The blog of Russ (snake) Michaels - News & Gossip

Sign into multiple Gmail accounts at once

Wed, 04 Aug 2010 19:40:00 --0100

Do you have multiple Gmail accounts? Then you will be happy to hear that Google is rolling out a new feature that lets you sign into multiple Google accounts at once. This is a pretty great feature, and one that will save many people a lot of time.

As far as multiple login goes right now, you can currently be signed into only two separate accounts at once â?? one Gmail Account, and one Google Apps account. This lets you be logged into your personal stuff, and your work stuff at the same time.

Until now though, there was no way for you to be signed into multiple Google Accounts â?? say, three Gmail accounts. People maintain multiple accounts for various reasons, now switching between them is a whole lot easier.

In supported applications, like Gmail, Google Calendar, Google Sites, Google Reader, Google Voice, App Engine and Google Code, there will be a dropdown that lets you choose which account you want to look at. I suspect it will be something like Google Analytics, where you can choose which account you want to view.

To set up this functionality, you have to visit your Google Account page, and enable multiple logins â?? you may not see it yet, but according to Google Operating System, itâ??s on the way.

What OS are web developers using?

Tue, 20 Jul 2010 17:58:00 --0100

The open source PHP dynamic language is one of the most widely deployed languages on Web servers today. But what operating systems are PHP developers using to develop and deploy their applications? It's a question that has been asked before and now it's being answered with a new study from Zend, one of the lead commercial backers behind PHP.

The study surveyed 2,000 PHP developers in December and found that 85 percent reported that Linux was their primary operating system as a production environment for PHP.

Windows came in at a distant second at 11 percent while Mac OS X came in third at just 2 percent. However, when Zend drilled down into which platforms respondents prefer for their development, the rankings change dramatically.

According to the study, 42 percent of respondents reported that Windows was their primary operating system for development. Linux came in as No. 2 at 38.5 percent while Mac OS X remained in third place at 19.1 percent.

The findings indicate that while Microsoft Windows remains the top platform for developing in PHP, its lead may be narrowing. Back in 2006, a Microsoft executive reported that 85 percent of PHP developers were developing on Windows, but only 20 percent deployed on a Windows machine. The change comes despite joint work by Zend and Microsoft to improve the capabilities of PHP on Windows servers.

that the new study was based on over 2,000 completed surveys conducted in December 2009, some of which came from Zend customers. The survey was made public through the Zend Framework website, the Zend monthly newsletter, Twitter and DevZone.

I have also noticed recently from reading blogs and lists that the majority of CFML open source developers seem to deploy Railo or Open BlueDragon on Linux, which is a major paradigm shift from ColdFusion developers who primary use Windows.

I don't think this is a matter of preference but rather one of necessity as pretty much all the PHP documentation is for Linux, most PHP apps are written for Linux/Apache and are not supported on windows even if you can get them working.

If you have tried to install Railo then will have discovered this can also be quite a task and a challenge to get working, especially on windows/IIS7, and there are far more blog posts and docs explaining how to get it running on Linux, as well as ready made virtual disk images, which I suspects encourages people to take the path of least resistance and install Linux.

In the case of CFML this does however tend to be done using virtualisation software such as virtualbox or vmware to run a linux development servers on windows, so cfml developers do still seem to be using windows as their primary desktop OS, so I do wonder if Zend took this into consideration with their study and if many of those who listed Linux as their primary development OS may in fact be running it as a virtual machine on windows. This feeling is further extrapolated by the fact that developers are mainly using servers distros like CentOS.

You also need to consider all the obvious facts as well:- While Linux has a lot going for it and plenty of software, most of the best/popular software, especially web dev/design products like Dreamweaver and the rest of the Adobe line is not available on Linux. Sure there are alternatives, but they are certainly not in the same league and you can't walk into PC World and buy any of it. For those who have always been running a Linux desktop this will of course not matter at all, but for the rest this will be a big issue, especially if it is software you have spent a lot of money on, so running a virtual machine makes sense.

Of course it could be the other way round entirely and developers are running a windows VM on linux, but this would seem an off way of doing it if their primary tools are on windows.

Before the Linux fanboys start ranting, let me make it 100% clear that this is not a linux vs windows slanging match and I will delete all churlish comments attempting to turn it into one. If you comment keep it on-topic and professional.

