Monday, September 21, 2009

Top 10 Useful Web Tools

The editors of Pandia share their favorite online tools for blogging, exploring and information management.

There used to be a time when you had to install software on your computer to get a job done. Now a large number of services are available online, and can be accessed from within your browser window. We work on several computers, and being able to access the tools on a PC in Berlin one day and a Mac in Oslo the next is a must.

Here are our ten favorite tools right now:

1. Yahoo! Bookmarks
When we wrote the article Top 5 social bookmarking services last year, Yahoo! Bookmarks did not make it into the top 5. This was partly because it isn’t really a social networking site, but also because we found it lacking in many respects.

Since then Yahoo! has launched a new version of Yahoo! Bookmarks, and we love it! It is well designed, and easy to use. We may be old fashioned, but the possibility of using folders instead of tags is a relief.

2. Google Reader or Rojo
In order to keep track of all the search engine buzz in the blogosphere, we need to use an RSS feed reader. Susanne insists that Rojo is the best one, while Per argues that Google’s Reader is more than good enough. If you follow a lot of blogs and news sites, and haven’t started subscribing to feeds, this is the time to get going. Start by subscribing to Pandia’s feed.

3. Stumbleupon
Stumbleupon is one of the social networking sites we like best. It is quite different from the likes of Facebook and MySpace. Users of the Stumbleupon toolbar may submit sites and pages they find useful. Other Stumbleupon users will then be presented with these pages when they click on the toolbar “stumble” button.

It is a bit like TV channel zapping, but the fact that the survival of Web pages in the system depends on the number of “thumbs up” they get from the “stumblers” means that most of the pages shown are of good quality. You may also restrict your stumbling to specific categories, a great way to explore new, unknown quality sites in your area of interest.

We hate that they tricked us into sending spam emails to our contacts, though. That was very embarrassing.

4. Vox
If you are to develop a company blog, or blog for profit, you definitely need to use professional software hosted on a reliable Web host. However, if you just want to make a personal blog, or a blog for a smaller project, an “off the shelf” solution may be exactly what you need.

Google’s Blogger is all right, but Vox is better. We like the various elegant Web page designs and the social networking aspect of Vox. And it is extremely easy to set up and edit a new blog. Susanne’s blog at Vox may serve as an example of what you can do.

5. Netvibes
Another way of managing large amounts of Internet information is to make your own portal, consisting of your favorite headlines, search tools, videos, social networking accounts (you know, like Facebook), notes, weather reports and so on.

There are many good personalized start pages, but Netvibes is the best.

6. Yahoo Mail
We are using Google’s Gmail ourselves, which is an excellent service, but we have to admit that Yahoo’s online mail service is better looking, and easier to use. It includes an integrated calendar, notepad and feed reader, and is accessible from any browser, anywhere.

7. Facebook
Unless you have been hiding under a rock during the last year, you probably know everything there is to tell about Facebook. It is a great way to present yourself to old and new friends, and to waste a lot of time on meaningless quizzes and funny applications. We like the ability to import your own Web feeds and present them to your network.

Facebook is the ultimate proof of man being a social, and not predominantly a rational being.

8. Feedburner
Having an RSS Web feed is obligatory for any serious Web site owner or blogger. This is especially true for sites like Pandia, which have a large number of technologically advanced users. Feedburner helps us keep track of our Web feed users, and gives us detailed statistics on what they read, and when they visit our site.

9. Google Docs
We have not abandoned Microsoft’s Office package yet, but in the not too distant future we might. Using Google Docs, you can write text documents, develop spreadsheets and design PowerPoint-like presentations online.

The fact that all the documents are saved on the servers of Google, means that they are easy to share with others. This makes the service a great tool for collaborative team work.

10. Flickr
We have made our last paper based photo album. Now our digital photos go directly into the Mac’s iPhoto software and out on the Web. Still, the .mac service is not an alternative for non-Mac users (and that includes most of you), so we have put up Yahoo’s Flickr photo service as our favorite. Flickr lets you share your digital photos with the whole world, and even add them to a world map.

It took us 30 minutes to put up this page. There ought to be alternative skins or Web page designs available, though. In this respect Flickr can learn from Vox.

