Friday, July 3, 2009

Jackson virus and spam spreads on Internet

San Francisco, July 3 (DPA) Security researchers warned Thursday of the increasing levels of viruses and spam using Jackson's name to snare unsuspecting users.

One e-mail carrying the subject line 'Remembering Michael Jackson' was circulating with a worm in tow. The e-mail has a zip file attached that infects victims if downloaded and opened.

'The e-mail, which claims to come from sarah@michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson,' Graham Cluley, senior technology consultant at Sophos, wrote on a blog. 'However, the reality is that opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other Internet users.'

Cluley said that the malware also spreads via USB memory sticks. Another e-mail promises an exclusive look at a YouTube video of the 'last work of Michael Jackson,' but instead installs a malicious program that steals passwords.

Thursday, July 2, 2009

ANALYSIS - Cybercrime spreads on Facebook

Cybercrime is rapidly spreading on Facebook as fraudsters prey on users who think the world's top social networking site is a safe haven on the Internet.

Lisa Severens, a clinical trials manager from Worcester, Massachusetts, learned the hard way. A virus took control of her laptop and started sending pornographic photos to colleagues.

"I was mortified about having to deal with it at work," said Severens, whose employer had to replace her computer because the malicious software could not be removed.

Cybercrime, which costs U.S. companies and individuals billions of dollars a year, is spreading fast on Facebook because such scams target and exploit those naive to the dark side of social networking, security experts say.

While News Corp's MySpace was the most-popular hangout for cyber criminals two years ago, experts say hackers are now entrenched on Facebook, whose membership has soared from 120 million in December to more than 200 million today.

"Facebook is the social network du jour. Attackers go where the people go. Always," said Mary Landesman, a senior researcher at Web security company ScanSafe.

Scammers break into accounts posing as friends of users, sending spam that directs them to websites that steal personal information and spread viruses. Hackers tend to take control of infected PCs for identity theft, spamming and other mischief.

Facebook manages security from its central headquarters in Palo Alto, California, screening out much of the spam and malicious software targeting its users. That should make it a safer place to surf than the broader Internet, but criminals are relentless and some break through Facebook's considerable filter.

The rise in attacks reflects Facebook's massive growth. Company spokesman Simon Axten said that as the number of users has increased, the percentage of successful attacks has stayed about the same, remaining at less than 1 percent of members over the past five years.

By comparison, he said, FBI data show that about 3 percent of U.S. households were burglarized in 2005.

"Security is an arms race, and we're always updating these systems and building new ones to respond to new and evolving threats," Axten said.

When criminal activity is detected on one account, the site quickly looks for similar patterns in others and either deletes bad emails or resets passwords to compromised accounts, he said. Facebook is hiring a fraud investigator and a fraud analyst, according to the careers section of its website.

CANNOT GUARANTEE WEB SAFETY

But ultimately Facebook says its members are responsible for their own security.

"We do our best to keep Facebook safe, but we cannot guarantee it," Facebook says in a warning in a section of the site on the terms and conditions of use, which members might not bother to read. (http://www.facebook.com/terms.php)

"People implicitly trust social networking sites because they don't understand the real threats and dangers. It's like walking down the street and trusting everybody you meet," said Randy Abrams, a researcher with security software maker ESET.

Amy Benoit, a human resources manager in Oceanside, California, said she may stop using Facebook altogether after she became entangled in a popular scam: A fraudster sent instant messages to a friend saying that Benoit had been attacked in London and needed $600 to get home.

Yale University last week warned its business school students to be careful when using Facebook after several of them turned in infected laptops.

One of the most insidious threats is Koobface, a virus that takes over PCs when users click on links in spam messages. The virus turned up on MySpace about a year ago, but its unknown authors now focus on spreading it through Facebook, which is struggling to wipe it out.

"Machines that are compromised are at the whim of the attacker," said McAfee Inc researcher Craig Schmugar.

McAfee, the world's No. 2 security software maker, says Koobface variants almost quadrupled last month to 4,000. "Because Facebook is a closed system, we have a tremendous advantage over e-mail. Once we detect a spam message, we can delete that message in all inboxes across the site," said Schmugar.

Facebook's Axten said the site does not know how many users have been infected by Koobface.

A new website that follows Facebook news, www.fbhive.com, recently identified a vulnerability that made it possible to access any user's private information using a simple hack. The loophole has since been closed.

"We don't have any evidence to suggest that it was ever exploited for malicious purposes," Axten said.

Hackers even find ways to get into accounts of savvy users like Sandeep Junnarkar, a journalism professor at City University of New York and former tech reporter. Last month he learned his account was hacked as he waited for a flight for Paris. He quickly changed his password before boarding.

"Am I surprised that it happened? Not really," he said.

Saturday, May 30, 2009

Opacity CSS Validation Using Javascript

I’ve always been annoyed by browser specific CSS properties. Not necessarily because of the purpose browser specific CSS properties serve, but more so the isolation of each property. For instance, applying opacity across multiple browsers requires something like the following:

#selector {
 filter:alpha(opacity=80); /* Internet Explorer */
 -moz-opacity:0.8; /* Mozilla Firefox (legacy) */
 -khtml-opacity: 0.8; /* Safari (legacy) */
 opacity: 0.8; /* CSS3 Standard */
}

Someday, when CSS3 goes completely live, we won’t have to worry about opacity not validating; however, what about other browser-specific styles that we need in order to support multiple browsers? If you don’t care about passing W3 CSS Validation, then this article is not for you. But those of you who require validation, or have a perfectionist nature, can work around the validation engine using both JavaScript and CSS.

Although it may not be the best method out there, using JavaScript to implement impossible-to-validate CSS works the best for me.

Why does it work? Well, it’s simple. Most bots/spiders don’t render JavaScript, which I imagine is for a number of reasons. Perhaps rendering JavaScript would slow down the bots’ very purpose of data mining (or, with bad bots, the purpose of infiltrating). In fact, there usually isn’t anything valuable to a bot that would come from having to render JavaScript. (As a side note, this doesn’t mean that there aren’t bots that seek out sites that have vulnerabilities in their JavaScript markup, but reading JavaScript and rendering JavaScript are completely different.)

So first, it’s a matter of migrating browser-specific code to its own stylesheet (so our JavaScript can include it).


/* invalidable.css */
#selector {
 /* random properties */
 zoom: 1;
 -moz-border-radius: 5px; /* example value */
 /* opacity properties */
 filter:alpha(opacity=80); /* Internet Explorer */
 -moz-opacity:0.8; /* Mozilla Firefox (legacy) */
 -khtml-opacity: 0.8; /* Safari (legacy) */
 opacity: 0.8; /* CSS3 Standard */
}

Once you have your browser-specific properties in their own stylesheet, it’s just a matter of creating a JavaScript file that will “dynamically” insert the <link type="text/css" rel="stylesheet" href="/assets/styles/invalidable.css" media="screen"/> into your page (thus keeping with XHTML Strict standards).


// invalidable.js <-- note the extension
//
// Dynamically Inserts CSS Link Tag
var headTag = document.getElementsByTagName("head")[0];
var linkTag = document.createElement('link');
linkTag.type = 'text/css';
linkTag.rel = 'stylesheet';
linkTag.href = '/assets/styles/invalidable.css';
linkTag.media = 'screen';
headTag.appendChild(linkTag);

Now all you have to do is throw in a JavaScript include tag:


<script type="text/javascript" src="/assets/js/invalidable.js"></script>

You’re done! Bots will now only get this:


<script type="text/javascript" src="/assets/js/invalidable.js"></script>

…while visitors will get this:


<script type="text/javascript" src="/assets/js/invalidable.js"></script>
<link type="text/css" rel="stylesheet" href="/assets/styles/invalidable.css" media="screen"/>

NOTE: It’s important to mention that visitors who have JavaScript DISABLED will NOT have the CSS file included, simply because the JavaScript won’t run; however, I will go on to say that it’s incredibly rare to have visitors with JavaScript disabled. The only cases you’ll probably run into are visitors who visit your site from a cheap mobile phone (the iPhone supports JavaScript), or a visitor who knows what they’re doing and has a Firefox plugin like “NoScript” installed.

On another subject, it’s important to mention that Google now penalizes sites for showing “different” content to search engines than to visitors. Would I classify an extra line in the <head> section as different? Probably not. It’s my opinion that Google’s algorithm would check for differences in content, and not necessarily markup. I also haven’t seen very many cases where practices such as using JavaScript to “show/hide” content were penalized in any way.

Querying a SQLite 3 database using PHP

Previously, in A basic hit counter using PHP and SQLite 3, I detailed a way of creating a database using PHP Data Objects and PHP 5. For most web sites, SQLite would be fine, but for very high volume (as in many hundreds of thousands of hits per day), there are better options - Appropriate Uses For SQLite (SQLite.org) has more details on when SQLite is a good option.

Here is an example of how to query the data and display it on a page (to see which pages are popular for example).

<?php
$dbfolder = $_SERVER["DOCUMENT_ROOT"]."/data/";
// HTTP_HOST is whatever Host header the client sent; only use it in a file
// name if the server is configured to accept a fixed set of host names.
$dbname = $_SERVER["HTTP_HOST"]."_log.sq3";

$logdb = new PDO("sqlite:".$dbfolder.$dbname);
// throw on query errors instead of having query() silently return false
$logdb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$starttable = "<table>
<tr>
 <th>Page</th>
 <th>Counter</th>
</tr>";
$endtable = "</table>";
$tablecontents = "";
foreach ($logdb->query("SELECT * FROM hits ORDER BY counter DESC") as $row)
{
 // the page name was recorded from incoming requests, so escape it before
 // placing it in HTML
 $page = htmlspecialchars($row['page'], ENT_QUOTES, 'UTF-8');
 $tablecontents .= "
 <tr>
  <td>{$page}</td>
  <td>{$row['counter']}</td>
 </tr>";
}
echo $starttable.$tablecontents.$endtable;

// close connection
$logdb = null;
?>

Pixie – small, simple, website maker

Recently, I have been looking at Pixie, to see how it works as a simple system for managing websites. It is open source (GPL v3), written to web standards (XHTML Strict, Microformats) and powered by jQuery and PHP/MySQL. 

It consists of several page types – dynamic (blog, news), static or module (e.g. contact form, events, links etc). Plugins add additional functionality to modules (like allowing comments on blog posts). Blocks allow you to add content alongside your content (e.g. display RSS content from BBC News). 

Easy enough to extend, with detailed guides for module development (so you can create additional ones to those that are bundled with Pixie) block development and theme development

A few additional blocks I have created: News (latest content from a page named ‘news’) and Google Maps. These can then be shown on any page (so you can see news on your home page for example).

Friday, May 22, 2009

Optimizing Page Load Time: Fixing Your HTTP Pipeline Problem

Defined here by Wikipedia.org, “HTTP pipelining is a technique in which multiple HTTP requests are written out to a single socket without waiting for the corresponding responses.”

Mozilla talks a bit more about the topic: “Normally, HTTP requests are issued sequentially, with the next request being issued only after the response to the current request has been completely received. Depending on network latencies and bandwidth limitations, this can result in a significant delay before the next request is seen by the server.”

I have accepted the fact that HTTP pipelining is pretty much disabled in all modern browsers, but that doesn’t mean I have to like it!

I have a widget in Firefox that allows me to bypass this missing “feature” and it sure seems to speed up my browsing quite a bit. However, why can’t everyone get together and work this problem out so we don’t need extensions/widgets/hacks to get around the limitations?

I attempted to harass Microsoft about it and never received an answer (I didn’t really harass them per se). Firefox isn’t mum on the subject (here), but it seems to come down to compatibility issues with certain servers, routers, et cetera in some specific cases (even if the HTTP/1.1 spec allows it).

So what does a web developer do (programmatically)?

Do we just accept the fact and move on or is there something we can do about it? How can we speed up our page loads to a world that can’t use pipelining?

It turns out there is a relatively simple way to “fake HTTP pipelining”. When I read through the article “Optimizing Page Load Time”, I had a very revealing moment of self-inflicted disrespect. The solution is so obvious, but it never dawned on me previously. Why not simply source content on the page from different locations? It doesn’t even have to be different servers, just different domains. Pretty simple, right?

For example, we could do something like this for a single web page:

- Static Images: images.ashishlakhotia.com
- Javascript Includes: includes.ashishlakhotia.com
- CSS: css.ashishlakhotia.com
- Static Content: static.ashishlakhotia.com
- Dynamic Content: dynamic.ashishlakhotia.com

Now this is a pretty extreme example that I wouldn’t recommend for production (except in very specific cases), but let me explain what happens in simple terms. Instead of your browser making a request to one domain for all the content, data, files, and everything for a page, it splits up the requests amongst the various sub-domains (which could be hosted separately or together).

What does splitting up the content get us?

The advantage is that the browser isn’t sitting around waiting on previous requests to complete before moving on to the next item. It really only makes sense for larger pages. In fact there is a drawback, according to Aaron, “Beware that each additional hostname adds the overhead of an extra DNS lookup and an extra TCP three-way handshake. If your users have pipelining enabled or a given page loads fewer than around a dozen objects, they will see no benefit from the increased concurrency and the site may actually load more slowly. The benefits only become apparent on pages with larger numbers of objects. Be sure to measure the difference seen by your users if you implement this.”
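The piece the list above leaves out is how to decide which hostname each file goes to. The following is an added example, not code from the original post or from the Optimizing Page Load Time article: it picks a shard for each asset path deterministically (so the same file always gets the same URL and stays cacheable) and falls back to a single host for pages with fewer objects than the threshold Aaron's caveat describes. The hostnames, the 12-object threshold and the sample image list are constructed placeholders.

```php
<?php
// Added example (not code from the original post): choose the hostname for
// each static asset deterministically, so a given file always lands on the
// same shard and the browser's cached copy stays valid from page to page.
// The shard hostnames are placeholders modelled on the post's list.

function shardIndex(string $path, int $shardCount): int
{
    // crc32 of the path is stable across requests; abs() guards against the
    // negative values 32-bit PHP builds can return. A random pick would also
    // spread requests, but would give the file a new URL every time and
    // defeat caching.
    return abs(crc32($path)) % $shardCount;
}

function assetUrl(string $path, array $shards, string $scheme = 'http'): string
{
    $host = $shards[shardIndex($path, count($shards))];
    return $scheme . '://' . $host . '/' . ltrim($path, '/');
}

// Shard only when it is worth it: each extra host costs a DNS lookup and a
// TCP handshake, so small pages stay on the single fallback host.
function assetUrls(array $paths, array $shards, string $fallbackHost, int $minObjects = 12): array
{
    if (count($paths) < $minObjects) {
        $shards = [$fallbackHost];
    }
    $urls = [];
    foreach ($paths as $path) {
        $urls[$path] = assetUrl($path, $shards);
    }
    return $urls;
}

// Constructed sample page with more than a dozen images, so sharding applies.
$imageShards = ['images1.example.com', 'images2.example.com', 'images3.example.com'];
$images = [];
for ($i = 1; $i <= 15; $i++) {
    $images[] = "/img/photo$i.jpg";
}
foreach (assetUrls($images, $imageShards, 'www.example.com') as $path => $url) {
    echo $url, "\n";
}
```

Run it with the php command-line binary. Every generated URL for a given path is identical on every run, which is the property that matters: if the shard were chosen per request, each page view would ask the browser to fetch the same image from a different hostname and the cache would never hit.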

Perhaps now you can consider playing around with this idea a bit on your own. Given plenty of tinkering time and careful examination, it could help decrease page load times noticeably.

If you’d like some more tips on this subject, check out Optimizing Page Load Time.

PHP Security - Ensuring A Safe PHP Setup

One of the inherent flaws with any popular web language like PHP is the serious potential for security vulnerabilities from improperly set up installations and servers. Although ensuring a secure server installation (whether Apache or IIS) is extremely important, that process is outside the scope of this article.

Instead, I’d like to recommend one simple tool that should enable you to proactively plug most “holes” in your PHP setup.

The ironic part about this article is that just a short while ago I thought I had everything “plugged” myself. I had done my reading up on PHP security and felt confident that I had a secure setup. Unfortunately, in an upgrade to a more recent PHP version, I accidentally overwrote my “secure” php.ini from the previous install. This caused one particular web site to be infiltrated by a nefarious ‘hacker’. Fortunately, there was no serious damage and I quickly found the problem.

However, if I had dropped PhpSecInfo onto the server and checked it out before going live, I would’ve immediately known there was a problem.

So here’s how it works: PhpSecInfo is just a single script and a small library that does the work. You simply drop the PHP files onto your server and execute index.php in your browser. You’ll be treated with a nice looking, clean, and easy-to-understand table of security information about your current PHP setup.

There are a mighty large number of security tests performed and all you have to do is analyze the results. Using the highly familiar red, yellow, green color schemes (from stop lights)… you know which tests have failed miserably, which ones you should probably check on, and which ones you can safely ignore. I realize that it’s not the end-all security check-up for a PHP installation, but I think it’s truly helpful to anyone operating a public facing PHP web server.
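To give a feel for what one of those tests looks like, here is an added example that is not PhpSecInfo's own code: it reads a handful of php.ini settings with ini_get() and grades each one red, yellow or green. Which settings are checked and what counts as safe are this example's own choices, not the tool's list.

```php
<?php
// Added example (not PhpSecInfo's code): the kind of test such a tool runs,
// reading php.ini settings with ini_get() and grading each one. The settings
// checked and the values treated as safe are this example's own choices.

function iniEnabled(string $name): bool
{
    // ini_get() returns strings such as "1", "On", "" or "0"; normalise them
    return in_array(strtolower((string) ini_get($name)), ['1', 'on', 'yes', 'true'], true);
}

// Each check returns [grade, reason]: GREEN passes, YELLOW deserves a look, RED fails.
function phpSetupChecks(): array
{
    $checks = [];

    $checks['display_errors'] = iniEnabled('display_errors')
        ? ['RED', 'error messages (file paths, SQL) are shown to visitors']
        : ['GREEN', 'errors are not displayed to visitors'];

    $checks['expose_php'] = iniEnabled('expose_php')
        ? ['YELLOW', 'X-Powered-By header reveals the PHP version']
        : ['GREEN', 'PHP version is not advertised'];

    $checks['allow_url_include'] = iniEnabled('allow_url_include')
        ? ['RED', 'include()/require() will fetch remote URLs']
        : ['GREEN', 'include() is limited to local files'];

    $checks['allow_url_fopen'] = iniEnabled('allow_url_fopen')
        ? ['YELLOW', 'fopen()/file_get_contents() accept URLs; disable if unused']
        : ['GREEN', 'file functions do not fetch URLs'];

    $baseDir = ini_get('open_basedir');
    $checks['open_basedir'] = ($baseDir === '' || $baseDir === false)
        ? ['YELLOW', 'scripts may read any file the web server user can']
        : ['GREEN', 'file access restricted to ' . $baseDir];

    return $checks;
}

foreach (phpSetupChecks() as $setting => [$grade, $reason]) {
    printf("%-7s %-18s %s\n", $grade, $setting, $reason);
}
```

Run it through the web server rather than the command line when checking a live setup, since the CLI binary usually reads a different php.ini than the Apache or IIS module does; that difference is exactly the sort of thing that went wrong in the upgrade described above.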

So, if you’re interested, check out PhpSecInfo from the PHP Security Consortium.

Whether or not you make any changes to your setup, it’s always good to be aware of your vulnerabilities. Oh yeah, it’s also totally free!

JQuery: The Best Javascript Library?

After stumbling across this article, I was in awe to see what has recently transpired in the world of Javascript libraries/frameworks. I had recently fallen in love with Yahoo UI, but I was truly surprised to see that jQuery has gained remarkable traction in the market.

According to This Google Trend, it has leaped far ahead of even script.aculo.us in raw search volume. This is a particularly good sign for jQuery. As search volume increases, so will the number of pages related to jQuery, obviously, and vice versa.

In my experience, rapidly growing popularity is usually a pretty good sign of success for an open-source project. If problems exist with the project, usually the overwhelming interest helps to spur on solutions and increase the capability of the product because of the massive interest. I’ve seen this same trend previously with CakePHP, an excellent framework alternative for PHP based loosely off of Ruby on Rails.

Regardless, it appears that I will start learning jQuery. Even if it turns out to lose the “battle”, it can’t hurt to learn more about advanced javascript without being forced to climb a steep learning curve.

And truthfully, if this popularity trend continues, I think it’s safe to say jQuery is here to stay.

jQuery.com if interested.

Did you know that PHP has some pretty powerful type casting functionality built in? It’s no surprise if you comprehend the roots of PHP (since it’s written in C), but I can’t help but think that casting is an often-missed tool when a PHP developer is trying to ensure data integrity.

Just for a moment, let me define type casting in case you weren’t “in the know”:

According to Wikipedia, “in computer science, type conversion or typecasting refers to changing an entity of one data type into another.”

So, in layman’s terms, casting is an easy way to turn one type of data into another. For example: converting a “string” variable filled with text into an integer variable containing the same digits but now representing a numeric value. This makes it easy to do math with the value of what once was just a string of characters.

The following cast types are allowed in PHP:

  • String - (string)
  • Boolean - (bool), (boolean)
  • Integer - (int), (integer)
  • Binary - (binary) [PHP 6]
  • Floating Point - (float), (double), (real)
  • Array - (array)
  • Object - (object)

So, in the real world, when does casting actually come in handy?

Normally, PHP handles all this stuff automatically behind the scenes. But, as is normal, dealing with MySQL database interaction is something to always take seriously — and type casting can help you out!

We’re going to assume you aren’t using PDO prepared statements (though you should be). As a PHP developer, a major part of your job is containing the inherent security risks of user input. It’s especially important when these inputs interact directly with the database.

So, your simplified (e.g. - don’t complain) database interaction code might look something like this:

$id = mysql_real_escape_string($_POST['input']);
$SQL = 'SELECT * FROM table WHERE id = ' . $id;

Call me an overly nervous Ned, but I’d prefer to use the following code:

$id = mysql_real_escape_string($_POST['input']);
$SQL = 'SELECT * FROM table WHERE id = ' . (int)$id;

Did you notice the subtle change? See the ‘int’ cast of the $id in the SQL statement?

This should certainly help to ensure that I haven’t missed any security holes for this query. Some might say it’s overkill, but I just wanted a simple explanation for using casting, so get off your almighty soapbox already.
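Here is why the cast matters, as an added example that is not code from the original post: the same query run three ways against a throwaway database, with plain concatenation, with the (int) cast, and with a PDO prepared statement of the kind the SQLite post above uses. It uses an in-memory SQLite database through PDO instead of MySQL so it runs stand-alone (mysql_real_escape_string is left out because there is no MySQL connection to escape for); the table, its rows and the hostile input are all constructed here.

```php
<?php
// Added example (not code from the original post): the unquoted-number
// injection the (int) cast defends against, beside a PDO prepared statement.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; the
// table, rows and the hostile input are all constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (1, 'one'), (2, 'two'), (3, 'three')");

// Constructed hostile input. Escaping quotes does not help here because the
// value is never inside quotes in the SQL; it is spliced in as a bare number.
$input = '1 OR 1=1';

// Plain concatenation: the WHERE clause becomes "id = 1 OR 1=1" and matches every row.
function concatQuery(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM items WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The post's (int) cast: PHP keeps the leading digits and drops the rest,
// so '1 OR 1=1' becomes 1 and at most one row can match.
function castQuery(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM items WHERE id = ' . (int)$id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement with a typed parameter: the value travels separately
// from the SQL text, so it can never change the query's structure.
function preparedQuery(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated: %d row(s)\n", count(concatQuery($db, $input)));
printf("(int) cast:   %d row(s)\n", count(castQuery($db, $input)));
printf("prepared:     %d row(s)\n", count(preparedQuery($db, $input)));
```

Run with the php command-line binary (it needs the pdo_sqlite extension). The concatenated query returns all three rows, while the cast and the prepared statement each return only the row with id 1. The cast works because an integer cannot carry SQL syntax; the prepared statement works for any column type, which is why it is the better habit even where a cast would do.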

Anyways, as you can see, type casting in PHP has real-world uses. Delve into type casting a little more and you’ll find a huge number of cases where it can make your code that much more bullet-proof.

So seriously, try out PHP Type Casting.

Open-Source vs. Home-Brewed PHP CMS

I’ve had a slew of requests lately from clients needing small web sites they can manage themselves (mostly small businesses).


Truthfully though, I simply prefer the client to manage their content themselves; so essentially we are looking at content management systems (CMS). I’ve had some mild success with CakePHP using my own “home-brewed” CMS for a few sites (thanks for the help Arthur). It works pretty well, but I keep wondering if I’m just reinventing the wheel by building a CMS myself.

So, after weighing the options, here’s my general winner/loser comparison:

Admin Interface Flexibility

  • Home-Brewed CMS
    • I can create an extremely simple administrative side, one that is logical for the client. This allows me to create a dynamic and powerful site, but still allow the client to manage it. I think this aspect is extremely important and often-overlooked in most CMS’s.

  • Open-Source CMS
    • Most of the good ones have too many features for the average client I see. They tend to allow extreme flexibility on the public side of the site (obviously important), but there is little or no flexibility on what admin functions are available. Basically, I need something that is simple to administrate, but has “advanced” options hidden away somewhere. It’s great to have a lot of complex configuration settings for design and administration, but not if that means the client will be calling me every day for help adding a new employee.

      Winner: Home-Brewed CMS

Relative Costs

  • Home-Brewed CMS
    • It will certainly take some time to develop this product fully on my own. Calling this time “free” isn’t particularly accurate when my time could be spent making money in other ways. However, doing it on my own does guarantee I won’t ever run into any licensing or “upgrade pricing” issues in the future.

  • Open-Source CMS
    • Free (mostly GPL) and generally easy to resell. There might be some issues with licensing in the future, but for the most part, pretty doubtful.

      Winner: Open-Source CMS

Learning Curve

  • Home-Brewed CMS
    • Obviously becoming a relative expert of my own software is a fairly easy goal. However, the other consideration is the effort required for my graphic designer to adapt to my CMS. In general, it probably wouldn’t be much of a concern in a home-brewed situation (because I can be flexible).

  • Open-Source CMS
    • Certainly a learning curve involved in becoming an expert. Knowing how to install & configure the CMS properly is one aspect, but I’m much more concerned about digging into the code. If I have an issue and I REALLY need it solved, it might be nearly impossible for me to figure out how to solve it quickly. On top of that, it’s likely the templating system the CMS uses would have a bit of a learning curve for my graphic designer.

      Winner: Home-Brewed CMS

Testing, Security, And Debugging

  • Home-Brewed CMS
    • It’s extremely important to plan for and spend a considerable amount of time testing and debugging. In fact, on most projects, I spend a majority of my time testing. With that being said, the amount of time it would take me to fully test, debug, and check for holes in my own CMS… well, it would consume my life for a very long time. Even after that, there’s very little certainty that I would’ve done a good enough job. It’s just tough to compete with the experienced developers out there who have real-world ideas on things I haven’t thought of yet.

  • Open-Source CMS
    • A single programmer simply cannot compete with open-source testing and debugging of a project. Multiple configurations, multiple types of hardware, multiple security situations… the combinations are mind-boggling. Plus, these projects are frequented by people who are insanely talented experts in areas such as database design, Javascript, XML, and even PHP. I have a good basis in all this stuff, but these people use their hoards of pent-up knowledge to help the project achieve much more than I could have on my own… especially in the testing & debugging arena.

      Winner: Open-Source CMS

Future Growth (Extensibility)

  • Home-Brewed CMS
    • I just have to face it: my own CMS will require constant maintenance and changes as it grows and evolves over the years. I will be rebuilding it constantly and reworking it to solve bugs, issues, and new features.

  • Open-Source CMS
    • The growth and expansion factor is built-in. New versions will be coming out consistently and will require little or no work on my part (except for dealing with upgrade bugs).

      Winner: Open-Source CMS

Extendability

  • Home-Brewed CMS
    • Not quite as easy as it could be with an open-source system. With the exception of JS scripts and PHP frameworks, cool new features are going to require blood, sweat, and tears on my part.

  • Open-Source CMS
    • The clear winner. It doesn’t take long exploring any of the major CMS extension pages to realize the immense number of plugins available to achieve almost any goal. In fact, I was almost overwhelmed with the number of choices.

      Winner: Open-Source CMS

Monetary Viability

  • Home-Brewed CMS
    • This is an awkward issue to discuss, but essentially, I am more valuable and can charge more to develop/use my own CMS. It comes down to billable hours and it just takes more to go with the home-brewed route.

  • Open-Source CMS
    • Yes, I know I can still charge the same amount for an open-source CMS, but somehow I just don’t think it will work out that way. Just call it a hunch I suppose, but using a pre-existing system just isn’t as valuable (though I realize that for the most part most clients wouldn’t know or care about the difference). Maybe it’s just my conscience?

      Winner: Home-Brewed CMS

So, by adding up the wins and losses, it appears that the open-source content management system has won the battle, but by just a hair.

Stay tuned for further articles as I delve into reviewing the major open-source PHP-based content management systems currently available. I might be proven completely wrong once I really start delving into them again, but I hope that’s just my pessimistic nature.

Tuesday, March 24, 2009

Installing CakePHP



Over the past few months I have been getting to grips with CakePHP, a rapid development framework written in PHP that uses the Model, View, Controller (MVC) software design pattern. If you are a PHP programmer then give this framework a try because quite frankly it’s the bee’s knees.

Although it does have quite a steep learning curve once you become familiar with the concepts it will help to improve your programming skills and will also get your database-driven websites up and running extremely quickly. This post is going to be the first of many regarding CakePHP and my plan is to release posts quite regularly that build upon the Blog tutorial found in the manual.
Downloading and Installing CakePHP

Currently there are 2 versions of CakePHP available, 1.1 and 1.2. Version 1.2 is in a pre-beta stage and limited documentation exists, so I’m going to be dealing with the stable 1.1 release. Go to the download page and grab the 1.1 zip file. Extract the files to a folder in your local web server (read my previous post about setting one up). I’ve renamed the folder to “cakephp”, and inside you will have a number of folders and files including “app”, “cake”, “docs”, “vendors”, “.htaccess” and “index.php”.



One of the first things you should do when starting with CakePHP is read the manual, especially the first few chapters about the basic concepts and installation. It will help to get your head around everything and although things may seem confusing at first it does get easier.

I set up CakePHP to use the production setup right from the start; this makes everything easier when you need to upload your finished site. I do this by setting up a virtual host.
Setting up a Virtual Host

I’m running the excellent Xampp webserver and I use virtual hosts for developing all my websites. Open the Apache Virtual Host file (located at C:\server_directory\apache\conf\extra\httpd-vhosts.conf) and create a new host:

<VirtualHost *:80>
 DocumentRoot C:/server/htdocs/cakephp/app/webroot
 ServerName cakephp:80
</VirtualHost>



Don’t forget to add “cakephp” to your hosts file (C:\windows\system32\drivers\etc\hosts), restart your webserver if you already have it running, and you will be able to access your new installation of CakePHP by going to “http://cakephp” in your browser.
Mod_Rewrite

Just a quick note on mod_rewrite: if you have installed Xampp as your local server or use Apache then it’s best if you enable mod_rewrite. Simply open the “httpd.conf” file located at “C:\server\apache\conf” and uncomment the following line by removing the ‘#’ symbol:

#LoadModule rewrite_module modules/mod_rewrite.so


There is some more information regarding mod_rewrite in Section 5 of the “Installing CakePHP” part of the manual. Remember to restart Apache when you make any changes like this.
Testing CakePHP in your Browser

If you have set everything up correctly then you should see a CakePHP page when you go to “http://cakephp”. If you are not seeing any images or CSS styling then make sure that you have mod_rewrite enabled and that your virtual host is pointing to the “/app/webroot” directory (with no trailing slash). The page is telling you that you have not set up your database configuration file, so we will be doing this next.
Setting up the Database Connection

The database configuration file is located at “C:\server\htdocs\cakephp\app\config”. Rename the “database.php.default” file to “database.php” and open it in your editor. You need to enter your database username, password and database name into the “$default” connection. If you have not yet created a new database, open phpMyAdmin in a browser and create one; it doesn’t really matter what you call it, but I’ve created one called “cakephp”.

Reload “http://cakephp” in your browser and CakePHP will now be able to see your database configuration file and it will also be able to connect to your database. Everything is looking good and you now have a fresh install of CakePHP up and running on your local web server.

Monday, March 23, 2009

Microsoft to Release !exploitable Crash Analyzer as an Open Source Tool and more …

On Friday, March 20, Microsoft’s Security Science team will release the !exploitable Crash Analyzer tool as an open source tool on CodePlex at CanSecWest in Vancouver, British Columbia. The tool will be available as a free download on the Microsoft Security Engineering Center (MSEC) Web site, http://www.microsoft.com/security/msec, later that day.

!exploitable Crash Analyzer is a Windows Debugger extension that determines the uniqueness of crashes produced during development and testing, identifying those that have security implications and how exploitable they are. For more information, including a fact sheet on the tool, please visit Press Pass, http://www.microsoft.com/presspass/newsroom/security/default.mspx.

The Security Science group is part of Microsoft’s Trustworthy Computing organization, focused on protecting its customers and the industry by improving the security of Microsoft products, services and platforms through applied security research. This group of researchers and developers tracks and provides early warnings for new exploits, develops more effective ways to find vulnerabilities, and, using its internal research, integrates exploit mitigation techniques and tools into Microsoft products and, in some cases, shares those tools with the broader industry.

Additionally, Trustworthy Computing will give two other presentations at the event focused on the Security Science team’s exploit mitigations, how they have been employed, why they were chosen, and how Microsoft systematically thinks about mitigations coverage.

About Enhanced GS

Enhanced GS is a mitigation designed to make it harder to exploit security vulnerabilities when they occur.

/GS (pronounced “slash GS”) is the current buffer security check feature of the Microsoft Visual Studio C++ compiler. It detects common classes of stack buffer overruns by injecting a security cookie check into functions compiled with this option. Enhanced GS is the enhanced version of /GS that improves stack buffer overflow mitigation by analyzing and helping protect more functions.

Enhanced GS does deeper function analysis than /GS. Enhanced GS more accurately identifies potential hazards, thus making vulnerabilities more difficult to exploit when they occur. This enhancement enables protection to be deployed in the right places and reduces redundant protections.
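To make concrete what the /GS check described above does, and what it does not do, here is an added C illustration. It is not Microsoft’s code and not the real MSVC prologue and epilogue: the stack frame is modelled as an explicit struct so the layout is deterministic and portable, the cookie constant and the placeholder return-address value are assumptions, and the function reports the outcome instead of terminating so it can be exercised repeatedly. The third case shows why the cookie must be unpredictable: an attacker who knows its value can overwrite it with itself and reach the return address undetected, which is also why a cookie alone never catches overwrites that do not cross it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration of a /GS-style stack cookie check (added example, not
 * MSVC's real prologue/epilogue). MSVC places a per-module random cookie
 * between a function's local buffers and its saved return address and
 * compares it before returning. Here the frame is an explicit struct so
 * that the layout is deterministic and portable across compilers. */

#define BUF_SIZE 16

/* Stand-in for __security_cookie; MSVC randomises it at load time.
 * Fixed here (assumption) so the demonstration is repeatable. */
static const uint32_t security_cookie = 0x2B992DDFu;

struct gs_frame {
    char buf[BUF_SIZE];    /* local buffer: the overflow source */
    uint32_t cookie;       /* /GS cookie, placed above the buffers */
    uintptr_t saved_ret;   /* stand-in for the saved return address */
};

enum gs_result {
    GS_OK = 0,           /* copy stayed inside the buffer */
    GS_COOKIE_FIRED = 1, /* epilogue check would call __report_gsfailure */
    GS_BYPASSED = 2      /* return address changed but cookie still intact */
};

/* Copies len bytes of untrusted input into a fixed stack buffer with no
 * bounds check (the bug class /GS mitigates), then performs the cookie
 * comparison a /GS epilogue would. Returns which outcome occurred
 * instead of terminating the process. */
enum gs_result copy_with_gs_check(const unsigned char *input, size_t len)
{
    struct gs_frame f;
    const uintptr_t original_ret = 0x41414141u;  /* placeholder (assumption) */

    f.cookie = security_cookie;   /* prologue: store the cookie */
    f.saved_ret = original_ret;

    /* The overrun: the copy goes through a byte pointer to the whole
     * frame, so len > BUF_SIZE clobbers the cookie and then the saved
     * return address. Clamped to the frame size only so that the demo
     * itself stays defined behaviour. */
    if (len > sizeof f) {
        len = sizeof f;
    }
    memcpy((unsigned char *)&f, input, len);

    /* Epilogue: the cookie is verified before the return address is used. */
    if (f.cookie != security_cookie) {
        return GS_COOKIE_FIRED;
    }
    if (f.saved_ret != original_ret) {
        return GS_BYPASSED;   /* what the cookie alone cannot catch */
    }
    return GS_OK;
}

/* Builds the input an attacker who has learned the cookie value would
 * send: fills the buffer, writes the correct cookie bytes at the right
 * offset, then overwrites the saved return address. Returns the result. */
enum gs_result demo_known_cookie(void)
{
    unsigned char payload[sizeof(struct gs_frame)];
    memset(payload, 'B', sizeof payload);
    memcpy(payload + offsetof(struct gs_frame, cookie),
           &security_cookie, sizeof security_cookie);
    return copy_with_gs_check(payload, sizeof payload);
}

int main(void)
{
    unsigned char fits[BUF_SIZE];
    unsigned char overrun[BUF_SIZE + 4];

    memset(fits, 'A', sizeof fits);
    memset(overrun, 'A', sizeof overrun);

    printf("in-bounds copy:            %d\n", copy_with_gs_check(fits, sizeof fits));
    printf("linear overrun (AAAA...):  %d\n", copy_with_gs_check(overrun, sizeof overrun));
    printf("overrun with known cookie: %d\n", demo_known_cookie());
    return 0;
}
```

Build it with any C99 compiler (for example `cc -std=c99 -Wall` on the file) and run it; the first copy returns 0, the 20-byte overrun returns 1 because the bytes that land on the cookie differ from the stored value, and the forged payload returns 2. The real compiler does the same comparison against a value chosen at load time, so the third outcome depends on the attacker first leaking the cookie, typically through a separate information disclosure bug.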

Tool Release

Microsoft Corp. plans to release Enhanced GS to developers in Visual Studio 2010. In addition, Enhanced GS will be included in the Security Development Lifecycle after it is released with Visual Studio 2010.

Given that Enhanced GS is an update of the current compiler, anyone who receives the compiler update will get the new version, Enhanced GS.

Benefits

Microsoft and third-party developers will use this built-in mitigation whenever they use Visual Studio 2010. Customers will benefit from more secure products. Products built with the new Enhanced GS will be less vulnerable to buffer overflows as there will be fewer exploitable stack overflow vulnerabilities.

Microsoft plans to release this mitigation with Visual Studio 2010, which means customers will see the benefit when the next wave of products comes out after Visual Studio 2010 is released.

Monday, January 12, 2009

The History of Valentine's Day

Every February, across the country, candy, flowers, and gifts are exchanged between loved ones, all in the name of St. Valentine. But who is this mysterious saint and why do we celebrate this holiday? The history of Valentine's Day -- and its patron saint -- is shrouded in mystery. But we do know that February has long been a month of romance. St. Valentine's Day, as we know it today, contains vestiges of both Christian and ancient Roman tradition. So, who was Saint Valentine and how did he become associated with this ancient rite? Today, the Catholic Church recognizes at least three different saints named Valentine or Valentinus, all of whom were martyred.

One legend contends that Valentine was a priest who served during the third century in Rome. When Emperor Claudius II decided that single men made better soldiers than those with wives and families, he outlawed marriage for young men -- his crop of potential soldiers. Valentine, realizing the injustice of the decree, defied Claudius and continued to perform marriages for young lovers in secret. When Valentine's actions were discovered, Claudius ordered that he be put to death.

Other stories suggest that Valentine may have been killed for attempting to help Christians escape harsh Roman prisons where they were often beaten and tortured.

According to one legend, Valentine actually sent the first 'valentine' greeting himself. While in prison, it is believed that Valentine fell in love with a young girl -- who may have been his jailor's daughter -- who visited him during his confinement. Before his death, it is alleged that he wrote her a letter, which he signed 'From your Valentine,' an expression that is still in use today. Although the truth behind the Valentine legends is murky, the stories certainly emphasize his appeal as a sympathetic, heroic, and, most importantly, romantic figure. It's no surprise that by the Middle Ages, Valentine was one of the most popular saints in England and France.

While some believe that Valentine's Day is celebrated in the middle of February to commemorate the anniversary of Valentine's death or burial -- which probably occurred around 270 A.D -- others claim that the Christian church may have decided to celebrate Valentine's feast day in the middle of February in an effort to 'christianize' celebrations of the pagan Lupercalia festival. In ancient Rome, February was the official beginning of spring and was considered a time for purification. Houses were ritually cleansed by sweeping them out and then sprinkling salt and a type of wheat called spelt throughout their interiors. Lupercalia, which began at the ides of February, February 15, was a fertility festival dedicated to Faunus, the Roman god of agriculture, as well as to the Roman founders Romulus and Remus.

To begin the festival, members of the Luperci, an order of Roman priests, would gather at the sacred cave where the infants Romulus and Remus, the founders of Rome, were believed to have been cared for by a she-wolf or lupa. The priests would then sacrifice a goat, for fertility, and a dog, for purification.

The boys then sliced the goat's hide into strips, dipped them in the sacrificial blood and took to the streets, gently slapping both women and fields of crops with the goathide strips. Far from being fearful, Roman women welcomed being touched with the hides because it was believed the strips would make them more fertile in the coming year. Later in the day, according to legend, all the young women in the city would place their names in a big urn. The city's bachelors would then each choose a name out of the urn and become paired for the year with his chosen woman. These matches often ended in marriage.

Pope Gelasius declared February 14 St. Valentine's Day around 498 A.D. The Roman 'lottery' system for romantic pairing was deemed un-Christian and outlawed. Later, during the Middle Ages, it was commonly believed in France and England that February 14 was the beginning of birds' mating season, which added to the idea that the middle of February -- Valentine's Day -- should be a day for romance.

The oldest known valentine still in existence today was a poem written by Charles, Duke of Orleans to his wife while he was imprisoned in the Tower of London following his capture at the Battle of Agincourt. The greeting, which was written in 1415, is part of the manuscript collection of the British Library in London, England. Several years later, it is believed that King Henry V hired a writer named John Lydgate to compose a valentine note to Catherine of Valois.

In Great Britain, Valentine's Day began to be popularly celebrated around the seventeenth century. By the middle of the eighteenth century, it was common for friends and lovers in all social classes to exchange small tokens of affection or handwritten notes. By the end of the century, printed cards began to replace written letters due to improvements in printing technology. Ready-made cards were an easy way for people to express their emotions in a time when direct expression of one's feelings was discouraged. Cheaper postage rates also contributed to an increase in the popularity of sending Valentine's Day greetings. Americans probably began exchanging hand-made valentines in the early 1700s. In the 1840s, Esther A. Howland began to sell the first mass-produced valentines in America.

According to the Greeting Card Association, an estimated one billion valentine cards are sent each year, making Valentine's Day the second largest card-sending holiday of the year. (An estimated 2.6 billion cards are sent for Christmas.)

Approximately 85 percent of all valentines are purchased by women. In addition to the United States, Valentine's Day is celebrated in Canada, Mexico, the United Kingdom, France, and Australia.

Valentine greetings were popular as far back as the Middle Ages (written valentines didn't begin to appear until after 1400), and the oldest known Valentine card is on display at the British Museum. The first commercial Valentine's Day greeting cards produced in the U.S. were created in the 1840s by Esther A. Howland. Howland, known as the Mother of the Valentine, made elaborate creations with real lace, ribbons and colorful pictures known as "scrap".

Thursday, January 8, 2009

INVESTMENT CLOCK

The Investment Clock – My friends at Bourse Communications investor relations services sent this over yesterday. It is the Investment Clock first published in the Evening Standard in London in 1937. The world is probably a little bit after four. In December this clock was published in the Herald Sun and it was half past one. Here are Bourse Communications’ comments on the clock, as good as (better than) anything I could write:



“Financial markets continue to be in a daily tailspin, their direction dependent on the receipt of good or bad news. The stock market remains vulnerable as many companies struggle to maintain earnings in a recessionary cycle and even the Aussie dollar has fallen substantially against the greenback. Investors should now be asking themselves, what time is it?

Investment experts have often looked to a well respected technique called The Investment Clock to work out what they should do with their money next and in order to determine where we are in the current investment cycle.

We were first introduced to The Investment Clock concept as share broking rookies in the early 1980s and were often struck by how accurate it was at predicting what might lie ahead. The real difficulty was determining exactly where the hand on the clock should be placed at any given point in time.

The Investment Clock has been around since it was established and first published in London's Evening Standard in 1937.

While not flawless, the clock often provides a useful guide for making investment decisions.

HOW TO DETERMINE THE TIME

‘The economic climate at Twelve O’clock is boom time’. At One O'clock interest rates are rising. By Two, share prices start to fall and by Three commodity prices are decreasing as un-employment levels increase. At the moment, we are seeing commodity prices fall as part of the current cycle.

At Five O’clock, real estate begins to feel the pinch and at Six O'clock it is recession time.

At Seven O'clock the Reserve Bank begins to cut interest rates to kick-start the economy and by Eight share prices, anticipating an improving economy, begin to rise.

Commodity prices perk up at Nine O'clock and, as unemployment falls, real estate makes a comeback at about Ten or Eleven O'clock.

So, what's the time right now?



We're probably well past Four O'clock, where commodity prices and overseas reserves have already begun to fall. Our currency is presently under enormous pressure and this could be followed by the labour market contracting, money getting tighter and further falls occurring in real estate. These are the classic signs of a bear market in full swing with investor sentiment on a knife's edge.

Importantly, however, time does not always divide up evenly on The Investment Clock, like a real timepiece. The actual times between Three and Six can be indirectly determined by special factors like demand for commodities, driven by China and India.

The US Central Bank and our own Reserve Bank now have a vital job - to cut rates enough to prevent a recession without letting the inflation genie come any further out of the bottle.

It is entirely your subjective judgment as to exactly what time it is now on The Investment Clock, yet this decision could prove to be very significant in terms of what might be ahead for investment markets and how this will impact on investors benefiting from getting the time right.

The following factors need to be considered in selecting the current time on The Investment Clock:

* Share prices are continuing to fall
* Many companies are finding it hard to maintain earnings and possibly their dividends over the next year or so
* Capital is now hard to raise, unless the company has or is close to achieving an earnings profile
* Investor sentiment continues to be precariously placed, with 'fear' well and truly taking over from 'greed'
* Commodity prices have now fallen significantly
* The property market is under huge pressure with clearance rates at auctions hovering around 50% and many vendors unable to sell due to unrealistic price expectations
* Retailers are having the worst time in many years as consumers have stopped spending
* The Reserve Bank has now dropped the cash rate by 300 basis points. Further easing is likely to occur up to March/April 2009
* Employment begins to be an issue with a downsizing in the labour market a real possibility
* Greater scrutiny of executive pay and a higher level of accountability expected
* Fund managers are waiting with bated breath for a signal to move from a cash weighted position back into the share market
* The inauguration of the new president in the US may well herald the commencement of the recovery cycle
* No one can accurately pick the bottom of the market. Those that get close to picking it will benefit greatly in the years ahead”


Wednesday, January 7, 2009

Google Chrome has Microsoft's code inside

A great post over at Scott Hanselman's blog goes into some detail of the Microsoft code Google has included in Chrome. It's all street-legal: the code was made available under a very permissive open source licence back in 2004, and may be the first of Microsoft's steps in that direction.
Hanselman is a senior program manager at MS, and clearly enthusiastic about the whole business. He also writes a mean blog--if you've got any curiosity about some of the gnarly bits inside Chrome, including how it works securely with multiple versions of Windows, then give this the once-over.
Even more interesting than Chrome's internals is this statement:
"One of the reasons I wanted to work for ScottGu was because of Microsoft's always improving attitude about releasing source. It's a big company and sometimes moves slow, but more people "get it" now than before."
I do so hope this is true. Can't happen quickly enough.

Tips to Protect your WiFi from hackers

1. Disable SSID broadcast. This only makes the access point less obvious to a casual scan: the SSID is still sent in clear text in probe and association frames, so a passive sniffer recovers it as soon as a legitimate client connects.
2. Enable MAC address filtering. Each network interface has a unique MAC address, and the access point can be told which ones may associate. Treat this as a speed bump rather than a control, since MAC addresses travel unencrypted over the air and are trivially changed on the attacker's card.
3. Turn on encryption, and use WPA2 (or at least WPA) rather than WEP. A WEP key can be recovered from captured traffic in minutes and should not be relied on; WPA2 with a long, random passphrase keeps traffic between a legitimate machine and the access point unreadable to anyone sniffing nearby.
4. Change the default administrator password on every access point.
5. Place access points carefully, for example in the centre of a room or office, to minimise the signal strength outside the building.

Even after following the above precautions your WiFi network could still be compromised, so you should also:

* Monitor usage of each access point. Keep a clear inventory of the access points you own, where each one sits, and which clients are expected on it, so a rogue device or an unexpected client stands out.
* Monitor the usage of the Internet link to know what traffic is going out. For example, some companies block web mail providers such as Yahoo or Hotmail, so even if an access point is compromised the intruder may not be able to use public e-mail systems through it.
* Consider a specific security policy for wireless networks. Most companies use the wired network as the primary medium in the office, while access points serve common areas like conference rooms, so stricter policies can be applied to the wireless segment than to the wired one, for instance treating it as untrusted and keeping it outside the internal network.

SpotM

IT IS better late than never for Yahoo! as the California-based Internet giant plans to launch a social networking site this year, made in India - and for India. "We will be launching our social networking platform SpotM this year," said a Yahoo official who did not wish to be identified. Yahoo already has Internet message boards like Yahoo Groups that allow users to post messages. Through this launch, the company wants to compete with the hugely popular social networking platforms Orkut and Facebook. The company's research and development centre in Bangalore has designed and tested the website. It will cater only to Indian Internet users.

Yahoo is expected to roll out an invite-only beta (trial) version soon, followed by an open-for-all community later this year. SpotM will enable a "seamless marriage" between mobile and web interfaces, the official said. It is expected to offer features like anonymous chat that will allow users to chat via text message while keeping their mobile numbers private. Gopal Krishna, vice-president and head of audience for the emerging markets, is heading the team working on SpotM.

Social networking, enabled by interactive Web 2.0 technology, lets users not just receive information from the web but also add and share content. It is expected to be one of the biggest drivers of Internet usage in the coming years. In the list of the top 10 websites in India measured by Alexa, which provides information on web traffic, Google leads, followed by Yahoo, in terms of both traffic and page views. Interestingly, Google's other content-sharing sites such as Orkut and YouTube also feature on the list, while there is none that Yahoo can claim.

Noah in 2009

In the year 2009, the Lord came unto Noah, who was now living in the United States, and said, "Once again, the earth has become wicked and over-populated, and I see the end of all flesh before me. Build another Ark and save 2 of every living thing along with a few good humans."

He gave Noah the blueprints, saying, "You have 6 months to build the Ark before I will start the unending rain for 40 days and 40 nights."

Six months later, the Lord looked down and saw Noah weeping in his yard - but no Ark.

"Noah!" He roared, "I'm about to start the rain! Where is the Ark?"

"Forgive me, Lord," begged Noah, "but things have changed. I needed a building permit. I've been arguing with the inspector about the need for a sprinkler system. My neighbors claim that I've violated the neighborhood zoning laws by building the Ark in my yard and exceeding the height limitations. We had to go to the Development Appeal Board for a decision.

Then the Department of Transportation demanded a bond be posted for the future costs of moving power lines and other overhead obstructions, to clear the passage for the Ark's move to the sea. I told them that the sea would be coming to us, but they would hear nothing of it.

Getting the wood was another problem. There's a ban on cutting local trees in order to save the spotted owl. I tried to convince the environmentalists that I needed the wood to save the owls - but no go!

When I started gathering the animals, an animal rights group sued me. They insisted that I was confining wild animals against their will. They argued the accommodation was too restrictive, and it was cruel and inhumane to put so many animals in a confined space.

Then the EPA ruled that I couldn't build the Ark until they'd conducted an environmental impact study on your proposed flood.

I'm still trying to resolve a complaint with the Human Rights Commission on how many minorities I'm supposed to hire for my building crew. Immigration and Naturalization is checking the green-card status of most of the people who want to work. The trades unions say I can't use my sons. They insist I have to hire only Union workers with Ark-building experience.

To make matters worse, the IRS seized all my assets, claiming I'm trying to leave the country illegally with endangered species.

So, forgive me, Lord, but it would take at least 10 years for me to finish this Ark."

Suddenly the skies cleared, the sun began to shine, and a rainbow stretched across the sky. Noah looked up in wonder and asked, "You mean you're not going to destroy the world?"

"No," said the Lord. "The government beat me to it."