setting standards
by Jeff Stewart, SENCAW author
Another blow for Flash. As Adobe is stating that they will make the best tools for HTML5, another major website using Flash has announced they’re switching over to HTML5. Scribd, which provides in-browser access to all sorts of documents and e-books uploaded by users, will ditch its Flash-based website in favour of a brand-new HTML5 version.
Scribd is the largest website of its kind, hosting tens of millions of documents uploaded by users; a sort of YouTube for documents, if you will. Scribd works by converting uploaded documents into what was formerly called iPaper, a PDF-like document technology for the web, which would then be displayed inside users’ browsers using Flash. Supported source document formats include any Microsoft Office or OpenOffice.org format, PDF, PostScript, rich text, and plain text.
This is about to change, starting today. “We are scrapping three years of Flash development and betting the company on HTML5 because we believe HTML5 is a dramatically better reading experience than Flash. Now any document can become a Web page,” Scribd co-founder and CTO Jared Friedman told SENCAW.
Initially (which means today), only 200000 of the most popular documents will be made available as HTML5, but eventually, everything on Scribd will be converted to the new format – turning them into actual, real-world web pages, instead of walled-off Flash elements. “Right now the document is in a box,” Friedman said, “a Youtube-type of experience. There is a bunch of content and a bunch of stuff around it. In the new experience we are taking the content out of the box.” It allows users to completely bypass the concept of an online e-book store, and no longer will users have to download PDF files onto their mobile devices or computers. They can just go to Scribd to read Alice’s Adventures In Wonderland (if you haven’t read it yet, shame on you, you’re missing out on a vital experience) as if it were a web page. Scribd has partners such as The New York Times, New Yorker, Fortune, various publishing houses, as well as Ford, Accenture, and the FCC.
This news comes on the same day Adobe’s CTO, Kevin Lynch, stated that his company will create the best tools for HTML5. “We see whatever people are using to express themselves,” he said, “We’re going to make great tooling for HTML5. We’re going to make the best tools in the world for HTML 5.” In other words, it seems like Adobe is considering creating software designers can use to create compelling HTML5 stuff – much in the same way they today use Adobe’s software to do the same with Flash.
by Jeff Stewart
Here’s a simple example of a script that sniffs an Ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet’s contents:
#!/usr/bin/perl -w
use strict;
use Net::PcapUtils;
use NetPacket::Ethernet qw(:types);   # exports ETH_TYPE_IP (0x0800)
use NetPacket::IP qw(:protos);        # exports IP_PROTO_TCP (6)
use NetPacket::TCP;
use Data::HexDump;

# Packet counter. It must be initialised before loop() is called, because
# loop() never returns and anything placed after it would never run.
my $i = 0;

# Capture every IP packet to or from the given host and hand each one to
# process_pkt; the BPF filter is applied by libpcap before we see the packet.
Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip host 192.168.1.252');

sub process_pkt {
    my ($user_data, $hdr, $pkt) = @_;
    my $eth = NetPacket::Ethernet->decode($pkt);
    return unless $eth->{type} == ETH_TYPE_IP;      # skip ARP and other non-IP frames
    my $ip = NetPacket::IP->decode($eth->{data});
    return unless $ip->{proto} == IP_PROTO_TCP;     # TCP only
    my $tcp = NetPacket::TCP->decode($ip->{data});
    print "\n\n$i $ip->{src_ip}($tcp->{src_port}) -> $ip->{dest_ip}($tcp->{dest_port})\n";
    print HexDump $ip->{data};                      # TCP header plus payload
    $i++;
}
ABSTRACT by Chung-Hung Tsai
Department of Computer Science and Information Engineering, National Chiao Tung University

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.
ABSTRACT by Gary Wassermann
Department of Computer Science
University of California, Davis
Software systems interact with outside environments (e.g., by taking inputs from a user) and usually have particular assumptions about these environments. Unchecked or improperly checked assumptions can affect security and reliability of the systems. A major class of such problems is the improper validation of user inputs. In this paper, we present the design of a static analysis framework to address these input related problems in the context of web applications. In particular, we study how to prevent the class of SQL command injection attacks. In our framework, we use an abstract model of a source program that takes user inputs and dynamically constructs SQL queries. In particular, we conservatively approximate the set of SQL queries that a program may generate as a finite state automaton. Our framework then applies some novel checking algorithms on this automaton to indicate or verify the absence of security violations in the original application program. Work is in progress to build a prototype of our analysis.
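The conservative check the abstract describes, reduced to its core and written here as an added illustration (this is not the paper's prototype or its code): each untrusted input spliced into a dynamically built query is over-approximated as Σ* over an alphabet, and a violation is reported whenever that language could end the SQL literal the program placed it in, i.e. whenever some generated query has input spanning more than one token. The piece-list encoding and the three alphabets PRINTABLE, NO_QUOTE and DIGITS are my assumptions about what the program did to the input before use.

```python
import string

# Over-approximated input languages Sigma_h*, keyed by what the program did
# to the input before splicing it in (assumed categories, not the paper's).
PRINTABLE = set(string.printable)        # unchecked input: anything at all
NO_QUOTE = PRINTABLE - {"'", "\\"}       # quotes and backslashes stripped/escaped
DIGITS = set(string.digits)              # cast to an integer first

class Hole:
    """Untrusted input spliced into the query; alphabet over-approximates it."""
    def __init__(self, name, alphabet):
        self.name = name
        self.alphabet = set(alphabet)

def check_query(pieces):
    """pieces: constant SQL text (str) and Hole objects in program order.
    Returns violation messages; an empty list means every query the program
    can generate keeps each hole inside a single SQL literal token."""
    violations = []
    in_string = False
    for piece in pieces:
        if isinstance(piece, str):
            # constant text only toggles the single-quote literal state
            for ch in piece:
                if ch == "'":
                    in_string = not in_string
            continue
        hole = piece
        if in_string:
            # inside '...': a quote or escape would let input end the literal
            bad = hole.alphabet & {"'", "\\"}
            if bad:
                violations.append(
                    f"{hole.name}: may emit {sorted(bad)} inside a string literal")
        elif not hole.alphabet <= DIGITS:
            # outside a literal only a bare number is structurally safe
            violations.append(
                f"{hole.name}: non-numeric input spliced outside a string literal")
    if in_string:
        violations.append("constant text leaves a string literal unterminated")
    return violations

if __name__ == "__main__":
    name_query = ["SELECT * FROM users WHERE name = '", Hole("name", PRINTABLE), "'"]
    print(check_query(name_query))   # one violation: unchecked input can close the literal
    name_query[1] = Hole("name", NO_QUOTE)
    print(check_query(name_query))   # []: the literal can no longer be closed
```

The check is deliberately conservative: it rejects any program whose input language could contain a quote, even if no concrete request ever does, which is the same trade-off the automaton-based framework makes.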
SCO | RIP
Why SCO won’t show the code – At SCO’s annual reseller show, the company’s executives put up a couple of slides as a way of demonstrating how Unix code had been “stolen” and put into Linux. The two slides were photographed and have since appeared on Heise Online; see them here and here. The escape of these slides has allowed the Linux community to do something it has been craving since the beginning of the SCO case: track down the real origins of the code that SCO claims as its own. The results, in this case, came quick and clear. They do not bode well for SCO.

Abstract
This paper reports on the design rationale and formative evaluation of an intelligent tool to aid intermediate and advanced student programmers, who already have knowledge of another programming language, in acquiring a working knowledge of key parts of the Ada programming language. Research on transfer between programming languages has shown that, while previous programming experience helps students to learn subsequent languages, it also can be a source of negative transfer. In particular, students have little trouble with the syntax of the new language, but they do have difficulty in planning a solution which takes advantage of the features of the new language. Our tool, ADAPT, applies existing artificial intelligence technologies to the pedagogical problem of transfer between programming languages, with emphasis on the problem of developing programming plans which are appropriate to Ada. ADAPT was designed based on the findings of research in the cognition of programming. A prototype of the tool was developed, and a formative evaluation was carried out to evaluate the cognitively-based design decisions guiding ADAPT.
The following is Gary Edwards’ response to the Microsoft Apache POI news. Verbose, but nonetheless interesting.
Rather than providing a generic application-neutral format for MSOffice documents and business process information workflows, Microsoft is providing a universal reader for their application specific format.
They need to own the interoperability factor. And if it means distributing the reader to other platforms and the web app services developers working those platforms, so be it. The key is in owning the interop.
I continue to believe that the only way anyone can understand what Microsoft is doing is to imagine that the choice for Microsoft is that of provisioning MSOffice with W3C compliant XHTML-CSS capabilities OR, following the ODF path and creating a standardized format out of an application specific XML encoding of MSOffice in-memory-binary-representation.
NIST
The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency Information Systems”, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.
by Jeff Stewart
I recommend checking out Net::Pcap, Net::PcapUtils, and the NetPacket CPAN modules. Net::Pcap is a Perl interface straight into libpcap (libpcap is a packet sniffing library on which most UNIX sniffers are based; tcpdump is written using libpcap). Net::PcapUtils is a more Perl-like interface to Net::Pcap that is a bit easier to use than raw Net::Pcap. The NetPacket modules provide parsing for a few (but the most common) layer 2, 3, and 4 protocols (ICMP, IP, TCP, UDP, ARP, Ethernet, etc…). With these tools you can put together custom sniffer utilities very quickly.
by Alan Herrell
Low tech, high yield: A funny thing happened on the way to the shopping cart. One Web designer found a simpler way to make e-commerce pay. Alan Herrell shows you The Money Page.
Flexible Fuel: Educating the Client on IA
by Keith LaFerriere
Educating the client on standard processes and deliverables is tantamount to the success of a project. By using these standards, IA can more easily help manage both the decision-making process and the overall cost.