FREE Railo hosting is now available at CFMLDeveloper.com

Tue, 29 Jun 2010 16:41:00 --0100

As of today, Railo 3.1 is now available at CFMLdeveloper.com.

If you already have an account then simply login to HELM and go to Packages -> add new and choose one of the new Railo Plans. Please note that the SETUP fee still applies for all new packages, but is still a one-time fee for fraud validation purposes and your hosting is then FREE forever. For more info please refer to the HELP pages.

If you do not yet have an account then simply SIGNUP from the hosting page.

Please don't forget to check the Hosting support pages if you get stuck, most common questions can be found there.

Photoshop CS5 demonstrates its stunning new party piece

Wed, 24 Mar 2010 21:36:00 --0100

I just had to share this as it is totally awesome. So many times I could have used this.

The now-familiar release cycle of Adobe's Creative Suite is signalled by two things: the hype and expectation of those who rely on Adobe's applications and prices that, especially for UK users, seem to soar further into the stratosphere with every new version.

A single new feature, though, has awed the PC Pro office and suddenly made CS5 seem like fantastic value for money. It's been dubbed the Content-Aware Fill, and has been shown off in a YouTube video narrated by Bryan O'Neil-Hughes, a product manager on the Photoshop team.

The dull, businesslike name hides a potentially revolutionary feature: if you're not happy with an item in your picture, select it, delete it, and Photoshop will analyse the surrounding area and plug the gap as if it never existed.

It seems easy to use and incredibly proficient: O'Neil-Hughes used it to remove lens flare, turn patchy and litter-strewn grass into a perfectly manicured lawn. He quickly removed entire trees and let Photoshop stitch together the grass and sky that would take their place. It's a testament to the new tool's proficiency that we couldn't tell that the image had been modified.

He didn't stop there: a simple click removed a dusty track and replaced it with desert, and a panoramic image's clumsy borders were filled out within seconds. Best of all, Photoshop handled these modifications without fuss and quickly delivered picture-perfect results.

Without this feature, making these edits could take hours or, in more complicated cases, even days. The Content-Aware Fill, though, took just seconds and has got us even more excited about the impending release of CS5. We'll have a full review available when the software is released but, for now, this demo should be more than enough to whet your appetite.

Firefox & Abobe rated as most bugiest software

Thu, 07 Jan 2010 11:50:00 --0100

Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.

A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications, he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application white listing technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honourable mention" because of a zero-day vulnerability related to ActiveX that went un-patched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

For those looking for a secure alternative to Adobe PDF reader, try Foxit Reader.

http://www.foxitsoftware.com/pdf/reader/

Security Alert! Sites hacked via upload scripts

Fri, 18 Sep 2009 11:33:45 --0100

SECURITY ALERT!

There has been an increase in the past few days of sites being hacked via file upload scripts, particularly a number of high profile ColdFusion based sites.

The hacker gets in by uploading a CFM, ASP, PHP or other supported file type to the server and executing the file, thus escalating his access.

If you have any publicly accessible areas of your site where files can be uploaded then you should make sure you are not vulnerable, make sure that you are validating allowed uploaded file types and not allowing executable files to be uploaded.

In particular you should pay attention to things like image uploads on forums or other applications which people seem to think are safe because it only allows images to be upload. Many scripts will actually accept the uploaded file to the final destination folder before validating it and then deleting it if it is not valid, thus giving a window of opportunity for the file to be executed.

What happens is that the hacker uses a load testing tool that constantly executes the URL on your site where he knows his file will be uploaded (e.g. mysite.com/files/xyz.cfm), this is done many times a second, so when he then uploads the file it will get executed in those few milliseconds before it is deleted.

To avoid this scenario you should perform checks prior to accepting the upload, or upload the file to a temp location first that the hacker cannot access and then move it to the destination folder once it has been verified.

WPA Protocol hacked

Mon, 07 Sep 2009 12:34:37 --0100

I guess this has been inevitable for some time, but the the WPA wireless security protocol has now been effectively hacked. A Japanese group have developed a hack for the WPA protocol and will be presenting their findings in Hiroshima on Sept 25th (http://www.ieice.org/ken/paper/20090925faPH/eng/).

