Wednesday, April 05, 2006

New Trends In Online Traffic

Visits to Sites for Blogging, Local Information and Social Networks Drive Web Growth


While growth is slowing at most top Internet sites, it is skyrocketing at sites focused on social networking, blogging and local information.

The dramatic success of those Internet categories is apparent from a recent online-traffic analysis provided by market research firm ComScore Media Metrix, which examined visitor growth rates among the 50 top Web sites over the past year.



A customer at a cafe in San Francisco uses its wireless Internet access. Traffic at social-networking sites such as MySpace.com, which caters to young users, boomed in 2005. (By Justin Sullivan -- Getty Images)

Top-ranked sites growing the most, ComScore's data showed, were Blogger.com, a personal publishing site; MySpace.com, where young people do virtual preening and share musical tastes; Wikipedia, an open reference site jointly edited by millions of people; and Citysearch, a network of local guides focused on cities.

The number of monthly visitors to each site rose at rates ranging from 185 percent (Citysearch) to 528 percent (Blogger.com) between February 2005 and February 2006. Their growth far exceeded the 4 percent increase in overall Internet visitors in the United States during that period.

The traffic analysis shows the Internet is still a space where new brands such as MySpace can suddenly break into the upper ranks, where older brands such as Citysearch can revive themselves after languishing for years, and where established outfits such as Google often wind up as beneficiaries because they buy or copy services pioneered by upstarts.

Google Inc., for instance, bought Blogger.com in 2003; the number of people posting or reading material at that site jumped to 15.6 million last month from 2.5 million a year ago.

"The growth in blogging reminds us the Internet is fulfilling its original promise about participation," said Gary Arlen, a research analyst and president of Arlen Communications Inc. "This medium empowers users in such a way that they can do what they want and be heard."

Peter Daboll, president and chief executive of ComScore Media Metrix, said one notable recent traffic trend is increased popularity of sites helping people find local information: "Things having to do with local search are really gaining momentum."

In addition to Citysearch, a network devoted to local entertainment and commerce, Daboll said, two local directories made the Web's top 50 last month, WhitePages.com and Verizon's Superpages.com.

Citysearch, which is owned by IAC/InterActive Corp., recently announced its first full year of profitability, thanks to its increase in ad sales. And the Kelsey Group, a Princeton, N.J., consulting firm specializing in local advertising, projects that ads relating to locally focused Internet searches will become a $6.1 billion market within five years.

Greg Sterling, an independent analyst, said local Internet services lagged behind their national counterparts for years but are finally coming on strong because they are much better today and people are more aware of their utility. "This is stuff people need and want in their everyday lives," Sterling said, "and to the extent they can find it online, they are starting to use these tools."

ComScore usually lumps together sites owned by the same firm in its Internet traffic reports, so AOL's visitors, for example, would be merged with those of other sites owned by Time Warner Inc. But The Washington Post asked ComScore to break out traffic for the Web's top 50 individual sites to get an idea of which were gaining and losing momentum.

The analysis showed that the Internet's biggest brands have plenty of staying power or at least are keeping pace with growth in the overall online population. Yahoo retains the largest audience in the United States, though its visitor growth slowed to about 5 percent last year.

Google was the only mega-site bucking the trend, with its users shooting up 21 percent in the past year. Not only has Google steadily expanded its share of the market for Web search, ComScore found, but it also has been attracting new users by expanding into other services offered by rivals, such as e-mail, mapping and personal publishing. If you combine traffic to all the properties it owns, including Blogger.com, Google's total audience jumped 27 percent last year, ComScore found.

The total audience for all of Time Warner's Internet properties, including AOL's various online services, showed little or no growth. Neither did the total audience for Microsoft Corp.'s collective Internet services, though some discrete services did well.

AOL's Mapquest.com, for example, pulled 7 percent more visitors in February this year compared with last.

One of the more dramatic growth stories was MySpace, which pulled 37 million visitors last month, 28 million more than a year ago. That gave it a ranking of No. 10 among all sites in the United States, according to ComScore.

Usage data for MySpace suggests an even higher popularity ranking: Based on total pages viewed and the time spent by each visitor, MySpace ranked No. 2 on the entire Internet, right behind Yahoo.

After Rupert Murdoch's News Corp. bought MySpace for $580 million last summer, the site made headlines when some men were arrested and charged with assaulting girls they had identified on the site. Since then, News Corp. has been working feverishly to improve safety on MySpace by screening photos for pornography and removing profiles of underage users.

Joining MySpace on the fast track was Wikipedia, the open encyclopedia that anyone can edit. Its traffic soared 275 percent last year following widespread media play over the posting of fake biographical material and similar controversies regarding the site's accuracy.

For a chart showing all top 50 Web sites and their number of visitors last month, go online to http://washingtonpost.com/technology.


source:http://www.washingtonpost.com/wp-dyn/content/article/2006/04/03/AR2006040301692_2.html


AJAX: Is your application secure enough?

Introduction

We see it all around us lately. Web applications get niftier by the day by utilising new techniques recently introduced in a few web browsers, like I.E. and Firefox. One of those techniques involves Javascript; more specifically, the XmlHttpRequest class, or object.

Webmail applications use it to quickly update the list of messages in your Inbox, while other applications use the technology to suggest search queries in real time. All this happens without reloading the main, sometimes image- and banner-ridden, page. (That said, it will most probably be used by some of those ads as well.)

Before we go into possible weaknesses and things to keep in mind when implementing an AJAX enabled application, first a brief description of how this technology works.

The Basics

Asynchronous Javascript and XML, dubbed AJAX, basically works like this. Let me illustrate with an example: an email application. You are looking at your Inbox and want to delete a message. Normally, in plain HTML applications, the POST or GET request would perform the action and then redirect to the Inbox, effectively reloading it.

With the XmlHttpRequest-object, however, this request can be done while the main page is still being shown.

In the background a call is made which performs the actual action on the server, and optionally responds with new data. (Note that this request can only be made to the web-site that the script is hosted on: it would leave massive DoS possibilities if I can create an HTML page that, using Javascript, can request thousands of concurrent web-pages from a web-site. You can guess what happens if a lot of people would visit that page.)

The Question

Some web-enabled applications, such as for email, do have pretty destructive functionality that could possibly be abused. The question is — will the average AJAX-enabled web-application be able to tell the difference between a real and a faked XmlHttpRequest?

Do you know if your recently developed AJAX-enabled or enhanced application is able to do this? And if so — does it do this adequately?

Do you even check referrers or some trivial token such as the user-agent? Chances are you do not even know. Chances are that other people, by now, do.

To be sure that the system you have implemented — or one you are interested in using — is properly secured, and thus trustworthy, one has to 'sniff around'.

Incidentally, the first time I discovered such a thing was in a lame preview function for a lame ringtone-site. Basically, the XmlHttpRequest URI's 'len' parameter specified the length of the preview to generate and it seemed like it was loading the original file. Entering this URI in a browser (well, actually, 'curl'), specifying a very large value, one could easily grab all the files.

This is a fatal mistake: implementing an AJAX interface that accepts GET requests. GET requests are the easiest to fake. More on this later.
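One way a server can refuse faked background requests and bound a client-supplied length, shown as an added example that is not part of the original article. The action name, the `x-ajax-token` header, the session shape and the preview cap are all assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not from the article.
const crypto = require('crypto');

const MAX_PREVIEW_LEN = 30;                          // assumed server-side cap
const STATE_CHANGING = new Set(['deleteMessage']);   // assumed action names

// Issue a random token, keep it in the server-side session, and hand it
// to the page so its own script can send it back with each request.
function issueToken(session) {
  session.ajaxToken = crypto.randomBytes(32).toString('hex');
  return session.ajaxToken;
}

// Constant-time comparison so the check does not leak how many characters matched.
function tokensMatch(supplied, expected) {
  const a = Buffer.from(String(supplied || ''));
  const b = Buffer.from(String(expected || ''));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// req is a plain object { method, action, headers, params }.
// Referer and User-Agent are never consulted: the client sets both.
function checkAjaxRequest(req, session) {
  if (!session || !session.userId) {
    return { ok: false, reason: 'not authenticated' };
  }
  if (STATE_CHANGING.has(req.action)) {
    if (req.method !== 'POST') {
      return { ok: false, reason: 'state change requires POST' };
    }
    const supplied = req.headers['x-ajax-token'];
    if (!session.ajaxToken || !tokensMatch(supplied, session.ajaxToken)) {
      return { ok: false, reason: 'missing or invalid token' };
    }
  }
  return { ok: true, reason: 'accepted' };
}

// The 'len' case from the article: the server decides the upper bound,
// whatever value the request carries.
function previewLength(rawLen) {
  const n = Number.parseInt(rawLen, 10);
  if (!Number.isFinite(n) || n <= 0) return MAX_PREVIEW_LEN;
  return Math.min(n, MAX_PREVIEW_LEN);
}

// Constructed sample requests.
const session = { userId: 'u1' };
const token = issueToken(session);
const forged = {
  method: 'GET', action: 'deleteMessage', params: { id: '7' },
  headers: { referer: 'https://mail.example/inbox', 'user-agent': 'Mozilla/5.0' },
};
const genuine = {
  method: 'POST', action: 'deleteMessage', params: { id: '7' },
  headers: { 'x-ajax-token': token },
};
console.log(checkAjaxRequest(forged, session).reason);
console.log(checkAjaxRequest(genuine, session).reason);
console.log(previewLength('999999999'));
```
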

source:http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/


Gold nanoparticles to trap toxins


Tiny particles of gold could soon be helping to spot viruses, bacteria and toxins used by bio-terrorists.

Researchers in the UK have found that gold nanoparticles are very effective detectors of biological toxins.

The particles reveal the presence of poisons far faster than existing techniques which often involve shipping samples back to a lab.

The aim is to integrate the technology in a portable device that could give instant answers at crime scenes.

Colour chemistry

Led by Professor David Russell, researchers at the University of East Anglia are studying ways to use the nanoparticles as a detector of dangerous biological substances.

The research makes use of gold nanoparticles that are only 16 nanometres in diameter - roughly 1/5000th the width of a human hair.

Earlier work by Professor Russell's team has refined manufacturing methods so relatively large amounts of the particles can be made quickly.

Once made, the particles are coated with sugars tailored to detect different biological substances.

When mixed with a weak solution of the sugar-coated nanoparticles, the target substance, be it a poison such as ricin or a bug like E.coli, binds to the sugar. This changes the properties of the solution and makes it change colour.

Professor Russell said pure solutions of the gold nanoparticles are a strong red colour but instantly change to blue when the target substance is present.

He said work had been done with solutions of particles tailored for just one toxin as well as mixtures that combined nanoparticles tailored to spot different substances.

The scientist said colour changes were less dramatic with mixtures of nanoparticles but were still significant enough to easily spot. The extent of the colour change can also reveal how much of particular toxins were present.

Portable detection

"We can get quantitative information about how much of a toxin is present," said Professor Russell.

This could be useful, he said, if the detection system is being used to check for impurities in water as it would reveal if they are present in small enough amounts to be safe or have passed a threshold level.

"We can detect well below the threshold limit so we know the water is pure before we drink it," he said.

Future research will focus on building the detection system into a portable device that can be taken out to places where poisonous substances are thought to be present.

Such a gadget would give basic information about which toxins were present and in what quantities. Professor Russell speculated that the portable detector could be ready in five years' time.

The research team is also looking into ways of using the detection system to help scene of crime officers analyse biological fluids such as sweat that criminals leave behind.

"There's a lot of chemical information in there," said Professor Russell.

The early results of Professor Russell's work were presented at a conference in London organised by the Engineering and Physical Sciences Research Council (EPSRC) which showcased research that aims to help forensic scientists.


Self-Parking Cars Coming To U.S.

"Vehicles that are able to parallel park themselves while drivers sit and relax behind the wheel are coming to the United States, according to a Local 6 News report. New Toyota hybrid cars are now available in Britain with a $700 "parking assist" option. Local 6 news showed video of a driver sitting and allowing the car's steering wheel to turn on its own as it pulled into a tight parking spot on a London street. The reporter never touched the wheel as the car parked itself. Toyota says expect to see the technology pop up in the U.S. soon." Here is our previous coverage of their release in Japan.

source:http://slashdot.org/articles/06/04/05/0222209.shtml

Next-gen Robot Toys to Fetch Beer

"The Boston Globe reports that WowWee Toys, the creators of robots like the hack-friendly Robosapien series, has announced a collaboration with Evolution Robotics. WowWee's next generation of robots will make use of Evolution's tech for visual object recognition and indoor navigation, hopefully with future versions being able to not just entertain, but also 'perform useful tasks such as fetching a beer or even helping to carry the groceries.'"

source:http://hardware.slashdot.org/article.pl?sid=06/04/05/0040225

Slow Starters Have Higher IQ?

"Science Daily is reporting that children with 'superior' IQ's tend to have a slow start in the development of their cortex. These children have a 'delayed but prolonged' spurt that causes their cortex thickness to peak later than their peers and thin much quicker. This effect is most evident in the pre-frontal cortex. 'People with very agile minds tend to have a very agile cortex,' says Dr. Philip Shaw of the NIMH."

source:http://science.slashdot.org/article.pl?sid=06/04/04/218234

HAL Exoskeleton Assisted Mountain Climbing

"The Age is reporting that two experienced mountain climbers will wear Japanese HAL exoskeletons to assist in carrying a quadriplegic and a muscular dystrophy sufferer to the summit of a Swiss mountain. Although they will be starting only 280 meters below the summit, it will still be an impressive feat." Slashdot covered the HAL exoskeleton late last year.

source:http://hardware.slashdot.org/article.pl?sid=06/04/04/1513230

What I Learned at Hacker Camp

It's easy to create malicious code, penetrate firewalls, and steal personal and financial information. "Ethical hacker" Andrew Whitaker can show you how.

I didn't wake to Reveille in army barracks. I wasn't dressed in fatigues. And no way was I marching around holding a rifle above my head. But in the wee hours one recent Thursday I was headed to boot camp nonetheless -- hacker boot camp.


For a full day, I would immerse myself in the tricks of the computer hacking trade, getting hands-on training in how scam artists construct the code that wreaks havoc on the world's computers. The key distinction: This is "ethical" hacker boot camp, put on by a company called TechTrain, which hosts about 24 of these intensive training sessions each year.

My drill instructor (read: teacher) is Andrew Whitaker, TechTrain's director of enterprise security, who's had stints protecting online banks, and teaching other financial institutions what's wrong with their security systems, over the last ten years. Before class, he gives me the rundown of what we'll learn: how to use viruses, how to compromise wireless networks and how to evade firewalls.

"PRETTY SWEET." I am in a classroom full of middle-aged high-tech system administrators. They're all men, from all over the country, attending the $4,300-a-week course to brush up on the skills needed to combat a rising tide of computer threats.

Mainly, they work for computer makers and software firms, and boy do they love their computers. One describes the tension between himself and his wife over how much he uses the computer. Another student agrees. "Don't make me choose, because you won't like the outcome," he says, to raucous laughter.

Each time Whitaker unveils a new way to compromise a company's security, "Cool!" is exclaimed throughout the room. Even Whitaker, who tackles hacking challenges in his spare time, pauses from time to time to ask, "Pretty sweet, huh?" It's a bad-boy thrill, and it's as infectious as the attacks we're trying to thwart.

NEW BREED. Thrill or no, this is boot camp, and there's a big task at hand: earning the right to be called a "certified ethical hacker," a distinction bestowed by the International Council of Electronic Commerce Consultants. The e-commerce trade group has been administering the program for several years, but the need for IT professionals who know how to think -- and code -- like the enemy is as urgent as ever.

Time was, companies that wanted to fight hackers would go out and hire the bad guys themselves. But as hackers proliferate and get smarter, companies increasingly want homegrown experts, so-called white hats.

Another shift they're responding to: Increasingly, attacks are financially motivated. These are no longer mere "hacktivists" who spread viruses to take down Corporate America or spread social and political commentary. Nor are they out to make a name for themselves. Today's hackers want to fly under the radar (see BW Online, 1/23/06, "Coming to Your PC's Back Door: Trojans"). According to the latest Internet threat report by Symantec (SYMC), attacks that have the potential to give bad guys confidential information rose 74% in the second half of 2005 to comprise 80% of all threats.

ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successfully.

Here's another trick. Put a single quote mark in the user name line of a password. If you get a particular error message, you know that site is vulnerable to a technique of stealing database contents called "SQL injection." "Pretty cool, huh?" Whitaker says to the stunned crew. "You guys want to see some more scary stuff?"

OPEN TO ALL. It wasn't a real bank's site I was hacking into. And I was pretty much typing instructions written out for me. Still, Whitaker says there's an enormously large number of sites with these types of basic vulnerabilities, largely because database administrators don't know security -- and the security administrators don't know databases. If I could master basic database hacking in an hour, how much damage could a truly technically proficient person do?

So, do ethical hackers go bad, I wonder aloud? Whitaker says he knows of a few cases, but companies like his screen candidates carefully. They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks. In any case, the sad truth is that anyone who wants to be a hacker can do so these days -- with or without these classes.

A large percentage of the materials used to train ethical hackers are freely available over the Web. Just like the mainstream software world has been turned on its head by the open source revolution of coders creating free databases and operating systems, there's a whole open source world of viruses and trojans.

BEAUTY AND THE BEAST. After about six hours of crash training, the class embarks as a team on a "capture the flag" hacking challenge that entails stealing credit card numbers from a fictional bank and posting all the numbers to the site. It gives pupils a chance to apply all the skills learned over the week.

I must concede it's too sophisticated for my grade-school BASIC skills and a half day of hacking tips, so I hang back as Whitaker shows me how he infected another machine with a trojan called "Beast."

Beast was written by a college guy in love with a girl who didn't love him back. So he did what any lonely geek would do. He wrote a vicious program that could control her dorm room Web cam. Beast can also control your CD drive, Internet browser, and chat windows -- anything on your machine. And you can download it free on the Web today. Sure, most security software can catch it -- but nearly half of PCs in the U.S. don't have basic security software. And for just a few hundred bucks, mercenaries will write you a new, undetectable version.

FACT AND FICTION. According to research by Symantec, most hacking activity goes on Monday through Friday from 9 a.m. to 5 p.m. -- it's a career for some. "We were stunned by their brazen indifference to law enforcement and the extent to which they emulate a sophisticated economy," says David Cole, director of Symantec's security response team, who spent months watching hacker activities online.

Earlier in the day, I ask Whitaker if he's seen the recent movie Firewall, where Harrison Ford portrays a security specialist forced to rob the bank he's protecting so he can save the life of his kidnapped son. "Yeah, it's not really like that in the real world," Whitaker says, condescendingly. After a day at hacker camp, I agree. The real world is scarier.

source:http://www.businessweek.com/technology/content/apr2006/tc20060403_499982.htm?campaign_id=bier_tca
