Source code is compiled to byte-code, like Java. In addition to this, it encrypts the code with encryption key which is separated from source code and byte code. The final result would be the encrypted byte-code. When the program or the service is executed, it decrypts the code and executes it. The whole process is done in cloud so nobody could exploit the niche vulnerability. If an attacker tries to crack it, he or she should get the encryption key first. If the encryption key is stored in the deepest layer of the cloud, the attacker should try to break the cloud system first. It’s a good application of cyclic authentication which I mentioned in other posting here.

This model would be applied to the cloud database solution Cloudbean, which offers new DML(Data Manipulating Language) named C2QL as the security concern is one of the most highlighted issues in cloud system. The challenge is how to make the complexity of encryption higher not to be breached.

Common graph algorithms in computer science mostly assume that there’s no cycle in graph structure. On the other hand, the cyclic authentication proves to be a great tool for security enhancement indeed. A cycle means eternity. When a program meets the cycle, it never ends. We can apply the mechanism to ameliorate encryption algorithm. For instance, suppose that there are three individual services A, B and C. Service A has the password to access B, B has that of C and C has that of A. It’s a cyclic password lock. No one can break the cycle unless every service is completely exploited by attackers. Excluding social engineering cases, the countermeasure proves no way to break up. It’s a very subject worthy to consider.

We’ve researched a cloud database solution for a couple of months; the project name is Cloudbean. The project aims to bring a specially structured database solution which is scalable, high-performance distributed database system. The optimization process is now going on to make the solution faster than before. And now we unveil the result of performance test conducted recently. The Cloudbean version is not the newest that the upgrade and code migration are still in progress. The tested Cloudbean version is 1.2, and the test environment – hardware specification – looks like below.

• Intel Dual-core E6500 2.93GHz
• Samsung 2GB Memory
• WD SATA2 HDD 500GB (7,200 RPM)

The test is done with 100,000 key-value pairs in a single node. Each key and value sizes are 8 bytes. The following is the result of the test in reading and writing comparing to other noSQL solutions like membase and Cassandra.

• membase: writes data for about 28 secs, reads for about 12 secs in average
• cassandra: writes data for about 30 secs, reads for about 72 secs in average
• cloudbean data service: writes data for about 26 secs, reads for 2 secs in average

The optimization in this project means to minimize the data writing to disk. We have developed the prototype version 1.2, which is not stable yet though, the next version 2.0 would be more stable, satisfying ACID properties. Cloudbean is designed to offer a special purposed data model so that we could be prepping for a new kind of cloud service. Long way to go, but we have a vision for delivery.

For example, it’s possible that a game company who uses this database model can link game data to other records in online shopping mall database. The main idea has been applied to the patent, and now I participate in the development of the project which name is Cloudbean. The patent involves the content about domain rule and domain access control as well as the linked record pair stuff. In reality, the system may serve the link attributes as well.

What is Security Management? It is a really hard-hitting question for security managers. Sadly many people involved in security management cannot answer it clearly. Intuitive approach is not bad, but getting the answer known would be a great help to focus on what and how they should do for increasing security performance.

The performance of security cannot be estimated by numerical values, though, I suggest an easy equation to imply the elements of security. Here is the one.

Risk = Value * (Threat * Vulnerabilities / Countermeasures)

Companies consider Risk so as to minimize the loss from it. Fully understanding of each factors in this formula would lead you to know about the risk and then apparently define the role of security manager.

The first is Value which means the valuable things separated into 3 categories: monetary value, future value and secrets. If there is no value, there is no risk.

And the next one is Threat, the possible threats which can give you damage regardless of their intention, for example, natural disasters like earthquake, hackers, etc. These two elements cannot be reduced by security plan but the following things (Vulnerability and Countermeasures) are controllable and so more focused when thinking of the role of security manager.

Vulnerability is a kind of hole which can be exploited and hackers harness it in software to exploit users to do what they intend to. And Countermeasures are the methods to prevent the accident. Countermeasures could be firewall, anti-virus software and so forth. Security managers should make their plans focusing on those two elements. They need to search for possible vulnerabilities and to seek for countermeasures against them.