See here for their full report:

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

If you are using WEP(already hacked) or WPA, I would strongly encourage you to switch to the WPA2 protocol as soon as possible. If you are using WPA with AES, you should be fine, for now. This hack currently affects WPA using TKIP. But if you have to switch things up might as well go to WPA2 with its newer version of AES. It's only a matter of time before this exploit is actively used, so time is critical.

Here's also a report on this from Network World:

http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html

Five Kids Rescued From Sex Abuse Gangs

Tue, 01 Sep 2009 15:35:00 --0100

Police have rescued five children who were being kept as sex slaves by paedophiles who broadcast the abuse on the internet.

The boys and girls, aged from seven to 13 years old, were snatched from the suspects in a series of raids across the UK.

Three of the youngsters were discovered at addresses in Scotland, and two in England.

The children were being attacked on a daily basis, and footage of the abuse was streamed live on websites.

All are now receiving counselling and support.

Officers said a number of suspects were arrested in the operation.

Scotland's National Sex Crimes Unit, which was set up in March this year, said legal proceedings have begun against them.

Senior prosecuting counsel Derek Ogg QC, who heads the unit, praised police for the "good old-fashioned detective work" that led to the arrests.

Officers began the operation after a man was arrested for other alleged sex offences.

Children were identified and the raids were launched across the UK.

Mr Ogg told Sky News Online: "When you discover this going on in your own back yard, in your home country, it really brings it home to people.

"This was all down to good old-fashioned police detective work."

He added: "It was carried out by incredibly dedicated officers who worked night and day to put an end to these children's daily ordeal.

"I can't stress enough the credit that the police take in these cases.

"It takes amazing dedication sifting through the evidence to get success like this."

I can only hope that our dismal justice system for once does the right thing and a sensible judge puts these evil bastards away for the rest of their lives and while inside they get their genitals amputated.

As a father of 3 myself, I can only imagine how the parents of these children must be feeling right now, it is certainly a heart wrenching decision when you have to decide between what you want to do and what you should do in the best interest of your kids, when sadly vengeance, no matter how much you want it or deserve it will only make the situation worse.

55,000 Web sites hacked to serve up malware cocktail

Tue, 25 Aug 2009 15:37:00 --0100

Technorati Tags: web,malware,spyware,adaware,hacked

Security researchers are raising an alarm for a potent malware cocktail - backdoor Trojans and password stealers being pushed to Windows users from about 55,000 hacked Web sites.

According to Mary Landesman, a researcher in ScanSafe's security threat alert team, the cybercriminals have embedded a malicious iFrame into tens of thousands of Websites to fire exploits at unsuspecting PC users who surf to one of the rigged sites.

The iFrame points to an intermediary exploit site which in turn loads additional exploits and malware from up to seven different malware domains, Landesman said.

She ran a Google search on the iframe script tag and found it embedded on about 54,900 sites, many of them legitimate online destinations.

Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.

At the time of writing this blog post, the number of hacked sites listed in Google results climbed to 56,000.

It is not yet clear which vulnerabilities are being exploited in this attack but, judging from recent history, end users should ensure that operating system and desktop software programs are fully patched.

The most common programs under attack include Adobe Flash, Adobe PDF Reader, Apple's QuickTime, WinZip and RealPlayer. In addition to Microsoft Windows patches, these desktop applications should be updated to the newest version immediately.

If you run a website then I would suggest you do a file search for the aforementioned code and make sure your site has not been hacked, especially if you use 3rd party scripts that may be vulnerable.

Secret of Monkey Island comes to XBox

Thu, 23 Jul 2009 11:16:00 --0100

One of my all time favourite games, Monkey Island, is now available on XBox Live.

Forgoing the history lesson on an almost-20-year-old game, The Secret of Monkey Island is a point-and-click adventure in which you assume the role of a wannabe pirate named Guybrush Threepwood. In order to become a pirate, Threepwood must prove himself as a swordsman, a treasure hunter, and a thief, which means you must prove that you can both solve puzzles and move a cursor around a screen--often simultaneously. You can expect to hit a few brick walls when you encounter some of the more baffling puzzles, but the all-new hints system does a great job of pointing you in the right direction if you choose to use it (although I would advise only rto use it as a last resort), and the writing is entertaining enough to keep you interested during extended periods of head-scratching if you don't. An option to play the game in its original form or with greatly enhanced audio and visuals is the foamy head on this Special Edition pint of Grog, and you won't want to stop drinking until you can see the bottom of your tankard.

