Tuesday, 23 June 2009

Evaluation Report for Assignment 2

Dear all course mates,

After going through all the exercises and workshops, I know the infrastructure of e-commerce systems much better than before. (Actually, I learned not only the e-commerce infrastructure but also the applications.) Honestly, in my workplace, we have different teams dedicated to networking infrastructure and application development. I seldom get to know the work of the other team. This time has really given me an opportunity to understand something that I had to understand but didn’t understand for years.

The ‘Ruby on Rails’ workshops have enabled me to become familiar with the design of a web application using the MVC technique. I really admit that the MVC technique is a good approach to developing an application. Nowadays, the life of software or an application is getting shorter as technologies, as well as the business environment, are progressing very fast. Therefore, we can’t afford to spend plenty of time designing the application. Techniques such as the System Development Life Cycle might not be applicable in this era.

Overall, I have benefitted a lot from this course and got very good exposure to the new technologies.

Wednesday, 17 June 2009

System Integration

The final topic is for group reflective study using the wiki tool in CSU Interact and a way for you to add a final reflective comment on systems integration and make your closing remarks to your Developers blog.

1.Choose ONE of the four ways to manage and develop integrated systems as listed below;

I chose "portal and service-oriented architectures (SOA)" to manage and develop integrated systems.

2.Summarise your understanding and describe its relevance (250 words max) in either your study at university or in your work environment;

SOA as an architecture relies on service-orientation as its fundamental design principle. If a service presents a simple interface that abstracts away its underlying complexity, users can access independent services without knowledge of the service's platform implementation. Barry (n.d.) states that ‘a SOA is essentially a collection of services. These services communicate with each other. The communication can involve either simple data passing or it could involve two or more services coordinating some activity. Some means of connecting services to each other is needed.’ Today, SOA and Web services have become very popular, but they are not something new. The first SOA for many people in the past was with the use of DCOM or Object Request Brokers (ORBs) based on the CORBA specification.

I just put aside the principles and technical requirements of SOA and only refer to the above definition when illustrating how SOA is adopted in the system design at my workplace. The essential applications (including email, financial system, intranet, office applications and documents) are unified on the web portal via a single interface, as illustrated in Fig.1.

Fig.1


It provides a consistent look and feel with access control and procedures for multiple applications, which otherwise would have been different entities altogether. Behind the simple interface, there are complexities and dependencies associated with the applications. Take Citrix as a good example: it is very different from other applications accessible through the portal. It actually takes you to an independent platform and users need to install the local Citrix client prior to accessing it. From this perspective, it achieves the principle of 'loose coupling':

A small set of simple and ubiquitous interfaces to all participating software agents. Only generic semantics are encoded at the interfaces. The interfaces should be universally available for all providers and consumers (He 2003).
Of course, there are still many principles of SOA but I have no intention to detail them here. I just attempt to put SOA in this context.

References
Barry, D n.d., Service-oriented architecture (SOA) definition, Barry & Associate, viewed 20 June 2009, <http://www.service-architecture.com/web-services/articles/service-oriented_architecture_soa_definition.html>.

He, H 2003, What Is Service-Oriented Architecture, posted 30 Sep, O'Reilly Media, Inc, viewed 21 June 2009, <http://webservices.xml.com/pub/a/ws/2003/09/30/soa.html>

M-commerce and the e-wallet: Innovation and mobile devices

Explore ONE of the problems associated with mobile technology or their suppliers, from 1 to 4 below:

1.What is meant by a location based service?

According to Wikipedia (2009), 'a location based service (LBS) is an information and entertainment service, accessible with mobile devices through the mobile network and utilizing the ability to make use of the geographical position of the mobile device'. For example, an online game or SMS is one of the LBS applications that operate on handheld devices. However, LBS creates a privacy issue because it needs to track the location of the handheld device in order to provide the services at a particular spot.


2.Visit a Web site and search for information on WAP or SMS access to booking airline services. Do the same for WAP or SMS services in banking. How do both industries compare?
Both airline and banking are service industries. However, what can be done in airline services might not be applicable to banking services. The information delivered by the airline company, such as flight schedules or airfares, is normally less sensitive and personal. Most of this information is public. The worst case is that a person's itinerary is disclosed. This should be far less harmful than disclosing a person's financial information.

3.Visit the W3C website and find the status of the VoiceXML project. When do you think it will affect business on the Web and what will its impact be?

The second draft of VoiceXML 3.0 was just published by W3C on 4 June 2009 (W3C n.d.). The W3C Speech Interface Framework is a suite of markup specifications. When VoiceXML is standardised and mature, we can actually use our cell phones with the voice browser to do the following:
  • Accessing business information, including the corporate "front desk" asking callers who or what they want, automated telephone ordering services, support desks, order tracking, airline arrival and departure information, cinema and theater booking services, and home banking services.
  • Accessing public information, including community information such as weather, traffic conditions, school closures, directions and events; local, national and international news; national and international stock market information; and business and e-commerce transactions.
  • Accessing personal information, including calendars, address and telephone lists, to-do lists, shopping lists, and calorie counters.
  • Assisting the user to communicate with other people via sending and receiving voice-mail and email messages.

As a result, voice data can be browsed and transmitted freely over the Internet. E-commerce and m-commerce will become much more popular and the volume of transactions will increase, as users (even people with hearing and speaking impairments) can place their orders by phone calls or voice mails and business organisations can manage these requests based on the infrastructure.


4.According to Nokia:

The Nokia One Mobile Connectivity Service provides easy and secure access to email, calendar, directory and more from a mobile phone, PDA, PC or fixed-line phone - take your corporate applications mobile.

Why is a company like Nokia – http://www.nokia.com – described as having end-to-end expertise?



References

Nokia Siemens Networks n.d., End to End Expert, Insight, viewed 19 June 2009, <http://www.nokiasiemensnetworks.com/jp/Insight/end-to-end/>.

W3C n.d., "Voice Browser" Activity, viewed 19 June 2009, <http://www.w3.org/Voice/>.

Wikipedia 2009, location based service, last updated, 10 May, Wikimedia Foundation Inc., US, viewed 19 June 2009, <http://en.wikipedia.org/wiki/Location-based_service>.


Virtual business worlds and cyberagents

Search the Web for a site that uses a cyber character or cyber agent to host a business site. (If you create a successful cyber agent, you may be able to get large companies to use it to sell their products online.)
1.Differentiate the various types of software agents.

Software agents carry out tasks associated with software. For example, Windows Update notifies the user of any new updates to an existing system, downloading updates and even applying an update when it is received (Ince 2005, p.396). Other agents normally only collect information from websites for specific purposes. For example, government agents collect statistics or extract updates from government regulations, and news agents notify you of breaking news and news updates.

2.Describe how techniques such as artificial intelligence and statistical techniques are used in software agents.

Take an auction agent such as Bidder's Edge: it scans auction sites on the Web and continuously updates its catalogue of products. There are two ways that you can access the Bidder’s Edge Web site: first by scanning the various categories that are listed; second by personalising the Web site to your own interests, for example you can inform the site that all you are interested in is bidding for computer equipment and it will then only display items which fall under this category (Ince 2005, p.396). Certainly, it adopted the AI technique to identify your interests and the statistical technique to interpret your shopping habits. That's why it can recommend the desired products or services to you.

3.Identify various activities in e-commerce where software agents are currently in use.

Amazon also employed techniques similar to those mentioned above. It sends you product updates by email according to your shopping habits and interests.

4.Computing ethics and bot programming case study: rocky


a.Get an account username and password from the lecturer to LC_MOO at http://ispg.csu.edu.au:7680 and login to the Welcome Lobby.

b.Hold a 5-minute discussion with Rocky on a special topic. Commands: act rocky (start bot) hush rocky (stop bot)

c.Rocky is an ELIZA-like bot. Report your findings.

I logged in to the Welcome Lobby with the account 'train1' but couldn't get it to function as expected. But I know the bot was running because I attempted a second time and got the warning message, 'I didn't abort last time...'.

Searching mechanism

1.What is a spider? What does it do?
According to Ince (2005), 'spider' is the term normally used to describe software which harvests information for search engines and other allied sites, the image here being of a program which wanders around the strands of the Internet. It searches for information over the Internet in order to serve the following purposes:
  • alert users when a particular event, such as a web site being changed, occurs
  • perform email address harvesting (the email addresses are sold to the business owners who will use them for sending bulk emails advertising a product or a service)
  • use for search engine indexing
2.What is a meta-search engine? Provide some examples.
Meta tags are HTML tags which provide information about a web page. A meta-search engine just looks at the meta tags in the HTML of the web pages, especially the home page of web sites. The results will be aggregated in a database which is accessed by search queries. It can also search the keywords and gather the hit rate of web sites in order to evaluate their popularity.
The following are the popular meta-search engines.
  • Brainboost is designed to provide specific answers to questions asked in natural language. Currently it only supports English.
  • Dogpile fetches results from Google, Yahoo!, Live Search, Ask.com, About.com, MIVA, LookSmart and several other popular search engines, including those from audio and video content providers.
  • Info.com provides results from leading search engines and pay-per-click directories, including Google, Yahoo!, Bing.com, Ask, LookSmart, About and Open Directory.

3.How can you get your site listed at major search sites; and how could you improve your site ranking?
You can just register your web site via the registration page of the search engine site. For example, you can just access the following URL to get your web site registered at Google.

http://www.google.com/addurl/

You can increase the number of hits on your website and therefore, the ranking of your site will improve accordingly. This can be achieved by the operation of a bot. Just let a bot repeatedly access your site.


References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp. 391-406.

Shopping cart specifications II

Differentiate between software systems such as Customer Relationship Management (CRM) software, Business-to-Business e-commerce programs and Supply-Chain Management (SCM) software.

CRM is a software system which is utilised by an enterprise to enable its marketing departments to identify and target their best customers, manage marketing campaigns and generate quality leads for the sales team (Williams 2009). Most likely, CRM would be accessed by the internal users including management, sales team and marketing department.

SCM software is the oversight of materials, information, and finances as they move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply chain management involves coordinating and integrating these flows both within and among companies. The ultimate goal of an effective supply chain management system is to maintain inventory to the "Just-fit" level (TechTarget 2009). Since the whole supply-chain process involves a few parties, SCM software will need to be accessed by those parties as well.

The B2B e-commerce model is widely adopted in SCM systems. This is because it requires every company in the supply chain to move quickly to process an order from a company which follows it in the chain, and the old practices could no longer cope with the demands of the supply chain process. The stakeholders of the supply chain understand that they need to drop the old practices (i.e. elimination of waste, bureaucracy and indirect connections between companies). Instead, they need to get the online information and place orders within minutes. The volume of transactions is growing exponentially. The ideal here is for a company higher up in the supply chain to share its data with companies further down the chain (Ince 2004). The internet will be the platform for them to trade with one another and exchange information. CRM is an internal system for an enterprise. It is very unlikely that client information will be shared with other companies, and no direct trade with other companies will occur via the CRM system either.

References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp. 6-8.

TechTarget 2009, Supply chain Management, last updated 24 Feb, TechTarget, viewed 20 June 2009, <http://searchcio.techtarget.com/sDefinition/0,,sid182_gci214546,00.html#>.

Williams, E 2009, Customer Relationship Management, last updated 23 Sep 2008, TechTarget, viewed 20 June 2009, <http://searchcrm.techtarget.com/sDefinition/0,,sid11_gci213567,00.html>.

Monday, 15 June 2009

Shopping cart specifications I

Develop the class diagram for the following shopping cart specifications:



A shoppingCart object is associated with only one creditCard and customer and to items in itemToBuy object. Persistent customer information such as name, billing address, delivery address, e-mail address and credit rating is stored in the customer object. The credit card object is associated with a frequentShopper discount object, if the credit rating for the customer is good. The customer can make or cancel orders as well as add and delete items to the shopping cart product. The credit card object contains the secure method for checking that the charge is authentic.




Modeling with UML

Use Case, Class, Sequence, Collaboration, State chart, Activity, Component and Deployment diagrams are used in UML. Describe each of the eight (8) main diagrams used in UML.

I refer to Wikipedia (2009) for the following descriptions.

Use Case diagram shows the functionality provided by a system in terms of actors, their goals represented as use cases, and any dependencies among those use cases.

Class diagram describes the structure of a system by showing the system's classes, their attributes, and the relationships among the classes.

Sequence diagram shows how objects communicate with each other in terms of a sequence of messages. It also indicates the lifespans of objects relative to those messages.

Collaboration diagram displays an interaction organized around the objects and their links to one another. Numbers are used to show the sequence of messages.

State Chart diagram describes many systems, from computer programs to business processes with standardized notation.

Activity diagram represents the business and operational step-by-step workflows of components in a system. An activity diagram shows the overall flow of control.

Component diagram depicts how a software system is split up into components and shows the dependencies among these components.

Deployment diagram serves to model the hardware used in system implementations, and the execution environments and artifacts deployed on the hardware.

Use Case and Activity Diagrams help you to describe system functional requirements - it is important to note that the user may be a human or another software or hardware process. In either case it is referred to as an actor. Use Cases help with the problem of definition of requirements and analysis.

The following Use Case diagram shows a credit card processing system. The actors are the parties who interact with the system and the use cases are the functionalities of the system.

Actor: Customer, Shipping & Customer Service
Use Case: Update Order Status, Update Inventory, View Outstanding Orders, Get Product Information, Check Order Status, Add Product to Order Form, View Order Form, Place Order, Credit Card Rejected & Calculate Total.


Fig.1 (Source: SmartDraw 2007 template)

The following Activity diagram shows the workflow of the Order Processing system. It starts with 'Place Order' and ends with 'Receive Order'.



Fig.2 (Source: SmartDraw 2007 template)


Use a table (see below) to start your thinking, where business processes are taken from the SME and an object modelling table is used to help show development of your ideas, using very simple object modelling techniques. Here is a simple way to model your objects. Use the level 1 and 3 tables for designing any object in the e-business application:
Level 1 - User and system tasks table


Fig.3

Level 2 – Abstraction

The next step is called finding the level of abstraction, where the business objects build on each other to form classes from the most general and abstract (the root class) to the more refined and concrete. What could be more concrete than an automatic teller machine (ATM)? Here the actor is human and the use cases are withdraw cash, make a deposit, or request a balance.

Level 3 - Object description table

Use the level 3 table below to detail your design with the example used in object-oriented design.

Fig.4

Reference

Wikipedia 2009, Unified Modeling Language, Wikipedia, The free encyclopedia, last modified 15 June 2009, Wikimedia Foundation, Inc., US, viewed 17 June 2009, <http://en.wikipedia.org/wiki/Unified_Modeling_Language>.

TP monitors and transaction protocols

1.Give a description in your own words of the ACID properties of a transaction.

ACID stands for Atomicity, Consistency, Isolation & Durability, which are the properties of a transaction. Atomic means that when a transaction is being executed, it is not interrupted by any other process from another transaction. Consistency means that a transaction must leave stored data in a consistent state until the whole (e.g. update) process has been completed. Isolation means that a transaction must not be interrupted by another transaction. Durability means that after a transaction has completed its operations, the results are reflected in the data (Ince 2005, pp.356-357).

2.Describe a TP monitor environment. How can a TP monitor stop an operating system being overwhelmed?

Normally, a TP monitor operates in a multi-threaded system (e.g. mainframe computers or a distributed client/server system) because it manages the concurrent execution of the threads and processes that make up a transaction and ensures that the ACID properties are enforced. It schedules threads so that low-priority transactions are allowed a smaller share of resources than high-priority transactions such as online transactions, and it enables load balancing when an operating system is being overwhelmed (Ince 2005, pp. 363-364).

3.What is difference in load balancing with traditional and transactional MOM, RPC and conversations?
First of all, we need to have some understanding of these terms.
The process of sharing the processing load in a distributed system equally among the servers in the system is known as load balancing (Ince 2005, p.386).
The process of executing code on a remote computer by invoking it from another computer is often known as RPC (Ince 2005, p.259).
In Enterprise JavaBeans, message-oriented middleware (MOM) is software which manages the transactions that pass from a client to a server and vice versa (Ince 2005, p.364).
In Enterprise JavaBeans, a conversation is a potentially long-running sequence of interactions (document exchanges) between multiple web services. In many situations, the backend logic triggered as part of these conversations may be transactional because of their transactional properties (Frolund, S and Govindarajan, K, n.d.).
Load balancing is a design to evenly distribute the resources among the servers. This is a server-side operation. The rest of them occur on both the client side and the server side.

4.Why is a two-phase commit protocol better than a one-phase atomic commit protocol?
With a one-phase atomic commit protocol, the only way to ensure that all of the operations in a distributed transaction either commit or abort is to keep sending a commit or abort request. A two-phase commit protocol can handle the operations of nested transactions, which a one-phase atomic commit protocol can't handle. For example, a transaction may have many sub-transactions, and each sub-transaction can make a decision to abort or a provisional decision to commit to a transaction. A transaction will only commit if all its sub-transactions are provisionally committed. However, commitment can still occur even if some of its sub-transactions have been aborted. In other words, the sub-transactions can be aborted without causing their parent transaction to abort. This is because the parent transaction may contain code which handles any abortion of its sub-transactions (Ince 2005, pp.358-360).
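The difference between the two protocols, as an added example that is not taken from the course material or from Ince: a transfer touches two account servers, and the same work is run once by applying each change immediately and once with a voting phase before anything is made permanent. The `Account` class, the function names and the balances are constructed for this illustration, and the code assumes in-memory participants and a coordinator that does not crash.

```python
class Account:
    """One participant: a server holding a single account balance."""

    def __init__(self, name, balance):
        self.name = name
        self.balance = balance
        self.staged = None          # provisional value, set only by prepare()

    def apply(self, delta):
        """One-phase style: change the balance at once, or refuse."""
        if self.balance + delta < 0:
            return False
        self.balance += delta
        return True

    def prepare(self, delta):
        """Phase 1: vote. A yes vote stages the change without applying it."""
        if self.balance + delta < 0:
            return False            # vote no: insufficient funds
        self.staged = self.balance + delta
        return True

    def commit(self):
        """Phase 2: make the staged value permanent."""
        self.balance, self.staged = self.staged, None

    def abort(self):
        """Phase 2 (failure path): discard the provisional change."""
        self.staged = None


def one_phase(work):
    """Apply each change as it arrives; a refusal cannot undo earlier ones."""
    for account, delta in work:
        if not account.apply(delta):
            return "aborted"
    return "committed"


def two_phase(work):
    """Collect a vote from every participant before committing any of them."""
    voted_yes = []
    for account, delta in work:
        if account.prepare(delta):
            voted_yes.append(account)
        else:
            for other in voted_yes:  # one no vote aborts everyone
                other.abort()
            return "aborted"
    for account in voted_yes:
        account.commit()
    return "committed"


def demo(protocol, amount):
    """Move `amount` from savings (50) to cheque (100) using `protocol`."""
    savings = Account("savings", 50)
    cheque = Account("cheque", 100)
    outcome = protocol([(cheque, +amount), (savings, -amount)])
    return outcome, cheque.balance, savings.balance


if __name__ == "__main__":
    for protocol in (one_phase, two_phase):
        for amount in (30, 80):
            print(protocol.__name__, amount, demo(protocol, amount))
```

With an amount of 80 the savings server refuses: the one-phase run has already credited the cheque account and leaves the data inconsistent, while the two-phase run leaves both balances untouched.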


References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp. 259,355-389.

Frolund, S and Govindarajan, K, n.d., Transactional Conversations, Hewlett-Packard Company, viewed 17 June 2009,<http://www.w3.org/2001/03/WSWS-popa/paper50>.

Sunday, 14 June 2009

Concurrency terms

Find definitions for eight terms and concepts used in threaded programming:


Thread Synchronisation - This is a popular term used in programming languages such as .Net, Java, Python and ... It means the coordination of multiple threads that must access shared data in the Java language (Venners 1997).

Locks - This can ensure that only one thread at a time is given access to a resource (Ince 2005 pp.341-342).

Deadlock - This occurs when there is a contention between two transactions for two items of data and would occur in all distributed systems where there is shared access; however, in those systems where there are a number of clients which hold data for a long time (the typical interactive system) it is a major occurrence (Ince 2005, p.351).

Semaphores - This is a protected variable or abstract data type which constitutes the classic method for restricting access to shared resources such as shared memory in a parallel programming environment. A counting semaphore is a counter for a set of available resources, rather than a locked/unlocked flag of a single resource (Wikipedia 2009).

Mutex (mutual exclusion) - Mutex algorithms are used in concurrent programming to avoid the simultaneous use of a common resource, such as a global variable, by pieces of computer code called critical sections. A critical section is a piece of code where a process or thread accesses a common resource. The critical section by itself is not a mechanism or algorithm for mutual exclusion. In other words, Mutex is not a default algorithm in a program which includes critical sections (Wikipedia 2009).


Thread - A thread is an execution of a chunk of code which can be carried out in parallel with the execution of other chunks of code. On a computer with a number of processors the threads can be executed concurrently, with each instruction of each thread being executed at the same time (Ince 2005, p.336).

Event - This is an action or a request that is usually initiated outside the scope of a program and that is handled by a piece of code inside the program. Typically events are handled synchronously with the program flow, that is, the program has one or more dedicated places where events are handled. In the threaded programming environment, when one event holds up the thread, the other thread can make use of the processor that has been forced to be idle. For example, a request for some data from a computer resident on a wide area network such as the Internet (Ince 2005, p.336).

Waitable timer - According to Microsoft Developer Network (2009), Waitable Timer is a synchronization object whose state is set to signaled when the specified due time arrives. The operations of threads are prioritised by the timer objects.
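The Locks and Deadlock definitions above, as an added example that is not from the course material or the cited sources: two threads stand in for two transactions contending for two data items, first taking the locks in opposite orders and then in one agreed order. The names `attempt` and `run_pair` and the 0.2-second timeout are assumptions made for this illustration.

```python
import threading


def attempt(first, second, results, name, barrier=None, timeout=0.2):
    """Hold `first`, then try to take `second`; record whether that worked."""
    with first:
        if barrier is not None:
            # Wait until the other transaction also holds its first lock,
            # so the contention is reproduced on every run.
            barrier.wait()
        got_second = second.acquire(timeout=timeout)
        if got_second:
            second.release()
        results[name] = got_second
        if barrier is not None:
            # Keep the first lock held until both attempts have finished,
            # as a transaction that never gives up its data would.
            barrier.wait()


def run_pair(consistent_order):
    """Run transactions T1 and T2 over two locked data items.

    consistent_order=False: T1 locks A then B, T2 locks B then A.
    consistent_order=True:  both lock A then B.
    Returns {"T1": bool, "T2": bool}: did each obtain its second lock?
    """
    item_a, item_b = threading.Lock(), threading.Lock()
    results = {}
    if consistent_order:
        plans = {"T1": (item_a, item_b), "T2": (item_a, item_b)}
        barrier = None
    else:
        plans = {"T1": (item_a, item_b), "T2": (item_b, item_a)}
        barrier = threading.Barrier(2)

    threads = [
        threading.Thread(target=attempt,
                         args=(first, second, results, name, barrier))
        for name, (first, second) in plans.items()
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    # Opposite orders: each holds what the other needs, so both time out.
    print("opposite order:", run_pair(consistent_order=False))
    # One agreed order: the second transaction simply waits its turn.
    print("same order:    ", run_pair(consistent_order=True))
```

Without the timeout the opposite-order run would block forever, which is the deadlock the definition describes; acquiring locks in one global order removes the cycle.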


References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp. 336-373.

Microsoft Developer Network 2009, Waitable Timer Objects, Library, viewed 15 June 2009, <http://msdn.microsoft.com/en-us/library/ms687012(VS.85).aspx>.

Venners, B 1997, 'How the Java machine performs Thread Synchronization' , JAVAWORLD, posted 1 July, viewed 14 June 2009, <http://www.javaworld.com/javaworld/jw-07-1997/jw-07-hood.html>.

Wikipedia 2009, Semaphores (Programming), Wikipedia, The free encyclopedia, last modified 5 June 2009, Wikimedia Foundation, Inc., US, viewed 14 June 2009, <http://en.wikipedia.org/wiki/Semaphore_(programming)>.

Wikipedia 2009, Mutual exclusion, Wikipedia, The free encyclopedia, last modified 4 June 2009, Wikimedia Foundation, Inc., US, viewed 14 June 2009, <http://en.wikipedia.org/wiki/Mutual_exclusion>.

Saturday, 13 June 2009

Authentication and Encryption systems

1.Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?

I have purchased goods from a few different e-commerce websites. Nearly all of them require me to settle the payments by credit card. Just one or two can offer me an alternative payment method (e.g. PayPal). To a great extent, I trust those e-commerce websites. Normally, I only purchase goods from well-known companies such as Amazon, Symantec and other software distributors. Besides, I tend to use a virtual credit card with a very low credit limit to make the payments because it would minimise the possible loss in case of fraud.

2.What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

Most e-commerce websites have enabled SSL encryption to secure the communications between the websites and the clients. The customer can check whether the web address begins with 'https' and whether the 'lock' image is shown, as illustrated below.


If so, the website should have enabled SSL encryption.


3.Visit the Verisign web site - what solutions does it offer for e-commerce?

Verisign offers a number of products and services to various types of customers. There are four main categories of its products.

  • Consumer Authentication - protect consumer online identities and accounts with a trusted, convenient authentication experience and behind-the-scenes, real-time fraud detection.
  • Enterprise Authentication - address business challenges and regulations around strong authentication, encryption, and digital signatures with secure and scalable PKI and OTP solutions.
  • Government Authentication - PKI and OTP solutions for Federal, state, and local agencies and government contractors.
  • Authentication for individuals - Digital signing, digital certificates and credentials for individuals and organizations to secure and protect online identities.

Not all of the above are applicable to e-commerce practice. Consumer Authentication would be designed for B2C e-commerce transactions and Enterprise Authentication is more for B2B e-commerce transactions.

4.Visit the TRUSTe web site. Describe what services and solutions are offered.

TRUSTe is an independent, privately held organisation which certifies businesses with its Web Privacy Seal and Email Privacy Seal. The following is the mission statement of TRUSTe.

TRUSTe helps consumers and businesses identify trustworthy online organizations through its Web Privacy Seal, Email Privacy Seal and Trusted Download Programs. TRUSTe resolves thousands of individual privacy disputes every year (TRUSTe n.d.).

In order to acquire a seal from TRUSTe, businesses need to meet the privacy rules set by TRUSTe as well as the legal requirements. However, some people just treat it as a marketing tool rather than a security benchmark (Cline 2003).


References

Cline J 2003, 'Web site privacy seals: Are they worth it?', Computerworld, network & internet, posted 8 May 2003, viewed 13 June 2009, <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=81041>.

TRUSTe n.d., Advancing Privacy and Trust for a Networked World, mission statement, viewed 13 June 2009, <http://www.truste.org/>.

VeriSign n.d., Products and Services, Verisign Inc., viewed 13 June 2009, <http://www.verisign.com/products-services/index.html>.

Friday, 12 June 2009

Protecting and archiving data

1.What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?


Ince (2005) notes that a firewall is an extra layer of protection placed around a network or around a particular application. A firewall placed around a network will usually employ a router which can be programmed to deny access to a network; for example, it can be programmed to deny access to any packets of data which have been sent to a particular dedicated port. The following diagram illustrates the operation of a simple firewall.

Figure 1 A Simple Firewall (Ince 2005 Fig. 11.2)


My firm employs Check Point and WatchGuard as the firewalls for different sites. I myself installed Norton 360, developed by Symantec Corporation, on my home machines, which also has a firewall facility. These three firewall products can possibly meet the needs of users from different markets. Check Point is a very popular software firewall for enterprises and WatchGuard is a hardware firewall welcomed by SMEs. Norton 360 is home anti-virus software that also includes a personal firewall.


2.Find out if your university or workplace has a backup policy in place. Is it followed and enforced?

My firm certainly has a backup policy which is thoroughly implemented. It has multiple backup devices including magnetic tapes and optical disks. They just barely meet our needs and are still manageable. Apart from that, every day we use up a few backup tapes and optical disks, and as time has gone by we have accumulated a huge volume of them. Therefore, the metadata of tapes and disks is getting more and more important, which highly affects the recovery process. We all know that the recovery of data is very time consuming and never an easy task. However, we are usually required to fulfil the requests from users within a tight time frame. As a result, it is crucial to implement an effective backup and recovery solution with a holistic view.


3.Most of the antivirus software perform an active scanning of the user activity on the Internet, detecting downloads and attachments in e-mails. Hackers have readily available resources to create new viruses. How easy is it to find a virus writing kit?

From the given website, it doesn't take long for someone to create a virus. I just recall what happened about 9 to 10 years ago. The 'ILOVEYOU' virus successfully attacked tens of thousands of computers around the world. It created super email storms over the networks in order to launch denial-of-service (DoS) attacks on email services. The virus was actually a simple VB program. After we had analysed the source code of the program, my colleague worked out a solution within 24 hours. The solution was to trick the virus into believing that the machine had already been infected, so that it would not execute itself. How? 'ILOVEYOU' inserted a registry key on each machine it infected, and the virus only attacked computers without this key. We inserted this key on all computers on the network as a 'vaccine'. According to Wikipedia (2009), 'ILOVEYOU' infected 10 percent of all computers connected to the Internet.


References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp. 321-322

Wikipedia 2009, ILOVEYOU, Wikipedia, The free encyclopedia, last modified 28 May 2009, Wikimedia Foundation, Inc., US, viewed 12 June, <http://en.wikipedia.org/wiki/ILOVEYOU>.

Wednesday, 10 June 2009

Electronic payments and security II



1.What are cookies and how are they used to improve security?

Ince (2004) notes that 'a cookie is a file which is placed on a client running a browser and which usually contains details of a particular transaction, for example the products which someone has bought from an e-tailing site.'

According to Wikipedia (2009), there are a few uses of cookies.

  • Cookies were introduced to provide a way to implement a shopping cart, a virtual device into which a user can store items they want to purchase as they navigate the site.
  • Cookies allow the server to know that the user is already authenticated, and therefore is allowed to access services or perform operations that are off-limits to users who are not logged in.
  • Many websites also use cookies for personalization based on users' preferences.
  • Some websites use the cookies to track internet users' web browsing habits for on-line advertising purpose (e.g. Google).

Users typically log in by entering their credentials into a login page; cookies allow the server to know that the user is already authenticated, and therefore is allowed to access services or perform operations that are off-limits to users who are not logged in. In this sense, a cookie becomes the authentication token for the user's login.

2.Can the use of cookies be a security risk?

In general, a cookie itself is not dangerous. Cookies may potentially infringe upon the host's privacy, but they are easily removed. A tracking cookie cannot cause any system instability. However, the use of cookies might trigger the following security risks.

  • Inaccurate identification - this problem might arise when multiple users share the same user account on a computer.
  • Cookie hijacking - attackers can use packet sniffing to steal the cookies which are being sent back and forth over unencrypted HTTP connections and then use the intercepted cookies of other users to impersonate them on the relevant websites.
  • Cookie theft - by design the cookie specifications constrain cookies to be sent back only to the servers in the same domain as the server from which they originate. However, the client-side scripts can redirect the values of cookies to a different server. Thus, the attackers can collect the cookies of other users.
  • Cookie poisoning - while cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server.
  • Cross-site cooking - this is similar to cookie poisoning, but the attacker exploits non-malicious users with vulnerable browsers, instead of attacking the actual site directly. The goal of such attacks may be to perform session fixation.
  • Inconsistent state on client and server - the use of cookies may generate an inconsistency between the state of the client and the state as stored in the cookie. If the user acquires a cookie and then clicks the "Back" button of the browser, the state on the browser is generally not the same as before that acquisition.
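The hijacking, theft and poisoning risks listed above map onto three server-side controls: the Secure attribute, the HttpOnly attribute and an integrity tag on the cookie value. The following is an added example, not part of the original post; the key, the cookie name and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: a server-side secret that never leaves the server (constructed value).
SECRET_KEY = b"constructed-demo-key"


def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so a modified (poisoned) value is detectable."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed: str):
    """Return the original value, or None if the value or the tag was altered."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def build_session_cookie(session_id: str) -> str:
    """Build the Set-Cookie header value for a hardened session cookie."""
    jar = SimpleCookie()
    jar["session"] = sign(session_id)
    morsel = jar["session"]
    morsel["secure"] = True    # sent only over HTTPS: counters sniffing on plain HTTP
    morsel["httponly"] = True  # not readable by client-side scripts: counters cookie theft
    morsel["path"] = "/"
    return morsel.OutputString()


def read_session(cookie_header: str):
    """Parse a request's Cookie header and return the verified session id or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return verify(jar["session"].value) if "session" in jar else None


if __name__ == "__main__":
    header = build_session_cookie("user42")
    print("Set-Cookie:", header)
    print("accepted:", read_session(header.split(";")[0]))
    print("poisoned:", read_session("session=" + sign("user42").replace("user42", "admin", 1)))
```

The signature only detects modification; it does not hide the value, so nothing confidential should be placed in the cookie itself.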

References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp. 305-306.

Wikipedia 2009, HTTP cookie, Wikipedia, The free encyclopedia, last modified 3 June 2009, Wikimedia Foundation, Inc., US, viewed 7 June 2009, <http://en.wikipedia.org/wiki/Intrusion_detection_system>.

Sunday, 7 June 2009

Electronic payments and security I

1.List and describe your experiences with a secure Web site.

Very often I use online banking services to settle my bills and manage my financial transactions. The HSBC online banking website has adopted two-factor authentication and is equipped with EV SSL certificates. Not only do I need to log on with my user ID and password, but I also need to enter a one-time password generated by the given hardware token. The password is only effective for 15 seconds.

I have experience of purchasing goods from Amazon. When I make a payment for the selected items, I have to sign in to the secure server for processing the transaction. Hypertext Transfer Protocol Secure (HTTPS) is adopted in the payment module of the Amazon website. There are a few methods to settle the payment. I have chosen the credit card option in my account since day one.

2.What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

Secure Electronic Transactions (SET) is a protocol which is used for sending credit card information over the Internet. It consists of three major components: Electronic Wallet, SET Server and Payment Server. For details, please refer to my previous blog entry.

Both SET and SSL employ cryptography to secure the information exchanged over the Internet. This is tremendously important for online transactions. SET was launched in 1996 but was not very popular in the market even though 'SET was ultimately the strongest technology for securing online payments, businesses tended toward the less sophisticated models as a means of establishing for themselves an online presence' (Free Encyclopedia of Ecommerce n.d.).

Wikipedia (2009) explains that SET failed to win the market due to the following factors:

  • Network effect - need to install client software (an e-wallet).
  • Cost and complexity for merchants to offer support and comparatively low cost and simplicity of the existing SSL based alternative.
  • Client-side certificate distribution logistics.

Free Encyclopedia of Ecommerce (n.d.) also claims that SET is a sophisticated model but users favour the less sophisticated model, SSL. Nowadays, SSL has been the most popular protocol for securing e-commerce transactions. Lee, Malkin & Nahum (2007) have evaluated the adoption and evolution of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) through 19,000 servers. Most of the well-known e-commerce sites (e.g. Amazon, Buy.com), auction sites (e.g. eBay), on-line banking (e.g. Citibank, Chase), stock trading (e.g. Schwab), and even government (e.g. irs.gov) have adopted the SSL protocol. Communication with these sites is secured by SSL or its variant, TLS, which are used to provide authentication, privacy, and integrity. A key component of the security of SSL/TLS is the cryptographic strength of the underlying algorithms used by the protocol. It is crucial to ensure that servers using the SSL protocol have employed it properly. The adoption rate of SSL 3.0 is very positive. The ongoing developments of SSL/TLS really enable them to win the e-commerce market.

References

Free Encyclopedia of Ecommerce n.d., Secure Electronic Transaction (SET), <http://ecommerce.hostip.info/pages/925/Secure-Electronic-Transaction-SET.html>.

Lee HK, Malkin T & Nahum E 2007, 'Cryptographic strength of ssl/tls servers: current and recent practices', Internet Measurement Conference: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, San Diego, California, USA, pp.83-92, also available as pdf file, <http://www.imconf.net/imc-2007/papers/imc130.pdf>.

Wikipedia 2009, Secure Electronic Transaction, Wikipedia, The free encyclopedia, last modified 1 April 2009, Wikimedia Foundation, Inc., US, viewed 7 June 2009, <http://en.wikipedia.org/wiki/Secure_electronic_transaction>.

Monday, 1 June 2009

Designing for a secure framework

Find out about SET and the use of RSA 128-bit encryption for e-commerce.

SET is a protocol which is used for sending credit card information over the Internet. It consists of three major components as listed below:


  • Electronic Wallet - stores the customer's credit card details in an encrypted file on the customer's computer. At the same time, the software associated with SET will produce a public and a private key for processing.
  • SET Server - attaches the digital signature to the encrypted credit card details received from customers and then sends them to the payment server located at the bank or credit card company.
  • Payment Server - validates the credit card details received from the SET server located at the vendor and then sends a receipt to both the vendor and the customer.
The beauty of SET is that it protects the customer's credit card details and the transaction details from being disclosed to the people handling the transactions (Ince 2004, pp. 319-320).

RSA is the best-known public key cryptography system, which was developed by three professors at MIT: Ronald Rivest, Adi Shamir and Leonard Adleman. RSA 128-bit encryption is an algorithm that uses a system of public and private keys to encrypt and decrypt messages over an insecure line (Ince 2004, p. 314). Normally, 128-bit refers to a symmetric key size, which is equivalent to an RSA 3072-bit asymmetric key size in terms of the level of security (Kaliski 2003). Certainly, the longer the key, the harder it is to break. Kirk (2007) claims that 'the strength of the encryption used now to protect banking and e-commerce transactions on many Web sites may not be effective in as few as five years, a cryptography expert has warned after completing a new distributing-computing achievement'. Kaliski (2003) also points out that RSA 1024-bit will be able to protect the security of data until 2010. By that time, the distributed computation capacity will be sufficient to break the encryption.

Both SET and RSA encryption can secure the data exchanged over the Internet, which is extremely important in e-commerce transactions.

What can you find out about network and host-based intrusion detection systems?

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic (Wikipedia 2009).

A host-based intrusion detection system (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state (Wikipedia 2009).

What is 'phishing'?

Webopedia (2009) gives the following definition of 'phishing':

The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information.

As mentioned above, very often phishing scams rely on placing links in e-mail messages, on Web sites, or in instant messages that seem to come from a service that you trust, like your bank, credit card company, or social networking site. We can identify 'phishing' scams or fake websites by carefully examining the suspicious website addresses:
  1. any typos in the address,
  2. whether the address is a masked address, and
  3. whether an extended validation SSL certificate is applied.
These checks will alert us to phishing scams or fake sites.
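The first two checks above (typos in the address and masked addresses) can be automated when a mail or web filter inspects links. The following is an added example, not part of the original post; the allow-list, the finding labels and the sample URLs in the test data are constructed assumptions, and the certificate check is not covered because it needs a live connection.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small allow-list of domains the user really deals with.
TRUSTED = {"hsbc.com", "amazon.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(host: str) -> str:
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def shown_host(text: str) -> str:
    """Host named in the visible link text, or '' if the text is not an address."""
    if " " in text or "." not in text:
        return ""
    return (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()


def check_link(display_text: str, href: str) -> list:
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    domain = host if is_ip else base_domain(host)
    if parts.username is not None:
        findings.append("userinfo-in-url")   # text before '@' is not the real host
    if is_ip:
        findings.append("raw-ip-host")
    shown = shown_host(display_text)
    if shown and base_domain(shown) != domain:
        findings.append("masked-link")       # visible address differs from the target
    if not is_ip and domain not in TRUSTED:
        for good in sorted(TRUSTED):
            if edit_distance(domain, good) <= 2:
                findings.append("lookalike-of:" + good)
    return findings
```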

References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison – Wesley, pp 295-320.

Kaliski, B 2003, TWIRL and RSA Key Size, RSA Laboratories, 6 May, RSA Security, viewed 6 June 2009, <http://www.rsa.com/rsalabs/node.asp?id=2004>.

Kirk, J 2007, Researcher: RSA 1024-bit Encryption not Enough, PCWorld, 24 May, viewed 6 June 2009, <http://www.pcworld.com/article/132184/researcher_rsa_1024bit_encryption_not_enough.html>.


Wikipedia 2009, Intrusion Detection System, Wikipedia, The free encyclopedia, last modified 3 June 2009, Wikimedia Foundation, Inc., US, viewed 7 June 2009,
<http://en.wikipedia.org/wiki/Intrusion_detection_system>.

Webopedia 2009, phishing, last updated 1 May 2009, <http://www.webopedia.com/TERM/p/phishing.html>.