We would also like to mention the following tool, which didn’t make it into the top 10 as it requires you to download software on your computer:

Last.fm
If you listen to a lot of digital music using iTunes or another music player, Last.fm may be the thing for you. Last.fm keeps track of what music you listen to (in our case by importing info from iTunes and our iPods), and then produces various hit lists based on what we have been listening to. It then compares this information with lists produced by other members and proposes artists similar to the ones you like.

You can also take a look at iLike, a good alternative to Last.fm.


101 most useful websites for internet users

The powerhouse of the internet and the only place many people go for information. But if you thought Google was still a mere search engine, look again. Click on 'more' at the top of the homepage to discover the work of 'GoogleLabs' - more than 50 free tools and web pages that could change your internet life.

GoogleDocs lets you create documents, spreadsheets and presentations, store them online, share them with others and access them from wherever there's an internet connection.

Googlemail is probably the best email program - it has virtually limitless capacity and you don't need to change your email address to use it. The Google calendar is a powerful searchable diary that you can allow others to access, so family members can make appointments together.

SketchUp could be just the tool you are looking for to design that conservatory extension and see what it will look like once the builders have gone. Add to that databases for searching academic journals and books in the public domain, the powerful GoogleMaps, with its engaging satellite imagery, a finance page with live stock quotes and an easy-to-use online messaging system, and you can see why some people say Google is taking over the world - and, with GoogleMoon and GoogleMars, the rest of the galaxy, too.

2 Anonymouse
www.anonymouse.org

Surf the web without disclosing who or where you are.

3 iLounge
www.ilounge.com

Hints, tips and troubleshooting for your iPod and associated software.

4 Only2Clicks
www.only2clicks.com

If you use just a few websites, this lets you create a home page that has links to them all. Simple, free and practical.

5 Zoho
www.zoho.com

A suite of free business programs. From word processing and presentation software to tools for taking notes in meetings, planning projects and creating databases.

6 Backpack
www.backpackit.com

To-do lists, notes, ideas and calendar. Excellent for juggling projects and much more versatile than a ring folder.

7 GetNetWise
www.getnetwise.org

All you need to know about keeping the net safe - protecting children, preventing spam, avoiding viruses and stopping others accessing your personal details.

8 DaFont
www.dafont.com

More than 7,500 free fonts (for Mac and PC), so you can at last stop using Copperplate for your party invitations.

9 Pando
www.pando.com

The superfast way to send large files over the web. Don't attach that family video to an email, Pando it instead.

10 FlipClips
www.flipclips.com

Turn your home videos into animated flip books. Much more appealing than another DVD.

ENTERTAINMENT

11 Digital Spy
www.digitalspy.co.uk

Entertainment, media and showbiz news. Plus, a surprisingly good forum for technology-related problems - a great place to sort out your broadband.

12 BBC iPlayer
www.bbc.co.uk/iplayer

On-demand television and radio programmes from the BBC.

13 Whatsonwhen
www.whatsonwhen.com

Events, attractions, openings and exhibitions from around the world. Enter a location and dates and the site will show listings.

14 London Theatre Guide
www.londontheatre.co.uk

What's coming on and what's making an exit in London's theatre world. Especially good for seating plans, so you can see where the box office staff are putting you.

15 The Internet Movie Database
www.imdb.com

The world's biggest (and still growing) reference for actors, directors, locations, plots...

16 Rotten Tomatoes
www.rottentomatoes.com

A round-up of what the critics thought of films on general release.

17 Screenonline
www.screenonline.org.uk

The British Film Institute's definitive guide to the British film industry. Plots, features, statistics and news from the film world.

18 Good Reads
www.goodreads.com

Expand your reading. Catalogue your books online and others make recommendations based on what you seem to enjoy.

19 TV Guide
www.tvguide.co.uk

News, features and listings for Britain's terrestrial and cable television. Customisable interface so your favourite channels are always at the top.

20 Football365
www.football365.com

The authentic (and often tangential) voice of Britain's 'real' football supporters.

21 CricInfo
www.cricinfo.com

Everything you want to know about the world of cricket.

22 Beijing Olympics
en.beijing2008.cn

The official Olympics site, with news, scheduling, features and a countdown to the games themselves.