In conclusion, the role of security manager is not to MINIMIZE the risk but to OPTIMIZE it. Assigned budgets would be limited because most senior managers and CEOs don’t like to invest into such an invisible matter. Security manager can offer the report of vulnerabilities and show how he or she can reduce the damage from any disasters, then the security plan would be going through the right path without profligate spending.

The most impressive change in HTML5 is Canvas element with drawing tool. This allows developers to represent their creativity with more effective and aesthetic design. One more, offline storage database support is a brilliant feature. It will alleviate the traffic through server machine and speed up the web experience by delegating tasks which manipulate insignificant personal information to client-side. Furthermore, enhancement on dealing media contents like audio, image and video is great. Amazing achievement!

Otherwise, there are some deprecated features as well. Some tags would be removed: strike, center, applet, etc but no problem because most of them are in the area of style-sheet rather than tag element and are able to be represented in different way with CSS(Cascading Style-Sheet).

Steve Jobs’ remark against Abode Flash increased interest upon HTML5. This is a kind of trend that Microsoft IE9 will strongly support it and the other browsers would go through the same way. And I think it would be quite good for web developers to read HTML5 specification document to understand the future format.

This movie: Gary Flake’s talk in TED posted in March 2010 shows the power of computer science. A kind of augmented reality becomes an issue as a future-leading technology. If you use Android phone, you may know Google Goggles which is an Android app, searches for information of the picture you take with your phone camera. Many other techs related to the reality are exposed to increase the manner in life.

Plenty of ongoing researches to improve the life-style look so amazing. Such unseen forces would provide facilitation largely. And I need to think about what should I do and how could I make the world better all the time to contribute to this society as well.

The most general form is man-in-the-middle attack. Attacker can catch all messages between two clients and he also can forge them as intended. To prevent this, you should establish session and improve identification/authentication process. (Normally IDS cannot catch this problem)

Spoofing can be used in phishing sites by URL spoofing. A legitimate web page such as a bank’s site is reproduced in “look and feel” on another server under control of the attacker. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browsers location bar; or with DNS cache poisoning in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack-code reports a password error, then redirects the user back to the legitimate site and the attacker gets the personal data.

Although many other types of spoofing exists and can be abused and be applied to many cases, there’s no absolute solution for them. You may monitor the system, patch OS last-updated, verify source and destination in router. As the network is not completely safe, you should suppose that there may be fake packets through the web when constructing network system.

At first, let’s see the attributes of SGML.

• Some starting tag doesn’t allow end tag. (ex: <img> tag)
• Some starting tag allows both end tag and naught. (ex: <p> tag)
• Some starting tag always needs end tag. (ex: <script> tag)
• Tags can lie in any order. (ex: you can use <b>A<i>B</b>C</i>)
• Some attributes should set a value.
• Some attributes should not be set.
• Quotation marks are available to evaluate an attribute. 

SGML is really flexible but has many vulnerabilities by anonymous syntax. XML, which prevails in web technology enforced the rule to avoid such faults. The following is the advanced rule of XML.

• All tags must have end tag.
• Attaching slash(/) in the end of the tag can substitute for end tag.
• Tags must be in hierarchy structure.
• Every attributes should be evaluated.
• Quotation marks are essential to locate values of attributes.

Those rules which represent web standard resolves problems when interpreting markups (especially XHTML which is HTML in XML rules). You should keep them on your web site because the XHTML rule, the standard reduces distinct among web browsers or the other features of web service. Standard is a powerful tool for unification and you need to understand the rule in detail.

Perspective #1. IT affects significantly good.

It decreases the cost of both time and money. You can find the map without visiting the site. You can buy some books in Amazon.com instead of going to the bookstore. What if we lose the technology? I think it’s miserable. One of the most useful tools is the search engine like Google. It creates the power of the nation and destructs ignorance.

