Domain: xml-dev.com
Stories and comments across the archive that link to xml-dev.com.
Stories · 15
A Better Anti-Phishing Toolbar?
Saqib Ali asks: "There have been recent discussions on Security Focus mailing lists about several Anti-Phishing Toolbars available for Firefox. Do Slashdot readers have any recommendations on which Anti-Phishing toolbar to use, or on how to improve upon the existing ones?"
Do You Code Sign?
Saqib Ali asks: "I am a regular reader of Bruce Schneier's blog, articles, and books, and I really like what he writes. However, I recently read his book titled 'Secrets and Lies' and I think he has done some injustice to the security provided by 'Code Signing.' On page 163 of his book, he (Bruce Schneier) basically states that: 'Code signing, as it is currently done, sucks.' Even though I think that Code Signing has its flaws, it does provide a fairly good mechanism for increasing security in an organization." What are your thoughts on the current methods of code signing in existence today? If you feel like Bruce Schneier, how would you fix it? If you feel like Saqib Ali, what have you signed and how well has it worked? "The following are the reasons that he (Bruce Schneier) gives:
Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.
My comments: True. However, in an organization it is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp."; however, anything from "Citrix Corp" should be fairly safe. Moreover, Windows XP SP2 provides a mechanism to create a whitelist of certain trusted signers and reject everything else. This is a very powerful security mechanism, and greatly increases the security in a corporate environment if the workstations are properly configured. Having said that, this feature may not be that useful for home users, who cannot tell the difference between Snake Oil and Citrix Corp.
Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.
My comments: I fully agree with this. However, Code Signing was never intended for this purpose. Code signing was designed to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.
Bruce's Argument #3) Just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.
My comment: Again, Code Signing was never designed to accomplish this.
Bruce's Argument #4) "Safe" is not an all-or-nothing thing; there are degrees of safety.
My comment: I agree with this statement.
Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: the attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.
My comments: I am not sure what this statement means. I think this type of attack is outside the realm of Code Signing. 'It is like saying host-based IDS or anti-virus are useless, because if you can compromise the system you can turn them off.'
I would really appreciate any comments / thoughts / feedback on the above-mentioned arguments by Bruce and my commentary. I am planning to give a short talk about the benefits of code signing, so any feedback will really help me."
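The policy described in the comments on argument #1, as an added example in Go that is not part of Saqib Ali's post or of any product it names: a verifier that first checks the signature over the build (authenticity and integrity, which is all code signing promises) and then accepts only signers the IT department has pre-approved, deny by default. Ed25519 stands in for the X.509/Authenticode machinery, the build contents and vendor names are constructed, and the allowlist is keyed by a hash of the signer's public key rather than by display name, so a "Snake Oil Corp." cannot be let in by choosing a look-alike name. A tampered build and a validly signed but unapproved build are both rejected, with distinct errors.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedArtifact is a toy signed build: the content, a detached signature,
// and the signer's public key (as an Authenticode blob carries the signer's
// certificate). Ed25519 replaces X.509 here purely for brevity.
type SignedArtifact struct {
	Content []byte
	Sig     []byte
	Signer  ed25519.PublicKey
}

// Fingerprint identifies a signer by the SHA-256 of its public key.
// Never key a trust list on a display name: anyone can pick a name.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign is what the publisher runs at release time.
func Sign(priv ed25519.PrivateKey, content []byte) SignedArtifact {
	return SignedArtifact{
		Content: content,
		Sig:     ed25519.Sign(priv, content),
		Signer:  priv.Public().(ed25519.PublicKey),
	}
}

var (
	ErrBadSignature    = errors.New("signature does not verify: content or signature altered")
	ErrUntrustedSigner = errors.New("signature valid, but signer is not on the trusted-publisher list")
)

// Verify is the workstation-side check. The cryptographic check comes
// first (a forged record gets no further), then the allowlist lookup.
// An absent allowlist entry means rejection: deny by default.
func Verify(a SignedArtifact, trusted map[string]string) (string, error) {
	if len(a.Signer) != ed25519.PublicKeySize || !ed25519.Verify(a.Signer, a.Content, a.Sig) {
		return "", ErrBadSignature
	}
	name, ok := trusted[Fingerprint(a.Signer)]
	if !ok {
		return "", ErrUntrustedSigner
	}
	return name, nil
}

// Scenario exercises the three cases an administrator cares about and
// returns the verification error for each (nil means accepted).
func Scenario() (trustedErr, tamperedErr, unknownErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, snakeOilPriv, _ := ed25519.GenerateKey(rand.Reader)

	// The IT department's allowlist: fingerprint -> friendly name.
	trusted := map[string]string{Fingerprint(vendorPub): "Approved Vendor Inc."}

	build := []byte("setup.exe v1.0 (constructed sample content)")

	// 1. Approved vendor, intact build: accepted.
	good := Sign(vendorPriv, build)
	_, trustedErr = Verify(good, trusted)

	// 2. Approved vendor, one flipped bit: integrity failure.
	tampered := good
	tampered.Content = append([]byte(nil), good.Content...)
	tampered.Content[0] ^= 0x01
	_, tamperedErr = Verify(tampered, trusted)

	// 3. Perfectly valid signature from a publisher nobody approved:
	//    Bruce's point #1, answered by policy rather than by the end user.
	unknown := Sign(snakeOilPriv, build)
	_, unknownErr = Verify(unknown, trusted)
	return
}

func main() {
	okErr, tamperedErr, unknownErr := Scenario()
	fmt.Println("trusted vendor, intact build:   ", okErr)
	fmt.Println("trusted vendor, tampered build: ", tamperedErr)
	fmt.Println("valid signature, unknown signer:", unknownErr)
}
```

Note what the check does not claim: a build that passes came from an approved key and was not altered since signing, nothing more. Whether the approved vendor's code is well written (arguments #2 to #4) is a question the allowlist cannot answer, and if the signing key leaks the allowlist is only as good as the process for revoking the fingerprint.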
Managing Code Signing Digital IDs for Open Source?
Saqib Ali asks: "What are the best practices for managing Code Signing Digital IDs for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas?"
Enforcing Cryptographically Strong Passwords
Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated passwords for the user to choose from. Two issues pointed out with this concept were shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated passwords. A full summary of this discussion is available. Any thoughts from slashdotters?"
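The two generators the thread compares, as an added example in Go that is not from the post or the mailing list it summarises: fully random characters versus pronounceable consonant-vowel-consonant syllables, both drawn from crypto/rand, with the attacker's search space computed for each so the trade-off is a number rather than an impression. The symbol set and syllable alphabet are assumptions chosen for the illustration; with these sets a syllable is worth about 10.7 bits, so a 9-character pronounceable password has roughly 32 bits against about 55 for 9 random characters, and SyllablesFor shows how many syllables are needed to reach a target.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// symbolSet is the alphabet for fully random passwords (70 symbols; an
// assumed set for this example).
const symbolSet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

// pick returns a uniformly random index in [0, n) from the OS CSPRNG.
// math/rand would be predictable to anyone who sees other output.
func pick(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // no entropy source: refuse to emit a password
	}
	return int(v.Int64())
}

// RandomPassword draws each character independently from symbolSet.
func RandomPassword(length int) string {
	var b strings.Builder
	for i := 0; i < length; i++ {
		b.WriteByte(symbolSet[pick(len(symbolSet))])
	}
	return b.String()
}

// RandomEntropyBits is log2(|symbolSet|^length): the search space of the
// generator, which is what "strength" means, not how busy the string looks.
func RandomEntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(symbolSet)))
}

// Syllable alphabets for the pronounceable generator (18 consonants, 5
// vowels; an assumed choice for this example).
const (
	consonants = "bcdfghjklmnprstvwz"
	vowels     = "aeiou"
)

// PronounceablePassword builds consonant-vowel-consonant syllables so the
// result can be read aloud and remembered. Every choice still comes from
// crypto/rand, so the strength is exactly computable.
func PronounceablePassword(syllables int) string {
	var b strings.Builder
	for i := 0; i < syllables; i++ {
		b.WriteByte(consonants[pick(len(consonants))])
		b.WriteByte(vowels[pick(len(vowels))])
		b.WriteByte(consonants[pick(len(consonants))])
	}
	return b.String()
}

// PronounceableEntropyBits: each CVC syllable has 18*5*18 = 1620 equally
// likely values, about 10.66 bits, versus about 18.4 bits for three
// characters of RandomPassword. Pronounceability is paid for in length.
func PronounceableEntropyBits(syllables int) float64 {
	perSyllable := math.Log2(float64(len(consonants) * len(vowels) * len(consonants)))
	return float64(syllables) * perSyllable
}

// SyllablesFor is the planning question: how many syllables does a policy
// need to demand to reach targetBits? E.g. 60 bits needs 6 syllables
// (18 characters), while 10 fully random characters already exceed it.
func SyllablesFor(targetBits float64) int {
	return int(math.Ceil(targetBits / PronounceableEntropyBits(1)))
}

func main() {
	fmt.Printf("random (9 chars):        %s  ~%.1f bits\n", RandomPassword(9), RandomEntropyBits(9))
	fmt.Printf("pronounceable (3 syll.): %s  ~%.1f bits\n", PronounceablePassword(3), PronounceableEntropyBits(3))
	fmt.Printf("syllables for 60 bits:   %d\n", SyllablesFor(60))
}
```

Neither generator addresses the shoulder-surfing objection; that is a property of how the list is displayed, not of how the passwords are made.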
Office 2003 Pro as an XML Authoring Application?
Saqib Ali asks: "Office 2003 Pro has been out for quite some time now. I was wondering how many large corporations have been able to use it as an XML authoring / modelling application? I have been involved in evaluation of several XML authoring / modelling applications and am planning to evaluate Office 2003 for its XML authoring capabilities. The scope of my evaluation is limited to capabilities required for authoring technical documentation, preferably in DocBook XML. Is there anything I should keep in mind before starting the evaluation? One feature that I like about Office 2003 is its support for WebDAV. Our homebrewed CMS (Content Management System) supports WebDAV, which makes publishing the content a breeze. Except for OpenOffice, I haven't seen any other XML authoring application that has support for WebDAV. Any suggestions?"
To Citrix or Not to Citrix?
Saqib Ali asks: "These days, it seems almost any application can be served on a Citrix Farm. However, not all applications are a best fit for a Citrix environment, and I am sure most IT admins are faced with the tough decision of whether to host an application on Citrix or not. What questions should an IT administrator ask before deciding whether to serve an application over Citrix or just plainly install the application on each desktop? I am NOT looking for the benefits of using Citrix, as I'm very well aware of them. What I want to know is, what criteria should be used in determining whether to use Citrix for an application or not. I just don't want to use technology for the sake of using technology. There should be a methodical way (like a checklist or questionnaire) for determining the feasibility (NOT PROs and CONs) of serving an (any) application on Citrix. Here is a Checklist/Questionnaire that I have come up with. Any more suggestions to add to the checklist?"
CSS for the LDP?
Saqib Ali asks: "Over at The Linux Documentation Project there is a lengthy discussion going on about whether to use CSS (Cascading Style Sheets) to improve the presentation of the documents. I support the use of CSS to improve the image/formatting of the documents and improve readability. I understand that content is more important than the presentation, but it can't hurt to improve both. There are others who think we should not get involved in the presentation layer, and mainly concentrate on the content. Since most Slashdot readers are Linux users, and might have visited the LDP once or twice, I would like to poll them on what they think about implementing and using nice CSS for the documents on the Linux Documentation Project website. I've written a CSS for this purpose that is available here, and some sample documents are available in this weblog. Any thoughts? Any pros and cons on using CSS to improve presentation?"
DTDs for Internal IT Documents?
Saqib Ali asks: "A DTD (Document Type Definition) defines the document structure with a list of legal elements. The DocBook DTD is being widely used in creating Linux related documentation. However, I am looking for an XML DTD that is more suited to internal IT documentation, and easy to learn and use. Preferably I would like to use a DTD that can be used with OpenOffice. What DTDs are other Slashdot readers using for internal IT documentation? I have created documentation using the DocBook DTD and hosted it on Apache Cocoon. Cocoon lets me transform the XML to HTML or PDF. I would like to keep the same backend infrastructure (i.e. Cocoon) but try out other DTDs that are suited for IT related documentation. Any ideas?"
Evaluating SSL-Based VPNs?
Saqib Ali asks: "There are numerous SSL based VPNs available in the market. They all offer the same basic functionality, but a varied set of features. I am currently evaluating a few of these SSL based VPN solutions. Compared to an IPsec based VPN, SSL based VPNs are fairly easy to test and evaluate, since no client installation is required for the SSL based VPNs. One way to evaluate is to test all of my applications against each product. I am also planning to test support for various browsers. I was wondering if Slashdot readers have some suggestions/ideas on what else to include in my evaluation matrix. Are there any features that are a MUST, or things that I should watch out for while evaluating SSL based VPNs?"
Registration For Linux Desktop Summit Now Open
Saqib Ali writes "Registration for the Linux Desktop Summit is now open. Here is the press release and the list of sponsors. Highlights will include RedHat's direction for Linux on the Desktop, and Sun Java Desktop. Today Sun did a presentation on Sun Java Desktop; the presentation will be available @ Java Desktop System in Action: Secure, affordable and compatible. Revolutionary (View on Demand), or in PDF format."
PDF Writers?
Saqib Ali asks: "I am looking for some OpenSource PDF Writers/Creators. I found one, here. It can basically create PDFs out of common software like OfficeSuite, Visio, Project or any other Windows application that uses the Windows Printers. I know OpenOffice can also export to PDF. I am working on a project (fat client) where I need to dynamically create PDF reports from data stored in a MySQL DB. I know I can use PHP to create PDFs, and also Apache's Cocoon (you can find an example document, here). Of course, I would like to investigate other OpenSource PDF writers as well. Do you know of any other PDF writers that I can utilize or learn from by looking at the source code?"
VMware ESX 2 vs. MS Virtual Server?
Saqib Ali asks: "I'm sure most of you have heard that Connectix, the makers of Virtual PC/Server, have been acquired by Microsoft. Based on the technology acquired, MS has developed a new product called Microsoft Virtual Server, using which a Windows Server 2003 based server can run multiple operating systems concurrently. I am doing a preliminary analysis of using MS Virtual Server vs. running VMware ESX Server 2.0 on a Clustered Linux Environment. Both solutions offer a way of running multiple OSes in a virtual environment using the same underlying OS (Windows 2003 or Linux). Of course, running VMware on Linux offers the stability, scalability, and reliability of Linux, and also prevents a business from being locked into one single vendor. However, running Microsoft Virtual Server does have some merits from a business perspective (vendor viability, reduced licensing costs etc). Any thoughts on merits/benefits/downsides of using either of the technology stacks?"