23 Radio Locator
www.radio-locator.com

From shock jocks to orchestral baroque, thousands of internet radio stations to listen to on your computer.

24 Live Plasma
www.liveplasma.com

Expand your music and movie tastes. Enter the name of a song, band, movie, actor or director you like and Live Plasma will return some pretty intelligent recommendations for further investigation.

25 Blinkx
www.blinkx.com

A clever way of searching for video clips on the internet - from uploaded episodes of your favourite soap to comedy home-video moments.

26 Lulu
www.lulu.com

Self-publishing made smart again. Write, design and then print your own books - though you'll still have to persuade others to buy them.

27 VideoJug
www.videojug.com

28 Wonder How To
www.wonderhowto.com

Two great sites full of short videos showing you how to do almost anything, from the incredibly useful (exercises for diabetes sufferers, tying a Windsor knot) to the revelatory ('learn different kinds of kisses'), via the wonderfully obscure ('make a moving jaw for your werewolf mask').

29 Instructables
www.instructables.com

DIY projects from zombie make-up to LED balloons. Excellent selection of rainy-day projects for bored children (and adults) at home.

30 Flash games
www.k2xl.com

Addictive series of Flash games including the hypnotically soothing Boomshine.

31 GameSpot
www.gamespot.com

News, reviews, hints and tips for virtually every console game on the market. Essential if you are still up at 2am trying to find a way into the castle on Zelda.

32 Anagrammer
www.anagrammer.com

Online anagram machine for Scrabble players and crossword enthusiasts. Also solves Sudoku.

ADVICE AND INFORMATION

33 Newsmap
marumushi.com/apps/newsmap

A wonderfully graphical - and customisable - display of news stories from around the world. Click on an item to see the full story.

34 The Eggcorn Database
eggcorns.lascribe.net

Continually updated guide to modern-day Malapropisms, misunderstandings and other manglings of language. From 'high dungeon' to 'wreckless driving', Eggcorn names the culprits and nudges them in the right direction.

35 Arts and Letters Daily
www.aldaily.com

World-class articles from intellectual and influential journals around the world. Browse the day's selections. Like The Week for eggheads.

36 Ask Philosophers
www.askphilosophers.org

The academy comes to cyberspace. A panel of mainly American and British philosophy scholars answers questions sent in by the public. Search the database, from Abortion to War, or send in a question of your own.

37 When Is
www.when-is.com

Shows you the dates of Jewish, Christian, Buddhist, Muslim, Hindu and American holidays from now to 2010.

38 Rhyme Zone
www.rhymezone.com

For when the muse has gone, a rhyme and synonym generator to help you towards the perfect mot. You can also search for Shakespeare quotations, biblical references and other literary inspirations.

39 Nationmaster
www.nationmaster.com

Giant but easily searchable database of statistics, maps and profiles for every country in the world.

40 Digg
www.digg.com

The people's approach to news and features, Digg brings together items from across the net, ranked according to how many people have felt them worth recommending. Sometimes a little techie-heavy, but excellent for discovering what the cyberworld is getting worked up about.

41 They Work For You
www.theyworkforyou.com

A powerful way of keeping tabs on MPs and peers: attendance records, voting patterns, recent statements and more.

42 Time Bank
www.timebank.org.uk

Volunteering opportunities for young people, sorted by region, interest, skills and need.

43 Wikipedia
www.wikipedia.org

Controversial, democratic and sometimes error-strewn encyclopaedia that has brought Darwinism to the world of knowledge. Make it your first port of call for looking something up. Just be sure to check somewhere else that what you find makes sense.

44 Wiktionary
www.wiktionary.org

Wikipedia's online multilingual dictionary. Immensely powerful and far less controversial than its encyclopaedic forebear.

45 Motley Fool
www.fool.co.uk

The original - and still the best - personal finance site on the web (the American version is at www.fool.com). For savers, borrowers, stock spotters and day traders, sound, independent advice that cuts through the jargon.

46 Martindale's 'The Reference Desk'
www.martindalecenter.com

From the arts, business, science and technology, a dry but authoritative conglomeration of data from around the world.

47 PubMed

www.ncbi.nlm.nih.gov/PubMed

Free and authoritative database of more than 17 million medical research papers. Not always easy to understand if you are not a medic, but a far better place to look for information than the random sites that come up on Google.