Phone evolves dramatically with internet. You can do lots of things with your phone. Social web community does good with mass intelligence. Web 2.0 publishes invaluable information. Is there any other way to do this better?

Perspective #2. IT destructs the balance.

I understand how IT makes the world better. But it goes too fast to lead the other factors. First, it reduces jobs. You may know the reason. The world population decreases smoothly but IT grows so fast. IT offers the way to do a task with less people and it breaks the balance between the supply and the demand for jobs. Second, it invalidates new technology in a short time because the newer one is coming up soon. It is an enormous loss in the industry.

The faster IT grows, the more inclined the scale is. Approving agile web technology is dangerous and makes the world an emergency room. Then I ask, will it do good? I hope no would be your answer though I’m interested in it.

Host-based IDS
Host-base IDS focuses on sole computer so that it can check event logs in detail. This type of IDS can detect anomalies which couldn’t be detected by Network-based IDS, but it cannot detect attacks from network or other systems. It consumes resources for monitoring and reduces performance.

Network-based IDS
Network-based IDS detects attacks and exceptions by capturing network packets and auditing them. It can detect continuous attempt to attack but can’t supply any log which records how the attack affects the system.

Knowledge-based detection
Knowledge-based detection is also called pattern-matching detection. It checks whether each monitored event matches signature DB. If it matches, IDS will decide that attack occurs. It can only find attacks which signature DB know.

Behavior-based detection
Behavior-based detection is also called statistical intrusion detection, anomaly detection, and heuristic-based detection. It explores normal activities and events by auditing and learning. Once it accumulates enough data for normal actions, it can judge anomalies. The weak point is that it alerts wrong alarms far more frequently than other IDSs.

• ^P implies the beginning of the string.
• P$ implies the end of the string.
• P* implies the sequent pattern P including an empty string.
• P+ implies the sequent pattern P. (P appears once at least)
• . implies a character.
• ? implies a pattern (and also implies a naught).
• P{n} implies the sequent pattern P repeated exactly n-times.
• P{n,} implies the sequent pattern P repeated least n-times.
• P{m, n} implies the sequent pattern P repeated from m to n times.
• (P) captures pattern P.
• P1 | P2 choose only one from those patterns.
• [ string ] implies any string which include the string.
• [^ string ] implies any string which doesn’t include the string.
• [ character-range ] checks a character that matches the range.
• [^ character-range ] checks a character that doen’t match the range.

It’s easy, right? Though they are not all of them, but they’re useful enough to realize your dream~ :) I want to introduce some examples here. (regular expression is usually notated in /pattern/ form.

/^[a-zA-Z]+$/ implies that alphabet characters are only available.
/^[http]\:\/\/.*/ implies HTTP link addresses.
/^[0-9a-zA-Z]+\@[0-9a-z]+\.[a-z]+(\.[a-z]+)*$/ implies e-mails.

Identification

It’s the stage for subjects to open their identity and get accountability. Once they open themselves to the public, they are responsible for their behaviors. It begins with showing their ID, or private identifying number.

Authentication

It’s the stage to check the identification is correct. Authentication requests additional information to audit whether presented identity corresponds with the subject. Three types of information is usually used for authentication.

• Type 1: Something you know. (ex: password)
• Type 2: Something you have. (ex: smart card)
• Type 3: Something you are. (ex: fingerprint, iris)

Authorization

It’s the stage to grant rights and privileges to the authenticated subject. Authenticated subjects are able to do something which is allowed with their authority.

To make this, there are 3 things to do: DOM, events, and removing distinct among browsers. First of all, DOM object means the frame of popup component. It involves DIV tag, LAYER tag, etc (such block tags). You can define it as the following way.

<div id=‘component_name’ style=‘position:absolute; left:10px; top:10px;’>
What you want to write on the component
</div>

You may have a question about STYLE attribute. It is a really important matter to remove distincts among browsers. I’ll explain it in the third part. Anyway, you’ve done your first job! The next is to set events on the component (and it’s the most important work). Now, I’ll define 5 variables in javascript.

