Open APIs, continued: Not Microsoft!

Yesterday’s keynote address by His Billness made it crystal clear. Microsoft isn’t going anywhere with opening any APIs for its Web programming. See some excellent reporting by Scott Fulton at my old haunt here:


The question was literally shouted at him, will you open your API the way Google does? The answer is no. ... For the first time in years, other players are setting the rules, and Microsoft is choosing not to play by those rules. All of a sudden, Microsoft finds itself the outsider, the holdout, the would-be up-and-coming player, and Bill Gates finds himself playing the role of the conservative stalwart, resistant to change, impervious to the winds of history.

Today, we learned that Vista isn’t going anywhere, either. At least not this year.

SQL Injection Resources

I am doing some research for a client and writing a paper on SQL Injection and what you can do to prevent this well-known exploit. Here are some of the more useful resources that I have found. If you know of others, plmk.

  1.  SQL injection isn’t new. The earliest mention that we could find was an article in Phrack magazine by “Rainforest puppy” that was published in 1998!
  2. A basic step-by-step introduction on the topic, showing you how to assemble information on a target’s data structure using a simple Web form by Steve Friedl (Jan 2005).
  3. Oracle-specific examples of SQL injection from Security Focus (Nov 2001) and Net-Security.org (Jan 2004) contain lots of good information for other types of SQL servers as well.
  4. SPIDynamics’ white paper on the subject goes beyond the basics (Sept 2005).
  5. A more complete step-by-step walkthrough of various exploits.
  6. More complete walkthrough of exploits, along with a nice description at the end of the paper on methods to lockdown your SQL Server (2002).
  7. A more general resource on SQL Server security, including articles, free assessment tools and a nice lockdown script, all from Chip Andrews.
  8. ODBC error messages by David Litchfield, given at a Black Hat conference.

Grading various browsers

Nate Koechley, a senior Web developer at Yahoo, has written an interesting paper that describes Yahoo’s efforts toward supporting various browsers on their site. He groups all 10,000-plus versions of browsers into three different categories: C, A, and X. The A grade ones are the most modern and the ones that are the most capable of delivering an advanced Web experience.

I like what he says. I never was happy with “this page best viewed by this browser” buttons that cropped up in the late 1990s. And as the browsing experience becomes more complex with all sorts of tie-ins, helper apps, and new ancillary software programs, it is nice to have a statement of direction on the issue.

Mashups galore

No, I didn’t go to Mashup Camp, much as I would have liked. But if you missed the festivities of having people proud of their APIs trying to get 20-somethings interested in building apps for them, then take a gander over yonder at this amazing listing of mashups.

What’s a mashup you might ask? In music/podcasting terms, it is when someone combines multiple songs together for a mixture of something new. In Web terms, you take multiple programming interfaces and produce something unique, like a way to display a map of used cars in your ‘hood that meet your specs, or bands that are playing at nearby clubs. All done within the comfort and safety of your Web browser. No small animals were harmed during the creation of this movie. And safe for families too.

MP3Tunes Locker/Oboe Review

So you have ripped all your music CDs on your hard drive, and you might be worried about what will happen to all these files if disaster strikes. You can copy them onto an external hard drive, or you can make a copy to an Internet-based backup service. I did a review of MP3Tunes’ Locker music service here on NewsForge/OSTG. The nice thing about this service is that it works across Mac, Windows, and Linux platforms. The bad thing is that the first time you use the service, it will take several days to upload all your data.

Cranite SafeConnect Has A New Twist on VPNs

If you absolutely need total control over your remote users, and need to run the widest possible range of applications, then the Cranite Systems Inc. SafeConnect VPN software should be in your short list of products to consider. I recently did some tests for the company and found that SafeConnect is neither fish nor fowl, and sits squarely between SSL VPN and IPsec products, combining the ease of use of the SSL crowd with end-to-end applications interoperability of IPsec.

I tested the product on a series of laptops and compared how it worked with SSL VPNs from Juniper, Nokia, and other major manufacturers. Overall, the product stood up well in these tests. SafeConnect will prevent eavesdropping over the remote connection no matter where and how your users connect, and it is easily setup in a few hours. It will support a wider range of applications and do so without any additional configuration required. It delivers extremely high file transfer throughput, way beyond any of the SSL VPN products. Finally, it is priced attractively at about a third to a half of what competitive SSL VPN products with equivalent feature sets would cost.

