Archive | August, 2007

Today is BlogDay!

31 Aug

Blog Day 2007

Today is BlogDay.

The idea is to recommend 5 blogs.

Here are my recommendations:

1. YashLabs by Josh Nursing

At YashLabs, Josh has lately been doing some interesting stuff, such as hacking IronRuby, on which he gave a presentation at DemoCampMontreal4. He also has an AI project in the works. I first met Josh in person at the June Yulbiz Montreal event. He is presently looking for a job, so if you are in need of a great person, contact him. His specialities are:

  • Management
  • Business Process Re-engineering
  • IS Re-engineering
  • Information Systems Strategy Development
  • Intranet Strategy Development
  • IS Project Management
  • Systems Engineering, Software Engineering

2. The Praized blog by Sebastien Provencher

Also first met at the June Yulbiz Montreal event, Sebastien Provencher works for the Canadian Yellow Pages, and his blog’s tag line is “Local 2.0 : where local meets social”. It pretty well sums up the content of his daily posts. He also knows how to get attention. From his Robert Scoble is Media post to his Save Business 2.0 initiative, he sure got noticed! So, if you are interested in Web 2.0 and local social networking, be sure to visit the Praized blog.

3. Montreal Tech Watch

To be kept informed of what’s happening in technology in Montreal, be sure to subscribe to Montreal Tech Watch. Heri, whom I know from DemoCamp Montreal 3 and 4, is the main editor and writer. We both gave a presentation at DemoCamp Montreal 3.

4. Marc-André Cournoyer’s blog

Marc-André Cournoyer is a developer at the StandoutJobs startup and I’ve heard more than a few times that he’s a real Ruby on Rails guru. In his blog, you’ll find a lot of interesting stuff concerning Ruby, development methodologies and much much more.

5. Bettina Forget

I wanted to recommend at least one blog that is neither technical nor in my industry. I chose Bettina Forget’s Inside the Artist’s Studio blog because I like her work. She takes some of her inspiration from astronomy, and her work is really beautiful and original. Bettina is an artist I met about 5 years ago because her studio was on the same floor as my office. Since I love astronomy too, I learned that she also takes care of the Royal Astronomical Society of Canada community for Montreal. So, if you like astronomy and art, I’m sure you’ll find her blog most interesting.

My Yulbiz Montreal August report or How Facebook improves networking

31 Aug

After skipping a month, the monthly Yulbiz Montreal event took place last Tuesday evening, on August 28. As always, it’s a great event to meet fellow bloggers, entrepreneurs, creative workers, marketers and all those interested in what’s happening on the Web.

You must know that if you go to such an event and you don’t have a Facebook account (yet), you might be missing out.

To explain, let me recap my own experience.

First, a few months ago I had heard about Yulbiz in Les Affaires. I wanted to go with Kim and had put the event in Outlook, but we were too busy that day. Then, in the following months, we forgot about it. Then, in June, I learned that Michel Leblanc, whom I had met at my office through François Aubin, was on Facebook, and we became Facebook friends. Because he’s the instigator of Yulbiz, I quickly received an invitation through Facebook for Yulbiz.

So, I went last June and I met a lot of great people like (in no particular order) Pierre Bellerose, Josh Nursing, Katheline Jean-Pierre, Sebastien Provencher, Laurent Maisonnave and many others. They became Facebook friends. With the genius that is the Facebook feed, I learned a bit more about them. Because of these friends and their information on Facebook, I learned about and went to a bunch of other events like:

At these events, I met again a lot of people I know and they introduced me to other interesting people.

Understand that I am not too good with names, but because of the friends’ pictures in Facebook and because its feed made me think about the interesting new people I met, I now rarely forget a name. So, this is really helpful.

So, back to Tuesday Yulbiz…

Because Sebastien had posted a link on Facebook that Duncan Moore from The Code Kitchen and I had commented on, Duncan sent me a Facebook friend invitation. He thought, and I agree, that we share similar views on the future of the Web. At that time, which was about 2 weeks ago, I did not know Duncan. I don’t usually add friends that I don’t know. However, I went to see his profile and I saw that he had many of my Yulbiz friends in common with me. So I accepted, since chances were we would meet at Yulbiz. Well, that happened this Tuesday and we had some really great discussions, and yes, we share some similar views. Additionally, I discussed a Facebook application I am developing in secret and he offered to help me get some visibility through a good contact he has. Great! When the main business I’m working on in stealth mode is in need of his expertise, I’ll make sure to think of Duncan.

I also met Kim Auclair for the first time, a young, fun and bright entrepreneur. Because she had commented on the Yulbiz group on Facebook, I already knew a bit about her and I had seen her picture. I remembered her name and almost got her blog address right (it’s a .ca, not a .com!). That’s a pretty good conversation starter. Kim also introduced me to her friend Aurélie Ponton, with whom I spoke quite a bit and who gave me a great impression.

Other people I met for the first time somehow knew a bit about me because they had heard about me through their friend’s feeds on Facebook. When you look at it the other way around, it’s pretty flattering. Someone even knew my name before I told him!

Since it’s a small world, I also met Mathieu Bélanger, president of K3 Media. He already knew about me because we had a forgetful mutual ex-client, but also because he had attended a conference I gave in the past. We had a really great talk and I was glad to meet him.

Through Michel Leblanc, who was wearing a T-shirt for moving the Calder statue, following his Facebook group/movement which recently made the newspapers and other media, I met Pierre Bouchard, with whom I spoke a bit, but not long enough.

As usual, Pierre Bellerose, who is a Vice President at Tourisme Montréal, was present. He introduced me to Louise Collignon who manages communications at Tourisme Montréal and to Véronique Arsenault who is a consultant at Morin Relation Publiques. I also talked to Jean-Julien Guyot, a strategist who works for SidLee (remember Diesel?).

After 9 PM, with almost 20 remaining Yulbizers, we went to have dinner at Cafeteria. At my table was Alain Theriault, whom I had previously met at the June Yulbiz, with whom I had a great discussion and exchanged some tips on wines. At our table, I also met Ariane Labelle, who works at The Code Kitchen. Ariane is quite a fun person to know and I had a great time speaking with her. How often do you meet a girl who not only talks about poker, but also about .Net and C#? I learned that she sometimes publishes her friendly poker events on Facebook to invite her poker friends to her place. The thing is that, because of one of his Facebook status updates, I knew that Pierre Bellerose, who sat beside me, also likes playing friendly poker games. I hope we can get invited to Ariane’s next poker game, because I have been looking for friends who like playing poker for a while.

Before he left, Pascal Veilleux of NSI Solution spoke with me. He has quite a few ideas of Facebook applications to develop.

Two days later, yesterday, I met a lot of the people I mentioned above again at the inaugural apéro du Jeudi, which was organized by Katheline and promoted through Facebook.

In conclusion, Yulbiz Montreal is a great event to meet great people. I also love to use Facebook to improve my networking. I don’t use Facebook to pass time in front of a monitor; I use Facebook to keep in touch with people I know and meet, and to continue to socialize with them in person. That’s what’s important.

Facebook Opening Up: How to get the RSS feed of your Facebook status and update Twitter through Facebook

15 Aug

Yesterday, Dave Winer posted an article saying that Facebook *is* opening up that was followed by a few blogs, including TechCrunch.

As others quickly pointed out, RSS feeds for friends’ posted items and status updates are not that new to Facebook; they have been available for a little while. I have been following my friends’ posted items through Google Reader for a while now and it’s great. I wasn’t aware of the status feeds, however.

As Jeff Sandquist mentioned on Dave Winer’s blog, it would be great to be able to get your own status update feed. With this, you could automatically, through a piece of software or a service, have your Twitter status updated when you update your status on Facebook.

It took me a while last night to find out how to get my own feed, which I did. I was about to post on the subject, when I realized that Jeff Sandquist also found the pieces to the puzzle.

Read his post “How to publish your Facebook status to Twitter” to learn more.

United Nations Web site hacked through amateur SQL injection security hole

13 Aug

You might have heard that the United Nations Web site was hacked Sunday morning. As of Sunday evening, it was still open to attacks.

What is surprising (or is it?) is that it was easily hacked through a SQL injection attack. If any self-described Web developer were to tell me they don’t know what SQL injection is, I would tell them to change career.

A typical SQL injection attack is made possible when an application does not escape (or, better, parameterize) the string delimiters in user-supplied values. When SQL statements are built by concatenating strings, an attacker can supply quote characters that close the string literal early, change the meaning of the statement, or terminate it and append other SQL statements of their own.

For example (typical examples from Wikipedia):

sql = "SELECT * FROM users WHERE name = '" + userName + "';"

This statement checks for a user name (it could also check for a password). As you can see, the userName variable is concatenated into the string and surrounded by single quotes, the usual string delimiter in SQL. Such code is very poor and open to attack, because if userName comes from user input, the user can inject additional quotes by supplying something like:

a' or 't'='t

When reconstructed by the deficient code, the SQL statement becomes:

SELECT * FROM users WHERE name = 'a' or 't'='t';

The supplied quote closes the literal right after the a, and the rest of the input now belongs to the WHERE clause. If that statement was used for some kind of authentication mechanism, the condition would always be true and the system might return content that was not intended for the current user.

In the case of the UN Web site, one of the original Web pages that was hacked can be viewed here.

The titles for the latest speeches were changed to “Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war”.

The Web site was probably hacked through one of the speech Web pages, which have a URL as follows:

http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105

As you can see, this kind of hyperlink takes the parameter:

statID=105

Well, by simply appending a single quote to this parameter, anyone could see that the value went straight into a SQL statement (the database answers with an error instead of a page), and from there run SQL of their own with the permissions of the Web application’s database account. So, the hackers were able to insert (or update) the speeches that are served from the database by concocting their own SQL statements.

It now seems that a filter has been installed on their server, because if you try this URL, your connection will be reset and you will not reach their Web server. Some basic Web security filters block URLs that look suspect; URLs with quotes in them are rarely legitimate, and stopping them can mitigate this sort of attack.

This might stop this particular attack, but if they had data entry forms with similar holes, they would still be open to attack, and URL filtering would not stop these. Note also that a numeric parameter such as statID can be abused without any quote at all (think statID=105 OR 1=1), so a quote filter is a plaster, not a fix. You might put a plaster on a Web site to try to protect it, but in this case the plaster has not even been applied to the other Web sites. At this very moment, other UN Web sites are open to the same basic amateur holes. For example, the UNEP (United Nations Environment Programme) site has also been defaced, probably through the same techniques.

Good security implies different layers of security. At the entry point of the network, you need good firewalls with filtering, intrusion detection systems and fully patched systems. But if the application itself opens up the database through programming holes, these are not worth much.

What’s more damning for an institution or a company that faces humiliation through such public attacks is that basic programming techniques would easily have avoided these holes in the first place:

  1. For performance and security reasons, it is recommended to use prepared (parameterized) SQL statements instead of dynamically building strings: the query text and the values travel to the database separately, so a value can never change the shape of the statement. All modern database engines support prepared statements.
  2. As an alternative to point #1, string inputs could have their string delimiters escaped. However, since most databases support multi-byte character sets and different character set settings, it is quite easy to still leave some escaping holes open. If you need to do this instead (you don’t!), you would need a model that ensures that all input strings are correctly escaped by one central routine. Leaving this task to the individual Web page developers will certainly leave some holes open.
  3. There is a debate about using stored procedures, but by parameterizing inputs and forcing types, user inputs can be correctly constrained. Evidently, to avoid most holes, you would still need to use prepared statements to call the stored procedures, and a stored procedure that builds dynamic SQL from its arguments internally is just as injectable as the concatenated string it was meant to replace.
  4. A good object-oriented approach will also close some holes. In the example of the UN, the parameter is an integer corresponding to the identifier of a record. A typical entity class would use integer properties and lookup methods that only accept integers to search by identifier. Therefore, by using strong types and forcing type conversions, this particular attack would not have happened.
  5. A 3-tier architecture will isolate the database access functions in a separate layer. It does not stop vulnerabilities by itself, but having the database-facing code isolated helps to avoid adding new ones.
  6. A model-view-controller architectural pattern can further isolate the interface from the database.
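To make the two patterns side by side concrete, here is an added example (not code from the original post or from the UN site) in Python against an in-memory SQLite database with constructed sample rows. It mirrors both the users example from the beginning of the post and the statID lookup discussed above: a speech lookup and a user lookup built by concatenation, each beside a counterpart that forces the type (point 4) and binds the value as a parameter (point 1). The table names, rows and function names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data for this example; not the UN site's real schema.
SPEECHES = [(104, "Address to the General Assembly"),
            (105, "Remarks on the Middle East"),
            (106, "Statement on climate change")]
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (statID INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO speeches VALUES (?, ?)", SPEECHES)
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


# --- The deficient pattern: values pasted into the SQL text --------------

def speech_title_vulnerable(conn, stat_id):
    """Mimics a statments_full.asp?statID=... handler that concatenates the
    raw parameter. No quote is even needed to abuse a numeric parameter:
    "105 OR 1=1" returns every row and "0 UNION SELECT ..." reads any table."""
    sql = "SELECT title FROM speeches WHERE statID = " + stat_id
    return [row[0] for row in conn.execute(sql)]


def find_user_vulnerable(conn, user_name):
    """The users example from above: the input lands between two quotes."""
    sql = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def quote_probe(conn, stat_id):
    """The classic first test: append a single quote. With concatenation the
    database trips over the unterminated literal and reports an error, which
    is the tell that the parameter reaches the query unfiltered. Returns the
    error text, or None if the lookup succeeded."""
    try:
        speech_title_vulnerable(conn, stat_id + "'")
        return None
    except sqlite3.OperationalError as err:
        return str(err)


# --- The hardened pattern: force the type, bind the value ----------------

def speech_title_safe(conn, stat_id):
    """statID is a record identifier, so convert it to int first (point 4;
    "105 OR 1=1" and "105'" raise ValueError before any SQL runs) and bind
    it as a parameter (point 1) so the value can never alter the statement."""
    stat_id = int(stat_id)
    rows = conn.execute("SELECT title FROM speeches WHERE statID = ?", (stat_id,))
    return [row[0] for row in rows]


def find_user_safe(conn, user_name):
    """Bound as a parameter, the quote in a' or 't'='t is just data and the
    lookup matches no user."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_name,))
    return [row[0] for row in rows]
```

The quote_probe result is exactly what the UN site gave away: one stray quote, one database error. The safe variants refuse the same inputs before any SQL is sent, and the int() conversion is what point 4 buys you for free on a numeric identifier.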

In Web applications and Web sites, many more vulnerabilities can be made possible through amateurish programming:

  1. Incorrect use of hidden form fields. In HTML forms, hidden fields can be quite useful. When used by amateurish programmers, they are dangerous. For example, I once stumbled on a shopping cart that used hidden fields for the prices of the products sold. By simply saving the HTML of the page to my desktop and changing the prices, I could have ordered the products at my own user-defined prices! Fortunately for the company, it was before the Web site was published and they had called me to check it. It took me 5 minutes to find the hole and I came back to them with my findings. The next thing I heard was that the development company was fired, and I doubt they got paid.
  2. Incorrect use of cookies. When a Web application relies on cookies, it must be very careful about what is stored in them. For example, a poorly developed Web site could simply store a user id in a cookie for a “remember me” option. Then, a malicious user might change that identifier to something else, even to the identifier of a user that has administrative access to the application. Storing the identifier directly is therefore a very bad idea. To at least avoid impersonation of other users (without access to their computers), a secret random-like key could be stored instead. Still, someone with access to the computer could do damage. Because of this, pages that give access to or allow updating sensitive information should require the user to authenticate again, independently of the “remember me” option. There are a lot of different strategies to mitigate the risks of cookie usage.
  3. Code injection. Even if your application prevents SQL injection holes, it might still be vulnerable to other types of injection if you accept user input. For example, with community features like discussion forums, the application needs to filter or encode inputs to avoid Web site defacement through injection of HTML or JavaScript code, what is known as cross-site scripting.
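As an added example for point 2 (not the original post’s code), here in Python is the “remember me” cookie done the poor way, the raw user id, beside one way of doing what the post calls a secret key: the id carries an HMAC tag that only the server can compute, so an edited id fails verification. It closes with the check that sensitive pages still demand a fresh login. The server key, user table and session dictionary are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed for this example: a server-side secret (in practice loaded
# from configuration, never hard-coded) and a tiny user table.
SERVER_KEY = b"example-only-key-change-me"
USERS = {42: "alice", 1: "admin"}


# --- The poor pattern: the cookie *is* the user id -----------------------

def insecure_cookie(user_id):
    return str(user_id)


def insecure_user_from_cookie(cookie):
    """Nothing binds the value to the server: edit 42 into 1 and you are
    whoever user 1 is."""
    return USERS.get(int(cookie)) if cookie.isdigit() else None


# --- A safer pattern: id plus an HMAC tag only the server can compute ----

def signed_cookie(user_id, key=SERVER_KEY):
    """Cookie value "<id>.<hex tag>"; the tag is HMAC-SHA256 over the id."""
    payload = str(user_id).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def user_from_signed_cookie(cookie, key=SERVER_KEY):
    """Recompute the tag over the id actually presented and compare in
    constant time. A modified id, a modified tag, a cookie signed under
    another key or a malformed cookie all fail closed."""
    parts = cookie.split(".", 1)
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    user_id_text, tag = parts
    expected = hmac.new(key, user_id_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return USERS.get(int(user_id_text))


# --- Remember-me is not authentication for sensitive pages ---------------

def can_view_sensitive(session):
    """A session restored from a cookie is enough to show a greeting, but
    pages that read or change sensitive data require the password to have
    been entered in this session (the 'fresh_login' flag)."""
    return session.get("user") is not None and bool(session.get("fresh_login"))
```

The tag does not hide the id (the client can still read it); it only makes the id unforgeable. Anyone who copies the whole cookie from the user’s machine still gets in, which is why the last function exists.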

Application security is a serious matter and is more complex than I can cover in depth on this blog. I’ve noted a couple of beginner’s mistakes, but there is much more than this.

More often than not, especially for small businesses, Web projects go to the lowest bidders, who are not necessarily professionals in the domain. This approach can be risky. I wonder how much the UN paid for their Web sites… I wouldn’t think they would go to the lowest bidder. But, even when paying the right price, you can get more than what you bargained for. It is important to properly research the credentials and experience of the developers who will do the coding.

An institution like the UN would at least need to get an independent consultant who knows the right questions to ask the developers, to verify that they do apply best practices in their development.

Time to buy the XBox 360 in Canada: $100 price cut tomorrow

7 Aug

Following the $50 (USD) price cut in the States, Canadians will get a $100 (CAD) price cut for the Core and Premium consoles and a $50 price cut for the Elite. Prices will be effective on August 8, 2007. So, for the Premium, instead of paying $499, you will be paying $399.

Why the $100 price cut when Americans only got a $50 reduction? Well, with the Canadian dollar almost at par, it seems like an adjustment for our currency’s strength, which wasn’t reflected previously. Also, with the PS3 at $549, Microsoft had to make the pricing more attractive with the new Madden game coming out soon.

Financially speaking, it’s the time to buy the XBox 360 if you were on the fence for a purchase.

However, you might want to wait to pick one up in September to have a better chance of scoring a newer version with the 65 nm chip, which should reduce the risk of a hardware failure. Microsoft recently extended their warranty for the infamous Red Ring of Death problem to 3 years from the date of purchase. Because of this, in the event of a failure, you are in good hands, but you could be XBox 360-less for a few weeks. This weekend, I was a victim of the RRoD. Since I had an extended warranty at Future Shop, I was able to make a deal with the manager to purchase a new XBox 360 and get a refund even if the repair takes more than 30 days. I was RRoDed and I’m still gaming!

Source: XBox Fanboy