Why choose just one art style when you can have both?

[Comment on this video]
[Watch this video in HD 540p]

Flash Player 9 is required to watch this video

The Secret of Monkey Island is an easy game to pick up, regardless of whether or not you've played this kind of adventure game before. You can use either analogue stick to move a cursor around the screen, and when you're pointing at something you want to interact with or a location you want to move to, you push the A button. Other actions, such as "speak to," "pull," "use," and "give," are assigned to onscreen buttons that, depending on whether or not you're playing with the updated visuals, either appear at the bottom of the screen at all times or in a pop-up window mapped to a shoulder button. Items in your inventory also appear onscreen at all times when playing with the original graphics, but they are mapped to a second pop-up window in the new interface. It's great that you can switch between the two modes on the fly because there are pros and cons to both. The Special Edition looks much better and is the only way to play if you want to hear, as well as read, what characters are saying, whereas the original game's interface is less clunky.

Monkey Island isn't a game that wastes any time throwing seemingly useless items and satisfying puzzles at you. Shortly after starting out on Melee Island, you visit a bar where pirate leaders drunk on Grog (a drink so acidic that you have to consume it before it eats through the tankard) give you three challenges to complete; a surly chef refuses you entry to his kitchen; and a hungry seagull makes it difficult for you to pick up what may or may not be a red herring. Before you know it, you're walking around the island with all manner of items stuffed into Threepwood's physics-defying pockets, and you'll spend the majority of your time figuring out how to combine or use those items. Using the "look at" option on an item will afford you an amusing description that often doubles as a clue to its intended purpose. You might still end up solving some puzzles through trial and error, but you'll also kick yourself for not spotting the clues to the puzzle's solution before resorting to that time-tested technique.

This conversation was amusing in 1990...

When you're not attempting to combine a staple remover with a banana or wondering how to get past a group

of deadly piranha poodles, much of your time is spent navigating dialogue trees with characters that include belligerent buccaneers, cholesterol-conscious cannibals, and a used boat salesman named Stan. Some of the conversations are laugh-out-loud funny, and while the actors' delivery isn't always up to the standard of the writing, the voice work is such a great addition to the game that it's difficult to go back to the original edition. Lengthy conversations with the aforementioned salesman can be a little irritating when you have to listen to--as well as read--his persistent patter, but he's still an amusing and memorable character in a cast composed almost entirely of amusing and memorable characters.

In The Secret of Monkey Island: Special Edition, meeting and interacting with these characters is every bit as enjoyable as it was almost 20 years ago. The puzzles, the humor, and the Caribbean-sounding tunes that keep you company as you ponder your next move continue to defy their age, and even the original visuals still have plenty of pixel-perfect charm. The Special Edition update employs a colorful art style that's more reminiscent of the style in The Curse of Monkey Island (the third game in the series) than other games, but it retains the primitive (but pleasing) animation of the first game. Switching between the two available art styles is something that you'll almost certainly do from time to time just because you can, and it's interesting to see how faithfully and brilliantly such locations as the Scumm Bar and the cannibal village have been updated.

and it's even better in 2009 because you can hear it.

It's possible to beat The Secret of Monkey Island in just a couple of hours if you go into the game armed with a complete solution. However, if you take the time to enjoy it and solve the puzzles yourself, it should last you anywhere between five and 10 hours. If you have a rubber chicken with a pulley in the middle, two sticks of cinnamon, a length of rope, and 800 Microsoft points in your pocket right now, the best advice I can give you is this: Spend the points on The Secret of Monkey Island: Special Edition and then figure out for yourself what to do with the rest of that stuff.

Even after all these years it seems I still remembered enough about this game to plough through certain parts quickly, but I had also forgotten enough to make me resort to using the hint system far too quickly just because it is there.

Knight Rider Reboot

Wed, 22 Jul 2009 13:53:00 --0100

Have you been watching the new series of Knight Rider? It is actually rather cool I have to say. I was sorely disappointed after watching the pilot, as were many others judging by the online chatter, Kitt had none of the cool features from the original series other than being bullet proof, and the only new feature was his ability to morph, which was also rather lame in the pilot, and quite frankly the car just didn't look anywhere near as cool as the old trans-am, and I really wasn't feeling at all excited about the new series based on this.