There are several other things the product doesn’t do. It can’t and doesn’t try to compete with the SSL products for unmanaged remote users, since its client must be installed on each remote desktop or laptop. It doesn’t provide the level of client endpoint integrity checking that a Nokia, Juniper or F5 SSL product provides. It also has three major deficiencies: First, it doesn’t prevent users with duplicate credentials from concurrently connecting to the network, and it doesn’t report on these circumstances either. This puts a burden on your IT department to keep track of their client credentials. Second, there is no auditing ability, which we discuss more completely below. Finally, while the product comes with its own LDAP and RADIUS servers, if you do decide to use these pieces you will have to configure them via their separate command line interfaces. Cranite should integrate these into its own graphic configuration screens.

We liked the fact that once you were connected, your remote connection was solid and bullet-proof from man-in-the-middle attacks. We tried to break the connection by sending malformed packets with a bad MAC address – something that would bring down any SSL VPN connection – but SafeConnect kept on going without any problems. About the only way to tear down the connection would be to fill the pipe with a denial of service attack or if we lost the line entirely from our ISP.

You can read my full report on Cranite’s Web site here.

Web Conferencing Compendeum

For close to ten years I have maintained a page on my site that has links to numerous Web-based voice and data conferencing products. If you know of something that I have omitted, please drop me an email with the details.

Lately, I came across a great blog maintained by Ken Molay. He has tips and tricks on how to do better Webinars, and plenty of insider information that is only from someone who really uses the stuff. It is definitely worth a closer look.

Want to start up a meeting over the Web and share your presentation out to desktops in real time? There are a number of companies providing this service. Here I track down what they cost and where they are located. Most of these products regrettably now only support Internet Explorer and Windows configurations, although the more enlightened are finally embracing Firefox and other Mozilla browsers. I used to track community discussion software products but David Woolley does such a great job and keeps better up to date information.

IM Interoperability Status Report

Today, the instant messenger world is about where the email world was in the early 1990s. For those of you not around then, MCIMail became one of the first private email companies to connect to the Internet and offer the means to bridge incompatible systems. Then the flood started, and eventually the TCP/IP and POP worlds became the default and no one cared about proprietary systems.

Now Vint Cerf is with Google, and MCIMail (his former home and pet project) is largely forgotten. With the advent of Jabber-based XMPP messaging systems (here is a complete list), and with the work of Apple, IBM, and others, we are now seeing software that can connect multiple IM systems, although it still is pretty crude. The issue is more than just the protocol, you need federated identity between disparate systems to make this all work.

I looked at five products that are available on Windows clients (Google Talk, Gizmo Project, AIM, Skype and Trillian Pro), along with Apple’s iChat. Three of the Windows products are also available on other platforms. All do basic chat or text messages from person to person. Some offer audio and video conferencing features, whereby you can connect multiple people on the same line. Two offer the built-in ability to record your text chats and also record your audio conversations, which are useful for assembling podcasts. And two also offer voicemail systems, so when you are away from your computer you can still receive audio messages.

Just as we were with email in the early 1990s, there are three commercial IM systems that don’t really connect with each other: AOL, Yahoo, and Microsoft. Then Trillian came along a few years ago and produced a single client that allowed you to chat with all three, along with ICQ. Then came Skype, which set things back as its own communications island, but moved chat into a features war with lots of enhancements, including voice conferencing and dial in/dial out features. And now we have all the jabbering Jabber clients, including Gizmo Project, which takes most of Skype’s features a step further but is notably missing file transfer.

Eventually, I will add more to this grid, but this should whet your appetite for what you can do. You can find the page here on my site

Beware of Gizmo Project

Yes, those emails from Gizmo Project were generated by me, but unintentionally. If you are willing to try out this new IM/VOIP software, download the client and give it a whirl. And if you are tempted to run the “Contacts Assistant” realize that it will also scan your address book and send off a batch of emails to your friends and associates asking them to join up.

I am not sure this is kosher, and would suggest that the Linspire folks add a disclaimer or a warning to this assitant before it goes and does the deed.