48 About.com
www.about.com

The internet's version of that clever uncle who always seems to know the answer to your questions. There are few subjects the site doesn't tackle, though the coverage can be superficial. A good starting point for idle research.

49 NHS Direct
www.nhsdirect.nhs.uk

Online information and advice about health and illness, run by Britain's National Health Service. The site includes a useful self-diagnosis tool that can reassure you that your hangover is not in fact meningitis.

50 Legal Services Shop
www.freelawyer.co.uk

General legal advice relating to housing, family law, employment, motoring, consumer issues and personal injury, plus wills, conveyancing and divorce. Good starting point to see where you stand. Will also, for a fixed fee, answer questions and put you in touch with a solicitor.

51 How Stuff Works
www.howstuffworks.com

Engaging encyclopaedia of the modern (and not so modern) world, with good illustrations and clear text. Can suffer sometimes from an 'it's amazing!' tone of voice.

52 XE
www.xe.com

Currency converter covering every world currency. Azerbaijan new manats to Cayman Island dollars? Just a click away.

53 Advice Guide
www.adviceguide.org.uk

Find where you stand legally with the Citizens Advice Bureau's online information resource.

54 Need2Know
www.need2know.co.uk

Advice and information for young people, including health and fitness, drugs, problems with bullying, how to study and applying for jobs.

55 Royal Horticultural Society
www.rhs.org.uk

Advice and suggestions from the world's leading gardening organisation. A good 'how-to' section and seasonal tips for the time of year.

56 Babelfish
babelfish.altavista.com

Automatic translation to and from most European languages and Chinese. The results are sometimes a little strange, but you will usually get your message across.

57 eHow
www.ehow.com

How to do just about everything, from getting stains off curtains to buying a second-hand car.

58 Eat the Seasons
www.eattheseasons.co.uk

Updated weekly, information, tips and recipe ideas on British seasonal food.

59 Age Concern
www.ageconcern.org.uk

Website of Britain's leading charity for the elderly, packed with advice about maintaining an active life.

60 Weather.com
www.weather.com

The queen of weather sites, with more information than you would possibly imagine you might need, from pollen counts to surf forecasts.

61 Uncyclopedia
uncyclopedia.org

Spoof Wikipedia-style encyclopaedia where nothing is true, but a good deal is very funny indeed. Idle away an afternoon or, even better, hone your comedy skills by making a contribution yourself.

62 Kiva
www.kiva.org

An easy way to lend small sums (from $25) to business projects in the developing world. Kiva keeps track of your investment, updates you on progress and repays your loan as the business grows.

63 Embarrassing problems
www.embarrassingproblems.co.uk

From bad breath and piles to cold sores and beyond, Dr Margaret Stearn dispenses invaluable advice.

HOUSE AND HOME

64 Noise Mapping England
www.noisemapping.org

Click on an area of the map to find out how noisy a street, or even a section of the street, is - handy for light sleepers planning a move. At the moment only London is mapped, but the rest of England will follow.

65 Prime Location
www.primelocation.com

One of the best sites for finding property. It is UK-based but has a good international presence.

66 Rated People
www.ratedpeople.com

User reviews of local tradesmen. You describe the job you need done and how quickly, and suppliers contact you with quotes - with previous customers rating them.

67 Zoopla
www.zoopla.co.uk

Possibly the most dangerous site on this list, Zoopla gives sale prices of recently sold homes and - the tricky bit - estimates the value of the rest. We dare you not to look.

68 Money Saving Expert
www.moneysavingexpert.com

Subtitled 'Consumer Revenge', this is where you find the discounts, tricks and tips to save money. The weekly email is essential reading for canny consumers. It caters only for Britain, but every country should have one.

69 MetaEfficient
www.metaefficient.com

Practical guide to making your home more environmentally friendly, from low-flow showerheads to 12V lighting. US-based, but many of the products are available elsewhere.

70 Design My Room
www.DesignMyRoom.com

For budding Laurence Llewellyn-Bowens everywhere, it provides the ability to redecorate your home in cyberspace. Choose colours, furniture, accessories and finishes and then publish the results online.

