Guide to SMS and Texting Addresses

As a public service, here is a guide to sending text messages between various phone network providers. Please don’t send this to my niece! Thanks to Dave Nathanson for collecting these.

AT&T Wireless
(your number)

(your number)

(your number)

(your number)

(your number)

(your number)
(if you set up a name, it is

(your number)

SQL Injection Resources

I am doing some research for a client and writing a paper on SQL Injection and what you can do to prevent this well-known exploit. Here are some of the more useful resources that I have found. If you know of others, plmk.

  1. SQL injection isn’t new. The earliest mention that we could find was an article in Phrack magazine by “Rainforest puppy” that was published in 1998!
  2. A basic step-by-step introduction on the topic, showing you how to assemble information on a target’s data structure using a simple Web form by Steve Friedl (Jan 2005).
  3. Oracle-specific examples of SQL injection from Security Focus (Nov 2001) and (Jan 2004) contain lots of good information for other types of SQL servers as well.
  4. SPIDynamics’ white paper on the subject goes beyond the basics (Sept 2005).
  5. A more complete step-by-step walkthrough of various exploits.
  6. Another complete walkthrough of exploits, along with a nice description at the end of the paper of methods to lock down your SQL Server (2002).
  7. A more general resource on SQL Server security, including articles, free assessment tools and a nice lockdown script, all from Chip Andrews.
  8. ODBC error messages by David Litchfield, given at a Black Hat conference.
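The two points the resources above keep returning to, that spliced-in input rewrites the query and that raw database errors leak structure to the form, can be seen side by side in a small added example (mine, not from any of the papers listed). It uses Python's sqlite3 with a constructed `users` table; the `lookup_*` function names are hypothetical.

```python
"""Added example: the same input run against a string-concatenated query
and a parameterized one. sqlite3 keeps it runnable offline; the table and
rows are constructed sample data, not from any real system."""
import sqlite3


def make_db():
    # Constructed stand-in for a login/lookup table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    # The defect the papers describe: user input becomes part of the SQL
    # text, so a quote character in `name` changes the query's structure.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The fix: the driver sends the value separately from the statement, so
    # it can only ever be compared as a literal name, quotes included.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (vulnerable result or its error text, safe result) for one input."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        # This raw error text is exactly what the ODBC-error-message papers
        # rely on: log it server-side, never echo it back to the web form.
        vuln = f"ERROR: {exc}"
    return vuln, lookup_safe(conn, name)


if __name__ == "__main__":
    # A normal name, a structure-changing input, and a malformed one.
    for probe in ["alice", "' OR '1'='1", "alice'"]:
        print(repr(probe), "->", compare(probe))
```

Against the concatenated query the second probe returns every row and the third produces a syntax error that names the offending token; the parameterized query returns one row, none, and none.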

Grading various browsers

Nate Koechley, a senior Web developer at Yahoo, has written an interesting paper that describes Yahoo’s efforts toward supporting various browsers on their site. He groups all 10,000-plus versions of browsers into three different categories: C, A, and X. The A grade ones are the most modern and the ones that are the most capable of delivering an advanced Web experience.

I like what he says. I never was happy with “this page best viewed by this browser” buttons that cropped up in the late 1990s. And as the browsing experience becomes more complex with all sorts of tie-ins, helper apps, and new ancillary software programs, it is nice to have a statement of direction on the issue.

Application Mobility Strategies at Interop Vegas May 06

What does it take to make an application mobile? This session will examine possible strategic directions for remote access and distributed applications in a mobile and wireless environment. We will also look at available tools to implement mobile applications, common design and deployment pitfalls and the network and subscriber-unit requirements. I will be moderating this panel, along with participating in the Best of Interop judging. This session will be held in Vegas on Tuesday, 2 May from 3:30-4:30pm.

The End of Active X and the Microsoft Internet

Microsoft’s attempts to take control over dynamic Web content are officially over. My proclamation comes after hearing from Marty Focazio, who works for The company offers a service for users to quickly create, package and publish their own dynamic content, such as e-Learning Programs, video seminars and multimedia presentations.

Marty is just one of many people who are changing their Web sites over from Active X and popups to display dynamic and interactive content. I’ll let him explain.

While I was not here when that decision was made, I am faced with dealing with the downstream effects of having a service that won't run on Firefox, occasionally requires the installation of an Active-X control, is Mac-hostile and requires people to explicitly allow pop-ups. So what's the alternative? In a word, Ajax.

In many ways, we have to go Ajax, just to reach our corporate customers, because we're seeing flat-out bans on Active-X, a pretty substantial move away from IE, and an increasing number of Mac systems. Not to mention that a site that uses unrequested pop-ups, whether it's our own or the US Postal Service, can't be around that much longer. So we're fixing these issues. It's not pleasant and it's not fun.

The reasons for the use of Active-X and Pop-ups were essentially that the user needed to be able to interact with the server and stored data in a way that wasn't really possible without Active-X, or at least not to the level of interaction that's more like a "local" application, in terms of things you can do with the data on your computer and on the web server.

For example, we have a really nice text editor - word processor, really, that is pretty much the same as the Writely product Google recently bought. But again, that's an Active-X control, not an Ajax-y thing, so that's gotta go. That's the root of the issue -- our application lets people create online versions of their courses, events and presentations, and there's a huge amount of data interaction involved, so the ability to extend the user's computer into our servers and vice versa is at the heart of the matter.

In the end, it's kind of the whole "network is the computer" model that's making Ajax compelling for us. Yeah, that's old news, but when you treat a web browser as a "sandbox" for your application, and you have what feels like live data interaction, you can begin to do what Java promised and never delivered. Instead of slow-loading, jerky applets with annoying interfaces and horrendously pokey JSP servers, with Ajax-like development, I have a "never stop writing, run almost anywhere" environment which is less sexy than "Write once, run anywhere" but is more pragmatic and fits the reality of the market.

Does anyone still use Solaris?

Apache Foundation does, but then, they got a free box. I recently got a tour of Stanford’s data center, and was interested to see that they are moving off of Sun platforms for a variety of reasons: cost, lack of timely support from their Sun reps, Linux is almost as good, and did I mention cost?

I went to Stanford grad engineering school back in the dawn of the personal computing era in year [mumble]. Back then if I could have gotten into Forsythe Hall I would have seen a lot of DEC and IBM gear. Now there is a single IBM mainframe, and DEC is long a memory. Ironically, the robotic tape library that supports it dwarfs the mainframe itself, and the clusters of Intel boxes occupy most of the floor.

Even though the Stanford data center is in an air-conditioned, raised floor type of place, the technicians have to be careful where they place the gear because the PC platforms can output plenty of heat. I was interested to see that there are “hot” and “cold” rows of gear in alternating rows around the floor: depending on the server, you might not be able to densely pack them on racks because they will cook.

Beware of the PIN pad

If you have a debit card and make purchases using those little point-of-sale terminal thingies that have a small keypad for entering your PIN, here is a rule of thumb:

Don’t enter your PIN on these terminals. The latest round of thefts, according to MSNBC, hacks into these terminals and retrieves the stored PINs from the system.

Most people don’t know this, but when you go to use a debit card for a transaction, you can still choose the “credit” option and sign your receipt. The purchase still gets posted to your bank account as if it were a debit transaction, but at least you don’t have to use your PIN.

I don’t like the POS machines anyway — I always forget which way to slide my card through, and sometimes the screen is hard for these old eyes to read. But now you have even more motivation not to use them.

Blogging and the mainstream media: one comment

Those of you that don’t live in LA probably don’t realize how sucky our local print media coverage is. We have numerous newspapers, but none really offer what is going on outside of The Industry, that small segment of the population that we all aspire to be, or at least aspire to have multi-million dollar paychecks and homes perched precariously over major fault lines, but with fabulous ocean views.

Anyway, Mack Reed publishes the LAVoice, a fledgling effort that has some quite good journalism and is always entertaining. Here is a post of his about how blogs are not The Next Big Thing:

Blogs are the CB radio of the '00s. Those who know how to use 'em, and need to, will do so, and they'll be as commonly accepted as part of the mediastream as hey-looka-this irritainment e-mails are now.

Come to think of it, most of what is published in the mainstream press is irritainment. A great high concept!