<script type=‘text/javascript’>
<!–
var target = document.getElementById(‘component_name’);
var mouseX = 0;
var mouseY = 0;
var moveOn = false;
var IE = document.all ? true : false;
// ..(insert the following functions and event handlers)
//!–>
</script>

As you see, target means the object of the layer component. And the tuple (mouseX, mouseY) is the mouse-clicked position relative to the layer. Variable moveOn announces that the layer is now moving on. The last IE shows that the browser is Internet Explorer. Then, I’ll define 3 event handlers and 2 supportive functions. The following they are.

// AddEvent: add new event having no difference among browsers.
function        AddEvent( unit, type, func )
{
        if(unit.addEventListener)
                unit.addEventListener(type, func, false);
        else    unit.attachEvent(‘on’ + type, func);
}
// RemoveEvent: remove an event having no difference among browsers.
function        RemoveEvent( unit, type, func )
{
        if(unit.removeEventListener)
                unit.removeEventListener(type, func, false);
        else    unit.detachEvent(‘on’ + type, func);
}
// MousedownHandle: mousedown event handler
function        MousedownHandle( oEvent )
{
        moveOn = true;
        if(IE)
        {
                // when IE, locate popup with pixel position
                mouseX = oEvent.clientX – parseInt(target.style.pixelLeft);
                mouseY = oEvent.clientY – parseInt(target.style.pixelTop);
        }
        else
        {
                // when not IE, locate popup with normal position
                mouseX = oEvent.pageX – parseInt(target.style.left);
                mouseY = oEvent.pageY – parseInt(target.style.top);
        }
        // add mousemove event when mousedown occurs
        AddEvent(document.body, ‘mousemove’, MousemoveHandle);
        return false;
}
// MouseupHandle: mouseup event handler
function        MouseupHandle( oEvent )
{
        // remove mousemove event to save system resource
        RemoveEvent(document.body, ‘mousemove’, MousemoveHandle);
        moveOn = false;
        return true;
}
// MousemoveHandle: mousemove event handler
function        MousemoveHandle( oEvent )
{
        if(moveOn)
        {
                if(IE)
                {
                        target.style.pixelLeft = event.clientX – mouseX;
                        target.style.pixelTop = event.clientY – mouseY;
                }
                else
                {
                        // add the text ‘px’ in the end of the value
                        target.style.left = (oEvent.pageX – mouseX) + ‘px’;
                        target.style.top = (oEvent.pageY – mouseY) + ‘px’;
                }
        }
        return false;
}
 window.onload = function()
{
        // add mousedown event on target
        AddEvent(target, ‘mousedown’, MousedownHandle);
        // add mouseup event on document.body
        AddEvent(document.body, ‘mouseup’, MouseupHandle);
}

This is the way to set events for moving the layer. The source code is over and now I explain how to give differences among browsers. See the below.

Internet Explorer supports:

• attachEvent function: it’s only for IE. You should add ‘on’ to a type.
• detachEvent function: it’s only for IE. You should add ‘on’ to a type.
• window.event: it’s only for IE. Get event attributes from it.
• style.pixelLeft: when you set ‘left’, it would be set in IE.
• style.pixelTop: when you set ‘top’, it would be set in IE.

Firefox, Chrome, and Opera support:

• addEventListener function: it doesn’t work in IE.
• removeEventListener function: it doesn’t work in IE.
• oEvent: unless you use IE, this contains event attributes.
• oEvent.pageX and oEvent.pageY: IE doesn’t have the values.
• style.left: when you set ‘left’, it would be set. (not pixelLeft)
• style.top: when you set ’top’, it would be set. (not pixelTop)

These differences are not the entire matters. You should set the style value LEFT and TOP as a pixel value. If you remark them as percentage values, you’ll meet a problem in Firefox. (The layer is hopping here to there) The reason is that Firefox does not set the pixel values at the first time of setting LEFT and TOP.

Here’s the end of the lesson. I did my best to let you know how to make it easily. If you have any question on it, mail to wildartist.world@gmail.com. Good luck.