Pada contoh berikut Anda dapat mengetahui cara menyimpan dan mengambil setting program yang disimpan di Registry.
Code::
'Deskripsi: Menyimpan dan mengambil data ke dan dari Registry dengan
' memakai fungsi SaveSetting, GetSetting, dan GetAllSettings.
' Khusus GetAllSettings, merupakan fungsi untuk mengambil
' semua data di "bawah" suatu Section tertentu, jadi tanpa
' harus mengambil satu per satu item/setting dengan GetSetting.
'Pembuat : Masino Sinaga (masino_sinaga@posindonesia.co.id)
'Diupload : Selasa, 21 Mei 2002; Puslatpos Bandung 40151
'Persiapan: 1. Buat 1 Project baru dengan 1 Form.
' 2. Tambahkan 3 TextBox, masing-masing beri nama dengan
' Text1, Text2, dan Text3.
' 3. Tambahkan 1 ComboBox, beri nama dengan Combo1.
' 4. Tambahkan 2 CheckBox, masing-masing beri nama dengan
' Check1 dan Check2.
' 5. Tambahkan 4 OptionButton, masing-masing beri nama dengan
' Option1(0), Option1(1), Option2, dan Option3.
' 6. Tambahkan 1 ListBox, beri nama dengan List1.
' 7. Tambahkan 4 Commandbutton, masing-masing beri nama dengan
' - cmdSaveSetting
' - cmdGetSetting
' - cmdDeleteSetting
' - cmdSaveQuit
' 8. Copy-kan coding berikut ke dalam editor form yang bertalian.
'--------------------------------------------------------------------------
'Penggunaan setiap fungsi (setiap baris lanjutan di bawah ini harus diawali
'tanda petik juga: komentar VB tidak dapat dilanjutkan dengan " _"):
'SaveSetting(AppName As String, _
'            Section As String, _
'            Key As String, _
'            Setting As String)
'GetSetting(AppName As String, _
'           Section As String, _
'           Key As String, _
'           Default As String) As String
'GetAllSettings(AppName As String, _
'               Section As String) As Variant
'Untuk melihat hasil dari contoh ini, jalankan Registry dari menu
'Start->Run ketikkan: Regedit lalu tekan Enter. Buka folder/direktori
'di explorer Regedit yaitu:
'HKEY_CURRENT_USER\Software\VB and VBA Program Settings\prjRegedit
'(bagian terakhir adalah App.Title, yaitu nama project; sesuaikan jika
'project Anda diberi nama lain), kemudian periksa subkey "Form" dan "TestRegedit".
'Khusus untuk Section "TestRegedit", seluruh nilai yang diambil dapat
'Anda lihat di List1.
'--------------------------------------------------------------------------
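Private Sub cmdDeleteSetting_Click()
    ' Remove the whole "TestRegedit" section of this program from
    ' HKCU\Software\VB and VBA Program Settings\<App.Title>.
    ' DeleteSetting raises a run-time error when the section does not
    ' exist (e.g. the button is clicked twice, or nothing was saved yet);
    ' the original relied on an "On Error Resume Next" that was stripped
    ' before upload, so handle that case here instead of crashing.
    On Error GoTo HapusGagal
    DeleteSetting App.Title, "TestRegedit"
    MsgBox "Berhasil dihapus!", vbInformation, "Hapus OK"
    Exit Sub

HapusGagal:
    MsgBox "Tidak ada setting yang dihapus (" & Err.Description & ")", vbExclamation, "Hapus Gagal"
End Sub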
Private Sub cmdGetSetting_Click()
    ' Re-read every stored setting by running the load handler again;
    ' Form_Load also restores the window geometry from section "Form".
    Call Form_Load
End Sub
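Private Sub cmdSaveQuit_Click()
    ' Save the control values and the window geometry, then close the program.
    ' `Unload Me` replaces the original `End`: End stops the process at once
    ' without firing Form_QueryUnload/Form_Unload or releasing objects, whereas
    ' unloading the only form (the setup notes above create just one) lets VB
    ' end the program normally.
    SimpanForm1
    SimpanLetakForm
    Unload Me
End Sub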
Private Sub cmdSaveSetting_Click()
    ' Write the control values (section "TestRegedit") and the window
    ' geometry (section "Form") to the registry, then confirm to the user.
    ' Same work as cmdSaveQuit_Click, without leaving the program.
    Call SimpanForm1
    Call SimpanLetakForm
    Call MsgBox("Berhasil disimpan!", vbInformation, "Simpan OK")
End Sub
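Private Sub Form_Load()
    ' Restore the window geometry (section "Form") and the control values
    ' (section "TestRegedit") that SimpanLetakForm / SimpanForm1 wrote under
    ' HKCU\Software\VB and VBA Program Settings\<App.Title>, and list every
    ' value of "TestRegedit" in List1.  Also invoked by cmdGetSetting_Click.
    '
    ' NOTE(security): HKCU is writable by any process running as this user,
    ' so nothing read here is assumed to be well-formed: numbers go through
    ' Val(), booleans through a string comparison, and every key has a
    ' default.  These values must never be used for a security decision.
    Const SEKSI As String = "TestRegedit"
    Dim AtasForm As Single, KiriForm As Single   ' Single matches Me.Left/Top
                                                 ' (the original "Dim a, b As Integer"
                                                 ' made AtasForm a Variant)
    Dim avntSettings As Variant
    Dim intX As Integer
    Dim strItem As String

    ' Default position: centred on the screen (twips).
    AtasForm = Screen.Height / 2 - Me.Height / 2
    KiriForm = Screen.Width / 2 - Me.Width / 2

    Me.Left = AmbilAngka("Form", "Kiri", CStr(KiriForm))
    Me.Top = AmbilAngka("Form", "Atas", CStr(AtasForm))
    Me.Width = AmbilAngka("Form", "Lebar", "5000")
    Me.Height = AmbilAngka("Form", "Tinggi", "5000")

    ' Show every value of the section in List1.  GetAllSettings returns an
    ' uninitialised Variant (not an array) when the section has no entries,
    ' e.g. on first run or after cmdDeleteSetting; UBound would then fail.
    List1.Clear
    avntSettings = GetAllSettings(App.Title, SEKSI)
    If IsArray(avntSettings) Then
        For intX = 0 To UBound(avntSettings, 1)
            List1.AddItem avntSettings(intX, 1)   ' column 1 = the value
        Next intX
    End If

    ' Read each control's value by key name rather than by its position in
    ' List1: the order in which registry values are enumerated is not
    ' guaranteed to match the order SimpanForm1 wrote them, and a short
    ' list would assign "" to a numeric/boolean property (Type mismatch).
    Text1.Text = GetSetting(App.Title, SEKSI, "Text1", "")
    Text2.Text = GetSetting(App.Title, SEKSI, "Text2", "")
    Text3.Text = GetSetting(App.Title, SEKSI, "Text3", "")
    Check1.Value = NilaiCentang(AmbilAngka(SEKSI, "Check1", "0"))
    Check2.Value = NilaiCentang(AmbilAngka(SEKSI, "Check2", "0"))
    ' Option values were written from a Boolean, i.e. as "True"/"False";
    ' same assignment order as before so the option groups settle identically.
    Option1(0).Value = (GetSetting(App.Title, SEKSI, "Option1(0)", "False") = "True")
    Option1(1).Value = (GetSetting(App.Title, SEKSI, "Option1(1)", "False") = "True")
    Option2.Value = (GetSetting(App.Title, SEKSI, "Option2", "False") = "True")
    Option3.Value = (GetSetting(App.Title, SEKSI, "Option3", "False") = "True")

    ' Rebuild Combo1 from its three saved history slots, skipping empty ones.
    Combo1.Clear
    For intX = 0 To 2
        strItem = GetSetting(App.Title, SEKSI, "Combo1(" & intX & ")", "")
        If Len(strItem) > 0 Then Combo1.AddItem strItem
    Next intX
    Combo1.Text = Text3.Text
End Sub

' Reads one numeric setting of this program.  A missing key yields Bawaan;
' a non-numeric (e.g. hand-edited) value yields 0 instead of raising
' "Type mismatch" when assigned to a numeric property.
Private Function AmbilAngka(ByVal Seksi As String, ByVal Kunci As String, ByVal Bawaan As String) As Double
    AmbilAngka = Val(GetSetting(App.Title, Seksi, Kunci, Bawaan))
End Function

' Maps a stored number onto a valid CheckBox.Value (0, 1 or 2); anything
' else becomes vbUnchecked so a corrupt entry cannot raise error 380.
Private Function NilaiCentang(ByVal Nilai As Double) As Integer
    If Nilai = vbChecked Or Nilai = vbGrayed Then
        NilaiCentang = CInt(Nilai)
    Else
        NilaiCentang = vbUnchecked
    End If
End Function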
Sub SimpanForm1()
    ' Persist the current control values as the keys of section
    ' "TestRegedit" under HKCU\Software\VB and VBA Program Settings\<App.Title>.
    ' Combo1 keeps a three-slot history of typed values, newest in slot 0;
    ' Form_Load reads all of this back.
    Const SEKSI As String = "TestRegedit"
    Dim strApp As String
    Dim strPilihan As String
    Dim intSlot As Integer

    strApp = App.Title
    strPilihan = Combo1.Text

    ' One key per control; SaveSetting stores everything as text.
    SaveSetting strApp, SEKSI, "Text1", Text1.Text
    SaveSetting strApp, SEKSI, "Text2", Text2.Text
    SaveSetting strApp, SEKSI, "Text3", strPilihan
    SaveSetting strApp, SEKSI, "Check1", Check1.Value
    SaveSetting strApp, SEKSI, "Check2", Check2.Value
    SaveSetting strApp, SEKSI, "Option1(0)", Option1(0).Value
    SaveSetting strApp, SEKSI, "Option1(1)", Option1(1).Value
    SaveSetting strApp, SEKSI, "Option2", Option2.Value
    SaveSetting strApp, SEKSI, "Option3", Option3.Value

    If Combo1.List(0) = "" Then
        ' Empty history: the typed text becomes the first entry.
        SaveSetting strApp, SEKSI, "Combo1(0)", strPilihan
    ElseIf strPilihan = Combo1.List(0) Or strPilihan = Combo1.List(1) Or strPilihan = Combo1.List(2) Then
        ' Already in the history: write the three slots back unchanged.
        For intSlot = 0 To 2
            SaveSetting strApp, SEKSI, "Combo1(" & intSlot & ")", Combo1.List(intSlot)
        Next intSlot
    Else
        ' New value: shift the history down one slot and put it on top
        ' (the oldest entry, slot 2, is dropped).
        SaveSetting strApp, SEKSI, "Combo1(2)", Combo1.List(1)
        SaveSetting strApp, SEKSI, "Combo1(1)", Combo1.List(0)
        SaveSetting strApp, SEKSI, "Combo1(0)", strPilihan
    End If
End Sub
Sub SimpanLetakForm()
    ' Persist the window position and size (twips) as the four values of
    ' section "Form", which Form_Load reads back.  A minimised window is
    ' skipped, as in the original -- presumably because its Left/Top do not
    ' describe where the user last saw it -- so the previously stored
    ' geometry stays untouched in that state.
    If Me.WindowState = vbMinimized Then Exit Sub

    With Me
        SaveSetting App.Title, "Form", "Kiri", .Left
        SaveSetting App.Title, "Form", "Atas", .Top
        SaveSetting App.Title, "Form", "Lebar", .Width
        SaveSetting App.Title, "Form", "Tinggi", .Height
    End With
End Sub
Source:Masino-sinaga.com
semoga berhasil, jika ada yang ingin ditanyakan atau pengembangan dari program diatas klik Kuroda.
Terima kasih atas kunjungan anda, semoga bermanfaat
Sabtu, 12 Juli 2008
Registry-03
Menyembunyikan menu Start Menu > Settings > Taskbar
Jika Anda meng-enable setting ini maka menu Taskbar yang terdapat pada Setting pada Start Menu akan hilang.
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
Value Name: NoSetTaskbar
Data Type: DWORD Value
Data: (0 = disabled, 1 = enabled/sembunyikan). Catatan: karena nilainya berada di HKEY_CURRENT_USER, setting ini hanya berlaku untuk pengguna yang bersangkutan dan dapat dikembalikan oleh pengguna itu sendiri (atau program apa pun yang berjalan atas namanya); ini pembatasan tampilan, bukan kontrol keamanan.
are unstable, and might not result in all data being truly randomized. In a sense, one could say that the sorting algorithm divides up the data too fast for the randomizing to occur. A truly random shuffling has the property that each element has the same probability of being assigned to each location, or equivalently, each permutation of objects is equally likely. As far as I know, Safari is the only browser which may have an unstable sorting algorithm, resulting in the domain uuuuu.us being sorted to the last position most of the time, although other domains appear to be randomly placed. Unstable sorting algorithms may be fine, depending on the application.
There are also iterative methods for sorting. Iterative sorting methods are useful because the computational cost of one iteration is O(N) rather than O(N log N); a more precise estimate is typically between N/2 and 2N operations. The data is not completely sorted after one iteration, but that is fine when the ranking is based on subjective criteria such as click popularity or Google PageRank. Usually a good iterative sorting method guarantees that at least the lowest- and highest-ranked items end up in the correct positions.
Source:Internet.Com
Jika Anda meng-enable setting ini maka menu Taskbar yang terdapat pada Setting pada Start Menu akan hilang.
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
Value Name: NoSetTaskbar
Data Type: DWORD Value
Data: (0 = disabled, 1 = enabled/sembunyikan). Catatan: karena nilainya berada di HKEY_CURRENT_USER, setting ini hanya berlaku untuk pengguna yang bersangkutan dan dapat dikembalikan oleh pengguna itu sendiri (atau program apa pun yang berjalan atas namanya); ini pembatasan tampilan, bukan kontrol keamanan.
are unstable, and might not result in all data being truly randomized. In a sense, one could say that the sorting algorithm divides up the data too fast for the randomizing to occur. A truly random shuffling has the property that each element has the same probability of being assigned to each location, or equivalently, each permutation of objects is equally likely. As far as I know, Safari is the only browser which may have an unstable sorting algorithm, resulting in the domain uuuuu.us being sorted to the last position most of the time, although other domains appear to be randomly placed. Unstable sorting algorithms may be fine, depending on the application.
There are also iterative methods for sorting. Iterative sorting methods are useful because the computational cost of one iteration is O(N) rather than O(N log N); a more precise estimate is typically between N/2 and 2N operations. The data is not completely sorted after one iteration, but that is fine when the ranking is based on subjective criteria such as click popularity or Google PageRank. Usually a good iterative sorting method guarantees that at least the lowest- and highest-ranked items end up in the correct positions.
Source:Internet.Com
Baca Email sendiri dibayar dengan Dolar
Pertama, Anda harus punya minimal satu account email!
Anda butuh minimal satu email, tetapi kami sarankan punya 3: satu untuk teman dan keluarga, satu untuk kontak bisnis, dan satu lagi khusus untuk newsletter yang kadang bercampur spam. Pisahkan alamat yang terakhir ini dari alamat yang Anda pakai untuk akun penting (bank, reset password), supaya spam atau phishing yang masuk ke sana tidak menyentuh alamat utama Anda. Silakan daftar produk lokal maupun luar, tidak ada larangan; hanya perlu diingat yang lokal punya keterbatasan ruang, tidak seperti Yahoo ataupun GMail yang berkapasitas lebih dari 1 GB.
Yang kedua, Ikutan program baca email dapat duit!
Begitu sudah punya email, manfaatkan email ini dimana tiap baca email dapat duit. Sebagai contoh, jika anda bergabung dengan E-mailPayU anda akan dibayar setiap 1(satu) email yang dibaca dengan $0,02. Anggap $1 amerika seharga Rp.9000 maka anda akan memperoleh Rp 180 rupiah per email. Lalu dalam sehari anda memperoleh 3 email maka akan diperoleh Rp 540 perhari. Dalam sebulan anda akan memperoleh 540x30=Rp.16.200,-. Ingat email tersebut harus dibaca dan anda diwajibkan mengunjungi link yang tertera di bagian bawah email untuk memperoleh kredit. Jadi bukan asal menerima email saja, sehingga kita tidak mungkin membaca emailnya secara offline. Waduh!!! Kalau bacanya diwarnet atau pake dial-up tekor dong??????? Itu kalau anda sendirian yang membacanya, tapi kalau anda sudah mempunyai downline, tiap email yang dibaca oleh downline anda akan meningkatkan jumlah kredit poin anda. Setiap email yang dibaca oleh tiap downline anda hingga ke level 2, anda akan memperoleh $0.01. Bayangkan jika minimal anda sudah mempunyai downline langsung sebanyak 10 orang dan tiap orang membaca 3 email, maka dalam sehari anda tanpa mengeluarkan biaya tambahan sudah memperoleh 10x270= Rp 2700. Ingat TANPA MENGELUARKAN BIAYA APAPUN.
Kok bisa? Karena yang mengeluarkan biaya untuk berinternet untuk baca email adalah downline anda bukan anda. Itulah yang disebut pasif income. Artinya pendapatan tambahan yang datang tanpa anda harus berusaha.
Jadi dalam sebulan dapat berapa? Tinggal kalikan saja Rp 2700x30hari= Rp 81.000,- . Sekarang kalau masing-masing downline anda sudah mempunyai 10 downline lagi berarti anda mempunyai 10+10x10=110. Maka dalam sebulan anda mendapatkan 110x270x30= Rp891.000,-. Itu kalau downline anda sebanyak 110 orang lalu bagaimana kalau lebih dari 1000 orang? Tinggal hitung sendiri hasilnya. Mungkinkah? MUNGKIN SEKALI sebab E-mailPayU adalah program yang berbasis internasional, sehingga jika anda ingin punya downline dari luar negeri website anda harus berbahasa inggris. Selain itu bisa ikut Paid-2-Click yaitu dibayar $0.005 setiap mengklik iklan yang ditayangkannya setiap hari.
Tips: Anda yang tidak mempunyai internet gratis, dapat membacanya seminggu sekali. Lalu untuk menghemat waktu, saat membuka email pertama, untuk mendapatkan kreditnya, klik kanan di link yang ditunjuk lalu pilih Open Link in New Window ataupun Open Link in New Tab. Lalu hapus email tersebut dan buka email kedua, sementara itu biarkan browser membuka link tadi. Setelah link tadi terbuka dan anda setelah mendapat pesan bahwa anda sudah dapat poin kredit, tutup jendela browser yang membuka link tadi, lanjutkan membaca email kedua. Atau jika saat membuka link kedua lama sekali, anda dapat membaca email kedua jika memang email kedua sudah terbuka. Demikian seterusnya.
Untuk memperoleh poin tambahan, anda dapat mengunjungi E-mailPayU, lalu klik gambar uanglogam berkaki (paidtoclick), dan isi dibawahnya dengan username anda, lalu anda akan membuka situs pemasang iklannya, setelah halaman terbuka maka klik di tulisan diatas berupa "Click here to click another banner", lalu klik lagi di gambar kedua dst sampai gambar ke 7.
Mau ikutan sekarang, udah GRATIS + bonus $10 lagi ,
Klik Disini
Anda butuh minimal satu email, tetapi kami sarankan punya 3: satu untuk teman dan keluarga, satu untuk kontak bisnis, dan satu lagi khusus untuk newsletter yang kadang bercampur spam. Pisahkan alamat yang terakhir ini dari alamat yang Anda pakai untuk akun penting (bank, reset password), supaya spam atau phishing yang masuk ke sana tidak menyentuh alamat utama Anda. Silakan daftar produk lokal maupun luar, tidak ada larangan; hanya perlu diingat yang lokal punya keterbatasan ruang, tidak seperti Yahoo ataupun GMail yang berkapasitas lebih dari 1 GB.
Yang kedua, Ikutan program baca email dapat duit!
Begitu sudah punya email, manfaatkan email ini dimana tiap baca email dapat duit. Sebagai contoh, jika anda bergabung dengan E-mailPayU anda akan dibayar setiap 1(satu) email yang dibaca dengan $0,02. Anggap $1 amerika seharga Rp.9000 maka anda akan memperoleh Rp 180 rupiah per email. Lalu dalam sehari anda memperoleh 3 email maka akan diperoleh Rp 540 perhari. Dalam sebulan anda akan memperoleh 540x30=Rp.16.200,-. Ingat email tersebut harus dibaca dan anda diwajibkan mengunjungi link yang tertera di bagian bawah email untuk memperoleh kredit. Jadi bukan asal menerima email saja, sehingga kita tidak mungkin membaca emailnya secara offline. Waduh!!! Kalau bacanya diwarnet atau pake dial-up tekor dong??????? Itu kalau anda sendirian yang membacanya, tapi kalau anda sudah mempunyai downline, tiap email yang dibaca oleh downline anda akan meningkatkan jumlah kredit poin anda. Setiap email yang dibaca oleh tiap downline anda hingga ke level 2, anda akan memperoleh $0.01. Bayangkan jika minimal anda sudah mempunyai downline langsung sebanyak 10 orang dan tiap orang membaca 3 email, maka dalam sehari anda tanpa mengeluarkan biaya tambahan sudah memperoleh 10x270= Rp 2700. Ingat TANPA MENGELUARKAN BIAYA APAPUN.
Kok bisa? Karena yang mengeluarkan biaya untuk berinternet untuk baca email adalah downline anda bukan anda. Itulah yang disebut pasif income. Artinya pendapatan tambahan yang datang tanpa anda harus berusaha.
Jadi dalam sebulan dapat berapa? Tinggal kalikan saja Rp 2700x30hari= Rp 81.000,- . Sekarang kalau masing-masing downline anda sudah mempunyai 10 downline lagi berarti anda mempunyai 10+10x10=110. Maka dalam sebulan anda mendapatkan 110x270x30= Rp891.000,-. Itu kalau downline anda sebanyak 110 orang lalu bagaimana kalau lebih dari 1000 orang? Tinggal hitung sendiri hasilnya. Mungkinkah? MUNGKIN SEKALI sebab E-mailPayU adalah program yang berbasis internasional, sehingga jika anda ingin punya downline dari luar negeri website anda harus berbahasa inggris. Selain itu bisa ikut Paid-2-Click yaitu dibayar $0.005 setiap mengklik iklan yang ditayangkannya setiap hari.
Tips: Anda yang tidak mempunyai internet gratis, dapat membacanya seminggu sekali. Lalu untuk menghemat waktu, saat membuka email pertama, untuk mendapatkan kreditnya, klik kanan di link yang ditunjuk lalu pilih Open Link in New Window ataupun Open Link in New Tab. Lalu hapus email tersebut dan buka email kedua, sementara itu biarkan browser membuka link tadi. Setelah link tadi terbuka dan anda setelah mendapat pesan bahwa anda sudah dapat poin kredit, tutup jendela browser yang membuka link tadi, lanjutkan membaca email kedua. Atau jika saat membuka link kedua lama sekali, anda dapat membaca email kedua jika memang email kedua sudah terbuka. Demikian seterusnya.
Untuk memperoleh poin tambahan, anda dapat mengunjungi E-mailPayU, lalu klik gambar uanglogam berkaki (paidtoclick), dan isi dibawahnya dengan username anda, lalu anda akan membuka situs pemasang iklannya, setelah halaman terbuka maka klik di tulisan diatas berupa "Click here to click another banner", lalu klik lagi di gambar kedua dst sampai gambar ke 7.
Mau ikutan sekarang, udah GRATIS + bonus $10 lagi ,
Klik Disini
Kamis, 10 Juli 2008
7 Tips to Keep Windows XP Running (For Years...)
If all goes as anticipated (and it never does), Windows 7 will arrive in 2010. Therefore, if you've done the math, that means Windows XP, originally released in 2001, will be nine years old. A nine-year-old operating system is the human equivalent of a centenarian.
As we know, this is no easy feat; it calls for some serious life-extension techniques.
I think this is a fitting analogy actually, since running Windows XP for another 1-2 years is a very real possibility for some. After all, many who despised Vista will likely not only wait for Windows 7 to release. They will most likely wait for the first service pack to arrive before making a change. That would put us possibly into 2011.
So if you want to see Windows XP make it to the ripe old age of ten, you should likewise take steps to keep it in good health.
1) Run Windows Updates
As an IT Director, I cannot recall how many times I had someone bring me a PC with XP installed on it from home and tell me it does not work right. Nine times out of ten, the Windows updates were not done.
In a few cases, they had not even installed SP2. When XP was released, many of the technologies we have available today were in their infancy or non-existent. Keeping Windows updated -- the security patches, not just the feature updates -- will help keep you running well, and it closes vulnerabilities that are already public and already fixed.
2) Add Memory and Move Data Online or to an External Drive
It is no secret Windows runs better with more memory, so maximize XP by adding RAM.
Another essential fact: Windows runs better if you have at least 20 percent disk space available. With the advent of downloadable Music and Movies (legally of course), you need to beware. Both RAM and storage are cheap these days so why not invest in some to keep your system in an optimal state. At a mere 38 years old (in human years) I wish I could just simply add some extra memory or possibly off-load some things to external memory. Perhaps they will have that available by 2010 as well…
3) Run System & Driver Updates
Another area that even many IT people are guilty of, is not updating the system itself. BIOS updates and driver updates go a long way to help keep things running smoothly.
It is important to remember, though, with driver updates, never run the “beta driver.” It is also a good idea to backup your system, in case the driver causes something to stop working.
Now it bears saying that if it’s not broke, don’t fix it, likewise you may be living with some issues. If you fit this description you need to decide if you’re happy with the issue from the driver. In that case perhaps you can live with it for a while longer.
4) Do Not Keep Up with the Joneses
The latest and greatest is not always the smartest or most efficient choice. Many of the software packages created today are built for the Vista platform or beyond. New software is always coded for new systems, and vice versa.
So you need to decide if the latest version of Office or the newest Adobe Acrobat release is really necessary. If you can live without it (and be honest with yourself), then run the older version. Both you and XP will be happier.
As we know, this is no easy feat; it calls for some serious life-extension techniques.
I think this is a fitting analogy actually, since running Windows XP for another 1-2 years is a very real possibility for some. After all, many who despised Vista will likely not only wait for Windows 7 to release. They will most likely wait for the first service pack to arrive before making a change. That would put us possibly into 2011.
So if you want to see Windows XP make it to the ripe old age of ten, you should likewise take steps to keep it in good health.
1) Run Windows Updates
As an IT Director, I cannot recall how many times I had someone bring me a PC with XP installed on it from home and tell me it does not work right. Nine times out of ten, the Windows updates were not done.
In a few cases, they had not even installed SP2. When XP was released, many of the technologies we have available today were in their infancy or non-existent. Keeping Windows updated -- the security patches, not just the feature updates -- will help keep you running well, and it closes vulnerabilities that are already public and already fixed.
2) Add Memory and Move Data Online or to an External Drive
It is no secret Windows runs better with more memory, so maximize XP by adding RAM.
Another essential fact: Windows runs better if you have at least 20 percent disk space available. With the advent of downloadable Music and Movies (legally of course), you need to beware. Both RAM and storage are cheap these days so why not invest in some to keep your system in an optimal state. At a mere 38 years old (in human years) I wish I could just simply add some extra memory or possibly off-load some things to external memory. Perhaps they will have that available by 2010 as well…
3) Run System & Driver Updates
Another area that even many IT people are guilty of, is not updating the system itself. BIOS updates and driver updates go a long way to help keep things running smoothly.
It is important to remember, though, with driver updates, never run the “beta driver.” It is also a good idea to backup your system, in case the driver causes something to stop working.
Now it bears saying that if it’s not broke, don’t fix it, likewise you may be living with some issues. If you fit this description you need to decide if you’re happy with the issue from the driver. In that case perhaps you can live with it for a while longer.
4) Do Not Keep Up with the Joneses
The latest and greatest is not always the smartest or most efficient choice. Many of the software packages created today are built for the Vista platform or beyond. New software is always coded for new systems, and vice versa.
So you need to decide if the latest version of Office or the newest Adobe Acrobat release is really necessary. If you can live without it (and be honest with yourself), then run the older version. Both you and XP will be happier.
Rabu, 09 Juli 2008
Database Normalization Basics
If you've been working with databases for a while, chances are you've heard the term normalization. Perhaps someone's asked you "Is that database normalized?" or "Is that in BCNF?" All too often, the reply is "Uh, yeah." Normalization is often brushed aside as a luxury that only academics have time for. However, knowing the principles of normalization and applying them to your daily database design tasks really isn't all that complicated and it could drastically improve the performance of your DBMS.
In this article, we'll introduce the concept of normalization and take a brief look at the most common normal forms. Future articles will provide in-depth explorations of the normalization process.
What is Normalization?
Normalization is the process of efficiently organizing data in a database. There are two goals of the normalization process: eliminating redundant data (for example, storing the same data in more than one table) and ensuring data dependencies make sense (only storing related data in a table). Both of these are worthy goals as they reduce the amount of space a database consumes and ensure that data is logically stored.
The Normal Forms
The database community has developed a series of guidelines for ensuring that databases are normalized. These are referred to as normal forms and are numbered from one (the lowest form of normalization, referred to as first normal form or 1NF) through five (fifth normal form or 5NF). In practical applications, you'll often see 1NF, 2NF, and 3NF along with the occasional 4NF. Fifth normal form is very rarely seen and won't be discussed in this article.
Before we begin our discussion of the normal forms, it's important to point out that they are guidelines and guidelines only. Occasionally, it becomes necessary to stray from them to meet practical business requirements. However, when variations take place, it's extremely important to evaluate any possible ramifications they could have on your system and account for possible inconsistencies. That said, let's explore the normal forms.
First Normal Form (1NF)
First normal form (1NF) sets the very basic rules for an organized database:
* Eliminate duplicative columns from the same table.
* Create separate tables for each group of related data and identify each row with a unique column or set of columns (the primary key).
Second Normal Form (2NF)
Second normal form (2NF) further addresses the concept of removing duplicative data:
* Meet all the requirements of the first normal form.
* Remove subsets of data that apply to multiple rows of a table and place them in separate tables.
* Create relationships between these new tables and their predecessors through the use of foreign keys.
Third Normal Form (3NF)
Third normal form (3NF) goes one large step further:
* Meet all the requirements of the second normal form.
* Remove columns that are not dependent upon the primary key.
Fourth Normal Form (4NF)
Finally, fourth normal form (4NF) has one additional requirement:
* Meet all the requirements of the third normal form.
* A relation is in 4NF if it has no multi-valued dependencies.
Remember, these normalization guidelines are cumulative. For a database to be in 2NF, it must first fulfill all the criteria of a 1NF database.
If you'd like to ensure your database is normalized, explore our other articles in this series:
* Database Normalization Basics
* Putting your Database in First Normal Form
* Putting your Database in Second Normal Form
* Putting your Database in Third Normal Form
If you want to receive notifications of new database articles posted on this site, Subscribe to our newsletter
By Mike Chapple, About.com
In this article, we'll introduce the concept of normalization and take a brief look at the most common normal forms. Future articles will provide in-depth explorations of the normalization process.
What is Normalization?
Normalization is the process of efficiently organizing data in a database. There are two goals of the normalization process: eliminating redundant data (for example, storing the same data in more than one table) and ensuring data dependencies make sense (only storing related data in a table). Both of these are worthy goals as they reduce the amount of space a database consumes and ensure that data is logically stored.
The Normal Forms
The database community has developed a series of guidelines for ensuring that databases are normalized. These are referred to as normal forms and are numbered from one (the lowest form of normalization, referred to as first normal form or 1NF) through five (fifth normal form or 5NF). In practical applications, you'll often see 1NF, 2NF, and 3NF along with the occasional 4NF. Fifth normal form is very rarely seen and won't be discussed in this article.
Before we begin our discussion of the normal forms, it's important to point out that they are guidelines and guidelines only. Occasionally, it becomes necessary to stray from them to meet practical business requirements. However, when variations take place, it's extremely important to evaluate any possible ramifications they could have on your system and account for possible inconsistencies. That said, let's explore the normal forms.
First Normal Form (1NF)
First normal form (1NF) sets the very basic rules for an organized database:
* Eliminate duplicative columns from the same table.
* Create separate tables for each group of related data and identify each row with a unique column or set of columns (the primary key).
Second Normal Form (2NF)
Second normal form (2NF) further addresses the concept of removing duplicative data:
* Meet all the requirements of the first normal form.
* Remove subsets of data that apply to multiple rows of a table and place them in separate tables.
* Create relationships between these new tables and their predecessors through the use of foreign keys.
Third Normal Form (3NF)
Third normal form (3NF) goes one large step further:
* Meet all the requirements of the second normal form.
* Remove columns that are not dependent upon the primary key.
Fourth Normal Form (4NF)
Finally, fourth normal form (4NF) has one additional requirement:
* Meet all the requirements of the third normal form.
* A relation is in 4NF if it has no multi-valued dependencies.
Remember, these normalization guidelines are cumulative. For a database to be in 2NF, it must first fulfill all the criteria of a 1NF database.
If you'd like to ensure your database is normalized, explore our other articles in this series:
* Database Normalization Basics
* Putting your Database in First Normal Form
* Putting your Database in Second Normal Form
* Putting your Database in Third Normal Form
If you want to receive notifications of new database articles posted on this site, Subscribe to our newsletter
By Mike Chapple, About.com
Passwords Are a Hidden PCI-Compliance Danger
Remember to seek out, change and manage every password in your IT infrastructure, or you'll fail your PCI audit.
While corporations are struggling with PCI compliance after PCI DSS requirement 6.6 became mandatory on June 30, they may be overlooking one of the most critical areas for compliance -- passwords.
Generally, enterprises do not revoke passwords when their owners move to other departments within the company or leave, resulting in orphaned accounts.
But user and system administrator passwords are just the tip of the iceberg -- literally thousands of other passwords are hidden from view, such as application-to-application passwords, passwords embedded in applications and the passwords every device on a corporate network comes with.
The last category includes laptops, desktops, appliances, routers, bridges and just about any other device you can think of.
"If you don't change the default passwords applications and devices are shipped with, you could fail your PCI audit, because these are freely available online," Robert Grapes, chief technologist of Cloakware's data center solutions, told InternetNews.com.
"There's more than 3,000 vendors and products listed with the default passwords on the Internet; very few people go through their devices or operating systems and change the passwords," he added.
Identities and passwords that have been hard-coded into applications or servers are the most difficult to revoke or change, and are often ignored because of this.
"I talked to one company who had not changed passwords on particular systems of theirs for 17 years," Grapes said.
Passwords on applications and devices, and administrator passwords, belong to privileged accounts, meaning they carry more permissions and rights than the average end user. Such accounts constitute one of the biggest potential sources of enterprise security breaches.
"There are many times the number of privileged accounts operating on your network than there are end user accounts," Grapes said.
For example, in an enterprise with, say, 1,000 end users running on Windows, every laptop, desktop and server will have a local administrator account and service accounts that are not being managed, according to Grapes.
Then there are all the back-end applications running on other systems, such as Unix servers, blades and mainframes, the network management systems, the database accounts, each of which will have multiple privileged accounts.
The proliferation of privileged accounts is so great that "we recently completed a transaction with a large European bank with 80,000 employees, and they bought a contract for 525,000 accounts," Grapes said.
It's impossible to root out all the passwords and change them individually to comply with the PCI regulations, and Grapes said automation is the best solution.
The PCI regulations' password requirements proved a "major, major pain" for the large U.S. retail chain where Joey Peloquin used to work.
"We had more than 160,000 users, and automation was the only way we could solve the problem," Peloquin, now a senior security consultant in HP software professional services' application security division, told InternetNews.com.
His former employer selected a product from Cyber-Ark called the Enterprise Password Vault; Cloakware also offers a solution, called the Cloakware Server Password Manager.
Some enterprises let systems administrators share identities and passwords to contain password sprawl, but that generates problems of its own.
"If you have 10 administrators sharing a password and ID, how can you audit and trace who performed a particular function on that system?" Grapes asked.
Such tracking information is crucial to passing an audit.
The cost of failure can be high. When Peloquin's former employer failed a PCI audit, "we lost millions of dollars on the day we failed just through the increased commissions we had to pay," he said.
While corporations are struggling with PCI compliance after PCI 6.6 became mandatory June 30, they may be overlooking one of the most critical areas for compliance -- passwords.
Generally, enterprises do not revoke passwords when their owners move to other departments within the company or leave, resulting in orphaned accounts.
But user and system administrator passwords are just the tip of the iceberg -- literally thousands of other passwords are hidden from view, such as application-to-application passwords, passwords embedded in applications and the passwords every device on a corporate network comes with.
The last category includes laptops, desktops, appliances, routers, bridges and just any other device you can think of.
"If you don't change the default passwords applications and devices are shipped with, you could fail your PCI audit, because these are freely available online," Robert Grapes, chief technologist of Cloakware's data center solutions, told InternetNews.com.
"There's more than 3,000 vendors and products listed with the default passwords on the Internet; very few people go through their devices or operating systems and change the passwords," he added.
Identities and passwords that have been hard-coded into applications or servers are the most difficult to revoke or change, and are often ignored because of this.
"I talked to one company who had not changed passwords on particular systems of theirs for 17 years," Grapes said.
Passwords on applications and devices, and administrator passwords, are privileged accounts, meaning they have more permissions and rights than the average end user. Such accounts represent one of the biggest sources of potential enterprise security breaches.
"There are many times the number of privileged accounts operating on your network than there are end user accounts," Grapes said.
For example, in an enterprise with, say, 1,000 end users running on Windows, every laptop, desktop and server will have a local administrator account and service accounts that are not being managed, according to Grapes.
Then there are all the back-end applications running on other systems, such as Unix servers, blades and mainframes, the network management systems, the database accounts, each of which will have multiple privileged accounts.
The proliferation of privileged accounts is so great that "we recently completed a transaction with a large European bank with 80,000 employees, and they bought a contract for 525,000 accounts," Grapes said.
It's impossible to root out all the passwords and change them individually to comply with the PCI regulations, and Grapes said automation is the best solution.
The PCI regulations' password requirements proved a "major, major pain" for the large U.S. retail chain where Joey Peloquin used to work.
"We had more than 160,000 users, and automation was the only way we could solve the problem," Peloquin, now a senior security consultant in HP software professional services' application security division, told InternetNews.com.
His former employer selected a product from Cyber-Ark called the Enterprise Password Vault; Cloakware also offers a solution, called the Cloakware Server Password Manager.
Some enterprises let systems administrators share identities and passwords to contain password sprawl, but that generates problems of its own.
"If you have 10 administrators sharing a password and ID, how can you audit and trace who performed a particular function on that system?" Grapes asked.
Such tracking information is crucial to passing an audit.
The cost of failure can be high. When Peloquin's former employer failed a PCI audit, "we lost millions of dollars on the day we failed just through the increased commissions we had to pay," he said.
Adding Google Maps To Your Rails Applications
In the months following publication of the final part of the very popular series on integrating Google Maps into PHP applications, I've spent quite a bit of time working with another popular Web technology: Ruby on Rails. As it turns out, Rails developers have been hard at work creating a few amazing plugins capable of adding powerful mapping capabilities to your applications. In this new series, I'll introduce you to these powerful plugins, showing you a number of tips and tricks along the way.
I'll presume you're familiar with mapping fundamentals, including the basic ideas surrounding the Google mapping API syntax. If you haven't had the opportunity to experiment with the API, take some time to read this tutorial before continuing.
Introducing the YM4R/GM Plugin
Although there's nothing preventing you from linking to Google's mapping JavaScript API and referencing the library directly from your views, jumping between Ruby/Rails syntax and JavaScript can quickly become a tedious affair. The YM4R/GM plugin remedies this issue nicely, abstracting the API calls through Ruby's familiar object-oriented syntax. With it you can do everything from render simple maps to build complex maps complete with custom markers, information windows, and clusters for facilitating the rendering of large numbers of markers.
Installing and Configuring YM4R/GM
To install the YM4R/GM plugin, execute the following command from your project directory:%>ruby script/plugin install
svn://rubyforge.org/var/svn/ym4r/Plugins/GM/trunk/ym4r_gm
YM4R/GM manages the Google API keys within a file named gmaps_api_key.yml, found in the project's config directory. The developers save you the trouble of having to create your own API key for local testing purposes by including an API key that has already been tied to http://localhost:3000. However, if you're testing on a different host, you'll first need to create an API key and add it to this file (instructions for creating a key are provided in the aforementioned introductory tutorial).
Creating Your First Map
Figure 1: Centering the map over Youngstown, Ohio
As is standard Rails practice, you'll use the controller method to define the map and its features, and the view to render the results. In the following example, you'll define a map in the index controller's index action, complete with a pan/zoom control but minus the map type selector:def index
# Create a new map object, also naming the div ("map") where the
# map will be rendered in the view; the view's @map.div call has to
# target this same div id
@map = GMap.new("map")
# Use the larger pan/zoom control but disable the map type
# selector
@map.control_init(:large_map => true,:map_type => false)
# Center the map on specific coordinates, given as [latitude, longitude],
# and zoom in fairly closely (zoom level 10); the dimensions of the map
# are deliberately left to the view
@map.center_zoom_init([41.023849,-80.682053], 10)
end
Next, in the index action's corresponding view, add the following code:
<%# Outputs references to both the Google Maps API and the YM4R/GM JavaScript libraries %>
<%= GMap.header %>
<%# Outputs the JavaScript generated by YM4R/GM from the settings made in the action %>
<%= @map.to_html %>
<%# Renders the map into the div named in the action's GMap.new call; the size is chosen here, in the view %>
<%= @map.div(:width => 400, :height => 300) %>
The GMap.header call will output references to both the Google Maps API and YM4R/GM JavaScript libraries. The @map.to_html call outputs JavaScript code generated by YM4R/GM according to the specifications set forth in the action. Finally, the @map.div call outputs the map to a div as specified in the action's GMap.new call.
Also, you'll see that the map dimensions are defined in the view rather than the controller. This is keeping with the convention of separating application logic and design; the view designer can choose any dimension he pleases; the map will simply fill to the desired size. The initial zoom level is, however, defined in the controller, although the user can easily subsequently adjust the zoom using the control.
By : Jason Gilmore
Move Settings Out of the Web.config File
Did you know that you can move sections of your Web.config file into other files? Whether it's to keep things tidy or simply to make it easier to find the settings you change often, it's easy to do and yet few people even realize you can.
The magic that makes this possible is the configSource attribute. It was added in .NET 2.0 and its value indicates the name of the file that contains the section that we're moving to another file. It's probably easiest to illustrate via a simple example. A normal connectionStrings section in Web.config might look something like this:
... ...
To move that section to a separate file, simply replace the connectionStrings section in the listing above with this line:
and then create a new "ConnectionStrings.config" file to hold the connectionStrings section's settings:
See... it really couldn't be much simpler. Now you can play with your connection strings as much as you want without fear of messing up any other settings in your Web.config file. Keep in mind that the external file now holds the same credentials Web.config did, so give it the same file permissions and protection you give Web.config itself.
Oh... and just because I only showed you how to move the connectionStrings section, don't think that it stops there. You can just as easily move any section you want to an external file: appSettings, mailSettings, urlMappings, etc.
Source:ASP101
The magic that makes this possible is the configSource attribute. It was added in .NET 2.0 and its value indicates the name of the file that contains the section that we're moving to another file. It's probably easiest to illustrate via a simple example. A normal connectionStrings section in Web.config might look something like this:
To move that section to a separate file, simply replace the connectionStrings section in the listing above with this line:
and then create a new "ConnectionStrings.config" file to hold the connectionStrings section's settings:
See... it really couldn't be much simpler. Now you can play with your connection strings as much as you want without fear of messing up any other settings in your Web.config file. Keep in mind that the external file now holds the same credentials Web.config did, so give it the same file permissions and protection you give Web.config itself.
Oh... and just because I only showed you how to move the connectionStrings section, don't think that it stops there. You can just as easily move any section you want to an external file: appSettings, mailSettings, urlMappings, etc.
Source:ASP101
Senin, 07 Juli 2008
Security Basics: A Strong Password is the Key
As your personal business life becomes accessible in digital form, using strong passwords to keep that information safe and secure is more important than ever. The proliferation of Web 2.0 services such as online payment, banking, accounting and payroll services means that your company’s most sensitive information is accessible to anyone with the proper login.
Relying on your pet’s name for a password just doesn’t cut it anymore. The only thing worse is having your passwords scrawled on a sticky note under your keyboard – you know who you are.
The Basics
Security experts agree: Most people have passwords that provide woefully inadequate protection against hackers and identity thieves. That’s because a password that’s easy to remember is also easy for an automated hacking program to guess, and one that’s hard to guess is also hard to remember—and winds up on that sticky note. But there are a few tricks that can help you come up with complicated passwords that will still be easy for you (and only you) to remember.
“A good technique is to come up with a base password, and then just change it a bit for every site,” advises David Ulevitch, CEO of OpenDNS, the leading provider of Domain Name System services. For example, your banking log-in for Bank of America could be ca$h!cowBoA, while your QuickBooks online accounting password could be ca$h!cowQB. Note that if one of these passwords is exposed, the shared base makes the others easy to derive, so the technique trades some security for memorability.
Which brings up a second point: Be sure to use a mix of upper- and lowercase letters, numbers, and symbols. The reason? Automated hacking programs can cycle through all known words (spelled both forward and backward), plus common names (including Fido and Queenie), in a matter of minutes.
“The best way to do strong passwords is to simply replace letters with characters and numbers, and make use of other keyboard tidbits,” advises Eric Green, president of ELG Consulting and a consultant to SCIPP International, the first non-profit security-awareness training certification organization. So while NYYankees is a weak password, it can be made stronger (and still remain memorable) with the simple tweak to NY_Y@nkee$$.
Another trick is to think of a passphrase that is meaningful to you and that can be turned into an acronym (again, with some symbols in place of letters). So, for example, the fact that my first car was a 1964 Buick Electra could become the PayPal password MfCw@!964BE!PP. And if you are worried about forgetting it, you could write down a reminder for yourself that will be useless to others, like “first car sentence.”
Other Observations
Ultimately, the security of your password (and hence your data) is only as secure as the site you enter it into. “When doing any work online and entering any kind of personal information at all, make sure the little pad lock is at the bottom of your screen indicating the site is using SSL (Secure Sockets Layer) to encrypt your data,” cautions Green. “The strongest password in the world is a waste if someone can simply copy that information over an insecure network.”
Also be aware of keylogger programs and other malware that can lurk on a PC, recording your keystrokes and surreptitiously sending them to a hacker. The string “www.paypal.comjohndoefido” lets the thief know that a PayPal user name is John Doe and that the user’s password is Fido.
So never enter a vital password at a public computer terminal (such as at an Internet café), since you don’t know what programs people have installed onto the computers. And on your own home and business PCs, be very careful what you and your employees load (in fact, on Windows, block employees from installing programs altogether) and be sure each PC’s anti-spyware program (such as SpySweeper) is up to date.
Jamie Bsales is an award-winning technology writer and editor with nearly 14 years of experience covering the latest hardware, software and Internet products and services.
This article was first published on SmallBusinessComputing.com.
College degree still worth investment, economists say
MINNEAPOLIS -- What's worse than being 12 years out of high school and on your way to having $40,000 in debt?
Being 30 years old, with no college degree, making $15 an hour.
That's why Jesse Mullan has taken a risk and gone back to college, sitting in classrooms with college juniors who were 8 years old when he graduated from high school in St. Paul, Minn., in 1994.
Mullan, who expects to graduate from college in 2008, figures that taking on debt to further his education will pay off. He expects to triple his hourly pay shortly after collecting a degree in computer science from the University of Minnesota, allowing him to pay off his school loans in no more than 10 years.
"It's better than car loans," he said.
Mullan is still making a good bet, many economists agree. While the cost of college has soared, the incomes of college graduates are still staying well ahead of those who don't have four-year degrees.
How far ahead? Lifetime incomes of college grads in today's dollars average nearly $300,000 more than high school graduates over a 40-year career. And that's the net benefit, after deducting an average cost of more than $100,000 in tuition, room and board and potential income lost while attending college.
The income gap between those with and without a college degree continues to grow, though at not as fast a pace since the mid-1990s as in the 1980s. Why? A rising tide of economic prosperity has lifted most of the boats, providing higher incomes for even the undereducated.
"Since the mid-1990s, the average (inflation-adjusted) wages of college graduates have skyrocketed, increasing by 18 percent" as of 2004, a recent study found. In contrast, wages of high school dropouts rose at about half that rate -- 10 percent -- over the same period.
Economists Lisa Barrow and Cecilia Elena Rouse said in the same paper that "there are no signs that the value of a college education has peaked or is on a downward trend."
While many people have heard stories of degree-holders with nothing more to show for their high-priced education than a job behind a coffee counter, sticker shock about the rapidly rising cost of tuition and fees is largely misplaced, said Rouse, a Princeton University economist.
Rouse cites two factors to back up that claim: Significant numbers of students get some form of aid, income tax credits at the very least -- meaning they pay less than the posted price for their degrees. What's more, by far the largest cost of going to college is foregone income, and wages of high school grads have not climbed nearly as fast as the double-digit gains in tuition at many colleges in recent years.
To be sure, paying for college is a bigger gamble for some than for others.
Sixty-three percent of all students with family incomes of $79,000 or less face a gap between the annual cost of college and the money they can raise through grants, scholarships, work-study programs and family contributions, according to a national study released last month by the Southern Regional Education Board.
That gap is filled by debt.
For example, in the spring of 2005, nearly two-thirds of the students graduating from the University of Minnesota's Twin Cities campus left with debt -- an average of more than $22,000. That was up 65 percent from the average for indebted students in the class of 2002.
But the average return to a college education is large enough to overshadow those liabilities, many studies have found.
The Census Bureau in 2004 calculated that the average college graduate earns $27,800 more per year, adjusted for inflation, than the average high school graduate. That adds up to more than $1 million over a lifetime.
Barrow and Rouse calculated that over 40 years, the average payback for a college diploma comes to $402,959 in today's dollars. Subtract $107,277 in their estimated average total cost for a four-year degree and the average expected benefit would come to about $296,000.
And what about the English majors or art students who end up behind a counter at Starbucks after graduation? Their degree still is likely to make them more attractive as a management candidate than someone who didn't go to college.
"There probably are more opportunities open to these people who maybe aren't doing as well as the average," Barrow said.
source:seattlepi.com
Sabtu, 05 Juli 2008
User Authentication Beyond the Password
Here's a simple fact: the security of your organization is at risk every time anyone logs on to your network. If it's an authorized user then you're probably safe, but if it's a hacker that's logging on then here's what could be on the menu: malware infections, network unavailability, server downtime, data loss or corruption, leakage of confidential or proprietary information, and much more besides.
Given all this, it's astounding that most businesses require only a user name and password to authenticate users onto their networks, even when logging in remotely. According to research house Gartner, about 94 percent of companies of all sizes require only single-factor authentication of this sort from their users.
It's astounding because single-factor authentication using "something you know"—a password, in other words—is notoriously insecure. If a password is to be easily remembered then it's probably easily guessable and rarely changed. If users are forced to use more secure passwords which are long, random and frequently changed, then the chances are they'll write them down on a sticky note "hidden" somewhere obvious.
Factor In Tokens
A sensible way to beef up security is to bump up authentication to a two factor process, involving "something you have"—some form of security token which users must be in possession of when they authenticate themselves to the network—as well as the "something you know" password. This is the model that ATMs use: a PIN that the user has to know, and an ATM card that has to be inserted to prove that it is in their possession.
The most common form of network authentication credential is the SecurID token from RSA Security, part of storage company EMC. The SecurID token generates a one-time password (OTP) which changes every minute or so, and the user has to type in this OTP to prove that the token is in his or her possession. The OTP is generated by putting a time value into an encryption algorithm using the token's unique "seed record" as the key. Since the only other entity in possession of the key is the authentication server, and since the server's and the token's clocks are kept in synchronization, the server is able to compare the OTP the user enters with the one it is expecting, and authenticate the user if it is correct.
But RSA is far from being the only player in town, with a number of other vendors active in the security token market including Vasco with its Digipass range, Secure Computing's SafeWord tokens, the ActivIdentity token range and Entrust IdentityGuard tokens. These products use a variety of systems, including event synchronous authentication. Such tokens generate an OTP each time they are activated (usually by pressing a button) and this OTP is compared with the next OTP that the server generates using the same crypto algorithm and key, and an incremental counter. These are in theory less secure than time synchronous systems as a hacker who gained access to one of these tokens temporarily could generate a sequence of OTPs for later use. These OTPs would remain useful until the next time the owner generated an OTP and submitted it for authentication, as at that point all previous OTPs would cease to be valid. These and other vendors (including memory stick manufacturers) also sell USB dongle tokens and smart cards which have to be physically inserted into a USB port or card reader of some sort during authentication.
Cost Slows Adoption
One reason why many organizations have so far been reluctant to introduce two factor authentication is the cost involved, according to Dr. Ant Allan, a research vice president at Gartner. "For a small enterprise, with a few hundred people working remotely, the cost has been something like $50 per user for a token, plus the same again for the infrastructure required," he says.
But Dr. Allan says the economics are changing rapidly. As well as RSA's time-synchronous tokens and time- or event-synchronous tokens from companies like Vasco and ActivIdentity, which use the ANSI X9.9 standard for identification codes, there's a significant project called OATH: the Initiative for Open Authentication. All tokens that use the OATH standard can be used with OATH-compatible authentication systems, unlike RSA SecurID tokens, for example, which only work with RSA back-end systems. "OATH has enabled the commoditization of security tokens," says Dr. Allan. "It provides the interoperability so you can implement a solution with OATH and buy some tokens from one vendor and others from another vendor." OATH has been heavily promoted by security services vendor VeriSign, which wants to offer managed authentication services without having to be a token manufacturer or locking its customers in to a single token supplier, Dr. Allan says. Entrust, another security vendor, now supplies OATH based tokens for $5 each (albeit with a minimum order of 100), so token hardware costs have become almost negligible.
In fact, token hardware cost is rapidly becoming irrelevant for another reason: The increasing power and sophistication of mobile phones means that it is now perfectly practical to give users soft tokens—software which runs on a mobile phone or other handheld device and emulates a hardware token. "We actually see phone-based authentication tokens becoming increasingly popular, and we predict that 50 percent of future two factor authentication implementations will use phone-based tokens," says Dr. Allan. Once up and running these offer a similar level of security to hardware token based systems, he says, although he warns that enrollment issues (essentially getting the software to the right mobile phone) can be a potential security problem.
Vendors that provide authentication systems using cheap hardware tokens or software tokens make their money from the back-end systems (which they either license or provide as a service). Interestingly, authentication systems are available that use precisely the opposite model: open source authentication server code which is supplied at no cost to work with more costly tokens. For this to work the tokens have to be differentiated in some way to be worth paying more for.
An example of this is the YubiKey, a tiny USB token from a Sweden-based outfit called Yubico. The YubiKey is "seen" by the user's device's operating system as a USB keyboard. Touching the YubiKey's single button automatically generates and enters an OTP into the active field on the user's computer without any other activity required on the part of the user. YubiKeys cost $20 each (in orders over 100), but since the authentication software is open source there are no annual license fees to be paid (although there are obviously costs associated with integration and maintenance). Yubico also offers a free basic managed authentication service -- it previously cost $2 per user per year -- for companies that do not wish to run their own authentication servers. (Ed. Note: See update)
"There are many companies providing expensive validation services and there is clearly a void in the market today for a no-subscription, "no strings attached" offering," says Stina Ehrensvärd, Yubico's CEO. "A buyer needs to look at the total cost of ownership and for large deployments that run for many years the Yubico offering is less expensive than the competition. We do not subsidize the tokens to regain on services." Ehrensvärd expects the price of the YubiKey to drop in the near future, and says by mid-August the device will support OATH.
Because the cost of token based authentication has historically been high, a number of other authentication methods have appeared, providing a variety of levels of security. The prevalence of mobile phones has led to a degree of popularity for out of band authentication methods using SMS messages, email, or even voice messages. A user attempting to log on has a security code sent to their mobile phone using one of these methods, and this code must be entered as part of the log on procedure. As long as the communication channel (in this case the mobile phone connection) is not compromised, this method is actually pretty secure. Problems occur if network latency means that the user has to wait too long for the security code to arrive - or if the user is outside a mobile phone coverage area.
Alternative Factors
Other authentication methods involve identifying the IP address from which a user logs in, or the device the user is operating (using network access control devices, or proprietary systems). These, however, authenticate a location or a device not a user, so they can't be used when a user is mobile (in the case of IP address authentication) or when a user wants to use a different computer system (in the case of NAC or other systems). It also leaves a network vulnerable to attacks from malware-infected, authorized machines operated remotely.
What's clear is that with the commoditization of tokens thanks to standards like OATH, and with open-source based solutions using low cost hardware such as the YubiKey, the cost barrier to implementing strong two factor authentication is falling fast. "There has historically been an authentication chasm because the cost of hardware has been high," says Dr. Allan, "but now that cost is shrinking." What that means is that there is now less of a reason than ever before to rely on user names and passwords for the security of your network. For a fairly modest cost you could introduce two factor authentication and increase the level of your network's security significantly.
Create:Paul Rubens
Given all this, it's astounding that most businesses require only a user name and password to authenticate users onto their networks, even when logging in remotely. According to research house Gartner, about 94 percent of companies of all sizes require only single-factor authentication of this sort from their users.
It's astounding because single-factor authentication using "something you know"—a password, in other words—is notoriously insecure. If a password is to be easily remembered then it's probably easily guessable and rarely changed. If users are forced to use more secure passwords which are long, random and frequently changed, then the chances are they'll write them down on a sticky note "hidden" somewhere obvious.
Factor In Tokens
A sensible way to beef up security is to bump up authentication to a two factor process, involving "something you have"—some form of security token which users must be in possession of when they authenticate themselves to the network—as well as the "something you know" password. This is the model that ATMs use: a PIN that the user has to know, and an ATM card that has to be inserted to prove that it is in their possession.
The most common form of network authentication credential is the SecurID token from RSA Security, part of storage company EMC. The SecurID token generates a one-time password (OTP) which changes every minute or so, and the user has to type in this OTP to prove that the token is in his or her possession. The OTP is generated by putting a time value into an encryption algorithm using the token's unique "seed record" as the key. Since the only other entity in possession of the key is the authentication server, and since the server's and the token's clocks are kept in synchronization, the server is able to compare the OTP the user enters with the one it is expecting, and authenticate the user if it is correct.
But RSA is far from being the only player in town, with a number of other vendors active in the security token market including Vasco with its Digipass range, Secure Computing's SafeWord tokens, the ActivIdentity token range and Entrust IdentityGuard tokens. These products use a variety of systems, including event synchronous authentication. Such tokens generate an OTP each time they are activated (usually by pressing a button) and this OTP is compared with the next OTP that the server generates using the same crypto algorithm and key, and an incremental counter. These are in theory less secure than time synchronous systems as a hacker who gained access to one of these tokens temporarily could generate a sequence of OTPs for later use. These OTPs would remain useful until the next time the owner generated an OTP and submitted it for authentication, as at that point all previous OTPs would cease to be valid. These and other vendors (including memory stick manufacturers) also sell USB dongle tokens and smart cards which have to be physically inserted into a USB port or card reader of some sort during authentication.
Cost Slows Adoption
One reason why many organizations have so far been reluctant to introduce two factor authentication is the cost involved, according to Dr. Ant Allan, a research vice president at Gartner. "For a small enterprise, with a few hundred people working remotely, the cost has been something like $50 per user for a token, plus the same again for the infrastructure required," he says.
But Dr. Allan says the economics are changing rapidly. As well as RSA's time-synchronous tokens and time- or event-synchronous tokens from companies like Vasco and ActivIdentity, which use the ANSI X9.9 standard for identification codes, there's a significant project called OATH: the Initiative for Open Authentication. All tokens that use the OATH standard can be used with OATH-compatible authentication systems, unlike RSA SecurID tokens, for example, which only work with RSA back-end systems. "OATH has enabled the commoditization of security tokens," says Dr. Allan. "It provides the interoperability so you can implement a solution with OATH and buy some tokens from one vendor and others from another vendor." OATH has been heavily promoted by security services vendor VeriSign, which wants to offer managed authentication services without having to be a token manufacturer or locking its customers in to a single token supplier, Dr. Allan says. Entrust, another security vendor, now supplies OATH based tokens for $5 each (albeit with a minimum order of 100), so token hardware costs have become almost negligible.
In fact, token hardware cost is rapidly becoming irrelevant for another reason: The increasing power and sophistication of mobile phones means that it is now perfectly practical to give users soft tokens -- software which runs on a mobile phone or other handheld device and emulates a hardware token. "We actually see phone-based authentication tokens becoming increasingly popular, and we predict that 50 percent of future two factor authentication implementations will use phone-based tokens," says Dr. Allan. Once up and running these offer a similar level of security to hardware-token-based systems, he says, although he warns that enrollment (essentially making sure the token software is delivered to the right user's mobile phone, and not to an impostor's) can be a potential security problem.
Vendors that provide authentication systems using cheap hardware tokens or software tokens make their money from the back-end systems (which they either license or provide as a service). Interestingly, authentication systems are also available that use precisely the opposite model: open source authentication server code which is supplied at no cost, to work with more costly tokens. For this to work the tokens have to be differentiated in some way to be worth paying more for.
An example of this is the YubiKey, a tiny USB token from a Sweden-based outfit called Yubico. The YubiKey is "seen" by the user's device's operating system as a USB keyboard. Touching the YubiKey's single button automatically generates and enters an OTP into the active field on the user's computer without any other activity required on the part of the user. YubiKeys cost $20 each (in orders over 100), but since the authentication software is open source there are no annual license fees to be paid (although there are obviously costs associated with integration and maintenance). Yubico also offers a free basic managed authentication service -- it previously cost $2 per user per year -- for companies that do not wish to run their own authentication servers. (Ed. Note: See update)
"There are many companies providing expensive validation services and there is clearly a void in the market today for a no-subscription, "no strings attached" offering," says Stina Ehrensvärd, Yubico's CEO. "A buyer needs to look at the total cost of ownership and for large deployments that run for many years the Yubico offering is less expensive than the competition. We do not subsidize the tokens to regain on services." Ehrensvärd expects the price of the YubiKey to drop in the near future, and says by mid-August the device will support OATH.
Because the cost of token-based authentication has historically been high, a number of other authentication methods have appeared, providing a variety of levels of security. The prevalence of mobile phones has led to a degree of popularity for out-of-band authentication methods using SMS messages, email, or even voice messages. A user attempting to log on has a security code sent to their mobile phone (or mailbox) via one of these methods, and this code must be entered as part of the log-on procedure. The security of this approach rests entirely on the second channel: as long as the out-of-band channel (in this case the mobile phone connection) is not compromised and the code actually reaches the legitimate user's device, the method is reasonably secure. Problems occur if network latency means that the user has to wait too long for the security code to arrive -- or if the user is outside a mobile phone coverage area.
Alternative Factors
Other authentication methods involve identifying the IP address from which a user logs in, or the device the user is operating (using network access control devices, or proprietary systems). These, however, authenticate a location or a device, not a user, so they can't be used when a user is mobile (in the case of IP address authentication) or when a user wants to use a different computer system (in the case of NAC or other systems). Device- or address-based checks also offer no protection against an authorized, already-trusted machine that has been infected with malware and is being operated remotely by an attacker.
What's clear is that with the commoditization of tokens thanks to standards like OATH, and with open-source-based solutions using low-cost hardware such as the YubiKey, the cost barrier to implementing strong two factor authentication is falling fast. "There has historically been an authentication chasm because the cost of hardware has been high," says Dr. Allan, "but now that cost is shrinking." What that means is that there is now less of a reason than ever before to rely on user names and passwords alone for the security of your network. For a fairly modest cost you could introduce two factor authentication and increase the level of your network's security significantly.
Create:Paul Rubens
Kamis, 03 Juli 2008
Creating a Contacts Database in OpenOffice
Last week we learned how to make pages of labels, business cards, and form letters using OpenOffice Writer and Base. The steps for setting up any mail-merge document in OpenOffice are easy; the one potentially gnarly bit is creating your contacts database in the first place. Your contacts list must be in Base, which is a bit of a pain. But the good news is Base can import data from most other databases, spreadsheets, text-delimited files, and email address books. Figure 1 shows the import screen. Yours may have some different options, depending on your Linux distribution.
Base can connect directly to most relational databases, such as MySQL, PostgreSQL, Oracle, Adabas D, or any database that supports the Open Database Connectivity (ODBC) or Java database connectivity (JDBC) drivers. So it also functions as a graphical front-end to other databases, and you can use it to edit and change them. Address books, spreadsheets, and delimited text files are read-only. You can import their data into Base, but whenever you make a change to the source document you have to import the new data; you can't change it or directly access it from Base.
My contacts are in a KDE address book. Importing this into Base is so easy your cat can do it:
File - New - Database
Connect to an existing database
Yes, register the database for me and open the database for editing
Click finish, name and save the new file
You will see something like Figure 2. Double-click on the Address Book table to see your imported data
If Base doesn't have an option to directly import from your address book, try exporting your addresses into a comma-delimited .csv file. Then in the "Connect to an existing database" dropdown list, choose "Text". The next screen asks for the path, be sure to check "'Comma separated value files ' (*.csv)", and then select the correct delimiters. If it is a correctly-formed .csv file Base will have no problems with it. Here is an abbreviated example from my KDE address book export:
"Family Name","Given Name","Honorific Prefixes","Home Phone",
"Home Fax","Home Address Street","Home Address City",
"Home Address State","Home Address Zip Code"
"Robby","SIlaen","Mr.","","","Sumatera Utara",
"Indonesia","Medan","20154"
Even though there are line breaks for readability, the real line breaks are at the ends of the lines with no commas. You have to have the exact same number of fields in your field definitions line, which is the first line in the file, and in your data lines. In this example there are nine. Any empty fields need "" for a placeholder, and each field is separated by a comma. You can use a comma, single space, tab, colon, or a semi-colon for the delimiter.
Source:LinuxPlanet.com
Base can connect directly to most relational databases, such as MySQL, PostgreSQL, Oracle, Adabas D, or any database that supports the Open Database Connectivity (ODBC) or Java database connectivity (JDBC) drivers. So it also functions as a graphical front-end to other databases, and you can use it to edit and change them. Address books, spreadsheets, and delimited text files are read-only. You can import their data into Base, but whenever you make a change to the source document you have to import the new data; you can't change it or directly access it from Base.
My contacts are in a KDE address book. Importing this into Base is so easy your cat can do it:
File - New - Database
Connect to an existing database
Yes, register the database for me and open the database for editing
Click finish, name and save the new file
You will see something like Figure 2. Double-click on the Address Book table to see your imported data
If Base doesn't have an option to directly import from your address book, try exporting your addresses into a comma-delimited .csv file. Then in the "Connect to an existing database" dropdown list, choose "Text". The next screen asks for the path, be sure to check "'Comma separated value files ' (*.csv)", and then select the correct delimiters. If it is a correctly-formed .csv file Base will have no problems with it. Here is an abbreviated example from my KDE address book export:
"Family Name","Given Name","Honorific Prefixes","Home Phone",
"Home Fax","Home Address Street","Home Address City",
"Home Address State","Home Address Zip Code"
"Robby","SIlaen","Mr.","","","Sumatera Utara",
"Indonesia","Medan","20154"
Even though there are line breaks for readability, the real line breaks are at the ends of the lines with no commas. You have to have the exact same number of fields in your field definitions line, which is the first line in the file, and in your data lines. In this example there are nine. Any empty fields need "" for a placeholder, and each field is separated by a comma. You can use a comma, single space, tab, colon, or a semi-colon for the delimiter.
Source:LinuxPlanet.com
PCI DSS for Database Professionals for Credit Card
The Payment Card Industry Data Security Standard (PCI DSS) sets forth the security requirements for organizations that store, process and/or transmit credit or debit card transactions. These requirements stem from a series of data breaches affecting databases of consumer credit information over the past decade.
What does PCI DSS mean to you as a database professional? If you review the PCI DSS standard, you’ll find seventeen pages packed with detailed requirements for securing cardholder information. If your organization processes transactions, it’s a good idea to review the entire standard and ensure you’re meeting all of those requirements. That said, I’ll highlight a few salient points that pertain directly to database professionals.
Place the database in an internal network zone, segregated from the DMZ. PCI requires that you place your database server on your internal network and that you deny attempts to directly access the database from untrusted networks. Additionally, you must use private IP addresses for the database server.
Change vendor-supplied default passwords. You must ensure that your database uses strong passwords for all user accounts and that you change the passwords for any default accounts supplied by your database vendor -- or, where a default account is not needed, disable or remove it altogether.
Encrypt all non-console administrative access. You're required to use encryption technology (e.g. VPN, SSL/TLS, SSH) for any administrative connection to the database that does not come from the local console. This reduces the risk of an eavesdropper on the network capturing administrative credentials to the database.
Keep cardholder data storage to a minimum. You should never store cardholder data that you no longer need. If you don't need to store it, don't. If you're finished with it, purge it from your database. In all cases, you may never store the full contents of the card's magnetic stripe (track data) or the card verification code (the three-digit code on the back of the card, or the four-digit code on the front of some cards) after authorization -- not even in encrypted form.
Encrypt card numbers that you do store. If your business requirements dictate that you store primary account numbers, you must render them unreadable wherever they are stored -- in practice, by encrypting them with a strong encryption algorithm. Furthermore, you must use sound key management practices: restrict access to the encryption keys to the fewest possible custodians, and do not keep the keys alongside the encrypted data they protect.
Ensure that you patch your database regularly. A recent study revealed that many DBAs fall well behind on applying security patches. PCI requires that you apply critical security updates within one month of their release.
Develop web applications securely. Granted, DBAs seldom have control over the code written by developers, but it's important that we act as security evangelists, educating developers about the risk posed by database attacks such as SQL injection.
Practice secure user management. In addition to the controls you'd expect, such as requiring individual user accounts with strong passwords, you also need to assign database privileges in a fashion that limits access to cardholder data to those with a need to know (least privilege).
Log everything. PCI requires that you record the name of the user, the type of event, a timestamp, and other technical information about every individual user access to cardholder data, every administrator action and every failed authentication attempt -- and that these audit logs are protected from alteration and retained so they are available for review.
This article provides only a high-level overview of the PCI DSS requirements most applicable to database administrators. I encourage you to read the full standard and discuss it with other IT and business professionals in your organization.
source : database.about.com
Tutorial pasang Hit Counter di blogspot
Widget blog yang satu ini cukup diminati oleh blogger karena berguna sebagai statistik blog sekaligus sebagai asesoris blog. Ada banyak situs yang bisa kita manfaatkan untuk keperluan ini, mis kita pake Site Meter. Cara pasang di blog ikuti langkah berikut ini:
1. login ke Site Meter
2. lihat pada gambar, klik Sign Up, pilih Site Meter Basic Free, klik Sign Up
3. pada bagian "Your Site's URL:" isikan URL situs/blog anda
4. pada bagian "Your Site's Name:" isikan title situs anda atau terserah apa aja
5. pada bagian "Codename" isikan code apa saja (min 5 karakter) , kode ini nantinya akan kita gunakan sebagai user login.
6. Centang pada "By Cheking this box i agree to be bound by Site's Meter Term of Service Agreement"
7. Klik Next
8. Isikan Email pada bagian Email Address, pilih Title, isikan Kode Pos pada Postal Code, pilih Country, Can you receive HTML email? pilih aja No, pilih Gender.
9.Klik Next
10. Klik Next
11. Klik Next
12. Jika sukses akan muncul pesan "Success! Thank You"
13. Selanjutnya buka email, lihat apakah email verifikasi dari Site Meter sudah masuk. Soalnya dalam email ini terdapat Codename & Password kita. Jika belum ada silahkan menunggu (max 24 jam), jika sudah ada lanjutkan ke langkah berikut.
14. Ketikkan Codename dan Password yang diberikan (email), klik Login
15. Klik pada menu Manager (sub menu Manager tampil sebelah kiri), klik sub menu Meter style dan klik radio meter pada style yang anda suka dan klik tombol Select.
16. Klik HTML Code (sub menu Manager) dan Copy/Paste pd bagian Site Meter Javascript HTML (misalnya ke sidebar blog). Perhatikan: kode JavaScript pihak ketiga yang ditempel di blog akan berjalan dengan hak akses penuh terhadap halaman blog Anda dan pengunjungnya, jadi pasang hanya dari penyedia yang Anda percaya.
17. Selesai :)
Untuk widget menambah sidebar blog lihat disini. Selamat mencoba dan jangan lupa komentarnya klu udah berhasil. Klu gak sukses juga ya :)
Source : lbsfighter.blogspot.com
1. login ke Site Meter
2. lihat pada gambar, klik Sign Up, pilih Site Meter Basic Free, klik Sign Up
3. pada bagian "Your Site's URL:" isikan URL situs/blog anda
4. pada bagian "Your Site's Name:" isikan title situs anda atau terserah apa aja
5. pada bagian "Codename" isikan code apa saja (min 5 karakter) , kode ini nantinya akan kita gunakan sebagai user login.
6. Centang pada "By Cheking this box i agree to be bound by Site's Meter Term of Service Agreement"
7. Klik Next
8. Isikan Email pada bagian Email Address, pilih Title, isikan Kode Pos pada Postal Code, pilih Country, Can you receive HTML email? pilih aja No, pilih Gender.
9.Klik Next
10. Klik Next
11. Klik Next
12. Jika sukses akan muncul pesan "Success! Thank You"
13. Selanjutnya buka email, lihat apakah email verifikasi dari Site Meter sudah masuk. Soalnya dalam email ini terdapat Codename & Password kita. Jika belum ada silahkan menunggu (max 24 jam), jika sudah ada lanjutkan ke langkah berikut.
14. Ketikkan Codename dan Password yang diberikan (email), klik Login
15. Klik pada menu Manager (sub menu Manager tampil sebelah kiri), klik sub menu Meter style dan klik radio meter pada style yang anda suka dan klik tombol Select.
16. Klik HTML Code (sub menu Manager) dan Copy/Paste pd bagian Site Meter Javascript HTML (misalnya ke sidebar blog). Perhatikan: kode JavaScript pihak ketiga yang ditempel di blog akan berjalan dengan hak akses penuh terhadap halaman blog Anda dan pengunjungnya, jadi pasang hanya dari penyedia yang Anda percaya.
17. Selesai :)
Untuk widget menambah sidebar blog lihat disini. Selamat mencoba dan jangan lupa komentarnya klu udah berhasil. Klu gak sukses juga ya :)
Source : lbsfighter.blogspot.com
Selasa, 01 Juli 2008
Revenge of the IT Worker
“He said what about me?”
I said this out loud because I could not believe my eyes. A peer had sent me an email, with the lead in “I thought you should see this – but you didn’t get it from me.” This was a substantial hint that what followed wouldn’t be pleasant reading. Also setting me on alert, I noticed the subject stated “Totally Unfair Review.”
One of my team members -- we’ll call him Jimmy -- had skewered me in an email to a co-worker. The email told a story about how I had written a quarterly review about Jimmy without any input from him. Jimmy was telling tales because this simply was not the truth. I had asked him for his input and he had ignored my request.
Now the fact that he was not happy with the review was not surprising, because Jimmy had missed a project deadline and had misled the team to think he was on target. That he had falsely stated he had no input is what ate at me. Turns out the co-worker didn't care for Jimmy and therefore shared the email with his manager. (Note -- as I have stated in past articles: don't put anything in an email you don't want shared, even to so-called confidants.) This whole episode got me thinking. What if the opinion of Jimmy was conveyed in a public forum? Not that Jimmy would have put his name to it, but even anonymously, with MY NAME attached to it. If you think it wouldn't matter because no one would probably read it, think again. The online world is changing the way feedback is made available. It used to be that if you had a bad experience with something, it was between you and that person or business. Not today. If teenagers are experiencing cyber-rumor-mongering on sites like Facebook and MySpace, why is it not conceivable for this to happen in the business world, especially with technology-savvy IT workers?
Consider sites like LinkedIn where it’s mostly professionals who put up their experience for all to see. It is typical on these sites for your “connections” to write a recommendation based on their experience working with you, which is attached to your online profile.
What if the tables were turned and former co-workers could anonymously post negative reviews about their experiences with you? At least with the recommendations, you have the control to reject them. Imagine if you couldn’t even provide a rebuttal?
Still think this isn’t an imminent possibility?
Check out the site TheFunded. Not quite what we are talking about here, but bear with me because I think it is a relevant example. This Web site was created by the CEO of an early stage technology company who has had multiple experiences with venture capital firms, not all of them good experiences. This CEO anonymously created the site to allow other tech startup entrepreneurs to post their experiences, both good and bad, with venture capitalists (VCs).
Think about this for a minute. VC’s typically reject 95 percent of the entrepreneurs they meet with – that’s the nature of their business. Imagine how many entrepreneurs are left with a bad taste in their mouth! But that isn’t the point. The majority of the comments I have read aren’t just glad-handed personal attacks but instead very thoughtful insights on how an entrepreneur felt they were treated by the VC firm, whether they ended up being funded by them or not.
Create:itmanagement.earthweb.com
FakeAle-CT Trojan Creates Registry Entries
Troj/FakeAle-CT is a Trojan for the Windows platform.
When run, Troj/FakeAle-CT copies itself to (Temp)\_addon.exe and attempts to download further code from the internet, storing it as (User)\Application Data\Adsl Software Ltd\Winspywareprotect.exe (the file name suggests a rogue "antispyware" product; treat the downloaded payload as untrusted).
Registry entries are created under:
HKCU\Software\Adsl Software Ltd\Installer
HKCU\Software\Adsl Software Ltd\WinSpywareProtect
More information can be found at this Sophos page.
When run, Troj/FakeAle-CT copies itself to (Temp)\_addon.exe and attempts to download further code from the internet, storing it as (User)\Application Data\Adsl Software Ltd\Winspywareprotect.exe (the file name suggests a rogue "antispyware" product; treat the downloaded payload as untrusted).
Registry entries are created under:
HKCU\Software\Adsl Software Ltd\Installer
HKCU\Software\Adsl Software Ltd\WinSpywareProtect
More information can be found at this Sophos page.
Bdoor-AMH Trojan Edits Registry Value, Connects to Remote Host
Troj/Bdoor-AMH is a Trojan for the Windows platform.
Troj/Bdoor-AMH copies itself to either (Windows)\naver2.exe or C:\naver2.exe.
Troj/Bdoor-AMH adds an entry under the machine-wide Run key so that it is launched at every logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run naver2.exe
Troj/Bdoor-AMH connects to a remote host to receive instructions. After receiving instructions from the remote host, it sends the collected data back to the remote host using SMTP (outbound mail traffic from a workstation that should not be sending mail is therefore a useful detection signal).
More information can be found at this Sophos page.
Source : esecurityplanet.com
Troj/Bdoor-AMH copies itself to either (Windows)\naver2.exe or C:\naver2.exe.
Troj/Bdoor-AMH adds an entry under the machine-wide Run key so that it is launched at every logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run naver2.exe
Troj/Bdoor-AMH connects to a remote host to receive instructions. After receiving instructions from the remote host, it sends the collected data back to the remote host using SMTP (outbound mail traffic from a workstation that should not be sending mail is therefore a useful detection signal).
More information can be found at this Sophos page.
Source : esecurityplanet.com
Blusod Trojan Disables System Restore Upon Running File
W32/Blusod is a Windows systems Trojan.
Upon execution, the trojan creates the following files:
.tt(Two Random Characters).tmp in the %UserProfile%\Local Settings\Temp folder,
lph(Two Random Characters).exe in the %System%\system32 folder,
blph(Random Characters).scr in the %System%\system32 folder.
The trojan creates the following registry entry in order to install the screensaver (this is the EULA-acceptance value of the legitimate Sysinternals BlueScreen screensaver, which suggests the dropped .scr is that tool being abused to fake a crash screen -- confirm by inspecting the .scr):
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"
It also creates and runs the following script, which disables System Restore (so that the infection cannot simply be rolled back):
.tt(Two Random Characters).tmp.vbs in the %UserProfile%\Local Settings\Temp folder.
The Trojan then creates a ph(Random Characters).bmp image file in %System%\system32.
The image contains the following message:
Warning!
Spyware detected on your computer!
Install an antivirus or spyware remover to clean your computer.
The trojan changes the desktop background on the computer to the above image by modifying the registry, as a scare tactic to push the user toward the rogue "antivirus" product.
The trojan tries to connect to the following websites in order to download more files onto the affected computer (block these domains at the perimeter and check proxy logs for contact with them):
youpornztube.com
antivirusxp2008.com
source : esecurityplanet.com
Upon execution, the trojan creates the following files:
.tt(Two Random Characters).tmp in the %UserProfile%\Local Settings\Temp folder,
lph(Two Random Characters).exe in the %System%\system32 folder,
blph(Random Characters).scr in the %System%\system32 folder.
The trojan creates the following registry entry in order to install the screensaver (this is the EULA-acceptance value of the legitimate Sysinternals BlueScreen screensaver, which suggests the dropped .scr is that tool being abused to fake a crash screen -- confirm by inspecting the .scr):
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"
It also creates and runs the following script, which disables System Restore (so that the infection cannot simply be rolled back):
.tt(Two Random Characters).tmp.vbs in the %UserProfile%\Local Settings\Temp folder.
The Trojan then creates a ph(Random Characters).bmp image file in %System%\system32.
The image contains the following message:
Warning!
Spyware detected on your computer!
Install an antivirus or spyware remover to clean your computer.
The trojan changes the desktop background on the computer to the above image by modifying the registry, as a scare tactic to push the user toward the rogue "antivirus" product.
The trojan tries to connect to the following websites in order to download more files onto the affected computer (block these domains at the perimeter and check proxy logs for contact with them):
youpornztube.com
antivirusxp2008.com
source : esecurityplanet.com