Thankfully it seems the producers have listened to the complaints and things are vastly better in the new series, Kitt can now turbo boost, shoot lasers and rockets, emit emp's, xray and all manner of other scanning and computer wizardry. He can also generate just about anything it seems from a 3D molecular imaging device, has a super pursuit mode (now called attack mode) and the morphing is truly cool even if totally unbelievable allowing Kit to transmogrify into all manner of different vehicles to match the terrain or simply to blend in.

I still do not think the car looks as cool as the original trans-am, but this is far less of an annoyance now that everything else is cool and you can accept the fact that the car is meant to be able to blend in and not stick out like a sore thumb.

The car aside, the cast are also pretty good, the new Michael Knight (it is explained why he has the same name) is a proper ass kicking ex-marine agent type, so the fight scenes are far more exciting and action film like instead of the lack lustre unrealistic fights from the old 80's series that just made Hasslehoff seem like a smooth talking James Bond wannabe.

Back at HQ there are the genius geeks who keep Kitt up and running and help Mike on his missions with all their gadgetry and ability to remotely hack into just about anything, as well us providing us with eye candy as most of them just happen to be extremely hot babes who of course all lust after Michael Knight, lucky guy.

Everything in this new series is totally unbelievable and technically impossible by any stretch of the imagination, but as long as you are not anal about this and are not one of those people that needs to over analyse everything instead of simply enjoying it, it is great fun to watch whether you were a fan of the original series or not and is I think a great reboot of a classic series for the 21st century and is at least for me a must watch programme each week.

ColdFusion 9 Tutorials and Resources

Fri, 17 Jul 2009 15:33:00 --0100

I was about the start compiling a list of useful links to info and tutorials for CF9 and CFBuilder, but it seems someone has beat me to it, so rather than re-invent the wheel I will just link to this chaps page and save myself some work :-) If you are looking for find out what is new in CF9 and how to do it, this is worth reading.

A few of my favourite new features are below, of course I tend to look at things from a hosts perspective these days rather than a developer seeing as I don't do a lot of coding anymore.

Most of these improvements are especially great for me because I actually had discussion with Adobe some years ago about about what improvements needed to be made to ColdFusion to make it more suitable for shared hosting and explained how they needed to work, and these are areas I specifically addressed, so it seems that finally they did listen to me.

View Undelivered Mail
This new feature allows you to browse mail sitting in the undelivered folder and then delete or respool them. This is handy for manual checking or on a dev machine. Currently my company has a custom script that automatically respools all undelivered mail for 24 hours, and then deletes them, which is very useful in a shared hosting environment otherwise the undelivered folder regularly fills up. It is a shame Adobe didn't have the foresight to add this kind of automation as well, but at least the viewer allows an easy way to find missing emails.
Application Specific Datasources
This is a real code saver and somewhat of a security benefit as well. With this new "this.datasource" application property to can set an application wide datasource, thus negating the need to specify the DSN in every query. A full review of this feature can be found on Ben Nadel's blog.
Server Manager
ColdFusion 8 introduced server monitoring for single and multiple servers via a Flex based app which provided access to all sorts of ColdFusion internals, alerts, proactive problem management, and more.
ColdFusion 9 takes this a big step further with a new tool called "ColdFusion Server Manager". This AIR based application allows you to monitor as many servers as needed (including individual ColdFusion instances on a multi-instance configuration) and even offers pop-up alerts when issues occur, it allows for remote server configuration (define a data source, for example), it also allows for settings to be applied to multiple servers at once, it can clear the template caches, it can upload hot-fixes to one or more servers, and it even allows you to select two ColdFusion servers to compare their configuration settings, highlighting any differences between them.
Oh, and before you ask, here are answers to the three most commonly asked questions.
1. No, this is not a separately sold utility, it is part of ColdFusion itself (and installed via a link in the ColdFusion Administrator).
2. ColdFusion Server Manager uses APIs added to ColdFusion 9, so no, this will not work with ColdFusion 8 or earlier.
3. Adobe have not made any decisions yet as to product edition, so no decision as to whether this is an Enterprise only feature or not.
Server Security
One of my big issues has always been ColdFusion's security, or rather lack thereof. You need the enterprise edition to get security sandboxes and these only sandbox CFML code, if someone writes some Java code into their CFML pages they can completely bypass the sandbox and do whatever they like, which actually makes ColdFusion one of the most insecure application servers out there in a shared hosting environment as PHP, ASP and .NET do not suffer from this problem.
This has supposedly now been addressed with ColdFusion 9 now allowing you to restrict access to certain JAVA functionality. I have not yet looked into this, and as no-one else seems to have written an article on particular area yet I may as well do so, so a more detailed tutorial ont his subject will be coming soon.
64bit ColdFusion for all
Up till now, 64bit ColdFusion has only been available to ColdFusion Enterprise customers. This will (thankfully) change in ColdFusion 9, and all customers will have access to 32bit or 64bit versions, regardless of edition. Groovy!

