September 30, 2002
Court rules up-skirt peep cams legal

In a ruling that could change fashions in Washington state, the supreme court there has ruled that "up-skirt cams" do not violate voyeurism laws.

Web server security

This article details how to secure dynamic content on an Apache Web server. Topics covered include general security issues pertaining to dynamic content, securing Server Side Includes, configuring Apache's Common Gateway Interface, and wrappering dynamic content. The article is targeted primarily at Webmasters and system administrators responsible for maintaining and securing a Web server; however, anyone with a need or desire to serve dynamic content will benefit from the topics covered. A basic understanding of Linux commands, permissions, and file structures is assumed.

September 26, 2002
PERL and Setuid Scripts

When perl is executing a setuid script, it takes special precautions to prevent you from falling into any obvious traps. (In some ways, a perl script is more secure than the corresponding C program.) Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories or processes. Any variable that is set within an expression that has previously referenced a tainted value also becomes tainted (even if it is logically impossible for the tainted value to influence the variable).
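As an added illustration (not code from the linked article), the script below shows the taint behaviour just described: input from the command line is tainted, a string built from it inherits the taint, `system` refuses to run with it, and only the regex-capture idiom produces an untainted copy. It assumes `Scalar::Util::tainted` (core since Perl 5.8) and must be started as `perl -T taint_demo.pl somename`.

```perl
#!/usr/bin/perl -T
# Added example: demonstrates perl's taint checks. Run with "perl -T",
# otherwise perl stops with "Too late for -T".
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external commands while PATH is inherited
# from the caller, so set it explicitly and drop the other environment
# variables perlsec lists as dangerous.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Command-line arguments arrive tainted.
my $name = defined $ARGV[0] ? $ARGV[0] : 'guest';
print "argv value tainted: ", (tainted($name) ? 'yes' : 'no'), "\n";

# A value derived from tainted data is tainted too, even though the
# interpolation cannot change what the shell would see.
my $greeting = "hello $name";
print "derived string tainted: ", (tainted($greeting) ? 'yes' : 'no'), "\n";

# Passing tainted data to system() dies at run time with
# "Insecure dependency in system while running with -T switch".
eval { system('echo', $greeting) };
print "blocked by taint check: $@" if $@;

# The only sanctioned way to untaint is to match against an explicit
# pattern and use the capture; choose the allow-list deliberately.
my ($clean) = $name =~ /^([A-Za-z0-9_-]{1,32})\z/
    or die "refusing unexpected name: $name\n";
print "captured copy tainted: ", (tainted($clean) ? 'yes' : 'no'), "\n";

# The untainted copy may now be used in a command (list form, no shell).
system('echo', "hello $clean") == 0
    or die "echo failed: $?\n";
```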

Excerpts from Creating Applications with Mozilla

Creating Applications with Mozilla explains how applications are created with Mozilla and provides step-by-step information about how you can create your own programs using Mozilla's powerful cross-platform development framework. This book also shows examples of many different types of existing applications to demonstrate some of the possibilities of Mozilla application development. One of Mozilla's biggest advantages for a developer is that Mozilla-based applications are cross-platform, meaning programs work the same on Windows as they do on Linux or the Mac OS.

How to install a Mandrake Firewall (MNF) without a CD

This Howto explains all the steps required to install a full-featured MNF using an 8.2 CD-ROM, or a Cooker mirror without any CD-ROM.

FrontPage flaw places servers in jeopardy

In its 53rd advisory for the year, the software giant said a vulnerability in the SmartHTML interpreter could be exploited to cause a denial-of-service attack on the Web server if the computer had FrontPage Server Extensions 2000 running. For FrontPage Server Extensions 2002, the flaw could result in the attacker running the code of their choice, essentially taking control of the server.

In its 53rd advisory for the year...

I really shouldn't ask this, but, why is anyone running this stuff?

[quote]

Despite launching its Trustworthy Computing initiative in January, the software giant has racked up more than 70 vulnerabilities outlined in 53 advisories this year. Last week, Microsoft revealed three flaws in its Java virtual machine software.

The same day, the government unveiled the National Strategy for Securing Cyberspace. While the strategy urged companies and security researchers to solve vulnerability issues quickly and discreetly, it didn't highlight software companies' problems in eliminating such problems.

[end quote]

Oh yeah... that government panel was made up mostly of Microsoft people... I remember now.

Flirting With Mac OS X

If you have been using Linux for some time and just love its stability and performance, and find it a natural platform for development, you'll feel right at home on the Mac OS X. On the other hand, if you feel at times frustrated by the difficulty with which modern devices (like wireless, DVD, or FireWire devices) work on Linux, then you might find Mac OS X to be what you've been longing for. I for one, am convinced: I am switching my laptop to Mac OS X. And best of all, you don't have to be ashamed to go to a Linux guru meeting with Mac OS X, because it's just a UNIX with a very nice GUI.

September 24, 2002
JavaScript FAQ Knowledge Base

Subject says it all...

How to write HTML forms

This document provides annotated links to tutorials, references, FAQs, and my specialized documents about HTML forms.

Cross-site scripting

Cross-site scripting is a potentially dangerous security exposure that should be considered when designing a secure Web-based application. In this article, Paul describes the nature of the exposure, how it works, and has an overview of some recommended remediation strategies.

Unattended, A Windows deployment system

This is a system for fully automating the installation of Windows 2000 and XP workstations, including the OS, hotfixes, and applications.

Features include:

* Full documentation and source code
* Support for floppy, CD-ROM, and "nothing but net" installs
* True unattended installation, not disk imaging
* No Windows servers required; use your Unix servers instead
* No Unix servers required; use your Windows servers after all
* Completely free

But be warned: This is not a ./configure && make install kind of project, and it is not a slick GUI app. You will need to understand at least a little of what goes on "under the covers", and you will need to perform some customization for your site.

September 23, 2002
Aussies protest MS security advice

"For good security you really need a vendor-neutral advisor who doesn’t have a vested interest in any particular product," he said. "Frankly Microsoft is the last place you would go to for security fixes. Microsoft products have had more security breaches than just about any other software company."

Too bad our president doesn't understand this...

Speeding Up SpamAssassin

SpamAssassin (link above) is a great program for stopping almost all spam.

It is written in Perl, and thus runs on pretty much any Unix platform. On my OpenBSD systems, it appears to consume about 11MB of RAM.

The defaults are quite good, but it can be a little slow. Here are three ways to speed it up.

Writing Perl Modules for CPAN

[T]he review below of Writing Perl Modules for CPAN, which explains at a level "between novice and intermediate user" (and in a minimum of space) how to contribute to Perl's own Library of Alexandria.

Google Does the News

rizen was among the countless readers who submitted that google does the news. They've added a new tab to their interface, and a CNNish sorta web page that indexes thousands of online news sites. Their technology section is showing some Slashdot stories too (sweet!). I like that they combine related stories on the same subject. Nifty setup.

This is *very* nice!

Go here (http://news.google.com) for the front page.

September 22, 2002
On Joel on Software

Picking apart Spolsky’s argument bit by bit, while fun, misses the forest for the trees. Windows software ported to the Mac almost always fails. Mac software ported to Windows very often succeeds. On the Mac, in any given software category, the best app usually wins. On Windows, in any given software category, Microsoft usually wins.

September 19, 2002
Microsoft offers source code to 2,300 parties - 150 say yes

Despite the apparent fervour surrounding software source code only 150 organisations worldwide have taken up Microsoft's offer to share the inner secrets of the Windows operating system.

If you can't modify the code... it is worthless.

And, so is the offer to the code!

Microsoft urges users to patch flaws in its VM for Java

"Microsoft's virtual machine overall is fundamentally insecure," Larholm said. "Java usually enforces a sandboxing model so you can run code in a safe manner. But Microsoft's VM allows any programmer to escape that secure model."

September 17, 2002
Headed in reverse

SUPPOSE YOU'RE A software developer with the good habit of keeping an eye on what the competition is doing. And suppose you find a new feature in your competitor's latest release that your customers would probably like. Can you implement a similar feature, or would that make you guilty of violating the "no reverse engineering" clause in your competitor's shrink-wrap license?

Outlandish as it may seem, a recent federal appellate court ruling appears to be saying that you indeed would be guilty of violating a contractual obligation in such circumstances. On Aug. 20, the Federal Circuit Court of Appeals issued a decision in the Massachusetts case of Bowers vs. Baystate Technologies, upholding the enforceability of a standard on reverse engineering in Bowers' shrink-wrap agreement. Quite simply, if the court's decision truly becomes the law of the land, it has the potential to destroy the software industry in this country.

Re: Mandrake Update

Recently "Scallica" wrote:

> Is there a Mandrake Update utility for the console? I would like to
> upgrade some packages, but its tedious searching through ftp sites.
>
> -Scallica-

Yes, it's urpmi.
urpmi.update -a updates the hdlists.
urpmi --auto-select updates the packages.
urpmi installs.

--
Marcel Pol
news@chaosmongers.org

September 11, 2002
99.9% of Websites Are Obsolete

An equal opportunity disease afflicts nearly every site now on the Web, from the humblest personal homepages to the multi-million-dollar sites of corporate giants. Cunning and insidious, the disease goes largely unrecognized because it is based on industry norms. Though their owners and managers may not know it yet, 99.9% of all websites are obsolete.

These sites may look and work all right in mainstream, desktop browsers whose names end in the numbers 4 or 5. But outside these fault-tolerant environments, the symptoms of disease and decay have already started to appear.

September 06, 2002
Financial Software for Linux

Applications are available for Linux to help with everything from balancing your checkbook to managing payroll and inventory for a Fortune 500 megacorp. This review hopes to point you in the right direction for whatever you need to do.

Squidalyser 1.0a

Squidalyser is a squid traffic analyser designed to allow per-user scrutiny and analysis of squid logfiles. The program allows a non-technical user to extract information about web usage patterns, the type of information downloaded, the sites visited by users, the graphics downloaded, and the amount of information (per-byte or per-file) accessed.

Microsoft: "Our products aren't engineered for security"

Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.

"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.

duh...

The Art Of Software Development (part 2)

With that first phase out of the way, it's time to move on to what I personally find to be the most challenging phase of any software project: design. This is when you meditate on the requirements defined previously and design the architecture of your application so that it satisfies all of them, while simultaneously meeting the goals of stability, security, performance and maintainability. Needless to say, this isn't easy - but it will get your creative juices flowing. Keep reading!

The Art Of Software Development

In this creatively-titled five-part series, I'll be looking at some rules you can follow to make your chosen profession a little simpler. Each section of this tutorial discusses a specific part of the application development timeline, and shows you some basic tips and rules you can follow before, during and after the code implementation phase of a Web project, in the hope that it will streamline your workflow and get you up to speed on the processes and practices needed to effectively handle a small- to medium-sized project.

This introductory piece focuses on the first part of the application development cycle, explaining some of the things you need to do before you sit down to write your first line of code. In the subsequent parts, I'll be discussing a few techniques you can use to improve your code and build a more robust application, together with what happens once you've finished coding the application and are ready to release it to a customer.

LAMPS Tutorial - Linux, Apache 1.3, MySQL, PHP4, Mod_perl, PostgreSQL, PDFLib and Mod_SSL HowTo

This tutorial is about the compilation, installation and configuration of a LAMPS server. It explains, among other things, the installation of Apache 1.3, Mod_Perl, PHP, Mod_SSL, MySQL, PostgreSQL and PDFLib, gives examples and shows how to test the components. The operating system is Linux. The LAMPS tutorial is intended for webmasters and web developers who want to set up a test system.

September 04, 2002
Lessig on Freedom: Use It or Lose It

Technology conference keynotes tend to be as forgettable as press kits and often are produced by the same mill. But there are exceptions. One of the biggest ever was "Freeing Culture", a passionate half-hour call to battle by Lawrence Lessig, Professor of Law at Stanford University and author of Code and Other Laws of Cyberspace and The Future of Ideas. The conference was the O'Reilly Open Source Convention 2002 in San Diego.

Lessig, who usually speaks without visual aids, not only added them for this talk, he elevated the art form in the process. The combined effect was exceptionally powerful. As a call for the defense of freedom, it was the geek culture equivalent of Martin Luther King's "I have a dream" speech.

Mac OS X Hints - Use LDAP instead of NetInfo on Jaguar

So I am excited, because I have waited for this moment since the first release of OSX. Finally I got everything working to replace my network NetInfo with LDAP. The new Jaguar LDAP support is great. I just replaced my NetInfo network domain with a central LDAP server running OpenLDAP on Gentoo linux.

September 03, 2002
Architectural Principles of the World Wide Web

The World Wide Web is a networked information system. Web Architecture is the set of principles that all agents in the system follow to create the large-scale effect of a shared information space. Identification, data formats, and protocols are the main technical components of Web Architecture, but the large-scale effect depends on social behavior as well.

This document strives to establish a reference set of principles for Web architecture.

Apple Keeps x86 Torch Lit with 'Marklar'

As Apple Computer Inc. draws up its game plan for the CPUs that will power its future generations of Mac hardware, the company is holding an ace in the hole: a feature-complete version of Mac OS X running atop the x86 architecture.

According to sources, the Cupertino, Calif., Mac maker has been working steadily on maintaining current, PC-compatible builds of its Unix-based OS. The project (code-named Marklar, a reference to the race of aliens on the "South Park" cartoons) has been ongoing inside Apple since the early days of its transition to the Unix-based Mac OS X in the late '90s.

Sources said more than a dozen software engineers are tasked to Marklar, and the company's mainstream Mac OS X team is regularly asked to modify code to address bugs that crop up when compiling the OS for x86. Build numbers keep pace with those of their pre-release PowerPC counterparts; for example, Apple is internally running a complete, x86-compatible version of Jaguar, a.k.a. Mac OS X 10.2, which shipped last week.