this often caused the girl to be very upset. With that and the family's pressure, the girl often vented her anger on him. As for him, he only endured it in silence.

After a couple of years, the guy finally graduated and decided to further his studies overseas. Before leaving, he proposed to the girl: "I'm not very good with words. But all I know is that I love you. If you allow me, I will take care of you for the rest of my life. As for your family, I'll try my best to talk them round. Will you marry me?"

The girl agreed, and with the guy's determination, the family finally gave in and agreed to let them get married. So before he left, they got engaged.

The girl went out into the working world, whereas the guy was overseas, continuing his studies. They sent their love through emails and phone calls. Though it was hard, neither ever thought of giving up.

One day, while the girl was on her way to work, she was knocked down by a car that had lost control. When she woke up, she saw her parents beside her bed. She realised that she was badly injured. Seeing her mum crying, she wanted to comfort her. But she realised that all that could come out of her mouth was a sigh. She had lost her voice......

The doctors said that the impact on her brain had caused her to lose her voice. Listening to her parents' comfort, but with nothing coming out of her, she broke down.

During her stay in hospital, besides silent crying, it was still just silent crying that accompanied her. Upon reaching home, everything seemed to be the same, except for the ringing of the phone, which pierced her heart every time it rang. She did not wish to let the guy know, and not wanting to be a burden to him, she wrote him a letter saying that she did not wish to wait any longer.

With that, she sent the ring back to him. In return, the guy sent millions and millions of replies and countless phone calls; all the girl could do, besides crying, was still crying....

The parents decided to move away, hoping that she could eventually forget everything and be happy.

In a new environment, the girl learned sign language and started a new life, telling herself every day that she must forget the guy. One day, her friend came and told her that he was back. She asked her friend not to let him know what had happened to her. Since then, there was no more news of him.

A year passed, and her friend came with an envelope containing an invitation card for the guy's wedding. The girl was shattered. When she opened the letter, she saw her name in it instead.

When she was about to ask her friend what was going on, she saw the guy standing in front of her. He used sign language to tell her: "I've spent a year learning sign language, just to let you know that I've not forgotten our promise. Let me have the chance to be your voice. I love you." With that, he slipped the ring back onto her finger. The girl finally smiled.

July 12, 2009

AAA Logo 2009 Review

AAA Logo 2009 is one of the finest, easiest and most reliable logo design programs. Any newbie can create a logo using this software.

Using AAA Logo 2009 is just like using MS Word: unlike other logo design software, there is no entering code or working with drawing tools.

You have huge resources of shapes, gradients and fonts, which are the elements most often used to design a logo.

Enjoy creating logos with AAA Logo 2009 and design logos for your company without hiring another company or a logo designer.

Help yourself by reducing cost for your company.

Cost : $69

http://www.aaa-logo.com/purchase.php

July 05, 2009

Hold or Fold: 5 Keys to a Profitable Internet Business

If you want a profitable Internet business, you need to know these important keys to winning the game.

1- Don't start until you know it's going to make money

This is the most important key to being profitable. Not every business idea is going to pay off. So do your due diligence (research) to make sure that there's a market, that they want what you're selling, and that you can beat your competition.

2- Fold when you can't beat your competition

Take a look at your competition. Can you tell what they're doing well? Are you better, cheaper or different? Is there a niche that you can dominate?

If you can't beat your competition, then is the market big enough for both of you? Fold when you're clearly holding an inferior hand.

3- Fold as soon as you know you can't make a profit

Once you have your marketing in place it's key for you to evaluate how much you're going to spend on marketing versus how much money you'll make.

If the profit is under 30%, look for ways to reduce your marketing costs; do more research and look at key #2.

4- Hold until the risk is higher than the payoff

Every business opportunity has some associated risk. You can't avoid it. If you think you have a sure thing then your opponent is bluffing you.

The questions are:

- How much are you willing to risk?
- How big is the potential payoff?

When you've answered those, do what you're comfortable with.

5- Hold on to a good product that's making money

This one is obvious. If you're winning, keep raising your bets until you know that you've dominated your market. Don't stop short. Milk that hand for all it's worth.

Notice that neither holding nor folding is right or wrong. You don't fail if you fold. The only way to win is to play the game. The game is to fold as soon as you know you can't win and hold on to a good opportunity for as long as you're winning.


July 02, 2009

Secure Website Login Programming with PHP & MySQL

Introduction
If you are developing a web-based system whereby a user, or users, are logging in and staying logged in (sessions, cookies), the following ideas are written with you in mind. Making sure your authentication and authorization schemes are secure is going to be part of your task. All of those things fall under the umbrella term: security. Any competent, security conscious person should already know that most intrusions/attacks are undertaken as follows:

  1. Social Engineering (conning) - see the Wikipedia definition
  2. An inside job, by an employee or trusted person

What it all means is that nothing is stopping one of your users from choosing an easy password, sharing it with others, or leaving themselves logged in as they step away from the machine. Nor can you completely stop an employee from misusing your internal system. However, it behooves you to implement the most basic security measures in your programming, in this case, website programming. That is why I have written this article. There are many books and courses covering security, below is a list of further reading that I recommend:

  • The Art of Deception: Controlling the Human Element of Security - ISBN 0471237124
  • Computer Security for the Home and Small Office - ISBN 1590593162
  • Building Secure Software - ISBN 020172152X
  • Security Engineering - ISBN 0471389226

There are a few more books out there that are very helpful, though not listed here. I felt the ones above would give you the best head start.
Last, but not least, this article is a living, breathing document that most likely has errors. Do not hesitate to second guess anything below, and please email me with any changes, fixes or updates.


Some Basic Rules

Rule #1 - Nothing is totally secure. Break-ins and compromises are inevitable.
Rule #2 - Segment your system/software in order to diminish the damage from said compromise.
Rule #3 - Log as much as you can.
Rule #4 - Never trust user input.

My definition of security
Slowing down an attacker long enough to capture them, and/or fix the security holes, while at the same time safeguarding a system that is segmented in order to lessen the degree of damage during a successful attack. In other words, make a system that is designed for security and defense and that facilitates recovery from attack. (Think like kevlar, not concrete: be flexible, absorb the attack, recover and respond.)


Basic Security Methods
The following should be in place in your system, as a minimum.
  1. Login names and passwords should be 6 characters long, or more
  2. In the event of login failure, be very uncooperative
    Tell the user "Your login attempt was unsuccessful", not "Your password was missing the letter x" or "Your username is not in our system". Give very few leads as to why the login failed. They only serve to help intruders.
  3. Handle errors gracefully
    Place the @ symbol (PHP's error-control operator) in front of many of your PHP function calls. If they fail, the @ will stop PHP from showing that failure in the browser window. This is very useful when making database calls while your database is down, or when the SQL statement returns an error. Such messages would only give feedback to intruders, or look unprofessional to regular users.
  4. Passwords in the user account table of your database must be hashed (SHA-1)
    If someone were to somehow gain access to the database itself, and view all of the user accounts, they would be able to see logins, but not passwords. Unless they changed the password, which would alert the user once they realized they couldn't log in, or they cracked the hashed password (possible, but hard), they would have no way of using their newly found information.
    To accomplish this, the "password" field in your SQL database should be 40 characters long, which will hold an SHA-1 hash written as hex. Before you compare the user input password to the one stored in the database, use the PHP sha1() function to hash it.
    Example: $encrypted = sha1($password);
    Sample database data:
    Login name: bobsmith
    Password: d0be2dc421be4fcd0172e5afceea3970e2f3d940
  5. Never use "admin" or "root" as your administrator login name
    Try to use something else, one that gives the same idea, but is more unique. Some examples are: superman, wonderwoman, allpower, etc...
  6. Log the total number of logins for each user, as well as the date/time of their last login
    Logging the total is just a good indicator, and *may* be useful for security purposes depending on your system. Keeping track of their last login is very useful in the event that someone logged in using their account, without permission. You now know the time it happened, and if you log the date/time of any changes in your database and by whom, you can track what that intruder did while logged in.
    In order to accomplish the above, the user account table in your SQL database should have three extra fields:
    Logincount of type INTEGER
    Lastlogin of type TIMESTAMP (or datetime)
    Thislogin of type TIMESTAMP (or datetime)
    When the user logs in, in PHP, update that user's information in the database by incrementing their login count and by getting the timestamp using PHP's built in date() function. After successful login, first transfer the info stored in 'Thislogin' to the 'Lastlogin' field, and then insert the new date/time into 'Thislogin'.
  7. Strip backslashes, HTML, SQL and PHP tags from any form field data
    If someone maliciously tries to send HTML, SQL or PHP code through a text field entry not meant to expect it, they can disrupt or break your code. Use the following PHP functions to strip out such text:
    strip_tags(), str_replace() and stripslashes()
    Example: $login = @strip_tags($login);
    Example: $login = @stripslashes($login);
  8. Add "LIMIT 1" to the end of your SQL statements
    That will limit the number of results to just 1. If someone successfully hijacks your site, and is able to run a SQL statement that returns data, or deletes it, placing "LIMIT 1" at the end of any SQL string will help limit the amount of data they are able to see or damage.
    Example: SELECT * FROM useraccount WHERE Login='$login' AND Password='$encrypted' LIMIT 1
  9. Use the "maxlength" option in your HTML form elements
    Limit the user to the allocated input size. If a login field in your SQL schema is of size 8 characters, limit the text field input to 8 using maxlength.
    Example: <input type="text" name="login" size="8" maxlength="8">
  10. Trim any and all form field data
    Trim down the length of any form field data. If you expect a string of length 8, don't rely on the HTML maxlength (above), or the kindness of the user to pass you a string that long. Cut it down to size. Always.
    substr()
    Example: $login = @substr($login, 0, 8);
  11. Check the referrer
    Make sure the login script checks the HTTP_REFERER to see where the request came from. It should come from your HTML form, on the same server. If not, reject the login attempt. Though, I must tell you the HTTP_REFERER is easy to "spoof", or fake, so this security measure is easy to bypass. It will only stop simple spam bots, or the most amateur of attackers.
  12. Use $_POST not $_REQUEST
    If your HTML form uses POST to send the data to the login script, then make sure your login script gets the input data using $_POST, and not $_REQUEST. The latter would allow someone to pass data via GET, on the end of the URL string.
  13. SSL Encryption (https)
    To better ensure the privacy of the data being sent across the internet, purchase an SSL certificate to encrypt the login page, and any others.
  14. In general, limit user access according to their role
    Design your system to give users specific layers, or subsets, of access. Not everyone needs to be all powerful, nor all knowing. Using the Unix group idea as your starting point, classify users and give them features based on that. If you have a system with multiple users who have different roles, give them functionality based on those roles. Only accountants should be able to see financial data, not warehouse inventory or much else. The person at the cash register can enter a sale, but not delete it. That is a manager's job, and needs override permission. Etc....
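
As an added example (not code from the original article), here is the login query from item 8, built by string interpolation, next to a hardened version using PDO prepared statements, with items 1, 2, 6, 7, 10 and 12 folded into one login routine. It assumes an in-memory SQLite database through PDO in place of MySQL so that it runs stand-alone; the table definition, the sample account and the form submissions are constructed for the example.

```php
<?php
// Added example, not from the original article: the article's login query with
// the user's input dropped into the SQL string, next to a hardened version
// using PDO prepared statements. An in-memory SQLite database stands in for
// MySQL so the example runs stand-alone; only the DSN differs for MySQL.
date_default_timezone_set('UTC');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Columns as the article describes them: Password holds a 40-char SHA-1 hex
// digest (item 4); Logincount/Lastlogin/Thislogin are item 6.
$db->exec('CREATE TABLE useraccount (Login VARCHAR(8) PRIMARY KEY,
    Password CHAR(40) NOT NULL, Logincount INTEGER NOT NULL DEFAULT 0,
    Lastlogin TEXT, Thislogin TEXT)');
$db->exec("INSERT INTO useraccount (Login, Password) VALUES ('bobsmith', '"
          . sha1('s3cretpw') . "')");   // constructed sample account

// Items 7, 10 and 12: read $_POST only, trim to the column width, strip tags
// and backslashes. Note what this does NOT do: quote characters pass through.
function normalize_login(array $post) {
    $login = isset($post['login']) ? (string) $post['login'] : '';
    $pass  = isset($post['password']) ? (string) $post['password'] : '';
    return array(substr(strip_tags(stripslashes(trim($login))), 0, 8), $pass);
}

// The article's query built by string interpolation. Whatever the user typed
// becomes part of the SQL text, so the server sees a different statement for
// every input that contains a quote. Shown for comparison only; never run it.
function unsafe_query_text($login, $encrypted) {
    return "SELECT * FROM useraccount WHERE Login='$login' AND Password='$encrypted' LIMIT 1";
}

// Hardened form: placeholders keep data out of the SQL text, the result is
// capped at one row (item 8), and the caller learns only success or failure (item 2).
function authenticate(PDO $db, $login, $password) {
    if (strlen($login) < 6 || strlen($password) < 6) {   // item 1
        return false;
    }
    $stmt = $db->prepare('SELECT Password FROM useraccount WHERE Login = ? LIMIT 1');
    $stmt->execute(array($login));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown name and wrong password take the same path: one generic failure.
    if ($row === false || $row['Password'] !== sha1($password)) {
        return false;
    }
    // Item 6: roll Thislogin into Lastlogin, stamp the new login, bump the count.
    $upd = $db->prepare('UPDATE useraccount SET Logincount = Logincount + 1, '
                      . 'Lastlogin = Thislogin, Thislogin = ? WHERE Login = ?');
    $upd->execute(array(date('Y-m-d H:i:s'), $login));
    return true;
}

// Constructed form submissions. The second login name is an ordinary name
// with an apostrophe: the prepared statement treats it as data and simply
// finds no such account, while the interpolated query is malformed SQL.
foreach (array(array('login' => 'bobsmith', 'password' => 's3cretpw'),
               array('login' => "o'brien", 'password' => 'whatever')) as $post) {
    list($login, $pass) = normalize_login($post);
    echo $login, ': ', authenticate($db, $login, $pass) ? 'login OK' : 'Your login attempt was unsuccessful', "\n";
    echo '  interpolated SQL would be: ', unsafe_query_text($login, sha1($pass)), "\n";
}
```

The block keeps the article's unsalted SHA-1 scheme for fidelity; current PHP provides password_hash() and password_verify(), which salt and deliberately slow the hash, and new code should use those instead.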

More Extreme Methods
On page 1 of this article, I listed the most basic methods necessary for security. What follows are some more extreme measures, which I refer to as "paranoid". I like that word, and in the security arena, it's a very good attitude to have. Don't mistake a paranoid security measure for a roadblock or hindrance. Though they can be one and the same, they don't have to be. What do I mean? For example, a paranoid company may tell you that the only time you can enter a server room is from 3:30 PM to 5:00 PM, one person at a time. Such a rule would undoubtedly hinder your ability to do work. A counter example may be a paranoid company that logs *every* single failed login attempt into their system. It does not hinder your work, but sure does go above and beyond the most basic security.


Paranoid Methods

  1. Every login failure alerts an administrator
    It doesn't have to be a siren going off, it could be a simple email detailing the date, time, IP address, and attempted login name.
  2. Store/log every user login
    Instead of storing only the last login, and the current login of each user, create a table in your database solely for the storing of *all* logins. Give it fields to store the user name, password, date, time, and IP address.
  3. Third login failure disables the account, and/or disables by IP address
    After three tries.....
    If someone fails to log in while using a valid login name, disable that account and alert an administrator.
    If someone tries to log in while using a login name not found in the system, log that IP address and block logins from that IP address.
    Note: For the first to be accomplished, your user account table needs to have a field called "disabled" of type TINYINT (to set it to 0 or 1) or ENUM (to store "Y" or "N").
  4. Use .htaccess and .htpasswd to double protect a site
    In addition to a basic PHP login page that asks for authentication, put in place .htaccess and .htpasswd restrictions. It's pretty flimsy, but adds that little bit of extra security to make you feel safe at night.
  5. Authenticate by IP address, in addition to login and password
    Not only should you authenticate a user by their login name and password, but you can also put in a third element: their IP address. If the user is always going to be logging in from the same computer (or subnet) you can also check their IP address to see if it matches one allowed by the system. This will protect you from someone trying to log in at an unauthorized location, such as from their home. Or, it will stop an outsider from using a login/password they got using devious means. However, as with *any* other security measure, this can be circumvented by spoofing an IP address. Don't let that stop you though. This paranoid method would add a third wrench in the works of any intruder, making it just that much more difficult to break in.
  6. Create separate, role based MySQL accounts
    On page one of this article, I recommended you give users limited access depending on their role or job. The same should happen for the MySQL accounts your PHP code uses behind the scenes. For example, there should be a MySQL user account that is restricted to only SELECT access on the user account table. Its main purpose is to be used in the login authentication. Because the login page is the most visible to intruders, its parts are the most vulnerable. If intruders somehow find out the MySQL username/password in its PHP code, they may be able to use that to run their own SQL queries. For the other portions of your site, the same rules above apply. Create MySQL accounts with restricted access, depending on the code they are meant to be used in. Portions of your site that allow people to view data should internally use MySQL user accounts that only have SELECT access. Etc.... you get the idea.
  7. Use stored procedures (similar to user defined functions)
    In MySQL 4.0 (and below) there are functions that can be created by using the CREATE FUNCTION statement. In MySQL 5.0 and above, there will be the ability to create stored procedures by using the CREATE PROCEDURE statement. If you create your own stored procedure to authenticate a login, you minimize the ability for someone to see the internal structure of your database. It also allows you to minimize the data returned, especially if someone is able to insert a malicious SQL statement into your code. However, using just stored procedures is not the end-all solution. It should be used in conjunction with a limited-ability MySQL user account (see above).
  8. Gracefully handle CRITICAL failures
    This is more of an idea for exception handling than for security, but it can be for both. Oftentimes a critical failure is the result of an intruder trying to do something they shouldn't be, which then "breaks" your site. Instead of dying (using the die() function), try something else.

    For example, many PHP programmers will do this:
    $result = @mysql_query($query, $db) or die("Could not get data");

    That's a good thing to do, it allows the code to die gracefully. However, the above will alert the intruder that the error was caught, giving them feedback and allowing them to try something different next time. Or, it will look *unprofessional* to a normal user when your site dies.
    Create your own function called "capturecritical()" and in addition to aborting all further processes, that function should log information and email it to an administrator. An improved example would then be:
    $result = @mysql_query($query, $db) or capturecritical("MySQL Query Error in XYZ.php, line 24", mysql_error(), $user, time());

    Your function would accept as variables a basic title, in this case the default "MySQL Query Error", then a more verbose description (in this case, the mysql_error() data), the user account that instigated it, and the date/time it happened. The function would then email an administrator with that data, or log it to a log file. It will also tell the user a critical error has occurred.
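
As an added example (not the article's code), the paranoid handling of items 1, 2, 3 and 8 in one login routine: a log row for every attempt, an administrator alert on every failure, account disabling on the third failure of a valid name, IP flagging on the third failure of an unknown name, and a capturecritical() that keeps database errors away from the user. It assumes an in-memory SQLite database through PDO in place of MySQL so that it runs stand-alone; the loginlog table, the MAX_FAILURES constant and the echo-based stand-in for mail() are this example's own assumptions.

```php
<?php
// Added example, not from the original article: the "paranoid" failure handling
// of items 1-3 and 8, on an in-memory SQLite database through PDO so it runs
// stand-alone. useraccount and its "disabled" TINYINT column follow the article;
// the loginlog table, MAX_FAILURES and the alert stand-in for mail() are assumed.
date_default_timezone_set('UTC');
define('MAX_FAILURES', 3);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE useraccount (Login VARCHAR(8) PRIMARY KEY,
    Password CHAR(40) NOT NULL, disabled TINYINT NOT NULL DEFAULT 0)');
// Item 2: one row per attempt. The password is deliberately not stored; a log
// holding passwords is a second copy of the secret that has to be protected.
$db->exec('CREATE TABLE loginlog (Login VARCHAR(8), ip VARCHAR(45),
    success TINYINT NOT NULL, attempted TEXT NOT NULL)');
$db->exec("INSERT INTO useraccount (Login, Password) VALUES ('bobsmith', '"
          . sha1('s3cretpw') . "')");   // constructed sample account
// Item 1: every failure reaches an administrator (stand-in for mail()).
function alert_admin($subject, $body) {
    echo "[ALERT] $subject: $body\n";
}
// Item 8: on a critical failure the detail goes to the administrator only;
// the user sees a generic message and processing stops.
function capturecritical($title, $detail, $user) {
    alert_admin($title, "$detail (user='$user', " . date('Y-m-d H:i:s') . ')');
    echo "A critical error has occurred. Please try again later.\n";
    exit(1);
}
// Failed attempts recorded for a login name ('Login') or an address ('ip').
function recent_failures(PDO $db, $column, $value) {
    $sql = 'SELECT COUNT(*) FROM loginlog WHERE success = 0 AND '
         . ($column === 'ip' ? 'ip = ?' : 'Login = ?');
    $stmt = $db->prepare($sql);
    $stmt->execute(array($value));
    return (int) $stmt->fetchColumn();
}
function attempt_login(PDO $db, $login, $password, $ip) {
    try {
        $stmt = $db->prepare('SELECT Password, disabled FROM useraccount WHERE Login = ? LIMIT 1');
        $stmt->execute(array($login));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        $ok = $row !== false && !$row['disabled'] && $row['Password'] === sha1($password);
        $log = $db->prepare('INSERT INTO loginlog (Login, ip, success, attempted) VALUES (?, ?, ?, ?)');
        $log->execute(array($login, $ip, $ok ? 1 : 0, date('Y-m-d H:i:s')));
        if ($ok) {
            return true;
        }
        alert_admin('Login failure', "login='$login' ip=$ip");
        if ($row !== false && !$row['disabled']) {
            // Item 3, valid login name: disable the account on the third failure.
            if (recent_failures($db, 'Login', $login) >= MAX_FAILURES) {
                $db->prepare('UPDATE useraccount SET disabled = 1 WHERE Login = ?')->execute(array($login));
                alert_admin('Account disabled', $login);
            }
        } elseif ($row === false && recent_failures($db, 'ip', $ip) >= MAX_FAILURES) {
            // Item 3, unknown login name: flag the address; enforce the block in
            // a block list checked before the lookup, or in the firewall.
            alert_admin('Block IP', $ip);
        }
        return false;
    } catch (PDOException $e) {
        capturecritical('MySQL Query Error in login.php', $e->getMessage(), $login);
    }
}
// Constructed attempts: three bad passwords disable bobsmith, so the correct
// password is then refused too; three unknown names from one address flag it.
$attempts = array(array('bobsmith', 'wrong1', '198.51.100.7'), array('bobsmith', 'wrong2', '198.51.100.7'),
    array('bobsmith', 'wrong3', '198.51.100.7'), array('bobsmith', 's3cretpw', '198.51.100.7'),
    array('nobody', 'x', '203.0.113.9'), array('nobody', 'x', '203.0.113.9'), array('nobody', 'x', '203.0.113.9'));
foreach ($attempts as $a) {
    list($login, $pass, $ip) = $a;
    echo "$login from $ip: ", attempt_login($db, $login, $pass, $ip) ? 'OK' : 'unsuccessful', "\n";
}
```

As written the failure count only ever grows; whether it resets after a successful login or after a time window is a policy decision the article leaves open.
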
Conclusion
You should now have a somewhat complete picture of what can be done to create a secure, login based site. Most of what I have discussed refers to programming, and your code. I have not discussed the finer points of security, which I briefly mentioned at the introduction and have to do with our most human failings. Outside of the scope of this article are additional security measures such as requiring your users to choose non-obvious passwords, forcing users to change passwords every 30 to 90 days, training them not to give out their password over the phone, and so on..... I will leave all of that to another article.

Always keep in mind, security is meant to slow down an attack enough for you to capture the intruder, or fend them off and then correct the security hole. If you think your site is 100% intruder proof, think again.
i101dotcom | think.learn.innovate Copyright © 2009. All Rights Reserved