Windows Live Writer overwrites images

Thu, 02 Jul 2009 12:27:00 --0100

I have just noticed a very annoying bug in Live Writer, thus why you have have received multiple copies of my last posts. After I had posted those last 2 articles, I noticed they both had the same images, even though they clearly didn't when I posted them. It seems that if you paste in an image from the clipboard Live Writer will name it image.png by default and the thumbnail will be image_thumb.png, it will not create a unique filename, thus will simply overwrite any existing images with the same name, thus messing up all your previous blog posts with images not to mention if you have multiple images in your current post, they will all end up as the same image.

I presume this bug must have been added to the latest release (2009) as I have not noticed it previously.

I have however found the following temporary fix on the Windows Live Writer Blog

Open HKCU\Software\Microsoft\Windows Live\Writer\Weblogs\{blog-id}\UserOptionOverrides\, where {blog-id} is a GUID. You will have several of these, but should be able to tell the right one by looking at the contents of the key.

Add a new String value with name â??fileUploadNameFormatâ?? (case matters!!) and the value e
{WindowsLiveWriter}/{PostTitle}/{Randomizer}/{AsciiFileName}

hopefully they will fix this annoying bug very soon.

Email archiving UK law, regulations and implications for business

Tue, 24 Feb 2009 10:08:00 --0100

The use of business email has grown exponentially over a relatively short period of time, bringing with it the huge advantages of worldwide, cost-effective, easy and near-instantaneous communication. But as all those involved in the management of IT systems know, the growth in email usage has brought its own challenges.

[More]

Firefox tops list of 12 most vulnerable windows apps

Tue, 16 Dec 2008 17:05:00 --0100

Mozilla's Firefox browser has earned the undesirable title of the most vulnerable software program running on the Windows platform. Something that will probably dismay most web developers, as it is the browser of choice for most of them due to its superior debugging capabilities. I would imagine this is also a shock to most of you Internet Explorer haters as well, especially as IE is not even on the list.

According to application white-listing vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Hereâ€™s Bit9â€™s dirty dozen:

Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.
Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops of arbitrary remote code execution via buffer overflow,â€œinput validation issuesâ€? and malformed parameters.
EMC VMware Player,Workstation and other products: A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal, ActiveX buffer overflows leading to arbitrary code execution and denial of service.
Sun Java JDK and JRE, Sun Java Runtime Environment (JRE):
Inability to prevent execution of applets on older JRE release could allow remote attackers to exploit vulnerabilities of these older releases. Buffer overflows allowing creation, deletion and execution of arbitrary files via untrusted applications. 10 patched vulnerabilities listed.
Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third party codecs. The Safari for Windows browser was haunted by three flaws that could be lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption. Appleâ€™s iTunes software was susceptible to a remote improper update verification that allowed man-in-the-middle attacks to execute arbitrary code via a Trojan horse update.
Symantec Norton products (all flavors 2006 to 2008): Stack-based buffer overflow in the AutoFix Support Tool ActiveX exposed Windows users to arbitrary code execution.
Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for remote attackers to execute arbitrary code.
Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. Search path vulnerability, and buffer overflow lead to arbitrary code execution.
Aurigma Image Uploader, Lycos FileUploader: Remote attackers can perform remote code execution via long extended image information.
Skype: Improper check of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs.Cross-zone scripting vulnerability allows remote attackers to inject script via Internet Explorer web control.
Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, â€œchange state,â€? obtain contact information and establish audio or video connections without notification.

See Bit9â€™s full report (.pdf) for information on how the list was put together, including criteria for inclusion.