Saturday, November 29, 2008

Technics: Web 2.0's downside opens way for spyware and other vulnerabilities via the Internet

Jason King is CEO of LavaSoft, a pioneer company whose software labours to chase down spyware and adware, and which also provides anti-virus services. Shreeraj Shah of Net-Square wrote a famous article, "10 Web 2.0 Attack Vectors," putting forth something of an overall vector analysis on the Help Net Security website, Oct9,2k6. You can visit them both at this Help Net Security website page.

First, let's have entrepreneur King speak to us for 2:50 minutes on video from YouTube:

LavaSoft and the antispyware industry

Shreeraj Shah explains how Web 2.0 advances have also opened vulnerabilities that did not exist before its arrival, not least of all the new vulnerability to spyware:

Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. The shifting technological landscape is the driving force behind these Web 2.0 applications. On the one hand are Web services that are empowering server-side core technology components and on the other hand are AJAX and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself.

XML is making a significant impact at both presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer while SOAP is becoming the XML-based transport mechanism of choice.
Now, let's garner the points web-thinker Shah presents as headers; the result is a bit abstract for those, like me, who are still novices in these territories:

Web 2.0 security concerns are reshaping the whole industry of security-measures for websites, internet, and home computers.
Technotes, by Technowlb
Shah introduces his vector theory of new Web 2.0 vulnerabilities:
On the “server-side”, XML based Web services are replacing some of the key functionalities and providing distributed application access through Web services interfaces. These remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself provide new openings to applications.

On the other side, RIA frameworks running on XML, XUL, Flash, Applets and JavaScripts are adding new possible sets of vectors. RIA, AJAX and Web services are adding new dimensions to Web application security.
So, here's his analytic list of 10 attack vectors, Shah providing us with a thick explanatory paragraph for each:

1. Cross-site scripting in AJAX.
2. XML poisoning.
3. Malicious AJAX code execution.
4. RSS/Atom injection.
5. WSDL scanning and enumeration.
6. Client-side validation in AJAX routines.
7. Web-services routing issues.
8. Parameter manipulation with SOAP.
9. XPATH injection in SOAP message.
10. Rich Internet Applications (RIA) thick client binary manipulation.
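As an added illustration of item 4 (RSS/Atom injection) and, in passing, item 2 (XML poisoning), here is a small defensive feed handler. It is example code written for this post, not code from Shah's article or from any product named here. The point of the vector is that a Web 2.0 aggregator which drops feed text straight into the page lets whoever controls the feed run markup and script in the reader's browser; the defence is to treat every feed field as untrusted data, escape it before it reaches the page, and refuse documents that declare a DTD, which feeds never need. The feed, the `feed.example` host and all function names are constructed assumptions for the example.

```python
import html
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed (not a real feed). The second entry carries HTML
# markup and a javascript: link in its fields, the kind of content an
# aggregator must not hand to the browser as live HTML.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Constructed example feed</title>
  <entry>
    <title>Ordinary post</title>
    <link href="http://feed.example/post/1"/>
    <content type="text">Plain text body</content>
  </entry>
  <entry>
    <title>&lt;script&gt;steal()&lt;/script&gt;</title>
    <link href="javascript:steal()"/>
    <content type="html">&lt;b&gt;bold&lt;/b&gt; body</content>
  </entry>
</feed>
"""


def has_dtd(feed_xml):
    """True if the document declares a DTD or entities.

    Feeds never need a DTD, and entity declarations are the basis of the
    entity-expansion tricks grouped under "XML poisoning", so the aggregator
    refuses such documents before the XML parser ever sees them.
    """
    return "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml


def parse_entries(feed_xml):
    """Parse an Atom feed into a list of dicts of raw, still-untrusted strings."""
    if has_dtd(feed_xml):
        raise ValueError("DTD or entity declarations are not accepted in feeds")
    root = ET.fromstring(feed_xml)
    if root.tag != ATOM_NS + "feed":
        raise ValueError("not an Atom feed")
    entries = []
    for entry in root.iter(ATOM_NS + "entry"):
        link = entry.find(ATOM_NS + "link")
        entries.append({
            "title": entry.findtext(ATOM_NS + "title", default=""),
            "content": entry.findtext(ATOM_NS + "content", default=""),
            "link": link.get("href", "") if link is not None else "",
        })
    return entries


def safe_link(href):
    """Keep only http(s) URLs; any other scheme (javascript:, data:, ...) becomes '#'."""
    scheme = href.split(":", 1)[0].strip().lower() if ":" in href else ""
    return href if scheme in ("http", "https") else "#"


def render_entry_html(entry):
    """Build the list item the aggregator inserts into its page.

    Every field is HTML-escaped (the href attribute included), so markup that
    arrived in the feed is displayed as text rather than executed.
    """
    return '<li><a href="%s">%s</a>: %s</li>' % (
        html.escape(safe_link(entry["link"]), quote=True),
        html.escape(entry["title"]),
        html.escape(entry["content"]),
    )


def render_feed(feed_xml):
    """Parse and render a whole feed as escaped HTML list items."""
    return "\n".join(render_entry_html(e) for e in parse_entries(feed_xml))


if __name__ == "__main__":
    print(render_feed(SAMPLE_FEED))
```

Run as a script it prints the two list items; the second shows the script tag as literal text and its link neutralised to `#`. The escaping happens at render time, not at parse time, so the raw strings stay available for searching or storage without ever being trusted as markup.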

Shah concludes:
AJAX, RIA and Web services are three important technological vectors for the WEB 2.0 application space. These technologies are promising and bring new equations to the table, empowering overall effectiveness and efficiency of Web applications. With these new technologies come new security issues, and ignoring them can lead to big disasters for the corporate world. [And what about us "end-user" consumers with our home computers?] In this article, the discussion was restricted to only ten attacks but there are several other attack vectors as well. Increased WEB 2.0 security awareness, secure coding practices and secure deployments offer the best defense against these new attack vectors.

Thursday, November 27, 2008

Music: Digital downloads may drop DRM restrictions

The Distorted-Loop website carries a breathless up-to-the-minute post by Jonny on what may be a price revolution for digitally-downloaded music, especially from iTunes Music Store. Not just that, but the entire Digital Rights Management (what newspeak the DRM expression is!) promises to unscrew and in the process unscrew us, truly a gain for weary consumers.

High-level negotiations have been taking place in the present financial climate, where a Depression hangs over everything like a thick smog. Will the music industry go down, taking iTunes and confrères with it ...? Steve Jobs is reported to have lost billions in his stock portfolio already, and we may expect that many of the negotiators for the other companies involved have likewise undoubtedly "dropped a bundle."

Steve Jobs of Apple, tho he lost a fortune, is negotiating with the DRM kingpins of the digital music industry to ease the financial load on music lovers.
The photo appeared as #15 in the set "The Biggest Losers: 20 global moguls who have gotten creamed in the recent economic collapse"--the set accompanies the article of that title by Hilary Lewis, Nov26,2k8, Business Sheet (none of the photographers are mentioned).

Maybe the downturn has forced new thinking to jell in the fetid money-brains of the digital music industry. Suddenly, with Mr Jobs' leverage, perhaps the music tycoons and their customers may together benefit from this possible move.
The long-standing duel between Apple and three major labels, Universal, Warners and Sony BMG may be coming to an end, with tracks from these majors now showing up within the iTunes Plus music upgrade service.

There have been strong rumours claiming negotiations between Apple and the labels to offer music at high quality free of restrictive DRM have intensified in recent weeks. Sony BMG is already thought to be uploading tracks to make available through iTunes Plus.

Overnight sundry spies have spotted tracks from the three hold-out majors popping up in the ‘Upgrade My Library’ section of iTunes, where users can upgrade their purchases from DRM’d to DRM-free tracks.

For example, Rakim’s rather special ‘The 18th Letter/The Book of Life’ is currently available to upgrade to iTunes Plus. The major label behind this release is, of course, Universal.
Music Biz, by AudioViz
iTunes Plus was introduced in April 2007 with DRM-free tracks from EMI. The catalogue later grew to include music from many independent labels. While songs cost slightly more, they ship in higher-quality 256k bitrates. You can upgrade existing purchases for 20 pence.

Apple’s move to offer its full catalogue in DRM-free format opens the doors for a level playing field in digital music, with services including Amazon MP3 in the US and 7digital in the UK already offering tracks free of DRM in MP3 format for sale at the same price as an ordinary iTunes track.

Open to question at time of writing is whether Apple will compete on price by lowering iTunes Plus track prices to match existing standard downloads, and whether the company will make a major announcement on its plans later today. (Customarily, watch for an announcement around 1.30pm, well, if an announcement is to be made at all).

** Well, the day’s moving on and no official news yet. We’ve dropped an enquiry to Apple, and their lack of a response suggests that at present these moves belong in the official ‘rumour and speculation’ department. It may be helpful if readers have a check to see what songs/artists from the three majors they can dig out using the ‘Upgrade’ feature in iTunes, and note them here. Hang in there.
We owe Distorted-Loop's Jonny a huge tip of the hat. (The underlines in the quoted text above are added by yours truly.)

Tuesday, November 25, 2008

Aesthetics: Citizens' architectural renewal of rundown historic Buffalo

Nicolai Ouroussoff writes charmingly, "Saving Buffalo’s Untold Beauty," Nov14,2k8, NYT:

One of the most cynical clichés in architecture is that poverty is good for preservation. The poor don’t bulldoze historic neighborhoods to make way for fancy new high-rises.

That assumption came to mind when I stepped off a plane here recently. Buffalo is home to some of the greatest American architecture of the late 19th and early 20th centuries, with major architects like Henry Hobson Richardson, Frederick Law Olmsted, Louis Sullivan and Frank Lloyd Wright building marvels here. Together they shaped one of the grandest early visions of the democratic American city.

Yet Buffalo is more commonly identified with the crumbling infrastructure, abandoned homes and dwindling jobs that have defined the Rust Belt for the past 50 years. And for decades its architecture has seemed strangely frozen in time.

Now the city is reaching a crossroads.
That's how Ouroussoff begins his study tour of the restoration of areas of the northern US city that had fallen victim to the scourge of the infamous Rust Belt. Several of the recent reversals of bad fortune warm the heart, and suggest a new future for this urban center that has lost its formerly lucrative connection to the once-upon-a-time Erie Canal system. Once a thriving hub for goods coming in from Lake Ontario and then streaming out again, along with the products of Buffalo's own manufactories, the largely Black-populated city now seems poised on the brink of a new age and perhaps even a new prosperity.

Archibald

Friday, November 21, 2008

Technics: Google launching personal-edit searches minus garbage subtopics

Google has outdone itself with the launch of the new Google SearchWiki. The idea is to let a marginal, unorganized set of users who intensely dislike wading thru the now-inevitable garbage that swells search results for a given keyword avoid that recurrent mishap by submitting a truer listing of results -- minus the garbage links. Not that this produces a separate search result for every individual SearchWiki edit a user makes.

Rather, individual edits for a keyword are combined with the edits of others for the same word, and a composite result becomes available to all the marginals who use the Google SearchWiki to obtain hopefully cleaner results for the set. But one wonders whether a new censoriousness could set in.

Technotes, by Technowlb

I wouldn't mind seeing Philosophy the cosmetic line disappear from the wiki's search results for Philosophy; but would the various competing sects of view try to take out results giving links to competitor websites that define, say, the keyword Reformational other than as approved by various sites of the competition?

My rather arcane examples may or may not amuse you, dear reader, but I'm sure you can extrapolate to examples more pertinent to your own interests and concerns, to make the point clearer for your own purposes.

Updates:
*Reports conflict over Microsoft buying Yahoo search (MarketWatch Nov30,2k8)
*Is Apple building a search engine? Does Apple plan to take on Google, Yahoo and Microsoft? (MacWorld [UK], Nov14,2k8)

Thursday, November 13, 2008

Literature: France's Le Clézio won the Nobel Prize for literature

French novelist Jean-Marie Gustave Le Clézio won the Nobel Prize for literature a few weeks back. Sarah Lyall, "French Writer Wins Nobel Prize," http://www.nytimes.com/2008/10/10/books/10nobel.html, Oct19,2k8, New York Times.

The French writer Jean-Marie Gustave Le Clézio, whose work reflects a seemingly insatiable restlessness and sense of wonder about other places and other cultures, won the 2008 Nobel Prize in Literature on Thursday. In its citation, the Swedish Academy praised Mr. Le Clézio, 68, as the “author of new departures, poetic adventure and sensual ecstasy, explorer of a humanity beyond and below the reigning civilization.”

The works of Jean-Marie Gustave Le Clézio reflect a sense of wonder about other cultures. ...

Mr. Le Clézio’s work defies easy characterization, but in more than 40 essays, novels and children’s books, he has written of exile and self-discovery, of cultural dislocation and globalization, of the clash between modern civilization and traditional cultures. Having lived and taught in many parts of the world, he writes as fluently about North African immigrants in France, native Indians in Mexico and islanders in the Indian Ocean as he does about his own past.

I had read his first in my halting French (with many dictionaries at my elbows!), but then had lost track of Le Clézio over the decades. That first novel of his was too full of self-loathing. I had too much of my own to expend my reading energies on his work. Maybe now, with his "mature" novels being celebrated so, I should look again.

Owlb