Archive for August, 2008

Xlinks – 28 / 08 / 08

Thursday, August 28th, 2008

Xlinks is a collection of interesting links as discovered by the ProjectX team.

    Flickr uses open street map for Burning Man
    Added on 08/28/2008 at 07:57AM

    8 Golden rules of interface design
    Added on 08/28/2008 at 07:48AM

    Ubiquity – quicksilver of the firefox browser
    Added on 08/28/2008 at 07:44AM

    Olympics medal map: Hat tip to Daniel
    Added on 08/27/2008 at 05:08PM

    Window viewport using Javascript
    Added on 08/27/2008 at 04:29PM

    37signals Architecture
    Added on 08/27/2008 at 09:37AM

    IP Geolocation for Google Maps
    Added on 08/27/2008 at 09:27AM

    Startups warned of VC pitfalls
    Added on 08/27/2008 at 09:18AM

    NZ Video game market worth 145M
    Added on 08/26/2008 at 10:49AM

    Razor profiler – check out your AJAX code
    Added on 08/26/2008 at 08:01AM

    Why the Mega-pixel race has to end.
    Added on 08/25/2008 at 07:38PM

    IE Death March: Hat tip to Darren Wood
    Added on 08/25/2008 at 07:05PM

    Added on 08/25/2008 at 06:05PM

    Latency is everywhere and how to crush it
    Added on 08/25/2008 at 08:58AM

    The secret to happiness: Hat tip to Rowan
    Added on 08/25/2008 at 08:56AM

    Why people believe weird things about money: Hat tip to Rowan
    Added on 08/25/2008 at 08:55AM

    New Google APIs know where you are
    Added on 08/25/2008 at 08:54AM

    Experience is the product
    Added on 08/25/2008 at 08:53AM

    Alan Cooper on Agile Development – Wisdom of Experience: Hat tip to Hayden
    Added on 08/25/2008 at 08:53AM

    Detect The Language Of A Text using Ruby
    Added on 08/23/2008 at 03:13PM

Xlinks – 20 / 08 / 2008

Wednesday, August 20th, 2008

Xlinks is a collection of interesting links as found by the ProjectX staff

    New way to search / browse your browser history
    Added on 08/20/2008 at 10:46AM

    Using photographs to enhance videos of a static scene
    Added on 08/20/2008 at 08:50AM

    Car thieves target GPS devices
    Added on 08/19/2008 at 08:21PM

    Mygazines – Youtube for Magazines
    Added on 08/18/2008 at 04:39PM

    Megaphone – turning phones into games consoles: Seen at UX week by Lulu
    Added on 08/16/2008 at 09:09PM

    This is amazing: Seen at UX Week by Lulu
    Added on 08/16/2008 at 09:06PM

    From Digital Roam
    Added on 08/16/2008 at 07:55PM

    7 months into my 2nd stint as start-up CEO
    Added on 08/16/2008 at 04:13PM

    12 learnings from my first turn as a start-up CEO
    Added on 08/16/2008 at 04:12PM

    UPS saves money by only making right turns
    Added on 08/16/2008 at 10:03AM

    Investment vs Bootstrapping
    Added on 08/16/2008 at 10:01AM

    Apple market cap now worth more than Google
    Added on 08/14/2008 at 07:33PM

    YUI 3 preview release 1: YUI gets serious
    Added on 08/14/2008 at 07:31PM

    Pink box testing: Bad recruitment company practices exposed
    Added on 08/13/2008 at 08:07PM

    Hadoop when grown-ups do open source
    Added on 08/13/2008 at 08:22AM

    No killer apps on iPhone …. yet
    Added on 08/13/2008 at 08:12AM

    Xero awarded 10 Application UI from Jakob Nielsen
    Added on 08/13/2008 at 08:07AM

    Why Apple doesn’t do concept products
    Added on 08/13/2008 at 08:06AM

    This is what happens if you follow google directions…. Humour
    Added on 08/12/2008 at 03:57PM

    Chuck Norris’ing code: Perl + Chuck Norris => AWESOME
    Added on 08/11/2008 at 04:51PM

Security alert – SQL server injection attack on the loose

Sunday, August 10th, 2008

Another SQL injection attack targeting Microsoft’s SQL Server is doing the rounds and looks to be increasing in rate. SANS is reporting that the activity is increasing, and other sources indicate that close variants have infected several thousand sites. I was contacted over the weekend to help recover a database for an international newspaper that had been subjected to the attack earlier this weekend. The damage? Some 40k pieces of data that had been modified to embed the undesirable Trojan code.

Looking into this indicates that the attack is sourced from the ASProx botnet, previously associated with phishing attacks and now pushing malware through sites vulnerable to SQL injection. ASProx uses the Google cache to find targets, initially ASP pages but now also PHP and ColdFusion pages. It also uses a DNS fast-flux (DFFer) technique to hide the actual malware delivery sites. It is understood that the ASProx botnet now exceeds some 30,000 unique IP addresses.

A quick assessment of the NZ landscape, over a sample of 100 of the latest attack signatures (specifically looking at the result of the successful SQL injection), indicates 68 distinct infections across some 18 “NZ” sites… all IIS5/6 sites. Not good news for some, given that a couple of these sites are in NZ’s “top 100” and would service a not-so-insignificant number of unique browsers.
Note: I’ve performed this assessment out of the Google cache, so I’d expect the real picture to be somewhat worse, given SEO (in general) and the timing of Google spider visits.

SQL injection is not a new method of attack, but the sites affected indicate that the quality of website code protecting against this type of attack is still not good enough. The nature of this particular attack is such that there only needs to be a single vulnerable hole. Reverse engineering the attack server-side is relatively easy, but the number of signatures/payloads, and the coding required to identify and block them, can become time consuming. Preventing the attack in the first place is a little more difficult, but not impossible, as the payload continually morphs.

In my opinion the best approach is a multi-layered strategy that provides protection against this type of attack at the database, the application and the web server.
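As an added illustration (not code from the original post), here is a stand-in for the recovery step described above: scanning stored text for the appended script tag and stripping it with parameterised statements, the same discipline that belongs in the application layer. It assumes an in-memory SQLite table in place of the newspaper’s SQL Server database and uses a constructed placeholder payload with a made-up host.

```python
import re
import sqlite3

# Constructed sample data: a content table such as an infected site would hold
# after the attack. The script tag is a placeholder shaped like the appended
# payload; the host is made up and is not a real indicator.
INJECTED = '<script src="http://malicious.example/x.js"></script>'
SAMPLE_ROWS = [
    (1, "Council approves new harbour plan" + INJECTED),
    (2, "Weather: fine spell to continue"),
    (3, "Sports roundup" + INJECTED + INJECTED),
]

# Any <script ... src="..."></script> tag appended to stored text. Match on the
# tag shape rather than a host name so a morphing payload is still caught.
SCRIPT_TAG = re.compile(
    r"<script[^>]*\bsrc=[\"'][^\"']*[\"'][^>]*>\s*</script>", re.IGNORECASE)


def load_sample_db():
    """In-memory SQLite stand-in (assumption) for the SQL Server content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_infected(conn):
    """Return [(row id, number of injected tags)] for rows carrying the payload."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM articles"):
        count = len(SCRIPT_TAG.findall(body or ""))
        if count:
            hits.append((row_id, count))
    return hits


def clean_infected(conn):
    """Strip the injected tags in place; returns the number of rows repaired.

    Values are bound as parameters, never concatenated into the SQL text,
    which is the same discipline that would have kept the payload out."""
    repaired = 0
    for row_id, _ in find_infected(conn):
        (body,) = conn.execute(
            "SELECT body FROM articles WHERE id = ?", (row_id,)).fetchone()
        conn.execute("UPDATE articles SET body = ? WHERE id = ?",
                     (SCRIPT_TAG.sub("", body), row_id))
        repaired += 1
    conn.commit()
    return repaired
```

Run find_infected before and after clean_infected to get a count of affected rows for the incident record; on a real database the same loop would run per text column, with the payload regex widened as new variants are seen.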

Granted, re-engineering an existing site can be time consuming, but, regardless of the complexity and costs involved, a (website) publisher has a responsibility to shield their website from the risk of infection and from becoming a virus-distributing agent. Publishers of any size must protect their sites’ visitors from exposure to malicious scripts at all times.

Are you a responsible publisher? Or do you believe that protection is the responsibility of your browsers?

Where's my Train?

Wednesday, August 6th, 2008

At ProjectX, we’ve been wanting to showcase our abilities in building cool map applications. Here’s a little R&D project that was kicked off as a potential contender for the Mash-up challenge. We’ve built Wellington Trains as a Flash-based “Train Simulation” showing the estimated location of each train in real time. The position of a train is estimated from the train timetable on the Metlink site. The project was inspired by Swiss Trains. We’ve taken it to the next level with properly animated trains, and it runs against the current time. We’re thinking of adding buses to the app in due course. We’ve used Google and Virtual Earth maps in the demo.

It’s fun to watch around 8:30am and 5pm as the number of trains on the network increases.

A big thanks to Metlink for giving us permission to build the demo.

Here are some pictures:

Johnsonville, Hutt and Melling trains on a Google Map.

A couple of trains stopping at the station in Red on a Virtual Earth Aerial map.

A couple of trains stopping at the station in Red on a Virtual Earth Hybridmap.

Here’s a train coming into Ava Station

Where can I load my Snapper card in Wellington?

Wednesday, August 6th, 2008

Looking for a Snapper vendor to buy or recharge your Snapper card?

We’ve tagged up every Snapper merchant on ZoomIn.

Here’s the list of Snapper merchants:

Wellington City Suburbs

Outer suburbs:

Lower Hutt