Saturday, July 03, 2004

Patch for IE

Hackers have long insisted that steering clear of Microsoft's Internet Explorer browser is one of the easiest ways to protect computers from many of the security threats that lurk on the Internet.

That suggestion is often greeted with apathy or angry accusations that the geek in question was indulging in Microsoft-bashing -- admittedly a not-uncommon activity in hacker circles.

But last Friday, in response to the latest security exploit involving Microsoft products, the usually staid U.S. government's Computer Emergency Readiness Team, or US-CERT, published a warning strongly suggesting that users of Microsoft's Internet Explorer should switch to another Web browser, due to "significant vulnerabilities" in technologies included in IE.

Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.

"Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.

But many evidently took CERT's warning to heart and downloaded Mozilla or Mozilla's Firefox, free, open-source Web browsers developed and distributed by the Mozilla Organization, which resurrected the remnants of Netscape after it was purchased by AOL in 1999.

Downloads of Mozilla and Firefox -- a standalone browser built from the Mozilla code base -- spiked the day CERT's warning was released, and demand has continued to grow. According to Chris Hofmann, engineering director at the Mozilla Foundation, formed last July to promote the development, distribution and adoption of Mozilla Web applications, downloads of the browsers hit an all-time high on Thursday, rising from the usual 100,000 or so on a normal day to more than 200,000.

Hofmann said the Mozilla team wasn't surprised when CERT issued its warning.

"Mozilla and Firefox downloads have increased steadily since last fall, with the Firefox user base doubling every few months, as more people seem to have reached their threshold level of frustration dealing with problems with IE and Windows, and have found the Mozilla software a good solution to solving those problems," said Hofmann. "CERT's recommendation is just a reflection of the trend we have seen for quite some time."

Security experts said Mozilla's lack of native ActiveX support makes the browser more secure than IE. ActiveX was intended to allow websites to add multimedia and interactive features, but has lately been used to slide spyware onto PCs without the user's knowledge or explicit consent.

"ActiveX allows programs to run in the browser," said Patrick Hinojosa, chief technology officer at Panda Software, a security software vendor. "It is a big part of the security equation, as most IE users don't have this locked down by default."

"But there have also been some exploits of the IE browser that had nothing to do with ActiveX," Hinojosa added. "There have been numerous IE patches issued over the last year or so."

Mozilla's Hofmann agreed that ActiveX is only part of the story, pointing also to IE's tight integration into the Windows operating system, and to differences in the default security settings and architecture of IE and Mozilla, as other reasons why Mozilla browsers are more secure.

"Tight integration of the browser with the operating system provides some convenience and power for Windows developers and users, but has also been a continuing source that allows malicious hackers to leverage that same convenience and power for their exploits," said Hofmann.

"Most of this convenience centers on the default protection mechanisms for downloading, installing and running executable programs without the knowledge of the user or any intervention by the user."

Mozilla requires users to acknowledge and explicitly approve anything that involves downloading, installing or running executable code, or any other potentially risky operation. A well-patched version of IE usually does the same, but Mozilla's prompts also stand in the way of the automated attacks that have plagued IE users and keep the malicious code from ever running, which is what has kept Mozilla and Firefox out of many of those incidents.
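Hinojosa's point that most IE installations do not have ActiveX locked down can be checked directly. The script below is an added example, not code from the Wired article or from Microsoft, Mozilla or Panda Software: it reads the ActiveX-related URL actions of IE's Internet zone (zone 3 under Internet Settings\Zones in HKCU) for the current user, reports which ones are silently enabled, and with -Harden switches them to prompt or disable. The action IDs and the 0/1/3 encoding (Enable/Prompt/Disable) are the documented registry layout for IE zones; the target values and the script name are this example's own choices, not a vendor recommendation.

```powershell
# Added example, not from the article or any vendor quoted in it.
# Audits, and with -Harden sets, the ActiveX URL actions of IE's Internet
# zone for the current user. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Harden)

$ZonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Documented action IDs for the ActiveX-related settings of a zone.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Target state chosen for this example: nothing downloads or runs from an
# arbitrary site without the user being asked, unsigned/unsafe paths are off.
$Hardened = @{ '1001' = 1; '1004' = 3; '1200' = 1; '1201' = 3; '1405' = 1 }

# Caveat: when an administrator forces machine-wide zone settings, HKCU is
# ignored and editing it here would only give a false sense of security.
$policy = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
if ($policy -and $policy.Security_HKLM_only -eq 1) {
    Write-Warning 'Security_HKLM_only is set; per-user zone settings are not in effect. Audit HKLM instead.'
}

$zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop

foreach ($id in $ActiveXActions.Keys) {
    $current = $zone.$id
    $state = if ($null -eq $current) { 'not set (zone template default)' }
             elseif ($Meaning.ContainsKey([int]$current)) { $Meaning[[int]$current] }
             else { "unknown ($current)" }

    # Value 0 means the action happens silently: the "not locked down" case.
    $weak = ($current -eq 0)

    [pscustomobject]@{
        Action  = $id
        Setting = $ActiveXActions[$id]
        Current = $state
        Weak    = $weak
        Target  = $Meaning[$Hardened[$id]]
    }

    if ($Harden -and $current -ne $Hardened[$id]) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Hardened[$id] -Type DWord
    }
}
```

Run it as the user whose browser is being audited (the file name is hypothetical): `.\ie-activex-audit.ps1` only reports, `.\ie-activex-audit.ps1 -Harden` applies the target values. A row with Weak = True on action 1200 is exactly the default Hinojosa describes: controls run with no prompt at all. Setting 1200 to Prompt rather than Disable mirrors the explicit-approval behaviour the article credits to Mozilla while leaving sites that genuinely need a control usable.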

But some security experts believe that Mozilla's biggest security benefit is that the browser is not in wide use yet.

"It is not so much a question that one browser is inherently safer than another, but the fact that so many people use Explorer," said Carole Theriault, security consultant at Sophos, a security software vendor.

"Microsoft is targeted because they are so successful. And they have a hard job ahead of them. Something like 90 percent of the world's computers run Microsoft operating systems. This homogenous environment is attractive to those cyber criminals looking to make some kind of impact."

Hofmann also credits Mozilla's open-source development model with the browser's security successes.

Every change made to Mozilla applications is first peer reviewed by at least two engineers who are familiar with the code and overall architecture of the system before the new code is allowed into the product. Then the product goes through a series of automated tests and evaluations, after which Mozilla users and the development community are invited to review the impact of each change by downloading the test builds that are produced two or three times a day.

"All kinds of hackers, from junior high school whiz kids to graduate students to seasoned engineers that work for companies that use and deploy Mozilla technologies have the code available to study and improve," said Hofmann.

Microsoft's Schare said that Microsoft also continues to work to improve the security of Internet Explorer, and said focusing on security is a top priority for the company.

Schare said the Windows XP Service Pack 2 with Advanced Security Technologies, expected to be released later this summer, will deliver improved security infrastructure that will help reduce a PC's vulnerability to certain types of attacks. It will also include a new pop-up blocker and download monitoring tool that will help reduce unwanted or potentially malicious content and downloads.

"As for last week's IIS issues, Microsoft is aggressively working to provide a comprehensive fix for all supported versions of IE," Schare said. "This will be released once it has been thoroughly tested and found to be effective across the wide variety of supported versions and configurations of IE. In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

Friday, July 02, 2004

A new MS security initiative

On July 2 MS published a remedy for the latest bug in the MS IE browser. It can be downloaded from MS Update. In addition, under the "security" link there is information: a monthly bulletin on securing networks. The page on the security of MS products: "security".

Wednesday, June 30, 2004

The Scripting Guys' First Blog

Friday, April 30, 2004


HTML DB as an extension of the PL/SQL Web Toolkit

HTML DB - The Web Development Tool For The Rest Of Us?
I went along to an Oracle Partner Workshop on HTML DB yesterday, at Oracle's offices in Reading, UK. Oracle run these occasionally and they're a good opportunity for developers to quickly get to know new Oracle products.

HTML DB is the new 'rapid application development' tool for the Oracle database, delivered as part of Oracle Database 10g or as a separate download for Oracle 9i 9.2.0.3 or higher. HTML DB helps you generate PL/SQL web applications, with the Oracle Portal 'look and feel', using a declarative GUI environment that is aimed at developers and power users with a basic understanding of SQL and PL/SQL.
Applications built using HTML DB are positioned somewhere between Oracle Portal applications (built using the forms and chart wizards within Portal) and full-blown J2EE applications, built using JDeveloper, UIX, BC4J and so on. I was particularly impressed with HTML DB, and here are a few reasons why.

First of all, it's a web applications development environment that's particularly suited to PL/SQL developers. If you've used the PL/SQL Web Toolkit that comes with Oracle 8i and higher, you'll immediately feel comfortable with the mechanisms behind HTML DB - it's all written in PL/SQL and uses the Web Toolkit, and applications built using HTML DB are PL/SQL Web Toolkit applications. Although HTML DB applications have the same look and feel as Oracle Portal applications, and those built using JDeveloper, UIX, ADF and so on, there's no Java, JSPs, servlets and so on behind the technology. Everything is built using the HTML DB graphical user interface, and any coding that needs to be done (which is very little) is done directly in PL/SQL. In addition, all of the functionality of HTML DB is exposed as packages, procedures, bind variables and normal Oracle tables, and it's therefore extremely easy to interface HTML DB with your existing PL/SQL program logic. It's a web development environment 'for the rest of us'.

HTML DB looks very easy to use. It's aimed at all the Microsoft Access developers you find within an organization, and consequently the building process is iterative and encourages experimentation and trying things out. Each form and report you build has an 'edit' link at the bottom, allowing administrators to change things around and rerun the form without the need to recompile, relink and rebuild the application. Data from spreadsheets and text files can be easily uploaded to the database, with HTML DB creating tables and auto-incrementing primary key columns behind the scenes. Everything is done graphically, and there's no real requirement for you to design your application in full up front - the tool encourages experimentation and it's easy to add functionality to an application as you go along.

Having said that, it's not a 'dumbed down' application. HTML DB applications can authenticate against Oracle OID and Single Sign-On, other LDAP servers, external authentication methods or use Oracle database security. HTML DB applications can be published to Oracle Portal, and can take advantage of database features such as Fine-Grained Access Control and Label Security.

One of the coolest features in HTML DB is how it handles sessions and state. Traditionally with PL/SQL Web Toolkit applications, handling session data is a bit of a headache, with custom code having to be written to store session data in cookies; HTML DB automatically handles sessions by assigning a numeric ID to each logged-in user, and automatically passes that ID around from page to page. The numeric ID gets stored in the database, with all session variables saved in Oracle tables using this ID. (Because that ID is what identifies the session, it has to be unguessable, and since it travels in the page URLs it shows up in browser history, proxy logs and Referer headers, so it should be tied to the authenticated user rather than trusted on its own.) This means that the database, rather than an application server, handles sessions and statefulness, which uses up less memory and takes all of the responsibility away from the application developer.

The only part of Oracle's approach towards HTML DB that I'd disagree with is that they are pitching it towards what they refer to as 'Power Users' - users within the business who currently build VBA applications, spreadsheets with lots of macros, and so on. In my opinion, it's better suited to PL/SQL developers, ideally with experience with the web toolkit, who want to make themselves more productive and turn out applications of a higher quality and in less time. You don't need to know PL/SQL, but the tool is much more powerful if you do, and applications that HTML DB creates look just like the Java web applications created using JDeveloper.

Being honest, because HTML DB is pure PL/SQL, and runs directly on top of the Oracle database, it's got a smaller footprint and appears to run faster than a Java web application, and would be easier for a PL/SQL developer to design and debug than an n-tier Java application.

In my opinion, HTML DB is just the tool that PL/SQL developers have been looking for. It's easy to use, but still allows us to use our Oracle development skills to turn out top-notch applications. Give it a look over when you get a chance.

Portal
LDAP
PLSQL Web Tool Kit
HTML DB

Tuesday, June 29, 2004

The continuation of Visual InterDev 6.0 in Visual Studio 2005

The whole rich/dynamic interface pendulum swings widely and often. Rich is where commercial vendors want us to go, because rich front ends require vendor-specific run-time software, dev tools matched to the run time, books and classes, support contracts, consulting, coffee mugs, and so forth. Not to mention the specialized developer skills that might prove useless in their next job.

With rare exceptions, a rich interface is static. We don’t have static work habits, static job descriptions, static database layouts, or static connections between servers and services. If everything we do is dynamic, what room is there for static interfaces or static client-side programming languages?

The swing toward static richness isn’t just a Microsoft thing. Apple’s Xcode, as fine a development environment as it is, also squeezes developers into rich, static interfaces. In a way, Apple’s shortcoming is more egregious because Unix developers take for granted that applications will work remotely with minimal client-side requirements. Xcode can’t (or won’t) manage that, despite the uniformity of the server software that ships with every Mac. At least WebObjects, Apple’s flexible Web application development and deployment suite, provides a true Web app environment, albeit at a cost.

Visual Studio 2005 doesn’t send Web developers to external tools, and Microsoft has taken advantage of its new Web-friendly toolset. Internet Explorer is a prerequisite for many of Microsoft’s recent and upcoming releases. Visual Studio Team System, SQL Server Reporting Services, Windows Server 2003 management tools, and SharePoint use IE as their presentation engine. SharePoint makes heavy use of .Net Web Parts technology. Web Parts are very cool — dockable, resizable windows inside a browser look great. But their use is not mandatory. You still have a browser back there. Microsoft’s use of XML and Web services to feed data to Web Parts takes some of the proprietary sting out of this .Net rich front-end approach.

My greatest source of delight is the restoration of Visual InterDev, Visual Studio 6’s sweet and brutally murdered Web application IDE, to Visual Studio 2005. Of course, the name has changed to save face, and Microsoft didn’t give in to all of the developers’ demands. If Microsoft is holding out on Web dev tools, it should fork them over. IIS has always been a crown jewel of Windows, right up there with SQL Server and Terminal Services. IIS is Microsoft’s app server, and it’s useless without tools that create dynamic, scriptable interfaces.

I wrote a fat, marriage-straining book, Windows 2000 Web Application Development, that clarified my philosophy: Browser technology — DHTML, CSS (Cascading Style Sheets), DOM, and JavaScript — has no equal in the rich world for flexibility, interoperability, and rapid development. The only thing missing, and it irks me to no end, is a fast browser. Mozilla’s got some lightweight browser work under way. Maybe Apple will put the spring back in Safari’s step, which has gotten slower and fatter of late. But I am encouraged and amused to find that Microsoft’s own application developers are refusing to let Internet Explorer and Visual InterDev die.

Tom Yager is technical director of the InfoWorld Test Center.

Technology news in Longhorn


---- Original Message ----
From: Marek W
To: marekw1958@tlen.pl
Date: Mon, 28 Jun 2004 23:02:41 -0700 (PDT)
Subject: [Dzienniczek] Technology news in Longhorn

Longhorn and Avalon
A new quality: the vector graphics subsystem, AVALON

By Bryan Muehlberger

Over the course of the last five weeks, we discussed Microsoft Windows
Storage Server 2003 and the associated benefits and technologies
associated with it. This week, we start a discussion on Microsoft's
next major release of Windows, codenamed Longhorn, which will come
packaged with a number of new technologies that you need to make sure
you know.

One of the new technologies being released with Longhorn is the new
presentation subsystem, called Avalon. Avalon is positioned as a new
graphics subsystem that serves as a foundation for Longhorn's shell.
Avalon will also come with a full set of the user interface components
for Longhorn. By integrating user interface (UI), documents, and media
into the next generation of interactive client applications and
experiences, Longhorn will achieve a more unified approach, as well as a
fully integrated development and user experience.

Avalon will better utilize the power of the PC throughout the graphics
stack, bringing designers directly into application development.

A major capability of Avalon is its support for XAML (Extensible
Application Markup Language), which provides a one-to-one correspondence with the object
model within the presentation layer of Longhorn, with its key role being
to enable interoperation between UI authoring tools and developer tools.

Avalon will also provide built-in support for recent advancements in the
Windows OS, such as the Tablet PC and the Windows XP Media Center
Edition operating systems.

Join me next week when we talk about how to use the "run as" feature in
Windows Server 2003.

--
Posted by Marek W to Dzienniczek at 6/29/2004 08:00:35 AM

FYI - Article from CIO Magazine


Reader's comments:
Interesting thoughts

CIO Magazine
Jun 15, 2004

Six Tips for Effective Career Development Programs

Executive Council members share their tried-and-true methods for grooming their staff.

By Martha Heller

If we've said it once, we've said it a thousand times: Your people are your greatest asset, and you need to develop them with as much care as you would your systems and products. Yet, career development programs are often given short shrift by senior executives with deadlines and budgets on their minds.
Members of the CIO Executive Council, a professional organization of CIOs founded by CIO magazine, told us about their career development programs and what makes them work. Here are some guidelines for getting the most out of your human investments.


1 Walk the halls.
Senior management meetings are not the right place to glean the career aspirations of your staff. "My organization is five deep. If I waited for the chain of command, I would never get the information I do by just asking people about their careers," says Samantra Sengupta, CIO of the Scotts Co. "I walk the halls a lot and sit down with people at all levels to understand their needs and desires." Based in part on staff feedback, Sengupta decided to split what was solely a managerial career path into three separate paths: traditional management, heavy technical competency with light management and architecture with no management responsibilities. The paths carry similar compensation plans but allow each person to do what he does best. Before you walk the halls, make sure you clearly understand how much flexibility HR will allow when setting up a new career development program, cautions Sengupta. "If you encourage people on your staff to give you a data dump about their career, they may believe that you will act

2 Create an integrated job model.
When Jim Burdiss became CIO of Smurfit-Stone in January 2002, there were few titles on his staff other than "systems analyst." So he put Keith Fehd, director of applications development and support, in charge of developing a program that would define paths for progression along four distinct disciplines: applications, infrastructure, business operations and management. "The program is successful because it integrates job titles with salaries, skill requirements, merit increases and our annual review process," says Burdiss. "We now have a much clearer view into the skills of our organization, and our people truly understand their growth potential."


3 Launch a publicity campaign.
Just like any major initiative, a new career development program needs a timely and effective communication plan. "It took us 14 months to build our integrated model," says Smurfit-Stone's Fehd. "If we had publicized it early or not well enough, we would have raised expectations or created uncertainty about a pretty sensitive subject."


4 Promote leaders carefully.
Successful project leaders do not necessarily make great managers, says Linda Brigance, CIO of FedEx Asia Pacific. "People tend to look at great projects and want to promote their leaders," she says. "But we need to pay close attention to how their leadership skills translate in tougher situations. Are they as successful at guiding and motivating their teammates when the going gets tough?"


5 Incorporate business training.
Burdiss at Smurfit-Stone hired an outside consultant to design a "Business 101" course specifically for the IT team. With sections on the supply chain, supply and demand planning, marketing, budgeting and financials, the business course has gone a long way toward helping the IT people at Smurfit-Stone understand the business they support.


6 Use cross-training.
When Barbara Kunkel, CIO of Nixon Peabody, is out of the office, one of her direct reports is acting CIO. Her managers regularly facilitate department meetings, entry-level technical support specialists team up with seasoned staff, and office services employees intern in the IT department during the summer months. "Cross-training is a great career development tool," says Kunkel. "But it needs to be a planned activity with clearly thought-out goals, and it should provide workers with continued job enrichment opportunities once they return to their routine duties."


The Case
Moving to an open-source environment with Linux
Council Member
Marc West, SVP and CIO, Electronic Arts

The Challenge »
Electronic Arts' website, EA.com, had grown into the fourth-largest computer games destination on the Web, with 10 million visitors playing a combined 4.5 billion minutes a month. However, as the site grew, technology spending was a disproportionately large hit on the company's bottom line. Each time EA wanted to increase the number of online game players, it had to purchase more Sun Unix servers for its Equinox-hosted data center and license more software.
With the recent launch of EA's new Club Pogo premium games, EA added another 360,000 paying subscribers with plans to double the community in the near future. West was faced with two challenges: Deliver a high-performance, high-availability online experience--and do so at a low initial and ongoing cost.
West believed that switching to a "commodity computing" architecture--using open-source Linux server software on Intel boxes instead of running Unix on Sun machines--could help EA cut its technology costs for online Web games. "Lintel" servers are "cheap, fast and disposable; investment levels are less; and if they burn out or need to be refreshed, you can manage against a shorter and less expensive asset lifecycle," West says. And with the right architecture, they can be scaled up or down in response to business-driven demand.

The Execution »
It took four months to develop and pilot a website for game players to beta test. "The amount of time and level of effort was no more but no less complicated than any other technology change that a company might do," West says. "Most people would say, 'It would take me forever; I can never leave my current environment.' While it's a change, it's not that complicated."

Lessons Learned »

* Choose a vendor that has experience doing these types of re-architecting efforts. "Each vendor had a cookbook that it wanted us to follow, but none of the cookbooks fit what we were trying to accomplish," West says, adding that a consortium type of approach would have been more helpful.
* Allow some time to fully investigate the legal issues surrounding Linux and the SCO lawsuits. Electronic Arts did and was satisfied that it was safe to move ahead with such a large Red Hat deployment, although EA still keeps tabs on legal issues.
* Have someone on staff with a deep knowledge of Linux in a distributed-computing environment rather than relying on consultants for this know-how.
* Make sure you have won the hearts and minds of your applications and engineering teams. "You do cross a few career paths when you do this," West says. By asking people to switch from the "monolithic computing" world to the distributed commodity computing world, West says, "you're asking people to make a significant change in how th



http://www.cio.com/archive/061504/exchange.html

CIO Magazine
Copyright 2004 CXO Media Inc



