We support Microsoft .NET Framework 2.0 & 1.1, all versions of Access, SQL 2000, SQL 7.0, SQL 2005 Express, SOAP, FrontPage 2002, 2003, Visual Studio 2005, Index Server, XML, UDDI, & Mobile device support. We also offer great third party tools like SmarterMail, Merak Mail, SmarterStats, PHP, Perl, MySql, DeepMetrix Livestats XSP 8.0.
 Wednesday, July 09, 2008

This video is extremely well done and can help change the email mindset which seems to overwhelm most people.

7/9/2008 6:50:03 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Saturday, June 28, 2008

Recently there has been a rash of SQL injection attacks, the work of thugs who honestly have nothing better to do with their time. We offer two code snippets below. In the first, the code writer wanted a blocked attempt to appear as if the request had simply worked and moved on. In the second, the writers actually used a Response.Write warning; their list of blocked strings is clearly more targeted and more focused on current attacks. These snippets work, and we have offered them to others to save time.

'Function IllegalChars to guard against SQL injection
'Returns True when sInput contains any blocked character or keyword
Function IllegalChars(sInput)
    'Declare variables
    Dim sBadChars, iCounter
    'Set IllegalChars to False
    IllegalChars = False
    'Create an array of illegal characters and words
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", "<", ">", "=", "[", "]", "?", "`", "|")
    'Loop through array sBadChars using our counter & UBound function
    For iCounter = 0 To UBound(sBadChars)
        'Use InStr with vbTextCompare so "SELECT" and "Select" match as well as "select"
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            Exit For
        End If
    Next
End Function

(Author: Aalia Wayfare)

In example 2:

I put this function in place on every public page...

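'Blocked substrings, all lower case because the input is lower-cased before matching
array_split_item = Array("-", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update", "<script", "/script>", "'")

'Check every query-string value against every blocked substring.
'Only Request.QueryString is covered by this loop; Request.Form and Request.Cookies are not.
for each item in Request.QueryString
   for array_counter = lbound(array_split_item) to ubound(array_split_item)
      item_position1 = InStr(lcase(Request.QueryString(item)), array_split_item(array_counter))
      if item_position1 > 0 then
         'Stop processing the request as soon as one value matches
         Response.Write("Command cannot be executed.")
         Response.End()
      end if
   next
next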

(Authors: Nick Jensen & Steve Kluskens)
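
Both filters above are blocklists over raw input, so they also reject legitimate values (a surname such as O'Brien, an e-mail address containing "@"). The more robust fix is to keep user input out of the SQL text altogether by binding it as a parameter. The page below is an added example, not code from the original post or its authors; the connection string, the Customers table and its columns, and the query-string keys "region" and "lastname" are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc), declared here so the page is self-contained
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' Hypothetical connection string (assumption); replace with your own
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI;"

' Strict integer check. IsNumeric() is too permissive for this job: it also
' accepts strings such as "1e3" or "&H10".
' Returns True and stores the number in lResult when sValue is all digits
' and lies in [lMin, lMax].
Function TryParseLong(sValue, lMin, lMax, lResult)
    Dim i, d
    TryParseLong = False
    If Len(sValue) = 0 Or Len(sValue) > 10 Then Exit Function
    For i = 1 To Len(sValue)
        If InStr("0123456789", Mid(sValue, i, 1)) = 0 Then Exit Function
    Next
    d = CDbl(sValue)
    If d < lMin Or d > lMax Then Exit Function
    lResult = CLng(d)
    TryParseLong = True
End Function

' Ends the request without echoing any of the submitted input
Sub Reject()
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End Sub

Dim lRegionId, sLastName, conn, cmd, rs

' Validate by type and length instead of hunting for "bad" substrings
If Not TryParseLong(Request.QueryString("region") & "", 1, 2147483647, lRegionId) Then Reject
sLastName = Trim(Request.QueryString("lastname") & "")
If Len(sLastName) = 0 Or Len(sLastName) > 50 Then Reject

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The SQL text is a constant. Each "?" is bound, in order, to a typed parameter,
' so a value such as O'Brien travels as data: no escaping, no rejection.
cmd.CommandText = "SELECT CustomerId, LastName FROM Customers " & _
                  "WHERE RegionId = ? AND LastName = ?"
cmd.Parameters.Append cmd.CreateParameter("region", adInteger, adParamInput, , lRegionId)
cmd.Parameters.Append cmd.CreateParameter("lastname", adVarChar, adParamInput, 50, sLastName)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored values cannot inject markup into the page
    Response.Write Server.HTMLEncode(rs("LastName") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

With binding in place, a blocklist like the two above becomes an extra layer rather than the only defense.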

Dev
6/28/2008 7:15:17 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Thursday, June 26, 2008
I have personally hated RAID 5 and refused to have anything to do with it any longer. I love it when people actually arrive at the same conclusion. But then, to reach this conclusion is simple; it only takes experience. Enough is enough. You can either join BAARF or not.
6/26/2008 5:15:47 PM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Saturday, June 21, 2008

I will not start this article beating on the Washingtonpost.com. One should seriously question the headline of the article! I guess if it hits the United Nations it is news! The world has problems; #1 is certainly determining blame, followed by a posse mentality.

Giorgio Maone at hackademix was the one consistent calm in the storm of comments. When you look for answers to the Universe this is always good reading material. It is only a joke, people, so let's not get too serious. This article does point out the problem and suggest some solutions.

I do seriously wonder why the WashingtonPost.com article included the wrong assertion by PandaLabs that the problem is actually Microsoft's, with IIS being the cause. Perhaps just a case of fair and balanced reporting? But then going on for several more paragraphs, with non-relevant links, over an advisory which is not even the point, is beyond me!

The article's comments did bring the usual Linux desktop dorks out of the woodwork. It always amazes me how Mac and Linux people have this idea that they are 10 feet tall and bulletproof. I do have several Linux machines, but really this attack has nothing to do with the OS or the web server. A SQL injection is all about poorly formed code. I see you there looking for the person to blame! Stop it!

"Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers" is the headline at ZDNet! It is a great article and should be read by anyone who has any questions about this type of attack; also this article. But really, let's not go through life with this posse mentality. Let's try to focus more on the thugs who cause this type of thing. I don't mean getting bottom-feeding lawmakers involved. Sharing information and taking action is the only real cure.

A tip to developers: Don't write code and walk away. If you have a contract like this, it must come with warnings to the client. If you maintain a site it is your duty to remain vigilant and update code. If you are not charging for this, you should revise your contracts to ensure you have covered all the bases. If you are charging, then do your job!

6/21/2008 10:10:56 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Monday, June 09, 2008

Microsoft is a company that usually keeps plenty busy advising users of security issues with its products. Redmond is now advising users about a blended security threat that involves users running Apple's Safari Web browser on Windows.

The threat could potentially allow Safari to download a malicious file that Windows would then execute. Microsoft has a work-around it suggests, though no patch is available from Apple (NASDAQ: AAPL) for the issue.

"Security Advisory (953818) does not refer to vulnerability in either Safari or Windows," Tim Rains, security response communications lead for Microsoft said in a statement sent to InternetNews.com.

The Safari issue had been publicly disclosed by security researcher Nitesh Dhanjani on May 15. Dhanjani described the issue as a 'Safari Carpet Bomb' in his discussion of the security risk.

6/9/2008 6:45:34 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Sunday, June 08, 2008

E-mail marketing is fast becoming an essential channel for all website owners, and the tool that powers this channel can make or break your efforts. Reliable autoresponder software with features such as sequential autoresponse, timed mailings and bounce management is usually found only in subscription-based services or expensive software.

The Omnistar Mailer email mailing list manager is a serious contender that meets (and exceeds) all of that for a very good price. Based on the popular PHP and MySQL combo, this web-based mailing list software is flexible and customizable. Follow me as I take you step by step to install and test it.

The Omnistar Mailer can be purchased online at www.omnistarmailer.com and can be downloaded instantly. It comes with a 30-day money back guarantee and free installation. Being the propeller head that I am, I decided to get my hands dirty.

The download, unzipping and uploading were fairly fast and simple, and soon I was greeted with the install screen. Here's where you might benefit from using their install service: there are some file permissions which need to be sorted out before you can proceed with the install. After I filled in all the necessary details (don't worry if you don't know some of them, just give the nice support people there your hosting signup details), the installation took care of itself. Note: Omnistar is careful here to warn you to use a NEW MySQL database.

6/8/2008 4:59:16 PM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

Symantec Corp. yesterday released a free tool that wipes spurious entries from Windows' registry that had crippled some PCs running the company's security software after they were upgraded to Windows XP Service Pack 3 (SP3) or Vista SP1.

The tool, SymRegFix, had been promised by Symantec two weeks ago when users reported that upgrading to XP SP3 emptied Windows' Device Manager, deleted network connections and packed the registry with thousands of bogus entries.

Symantec initially blamed Microsoft for the snafu, but later accepted some responsibility. Last week, the company said the combination of a Microsoft process and the SymProtect feature of its Norton-branded consumer security software had added the errant registry entries, and it told users to turn off that feature before upgrading.

SymProtect, designed to protect Symantec's security software from being hacked by malware, guards against unauthorized changes to the registry. When some users on that same thread noted that the tool had not deleted all the spurious registry keys, another Symantec employee stepped in. "The other garbage entries may have been created by Microsoft's Fixccs.exe outside of the Symantec registry keys," said Steve Dang.

Earlier, Symantec had identified the Fixccs.exe executable as the Microsoft side of the problem; it had also contended that other security software that monitors registry changes can cause registry pollution, although few incidents have been logged to Microsoft's support forums.

"If you have any other security applications, especially any that monitors/protects the registry, please disable those," said Dang. "Then, open a command prompt and type 'symregfix /override.' This will attempt to delete the garbage registry keys under the entire HKLM\System\CurrentControlSet hive, not just those under the Symantec registry keys."

Symantec has also issued a patch via its LiveUpdate service that prevents the registry corruption from occurring, although users must run LiveUpdate from within their security software, then reboot the PC before attempting an upgrade to Windows XP SP3 or Vista SP1.

That the problem could also affect users updating to Vista SP1 was new information last week; before then, only Windows XP SP3 upgrades had been fingered as causing trouble. In a message posted to the Symantec support forum last Friday, Anschultz downplayed the threat posed to Vista users. "Given how long Vista SP1 has been available relative to the XP SP3 upgrade and the rarity of this issue on Vista, it appears that the FixCCS.exe program doesn't need to 'fix' stuff as often on Vista, but it may on occasion," he said.

Symantec's SymRegFix clean-up tool can be downloaded from the company's site.

6/8/2008 9:27:29 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

Security appliance vendor Barracuda Networks is looking to buy Sourcefire, makers of the open-source Snort and ClamAV security software.
 
Barracuda said late Thursday that it had made a US$186 million cash offer to Sourcefire's board of directors Tuesday. Barracuda is willing to pay $7.50 per share, a 13 percent premium on the company's current stock price, but about half what Sourcefire shares fetched a year ago.

"Barracuda Networks is uniquely positioned to address the challenges that have impacted the company's performance and stock price," Barracuda said in a statement.

Although Sourcefire is best known for its intrusion detection software, the company bought the ClamAV open source antivirus project last August, and is now working on ways to commercialize this code. That's an area where Barracuda believes it can help out. ClamAV is included in Barracuda's appliance products.

The open-source software has been at the source of a high-profile legal dispute between Barracuda and competitor Trend Micro, which claims that ClamAV violates one of its patents.

Because it is already fighting a lawsuit with Trend Micro, Barracuda feels it is already addressing what could turn into a legal problem for Sourcefire, Barracuda President and CEO Dean Drako said in a Tuesday letter to Sourcefire's board of directors, which Barracuda made public Thursday.

"We also feel that the company's inaction in dealing with the looming threat of litigation from Trend Micro has had an effect on the stock price," he wrote.

Sourcefire representatives could not be reached immediately for comment, but the fact that Barracuda felt compelled to take its offer public suggests that it was not well-received by Sourcefire's board of directors.

6/8/2008 9:17:27 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Saturday, June 07, 2008

Dirk Meyer confirms

Dirk Meyer, President and Chief Operating Officer of AMD, told AMD's investors on last week's conference call that the new CPU architecture codenamed Bulldozer will debut in 45nm; according to the current agenda, this is supposed to happen in 2009.

From what we know, AMD will sample Bulldozer in late 2009, but the production parts are planned for 32nm. There is a possibility that AMD will launch Bulldozer in 45nm, but it will try to quickly move to 32nm.

AMD hasn't even started its 45nm production, and it already has to plan heavily for the move to 32nm. If you have one and a half fabs, transitions tend to become a real headache.

Currently, fab 36 produces all the Athlon, Phenom, Sempron and Turion CPUs you can buy, and Fab 38 is quickly coming to the rescue.

6/7/2008 10:00:23 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

According to several sources close to the hard drive industry, Western Digital is working on a 20,000 RPM Raptor hard drive to combat the increasing pressure from SSD manufacturers.

A lot of people out here in Taipei are talking about this industry's direction, and one thing is becoming clear: SSDs are going to be affordable in the next 12 to 18 months.

Because of this, hard drive manufacturers are starting to get a little worried about what marketshare SSDs might eventually take away from them—especially where performance is more of a concern than storage capacity.

And that’s exactly what Western Digital’s Raptor line is all about.

The new drive will be very similar to the recently-released VelociRaptor, in that it’ll be a 2.5in drive with a custom 3.5in housing built around it. Details are incredibly light at this stage, given that the product is still in development, and we don’t even have a release time frame at the moment.

Sources said that the drive will be ‘silent’ – that’s the last thing I would have expected from a drive with platters spinning at 20,000 RPM. Western Digital is apparently working on silencing the beast by improving the housing technology, which will now not just act as a heatsink, but also as a noise cancelling device. We’d also hope that the drive enclosure has some vibration dampening technology as well, because that’s also likely to be a problem given the high spindle speeds.

6/7/2008 9:53:39 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
Key Features

Killer Speed - Built on the performance bloodlines of WD Raptor, these 10,000 RPM drives, with SATA 3 Gb/s interface, and 16 MB cache deliver mind-bending performance. Not only are they 35 percent faster than the previous generation WD Raptor drives, but they also beat out all other competitors in the field.

Rock-solid Reliability - Designed and manufactured to mission-critical enterprise-class standards to provide enterprise reliability in high duty cycle environments. With 1.4 million hours MTBF, these drives have the highest available reliability rating on a high capacity SATA drive.

Double the Capacity - State-of-the-art technology packs twice the capacity per disk compared to its older brother WD Raptor resulting in 300 GB of high-performance storage space in this enterprise-class 2.5-inch drive. (Not compatible with notebook computers)

IcePack™ Mounting Frame - The 2.5-inch WD VelociRaptor is enclosed in a 3.5-inch enterprise-class mounting frame with a built-in heat sink that keeps this powerful little drive extra cool when installed in high-performance desktop chassis.

Rotary Acceleration Feed Forward (RAFF™) - Optimizes operation and performance when the drives are used in vibration-prone, multi-drive chassis.

SecurePark™ - Parks the recording heads off the disk surface during spin up, spin down and when the drive is off. This ensures the recording head never touches the disk surface resulting in improved long-term reliability and increased drive protection when the chassis is moved.
6/7/2008 9:50:35 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Wednesday, June 04, 2008

Gallery Server Pro is a powerful and easy-to-use ASP.NET web application that lets you share and manage photos, video, audio, and other files over the web.

  • Stable, production ready
  • Use any web browser to organize your media files into albums you can easily add, edit, delete, rotate, rearrange, copy and move
  • Easily add thousands of files using one-click synchronize and ZIP file upload functions. Thumbnail and compressed versions are automatically created
  • Powerful user security with flexible, per-album granularity
  • Integrates with DotNetNuke and other Frameworks to provide a superior media gallery
  • Image metadata extraction. Supports these formats: EXIF, XMP, tEXt, IFD, and IPTC
  • Search function queries title, caption, filename, and image metadata
  • Image watermarking with your own text and/or image
  • AJAX-enabled for more responsive UI
  • Web-based installer makes installation painless
  • Uses SQL Server 2000 or higher as the data store. Supports MSDE 2000 and SQL Server 2005 Express
  • Uses ASP.NET Membership provider so you can integrate with your existing accounts, including Active Directory
  • Data access uses the ASP.NET Provider model, which allows other data stores such as MySQL, Microsoft Access, or Oracle to be used instead of SQL Server
  • 100% managed code written in C# and ASP.NET 2.0
  • Source code is released under the open source GNU General Public License
  • All web pages target XHTML 1.0 Strict and CSS 2.1 standards to ensure maximum forward compatibility

Learn More and screen shots

GalleryServerPro_source.zip (2.71 MB)
6/4/2008 10:31:34 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Sunday, May 25, 2008

Problem

You know, if you make just one change and don't transfer it to the other instances, it can cause big errors and stop your scripts from working. But (as in our case) opening 50 control panels, going to the MySQL administration and manually running these ALTER TABLE or CREATE TABLE statements was a cumbersome task that took all of our time.

Solution

All the instances of our app were running on one physical server, which is not always possible. But you can implement a similar solution even if your app is running on different servers: you just need to allow connections to the master host, the one which will run the Synchronizer, the script I will describe below. Our Synchronizer is actually a simple PHP script which is started manually and has only one purpose: to synchronize all 50 databases with one "master" database. In our case we needed the script to synchronize only the DB structure, not the content. But if you understand the simple logic of the script, you can easily extend it to copy/synchronize your content if that is your case.

Implementation

First, you need to select all the tables and their fields from the master database:

//select tables from the master
$q = "SHOW TABLES FROM master_database";
//$DB is a database fetching object; you can use the built-in PHP functions
//to select from MySQL if you prefer
$tabs = $DB->aq($q);

$tables = array();

foreach ($tabs as $tab)
{
       //select the fields of this table
       $q = "SHOW FIELDS FROM `$tab[0]`";
       $fields = $DB->aq($q);

       array_push($tables, array("name" => $tab[0], "fields" => $fields));
}


You see how our script fills the array $tables with all the table names, each entry itself containing another array with the table's fields.

Secondly, you need a list of the databases or domains where the instances of the synchronized application are running. Once you have that list, you can loop through it with "foreach" or another loop.

Now we are going to select all the tables in the database on each target domain. (Of course you need to connect to its database, and disconnect from the master one! We already did our job in selecting the tables from the master database :)

In the same way as above, you need to select the tables from the target domain.

Then below, just compare the tables:

foreach ($tables as $table) //browse through master tables
{
       //look for a table with the same name on the target
       //($dtables holds the target's tables, built the same way as $tables)
       $found = false;

       foreach ($dtables as $dtable)
       {
          if ($dtable['name'] == $table['name']) $found = $dtable;
       }

       if (is_array($found))
       {
          //table exists, check fields
          foreach ($table['fields'] as $field)
          {
             $ffound = false;
             foreach ($found['fields'] as $dfield)
             {
                if ($field['Field'] == $dfield['Field']) $ffound = true;
             }

             if (!$ffound)
             {
                //field is missing on the target: alter table add field
                if ($field['Key'] == 'PRI') $primary = " PRIMARY KEY ";
                else $primary = '';

                $q = "ALTER TABLE `$table[name]` ADD `$field[Field]` $field[Type] NOT NULL $field[Extra] $primary";
                $DB->q($q);
             }
          }
       }
       else
       {
          //table does not exist, create it with all master fields
          $q = "CREATE TABLE `$table[name]`(";

          foreach ($table['fields'] as $cnt => $field)
          {
             if ($field['Key'] == 'PRI') $primary = " PRIMARY KEY ";
             else $primary = '';

             $q .= "`$field[Field]` $field[Type] NOT NULL $field[Extra] $primary ";
             //comma after every field except the last
             if ($cnt < (sizeof($table['fields']) - 1)) $q .= ", ";
          }

          $q .= ")";
          $DB->q($q);
       }
}


And that's all! You may need to work a little on this code, but the logic is here provided for your needs. Feel free to use the ideas for your own applications.

The Author:
Bobby Handzhiev senior developer in PIM Team Bulgaria

Dev
5/25/2008 8:00:05 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Saturday, May 24, 2008

A very tired little birdie who flew all the way from Seattle to Australia has chirped to me that Windows 7 will be publicly disclosed for the first time at the D6: All Things Digital Conference hosted by Walt Mossberg and Kara Swisher next week on May 27. This is the same conference where last year Bill Gates and Steve Jobs made a historic appearance together on stage, interviewed by Walt and Kara.

Whilst my chirp-to-English translation is a little flaky, it makes sense because the D Conference has been used in the past for Microsoft to make rather grand announcements such as the introduction of the Surface computer. This time round, both Bill Gates and Steve Ballmer will appear together at the keynote so it's a perfect opportunity to discuss the future of the company.

In addition to just discussing their ideas and vision, it's rumored the event will actually involve a demonstration of Windows 7 in some fashion. Whether or not we'll actually see a live build of Windows 7 or purely a technology demo of a specific feature remains a mystery, but it's sure exciting.

In the past the conference organizers did not put up a live stream of the keynote so I doubt they will this year, however the event is thoroughly covered by bloggers and mainstream press so just keep an eye out on the morning of May 27. Learn More here

5/24/2008 8:40:02 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

The new power-sipping Atom processor line is already poised to become the standard in next-generation ultra-mobile laptops like the Eee PC 900 and MSI's Wind. But that hasn't stopped Intel from pushing its tiny 45nm, low-voltage darling into more mobile territory. Smartphone integration is in the works, but in the meantime, Intel is pushing Atom into a decidedly larger mobile platform: the automobile.

Pairing with Intel, device software optimization heavyweight Wind River recently announced an in-vehicle "infotainment platform" based on an automotive-optimized Linux platform tailored specifically for Intel's Atom processor. The idea is to create a single, open-source platform that will allow developers to create software that can be scaled across components in different vehicles, and create a broader range of consumer electronics integration options, while still allowing auto makers to differentiate the systems with their own configurations and branding.

X-bit Labs is reporting that BMW, Bosch, Delphi, and Magneti Marelli are all on board with the idea, which is a good thing, because Wind River plans to unleash the code on the Moblin.org Linux-centric auto-enthusiast community sometime in August.

5/24/2008 7:35:27 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Monday, May 19, 2008

Are you overwhelmed by your own inbox?
Do you use outlook as your mail client?

Then there is a must-have plugin application for you. There simply is not much more to say except get it now. Xobni is inbox spelled backward.

5/19/2008 7:07:22 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 
 Saturday, May 17, 2008

Mozilla warned Wednesday that a malicious program inserted adware code into a Firefox plugin that has been downloaded thousands of times over the past three months.

Because of a virus infection, the Vietnamese language pack for Firefox 2 was polluted with adware, Mozilla security chief Window Snyder said in a blog posting. "Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy," she wrote. "Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload."

Mozilla is now going to add additional scans of its software to prevent this kind of thing from happening in the future.

The malware in the language pack is from the Xorer Trojan, according to discussion on Mozilla's Bugzilla developer Web site, which indicates that Mozilla developers first discovered the issue on Tuesday.

Mozilla missed the code during its initial scan because antivirus vendors had not yet added detection for Xorer into their products. Antivirus vendor Panda Security first detected Xorer on Feb. 28, 10 days after the infected plugin was published. Firefox developers have now scanned all of their plugins.

The open-source browser maker does not know how many people were infected with the adware, but the plugin was downloaded more than 1,200 times in the past week and has been downloaded 16,667 times since November.

5/17/2008 7:23:30 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

The first public release of Moonlight, which provides a Linux client implementation of Microsoft's Silverlight rich Internet application (RIA) technology, was made available this week.

Moonlight, an open source project, supports the Silverlight 1.0 profile for Linux.

According to a blog post by Novell Vice President of Engineering Miguel de Icaza, the lead on the Moonlight project, Moonlight comes in two forms. In one form, no media codecs are supported but it is easy to install. In the other form, source code compilation is featured with users able to optionally compile FFMpeg codecs themselves.

Moonlight is intended to work on the Firefox 2 and Firefox 3 browsers, but recent changes in Firefox 3 prevent Silverlight and Moonlight from working on that browser. A Greasemonkey script is available that will work around this bug for some sites, de Icaza said.

5/17/2008 7:16:01 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

A major problem has been revealed in Debian Linux and derivative packages, such as Ubuntu. Debian revealed the other day that a fix they made back in September 2006 had the unintended consequence of crippling the strength of their OpenSSL distribution.

OpenSSL is used, of course, for Secure Sockets Layer which provides authentication and encryption for web traffic, but it's also used for other cryptography functions. OpenSSL is a very important package that brought public key cryptography to the masses; prior to OpenSSL, https web sites were expensive and complicated to build.

The strength of public key encryption relies, in large part, on the large number of potential keys that could be used to encrypt data. Keys are often 1024 or 2048 or 4096 bits long; these store very large numbers so a brute force attack, trying all of the possibilities, could take a prohibitive amount of time.

But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption.

Because of its centrality, Linux sites are often deeply reliant on certificates generated by OpenSSL to encrypt network traffic. Fixing the problem is not just a matter of updating the software; you also have to go back and generate new certificates and have them signed. This is complicated stuff, not for the novice Linux user. Expect tools to come along soon to help.

5/17/2008 7:06:30 AM (Pacific Daylight Time, UTC-07:00)  #    Disclaimer  |  Comments [0]  | 

In a letter sent Friday to the judge overseeing the case in Delaware, a lawyer for the shareholders argued Yahoo is trying "to whitewash embarrassing documents" because the company thinks the information will damage the board's efforts to repel a challenge by activist investor Carl Icahn.

Angered by the board's handling of the Microsoft bid, Icahn has nominated an alternate slate of candidates to oppose Yahoo's 10 current directors — including Chief Executive Jerry Yang — at the Sunnyvale-based company's July 3 annual meeting.

Yahoo is trying "to sanitize the public record and maintain a cloak of secrecy regarding unflattering evidence of breach of fiduciary duty," shareholder attorney Joel Friedlander wrote in a letter to Chancellor William B. Chandler III.

The redacted documents include information about an employee severance plan that Yahoo adopted shortly after Microsoft made its initial bid Jan. 31 and notes about a conversation between Yang and Microsoft CEO Steve Ballmer, Friedlander wrote.

Yahoo had no immediate comment Friday. Generally, companies often seek to keep parts of publicly available lawsuits under seal for competitive reasons. Yahoo had previously disclosed the plans would give its 13,800 employees anywhere from four months to two years' pay. Every $1.4 billion in severance cost theoretically would translate into about $1 per share less that Microsoft would have available to offer Yahoo shareholders.

Ballmer orally offered $33 per share, or $47.5 billion, but then withdrew the bid when Yang held out for $37 per share. Legg Mason money manager Bill Miller, whose fund is Yahoo's second largest shareholder, has publicly said he would have happily supported a Microsoft offer of $34 per share.

Friedlander's letter also indicated the redacted documents include comments that Yahoo's top executives made about the severance plans.

5/17/2008 6:54:36 AM (Pacific Daylight Time, UTC-07:00)

Charter has told its high-speed Internet customers in four markets about the pilot, which will produce enough information for Web advertisers to target online advertising for individual customers based on their habits.

The ads "will better reflect the interests you express through your Web-surfing activity," Charter senior vice president Joe Stackhouse told the affected subscribers in a letter. "You will not see more ads — just ads that are more relevant to you."

In response to the announcement, Rep. Edward Markey (D-Mass.) and Rep. Joe Barton (R-Texas) asked Charter President and Chief Executive Neil Smit to put the plan on hold until the three can confer.

The tracking is set to begin in June in Ft. Worth, Texas; San Luis Obispo, Calif.; Oxford, Mass.; and Newtown, Conn.

Subscribers can opt out of the tracking, though they must provide their name and address to install an opt-out cookie on their computer.

Should Charter instead offer subscribers the ability to opt in if they want to participate?

5/17/2008 6:48:56 AM (Pacific Daylight Time, UTC-07:00)
 Friday, May 16, 2008

The bugs in question are crazy raspberry ants, which are named not for their flavor, but for their inscrutable meanderings and for past efforts by exterminator Tom Raspberry to eliminate them.

Supposedly, crazy raspberry ants are fond of electronics.

According to Associated Press writer Linda Stewart Ball, the ants "are invading homes and yards across the Houston area, shorting out electrical boxes and messing up computers."

"They have been known to short out many different types of electrical apparatuses," says a Texas A&M University Web page about the pests.

Exterminators in Houston are aware of the problem but aren't all that alarmed.

5/16/2008 7:26:50 PM (Pacific Daylight Time, UTC-07:00)
 Sunday, May 11, 2008

Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.

Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.

The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August. The rootkits used by cyber crooks today are sneaky programs designed to cover up their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005 when Sony BMG Music used rootkit techniques to hide its copy protection software. The music company was ultimately forced to recall millions of CDs amid the ensuing scandal.

In recent years, however, researchers have been looking at ways to run rootkits outside of the operating system, where they are much harder to detect. For example, two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD's chip-level virtualization technology to hide itself. She said the technology could eventually be used to create "100 percent undetectable malware."

5/11/2008 9:57:01 AM (Pacific Daylight Time, UTC-07:00)

After a long period of resistance to Linux in general, we have offered Linux, specifically CentOS, to clients. The response to our offering of CentOS and Virtualmin has almost been alarming. We have given enough demos to our clients that we have seen the number of machine builds grow by over 300%. Being an exclusive Windows host for over 10 years made us wonder if we would be overwhelmed by support.

We have to give a lot of credit to the guys at Virtualmin for this lack of support we originally expected. We have many comments from clients who have been exclusive Windows people for years. Quotes like: "You have made the web developer environment exciting again!" We stumbled on this install tutorial on the web and thought we would share it with people looking to set up their own local boxes.

We have also been exploring Ubuntu for desktops, with everyone complaining about Windows Vista. It is clear some of the free alternatives these days are just as good as going out and blowing your wad on an OS. We personally love this article from a Mac user who decided to give Ubuntu a spin. It was a nice read without all the typical lame input. It seemed the writer learned there are other OS options available that actually run better than Mac. Go figure!

5/11/2008 9:43:51 AM (Pacific Daylight Time, UTC-07:00)
 Sunday, April 13, 2008

How it works: The USPTO (US Patent & Trademark Office) gets the initial patent application from the inventor or patent agent. But it can take a while to grant or deny a patent application. They have a heavy workload, examining and publishing thousands of patents each week! However, during the period of waiting for a USPTO grant decision, the USPTO publishes the patent application at some point (usually after 18 months) and the general public may view the full contents and it is in the public domain. (note: FreshPatents.com does not have access to and does not publish confidential and/or non-USPTO-published Patent Applications!)

Next, FreshPatents.com (no affiliation with the USPTO) empowers users with FREE tools to better find and track published patent applications. FreshPatents.com features the latest published US patent applications...which is certainly useful for your business and technology intelligence needs.

4/13/2008 11:13:55 AM (Pacific Daylight Time, UTC-07:00)