Archive for the ‘Computer Security’ Category
How to do a cross site scripting attack
Have you ever wondered what a cross site scripting (XSS) attack is all about? OWASP rated such an attack number two in their top ten vulnerabilities of last year. View the video, then defend yourself against such attacks!
Stay anonymous through disposable email addresses
While surfing the net, there are a number of times that you don’t want to give out your real email address. For example, you come across a site that says you must enter an email address to view the content of a help article. Why do they need your email address?
Now, there is an easy solution: Disposable email addresses!
Just enter any address at mailinator.com, then go to their site, type in the address, and presto, your mail awaits.
- Make it unique: Of course the catch is that none of the email is password protected. So you may want to choose a unique name that someone will not guess. Don’t choose bob@mailinator.com. Instead, choose bobddcc8888d3df@mailinator.com. That way,
- Don’t use for private information: Someone could view the email besides you, so don’t use it for private information.
- Delete the message: It works when camping. Leave the site as you found it! You can delete the messages. So if you really want to hide your trail, just delete it.
Free Java Open Source Software Bug Testing.
Programs inevitably have bugs. No matter how thorough a person is in their coding, there will almost always be some bugs in the code.
Besides running through known possible errors, you can also use software to test your code. A lot of times, the testing software can be expensive. For open source developers, expensive testing software is out of the question.
As announced yesterday, Fortify Software is in the process of opening their software testing tools to open source developers. They will test the code for free and give a detailed report on the errors. Non-contributors to a project will only see basic information about the number or percentage of errors.
The tools that will be used include FindBugs and Fortify SCA. These tools are highly acclaimed in software testing.
Some of Fortify’s current customers for professional analysis include Charles Schwab, U.S. Navy, Microsoft, Adobe, CitiGroup, and Digital River.
EveryDNS under DDoS Attack: Causes Outage at TerryPearson.com
On Friday, December 2, this site, along with JessicaDPearson.com and SmsuPolitics.com were all down for a while. These are all hosted on my same server. But the downtime was not caused by problems with my web server. It was caused by problems with the company that hosts my domain name server.
My DNS server is hosted through EveryDNS.net. On Friday a massive Denial of Service attack was launched against their servers. A sister site of EveryDNS, OpenDNS.com, also went down. On their blog, OpenDNS explained the situation and said it was resolving the DoS attack.
They also said that the DoS attack is still happening, but they have found ways to better cope with the situation. Hopefully, the attack subsides and all the websites that rely on their services will continue to function.
I will say that EveryDNS is one of the best sites available to use as a DNS Server. They are free (as in they accept donations) and you can use them as a primary or secondary DNS. Anyway, things are working properly right now, and hopefully they will be able to completely stop those people who perpetrated the attack.
CAPTCHA!
I am sure that you have gone to websites that require you to “type the letters that you see in the picture.” This is often done before you apply for an account on a website.
This technique of showing you letters in a picture and expecting the user to tell the computer what the letters are is a form of CAPTCHA. To explain CAPTCHA, I will need to give you some background.
CAPTCHA, or “Completely Automated Public Turing Test to tell Computer and Humans Apart” is a system designed to make sure that the person visiting a page is human.
Believe it or not, there are robot programs that surf the internet. The bad ones are designed to harvest email addresses from websites, attempt to exploit commonly known security vulnerabilities on servers, and sign up for email and forum accounts to produce spam like crazy.
Email and forum websites have answered these robots by producing “tests” that only humans should be able to pass. The simplest way to test this is by providing a picture that a human can quickly interpret as text, but that a computer would treat as just another picture.
A site called “Coding Horror” has a really good article on how to make your CAPTCHA most effective.
Passwords are only as secure as where you keep them.
A Fox News story came out today saying that one in three individuals writes down their passwords. At first glance, this shows responsibility and carefulness.
But, a closer analysis will reveal something completely different. Though people have good intentions, writing down passwords is a very bad idea. If you write down your password, someone can view it.
It may not even stay in your office, or wherever you keep it. You could accidentally throw your password away. Once it goes out with the trash, it is basically fair game for anyone.
There are individuals who “dumpster dive” for such things. They know that most “secret” documents end up getting thrown away without a care in the world.
So, do yourself a favor, memorize your passwords. And change them every once in a while as well!
How do I use an MD5 checksum?
If you followed the links on my last post, one of them would have taken you to the Torpark web browser download page. When downloading Torpark, you are given an md5 checksum number. I am sure that a lot of people do not use checksums, and really do not understand their importance. Checksums are used to verify that a file that you downloaded is actually the original.
To put it in basic terms, a checksum number is a unique number generated from a certain algorithm that is run on a file. If the file has any differences at all from another file, the checksum will be different.
These checksums can be important. Let’s say that I broke into some download mirror, and replaced one of their popular files with one of mine. Maybe the software ran the same, but I added a basic instruction to log keystrokes and send them to a server of my choosing. Since you just innocently downloaded the file (and from a trusted source) you have no idea of this added functionality found in the program.
If you had checked your download against the checksum located on the website, you would have noticed that a different number resulted from the checksum. You would have known right off the bat that the file was corrupt, and that you should try to download it again.
In order to use an md5 checksum, all you need is a program to check the md5 that results from a given file. I would recommend ChaosMD5 2.0 by Elgorithms. There are many other great MD5 checkers, this is just the one that I use.
To use it, click the folder icon on the right to browse to the file that you wish to check. This should be the original downloaded file. After selecting the file, click the “Generate MD5” button. A few seconds later, your MD5 should be generated. Compare it with the original (from the download website). If they are the same, your file is OK. If you have different numbers, DO NOT use the file. Get rid of it and try again.
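The same check done with a script instead of a GUI tool, as an added example that is not from the original post or from ChaosMD5: it streams the downloaded file through MD5, accepts the checksum either as a bare digest or as an md5sum-style “digest  filename” line copied from a download page, and reports a mismatch as soon as a single byte differs. The file contents, the filename and the published digest are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 16  # read 64 KiB at a time so a large download need not fit in memory


def md5_of_file(path):
    """Stream a file through MD5 and return the lowercase hex digest."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_checksum(text):
    """Accept a bare hex digest or an md5sum-style line ("<hex>  <filename>") as
    copied from a download page, and return the normalised 32-character digest."""
    token = text.strip().split()[0].lower()
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a 32-character hex MD5 digest: %r" % token)
    return token


def verify_download(path, published):
    """True only if the file on disk hashes to the checksum shown on the download page."""
    expected = parse_published_checksum(published)
    actual = md5_of_file(path)
    # constant-time comparison; harmless here, important if this helper is reused server-side
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a 'download' matching its published checksum, then the
    same file with one byte appended, standing in for a swapped mirror copy."""
    published = "5EB63BBBE01EEED093CB22BB8F5ACDC3  download.bin"  # MD5 of b"hello world"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.bin")
        with open(path, "wb") as fh:
            fh.write(b"hello world")
        clean_ok = verify_download(path, published)
        with open(path, "ab") as fh:
            fh.write(b"!")  # any change at all produces a different digest
        tampered_ok = verify_download(path, published)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching MD5 proves the file is the one the site published, not that the site is honest: whoever can alter the download page can alter the posted checksum too, and MD5 itself is no longer collision-resistant, so prefer a SHA-256 digest or a signature when the project offers one.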
Just in case “They” are watching you.
Ever feel like you are being watched? Well now the folks at Hacktivismo have created a web browser that makes your surfing much more anonymous.
Hezron at smartbro.blogspot.com has more details on this great new product. They explain a brief overview of the product that is easy to understand.
It uses an encrypted connection to a proxy server, changes your IP address every few minutes, and never installs onto your computer. It is designed to be used from a USB drive; the entire program runs right from there.
Hacktivismo created the program to help individuals in countries that monitor internet traffic to surf and communicate without being detected by the authorities.
It is strange to think that some things as basic as being able to email your friends about any topic you want is banned in some countries. Could you imagine how strange it would be to not be able to choose your news sources? This is the censorship that Hacktivismo is trying to prevent.
You can download Torpark here.
Mr. Scrutinizer, tear down this site!
My job as a web developer often consists of finding ways that I can break the site. I want to know if there are potential problems, so that they can be fixed.
To do this job, I use tools such as XHTML and CSS2 validators. They tell me if my code is up to standards.
I recently came across a posting by Pam Blackstone that talked about a website called “The Scrutinizer.” It sounded like it really goes over a website with a fine-toothed comb. So, I decided to investigate it for myself. I think you will really like what you find there. If you are into testing your websites, this could be an indispensable tool.