Archive for the Category Development


Can you really set the bar that low?

Perhaps I’m confused or misread the text. At least I hope I did.

When reading the CNET article “Microsoft modernizes Web ambitions with IE9”, something dumbfounded me. As of today, the preview version of Internet Explorer 9 scores a 55 on the Acid3 test and (more importantly) this is something Microsoft is happy with. For a frame of reference, older versions of IE scored in the 20s and other modern browsers (Firefox, Safari, Opera) currently score in the 90s. Last time I checked, a 55 is still a horrible failure regardless of your last score. Is the bar really so low at Microsoft? We can only hope (and sadly dream?) that Microsoft can make it into the range of the competition by the final release.

On behalf of all internet users: Microsoft/IE, please get your stuff together and raise your standards.

Quick Facebook Insights

In following the flow of social media news, two Facebook articles jumped out at me today.

First, it’s interesting to see the dominance in traffic Facebook continues to build. The traffic of the top sites is staggering. Secondly, it’s interesting to see the evolution Facebook has taken with advertising throughout its lifecycle. As much as I hate shady marketers, the information presented is interesting to consider. Is shady advertising really part of a normal growth pattern? His opinion is interesting, even if you don’t agree with him.

Changes are a coming

This is just a quick heads up to everyone that I plan to expand this blog outside of SEO and development based topics in the near future. I’ve been spending more and more time working on new strategies for up-and-coming media (read: bands), and on lessons learned with marketing and management. You may even catch a concert photo or two as the tour continues on. This feels like a natural extension from where I’m at currently, and will hopefully also help make posts more frequent.

Alternatives to Google Analytics

Google Analytics has become the fast, free and first choice for metrics for many sites. The sites I produce are no exception. But what happens when your client/boss doesn’t want to use Google? Check out these sites with worthy offerings:

What alternatives do you use?

File Naming Conventions

Recently I’ve been working behind the scenes trying to come up with a file naming convention that will receive formal support. I could play on the “designers are unorganized” stereotype here, but I won’t. Working in a mixed designer/developer shop you come to better understand the varying mindsets that we all have in naming our files. Some of us use version numbers to differentiate documents, others use dates or letters. At this point the naming is dependent on the designer(s) assigned to the project. This can become a real issue when many designers come and go on a project, as well as when multiple designers work concurrently together. Can we always rely on the “modified” date? Of course not. The mobile nature of files, copied from station to station, removes this possibility.

So with the stage set, I am leaning toward proposing a format similar to the following:

  • <version>.<revision>.<document_name>.<file_extension>
  • 01.00.mockup-a.psd

Coming from the code side, this is something that makes sense to me. I’m likely to modify this structure as I continue to talk to some of the designers, but I think it’s a good start. I see some clear benefits, including: automatic sorting and identification of latest files, removal of useless/confusing information like the designer’s name and date, and standardised document names (mockup, home, etc.).

While this process is sure to drag on through a number of discussions and revisions, I’m looking forward to getting a standard in place and moving on to my next push – PhotoShop layer comps.

Auto tuning a developer is a bad idea

On vimeo.com via sbahns.com

Auto Tuning from Casey Donahue on Vimeo.

Finally, A Google Analytics API

I can’t express how happy I am that Google finally released a public API for Analytics. Let the barrage of 3rd party tools start coming!

Google Group

Code Code Documentation

Blogspot Blog Post

Development Related Apps I Use on the PC and Mac

So, lacking anything witty for today, I’ve decided to post a list of some tools/apps that I use.

On the PC side:

FileZilla (PC/Mac) $FREE

This app handles both FTP and SFTP. I prefer a simple app for this process and FileZilla delivers. It includes synchronized browsing (a big time saver), stored sites and priority levels.

KeePass (PC) $FREE

Trying to store a number of FTP/SSH/email settings and passwords in anything other than a dedicated (and secure) app has only failed for me. This is another simple and free app to handle the task. The data storage file can even be kept on a networked drive, giving shared access to a single password file.

PuTTY (PC/Mac/Linux) $FREE

I’m a minimalist when it comes to Telnet/SSH access. This client is a small .exe app that does the job. I always stick it in the Windows directory, giving me the option to quickly type ‘putty’ in Start/command line.

IE Tester (PC) $FREE

For quickly testing websites on IE6/7/8, this app is great. You can quickly add tabs with your selected IE rendering engine version. Word of warning though, I’ve noticed that it’s not always 100% accurate for each engine.

SVN/Subversion (PC/Mac/Linux) $FREE

So this is more of an overall tool listing, rather than an app. I use the Linux server components to host my repositories in a central location.

TortoiseSVN (PC) $FREE

This is a PC client for SVN which creates ‘hooks’ that show up as menu items when right clicking a folder. It’s easy to checkout/update/commit right from a Windows folder view.

Versions (Mac) ~$52

This is a subversion client for Mac, that has the familiar Mac styling. It’s easy to recommend this app to other users, as it’s rather intuitive for new subversion users.

Pidgin (PC/Mac/Linux) $FREE

Pidgin is an instant message client, with support for Facebook and Twitter. I find it simple and to the point. It only adds bonus points that it’s free and open source!

TweetDeck (PC/Mac/Linux via Air) $FREE

TweetDeck, for the 5 people who haven’t heard of it, is a Twitter dashboard client that shows friends’ tweets, replies and direct messages. It does the job, though I’d gladly switch when something better comes along.

Anxiety (Mac) $FREE

This is a to-do list app that supports multiple lists and does not make things more complicated than needed. There are a number of similar apps for both Mac and PC.

Geek + Bad Rap == Funny

I’m without many words for this. Sadly, the lyrics are accurate, so I can’t find much fault.

5 Tips For Keeping Your Site Secure

I hope that those visitors who may be newer to development can learn how to keep all of our data safe on the web. I’m sure that those who’ve been doing this for a while have seen all of this before. If enough people find this helpful, I may write up some additional segments in the future.

Cross-Site Scripting (a.k.a. XSS)

The Summary

XSS commonly occurs via a form input that contains malicious JavaScript/VBScript/Flash that is not properly sanitized before use or storage. An example of this is entering a snippet of JavaScript into a textarea field which is in turn displayed as a profile field. In this example, when a visitor views the infected profile, the JavaScript is loaded and the script inside is executed. This could be as simple as an alert box or as dangerous as a way to extract personal information.

Example

A form textarea field “About Me” is stored directly into the user’s profile. The user (“Attacker”) inputs the following:

<script type="text/javascript">alert("Hi there");</script>

Visitors that request the user’s profile will now have a javascript popup with the message “Hi there”.

The Fix

All input data should be sanitized and validated before use or storage. If you’re using $_GET or $_POST directly, then you need to start over. There are many third party scripts that help you sanitize your data, but ultimately it is best practice to understand the sanitization methods in use before you just plug them in. There’s nothing worse than a false sense of security. At a minimum, I recommend running your site through the “Cheat Sheet”.
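As an added illustration (not code from the original post), here is the “About Me” field above handled in PHP: the input is validated before storage, and the stored value is HTML-encoded every time it is output, so the script tag from the example renders as visible text instead of running. Function names are illustrative; PHP 7.1+ with mbstring is assumed.

```php
<?php
// Added example: the "About Me" field from the XSS section.
// Assumes PHP 7.1+ with mbstring and a UTF-8 page; function names are illustrative.

// Validate on input: limit length and reject control characters. Do not try
// to strip "<script>" by hand; such blacklists are routinely bypassed.
function validate_about_me(string $raw): ?string {
    $raw = trim($raw);
    if (mb_strlen($raw, 'UTF-8') > 500) {
        return null;                             // too long: reject
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw)) {
        return null;                             // control characters: reject
    }
    return $raw;                                 // store what the user typed
}

// Encode on output: every time the stored value goes into HTML, escape
// <, >, &, " and ' so the browser treats it as text, never as markup.
function render_about_me(string $stored): string {
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="about">' . $safe . '</p>';
}

// The payload from the example, as the "Attacker" user would submit it.
$submitted = '<script type="text/javascript">alert("Hi there");</script>';
$clean = validate_about_me($submitted);
if ($clean !== null) {
    echo render_about_me($clean), "\n";          // the tag is displayed, not executed
}
```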

Deeper Reading

ha.ckers.org: XSS Test List, a.k.a Cheat Sheet
TestingSecurity.com: XSS Injection
Shiflett.org: XSS
MS TechNet: XSS Testing
Wikipedia Entry

Cross-Site Request Forgery (a.k.a. CSRF)

The Summary

Unlike XSS attacks, CSRF attacks frequently originate off of the target site. The idea of this attack is to exploit the trusted data stored in a user’s cookies, bypassing the login step and proceeding to a desired action. This is possible when a site allows you to complete an action via query string data while relying solely on login data contained within the cookie file.

Example

Knowing that you are a customer of XYZ Bank, an attacker attaches the following image to a forum you visit:

<img src="http://xyzbank.com/transfer?amount=500.00&account=0123456789" />

If you have valid session data, and your bank has not protected itself from this attack, you just lost $500.00.

The Fix

Multiple changes chained together help minimize, if not eliminate, this attack.

  • First, if you’re using a general $_REQUEST variable for input, convert it to $_POST. The image stuffing method shown above works in part because the data is being passed as part of the $_GET data. Using $_REQUEST checks both the $_GET and $_POST datasets for field data and that leaves you (or the bank in this case) open to attack. Attacks via image tags will be blocked by this change, but Javascript attacks will still be possible.
  • Secondly, use and read data not only in cookies, but also in the server session. Most importantly, when doing this make the login data in the session expire after a short amount of time (10-30 minutes). It’s standard practice for banks to do this today, and you should too.
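The bank’s transfer handler from the example with both steps above applied, as an added example rather than code from the post. It goes one step beyond the two bullets by adding a per-session token that the form must echo back, which is the standard defence against the scripted request the post notes is still possible after the $_POST change. PHP 7.0+ is assumed and the closing echo stands in for the real transfer code.

```php
<?php
// Added example (not from the original post): the bank "transfer" handler from
// the CSRF section with the two fixes above applied, plus a per-session token,
// the standard defence against the scripted attack the post says still works.
// Assumes PHP 7.0+; the final echo stands in for the real transfer code.

session_start();
const LOGIN_TIMEOUT = 15 * 60;          // inside the 10-30 minute range above

// Fix 2: trust the server-side session, not the cookie alone, and expire it.
function require_fresh_login(): int {
    if (empty($_SESSION['user_id']) || empty($_SESSION['last_seen'])
        || time() - $_SESSION['last_seen'] > LOGIN_TIMEOUT) {
        session_destroy();
        http_response_code(401);
        exit('Please log in again.');
    }
    $_SESSION['last_seen'] = time();    // sliding expiry, renewed per request
    return (int) $_SESSION['user_id'];
}
// Token: created once per session and embedded in the genuine transfer form as
// <input type="hidden" name="csrf_token" value="...">; a forged <img> request
// or a cross-site script cannot read it, so it cannot send it back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Fix 1: accept POST only and read $_POST only, never $_REQUEST or $_GET.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Transfers must be submitted with POST.');
}
$user_id = require_fresh_login();
if (!hash_equals(csrf_token(), (string) ($_POST['csrf_token'] ?? ''))) {
    http_response_code(403);
    exit('Missing or invalid CSRF token.');
}
// Validate the two fields from the example before touching any account.
$amount  = filter_input(INPUT_POST, 'amount', FILTER_VALIDATE_FLOAT);
$account = filter_input(INPUT_POST, 'account', FILTER_VALIDATE_REGEXP,
                        ['options' => ['regexp' => '/^\d{10}$/']]);
if (!$amount || $amount <= 0 || !$account) {
    http_response_code(400);
    exit('Bad transfer parameters.');
}
echo "Transfer of $amount from user $user_id to account $account authorised.\n";
```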

Deeper Reading

CGISecurity.com: CSRF FAQ
Shiflett.org: CSRF
Wikipedia Entry

SQL Injection

The Summary

Like XSS, the root of SQL Injection lies in using input data without sanitization. SQL Injection passes the input data into a database query, thus giving the user a means to connect directly to an otherwise private database. The input is usually crafted so that the intended query is completed and an additional query is run afterwards. An attacker can also utilize other SQL commands, such as UNION, to add sensitive data to an otherwise normal query.

Example

A corporate support forum allows customers to search the forum for their support topic. This field is passed into the following query:

SELECT * FROM forum_posts WHERE message LIKE '%<search_string>%'

Upon discovering this security problem, an attacker can craft the following search query:

anything%'; SELECT * FROM secret_passwords WHERE name NOT LIKE '%

Together, this forms the following query:

SELECT * FROM forum_posts WHERE message LIKE '%anything%'; SELECT * FROM secret_passwords WHERE name NOT LIKE '%%'

The query now will pull out everything in secret_passwords.

The Fix

While intense filtering may make your database marginally safer, the absolute must is “escaping” the search data when making it part of the search query. Each language has its own functions or add-on classes to accomplish this. The following is an example for PHP:

mysql_real_escape_string(<search_query>)
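The forum search from the example rewritten with a PDO prepared statement, added here as an example rather than code from the post. One caveat a practitioner needs today: the mysql_* extension, and with it mysql_real_escape_string(), was removed in PHP 7, so bound parameters are the replacement. Table and column names follow the example; the DSN and credentials are placeholders.

```php
<?php
// Added example: the forum search from the SQL Injection section done with a
// PDO prepared statement instead of string concatenation. Assumes PHP 7.0+
// with the pdo_mysql driver; DSN and credentials below are placeholders.

function forum_search(PDO $db, string $search): array {
    // The query text is fixed; the user's input never becomes part of it.
    $stmt = $db->prepare('SELECT id, message FROM forum_posts WHERE message LIKE ?');

    // Escape LIKE's own wildcards so a user typing "%" or "_" matches them
    // literally. This is about meaning inside LIKE, not about injection:
    // the bound parameter already guarantees the input is a plain string.
    $escaped = addcslashes($search, '%_\\');
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, one statement each
]);

// The payload from the example: as a bound parameter it is just a string that
// fails to match any post, and the second statement is never executed.
$payload = "anything%'; SELECT * FROM secret_passwords WHERE name NOT LIKE '%";
$rows = forum_search($db, $payload);
printf("%d posts matched\n", count($rows));
```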

Deeper Reading

Wikipedia Entry
PHP.net Manual Entry
MSDN: Protecting ASP.net From Injection

Session Poisoning

The Summary

Session poisoning is similar to XSS, in that input data can be used to exploit the storage and use of said data. While XSS uses the re-display of this data in the browser, Session Poisoning relies on the use of unsanitized session data being used in code before information is displayed.

Example

Via Wikipedia Entry:
$var = $_GET["something"];
$_SESSION["$var"] = $var2;

The Fix

Like XSS, the fix for Session Poisoning is sanitizing user input. It is also suggested to validate and sanitize the data once more when retrieving data from the session. It may seem like a belt and suspenders approach, but it is possible to get data into a session that you did not sanitize. This can be seen most commonly with shared web hosts.

Deeper Reading

Zend.com: Session Management
Wikipedia Entry

Cookie Poisoning

The Summary

Cookie Poisoning relies on a website fully trusting, and failing to validate, data retrieved from cookies. Cookie data may be edited to create attacks via SQL Injection or, when cookie data is solely relied upon for user authentication, to impersonate a user with elevated permissions.

Example

SELECT * FROM permissions where user_id=$_COOKIE['user_id']

The Fix

Once again, validate and sanitize your data. Additionally, don’t depend on cookies as your sole means of user authentication. Authentication should be composed of both cookie and session data. Only store absolutely required data in a cookie and encrypt the data before storage where possible.
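One added example serving both the Session Poisoning fix and the Cookie Poisoning fix above (not code from the post): the client never chooses a session key, identity comes from the server-side session set at login rather than from $_COOKIE, and the permissions lookup from the example binds a validated integer. Function names are mine; an in-memory SQLite table with constructed rows stands in for the real permissions table so the block runs stand-alone. PHP 7.1+ with pdo_sqlite is assumed.

```php
<?php
// Added example covering the Session Poisoning and Cookie Poisoning fixes
// (not from the original post). Assumes PHP 7.1+ with pdo_sqlite; an in-memory
// SQLite table with constructed rows stands in for the real permissions table.

session_start();

// Session poisoning: the client must never choose the session key, as in
//   $_SESSION[$_GET['something']] = ...;
// Accept only whitelisted keys and check each value against a fixed pattern.
const ALLOWED_PREFS = ['theme' => '/^(light|dark)$/', 'per_page' => '/^(10|25|50)$/'];

function save_preference(string $key, string $value): bool {
    if (!array_key_exists($key, ALLOWED_PREFS) || !preg_match(ALLOWED_PREFS[$key], $value)) {
        return false;                   // unknown key or malformed value: dropped
    }
    $_SESSION['prefs'][$key] = $value;
    return true;
}

// Cookie poisoning: identity comes from the server-side session populated at
// login, never from $_COOKIE['user_id'], which the client can rewrite at will.
function current_user_id(): ?int {
    $id = $_SESSION['user_id'] ?? null;
    return (is_int($id) && $id > 0) ? $id : null;
}

// The permissions lookup from the example, with the id bound as a parameter.
function load_permissions(PDO $db, int $user_id): array {
    $stmt = $db->prepare('SELECT permission FROM permissions WHERE user_id = ?');
    $stmt->execute([$user_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Stand-in database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE permissions (user_id INTEGER, permission TEXT)');
$db->exec("INSERT INTO permissions VALUES (7, 'read'), (7, 'post'), (1, 'admin')");

$_SESSION['user_id'] = 7;               // what the login code would have set
$_COOKIE['user_id'] = '1';              // attacker-edited cookie: never consulted

save_preference('admin', 'true');       // rejected: "admin" is not a whitelisted key
save_preference('theme', 'dark');       // accepted: key and value both pass
$uid = current_user_id();               // taken from the session, not the cookie
print_r($uid === null ? [] : load_permissions($db, $uid));
```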

Deeper Reading

Security Focus: Penetration Testing (Part 3)
Wikipedia: HTTP Cookies
