Thursday, September 10, 2009

SQL Server Execution Plan

It just so happens that I've been charged with doing some dba stuff. I need to brush up on my execution plan knowledge and I found this great blog with a link to a free e-book.

Thursday, August 20, 2009

Cookies are bad with strong auth in web apps

Here is a great write up by VeriSign on why using cookies for multi-factor authentication is a bad idea. I think they obviously have a solution up their sleeves which will make them money, but besides this I think the point is still valid. It's well worth the read.

No Firewall - How to beat Jordan and Kasparov

I read an interesting blog post (http://1raindrop.typepad.com/1_raindrop/2009/08/there-are-no-firewalls-or-how-to-beat-michael-jordan-and-garry-kasparov.html) the other day which I thought was important enough to blog about. This is good stuff to remember.

ask the client to draw up their security architecture on the whiteboard. This inevitably contains a firewall as one of the central pieces. Next, I ask them what is "behind" the firewall, describe the assets, their value to the business and so on. Then, I say "now imagine the firewall is not there. What would your security architecture look like? What would protect your assets, your data, your users, your apps?" Then I list off a series of attacks that take no notice of the firewall's presence because they were designed to circumvent it from the get go. From an attacker's point of view a firewall is a speed bump, not an immoveable object. It's simply a question of looking at it from a different point of view. Typically, at this point the blood drains from my colleagues' faces.

I call this the Michael Jordan/Garry Kasparov situation.

Question: how can you beat Michael Jordan & Garry Kasparov?

Answer: Get Jordan to play any game except basketball and Kasparov to play any game but chess.

Monday, July 20, 2009

Cross Origin Resource Sharing - Good or Bad?

I recently came across this article. From a web developer's standpoint I think this is a great idea, one can share information more easily. From a security standpoint I'm wary of the idea. I'd need to dissect this even further to get a better grasp on the specifics. It looks like the server must be set up to provide appropriate information as well as the browser. Adding another head simply adds to the attack surface of web applications, which thanks to AJAX has already grown tremendously. It will be interesting to sit and watch the evolution of this new functionality.

Wednesday, July 01, 2009

Mobile site Best Practices

It's been a while since my last post, mainly b/c of time and the fact that it's blocked at work now. Anyway here is a very good list of resources and links for what you will need to develop a mobile site. The standards have come a long way since WAP 1.0.

Mobi Web Developers Guide - requires free registration
W3C Mobile Best Practices
Another XHTML Mobile Profile link
Mobile CSS link

Mobile Icon List

Mobile Emulators - good luck trying to get them to work
Getting Win Mobile Emulator working

.NET Mobile browsers file

Thursday, June 18, 2009

Hay Day 2009

Here are some pictures from helping out with the hay at Stone Fox Farm.

2009_06_16

Tuesday, June 16, 2009

Identifying you between your work and home

I was reading the CryptoGram from Schneier and found this pdf which talks about how a person's identity could be determined based on the couple of locations they use to access sites on the internet. I had actually proposed a possible means of stemming fraud on an application at work by tracking IPs and using a GeoLocation database. While it's not 100%, if you allow x number of IPs to access an "order" for a given user, then compare that against other information and where/when they access the site, you can come up with data points outside of the "norm". Then you can throw a flag advising a human to look closer at an order or a set of users accessing the site. While I have read all of this I foresee it possible to take concepts from this to apply to an algorithm for identifying rogue users.
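The flagging idea sketched above, worked through as an added example (not code from the original post): an order is flagged for human review when more than a set number of distinct IPs touch it, or when consecutive accesses come from different countries faster than a person could travel. The log lines and the prefix-to-country table are constructed stand-ins for real access logs and a real GeoLocation database.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic): time, user, order, client IP.
SAMPLE_LOG = """\
2009-06-16T08:00:00 alice order-1001 198.51.100.10
2009-06-16T08:05:00 alice order-1001 198.51.100.11
2009-06-16T09:30:00 alice order-1001 203.0.113.7
2009-06-16T09:35:00 alice order-1001 192.0.2.44
2009-06-16T10:00:00 bob order-2002 198.51.100.50
2009-06-16T10:02:00 bob order-2002 198.51.100.50
"""

# Constructed stand-in for a GeoLocation database: IP prefix -> country code.
GEO_DB = {"198.51.100.": "US", "203.0.113.": "DE", "192.0.2.": "BR"}

def geolocate(ip):
    """Return the country for an IP, or '??' when the database has no match."""
    for prefix, country in GEO_DB.items():
        if ip.startswith(prefix):
            return country
    return "??"

def parse_log(text):
    """Turn raw log lines into (time, user, order, ip, country) tuples."""
    records = []
    for line in text.splitlines():
        ts, user, order, ip = line.split()
        records.append((datetime.fromisoformat(ts), user, order, ip, geolocate(ip)))
    return records

def flag_orders(records, max_ips=2, travel_window=timedelta(hours=2)):
    """Return {order: [reasons]} for orders whose access pattern is outside the norm.

    Two signals: more than max_ips distinct client IPs touched the order, or the
    order was reached from two countries closer together in time than a person
    could plausibly travel (travel_window). Flagged orders go to a human reviewer.
    """
    by_order = defaultdict(list)
    for rec in records:
        by_order[rec[2]].append(rec)
    flags = {}
    for order, recs in by_order.items():
        reasons = []
        ips = {r[3] for r in recs}
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct IPs (limit {max_ips})")
        recs.sort()  # chronological, so adjacent pairs are consecutive accesses
        for prev, cur in zip(recs, recs[1:]):
            if prev[4] != cur[4] and cur[0] - prev[0] < travel_window:
                reasons.append(f"{prev[4]} -> {cur[4]} within {cur[0] - prev[0]}")
        if reasons:
            flags[order] = reasons
    return flags
```

Running `flag_orders(parse_log(SAMPLE_LOG))` flags only order-1001: four IPs against a limit of two, plus two country changes inside the travel window.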

Wednesday, April 15, 2009

NMap Tutorial

I came across this site that had a tutorial for the tool NMap. I thought I would share.

Twitter worm

Here is an article about the multiple variants of the worm that hit Twitter. I found it interesting that the worm was created by someone who ran a site which is a competitor to Twitter. The article quotes the author of the worm stating "...But I didn't think it would spread as far or as fast as it did."