71 Up My Street
www.upmystreet.com

Neighbourhood information based on postcode: schools, shopping and, juiciest of all, how much the house down the road sold for recently.

72 Home For Exchange
www.homeforexchange.com

One of many sites where you can swap homes with someone else for a period. This is less cluttered than some of the others and has a good geographical spread.

73 SimplySwitch
www.simplyswitch.com

The fast way to compare utility suppliers and other services, from broadband to home insurance. Enter your postcode and the site comes back with the best deals.

74 101 Cookbooks

www.101cookbooks.com

Enchanting recipe and foodie blog from a Californian cook who believes in good food. Subscribe to the email alert service and transform your cooking repertoire.

SOCIAL

75 Facebook
www.facebook.com

The most grown-up (just) of the social-networking sites that are fast taking over the world. Excellent for staying in touch with far-flung friends, though pretty good too for re-establishing contact with those you hoped you had lost.

76 Wordpress
www.wordpress.com

The quickest and easiest way to create a blog of your own.

77 Ringsurf
www.ringsurf.com

Like an online Mothers' Union meeting (though sometimes a little more risqué), Ringsurf is a chatroom where people exchange ideas about anything from politics to relationships. The quality is not always high, but users have been known to discover new (real-life) friends with interests they thought no one would share. A tribute to the information-sharing capability of the net.

78 bubbl.us
www.bubbl.us

Organise your thoughts by creating mindmaps online and sharing them with others.

79 Technorati
www.technorati.com

An intelligent, intuitive and inspiring way to read entries from some of the millions of blogs that dot the internet. You can browse by subject or area of interest, read the postings that are catching the world's attention and bookmark blogs that catch your attention. And if you want to join in...

80 Flickr
www.flickr.com

The website you graduate to once you've discovered how to put your holiday snaps on the net. Here, everyone's photos are linked by using tags, such as 'Spain', 'beach' or 'happy', which sets you off on an exploration of others' uploads.

81 BabyCentre
www.babycentre.co.uk

There are plenty of great parenting forums out there - Netmums, Mumsnet - but this is still the best source of considered, authoritative, often soothing advice on everything from colic to tax credits.

82 Friction TV
www.friction.tv

YouTube for debaters. Upload a short video about an issue close to your heart and others reply in kind or by text.

SHOPPING

83 GiftGen
www.giftgen.co.uk

Gift ideas for when you can't think what to buy someone. You enter their age, sex and interests and how much you want to pay and it scours the net for ideas.

84 eBay
www.ebay.co.uk

Online shopping for (nearly) everything you might want to buy. The original auction formula is still going strong, but plenty more features have been added since it began. Take a look at non-UK sites, such as ebay.fr and ebay.de, too, for bargains others may have missed. The layout is the same even if you don't speak the language.

85 Who What Wear Daily
www.whowhatweardaily.com

Fashion tips, advice and suggestions. Includes Ask a Stylist for those tricky co-ordination problems and a What Was She Wearing? inquiry service to help you track down your favourite celebrity's fashion choice.

86 Gumtree
www.gumtree.com

Unabashedly straightforward classified ads site, for everything from new homes to online romance.

87 AbeBooks
www.abebooks.co.uk

The Amazon of the second-hand book world. More than 13,500 booksellers selling 110 million books. If it's not here, it's not worth looking for.

88 Kelkoo
www.kelkoo.co.uk

There are plenty of price-comparison sites on the web, but this one seems to get it right more often than most. Type in what you want to buy and Kelkoo will come back with the cheapest prices it can find.

89 Engadget
www.engadget.com

A (digital) finger on the pulse of the technology world. All the newest developments, discoveries, gadgets and toys - before they hit the shops.

90 Cork'd
www.corkd.com

Discover more about wine by reviewing what you've enjoyed and receiving tips and suggestions from others.

91 I Love Jeans
www.ilovejeans.com

Find the right jeans for your fit before you even leave home. A cheeky but revealing 'body type' guide takes you straight to the brand you should be trying. Search by style, body type or brand. Women only.

TRAVEL

92 Sky Scanner
www.skyscanner.net

Monitors prices and destinations for all the low-cost airlines so you just type in where you want to go and when to find the best deal.

93 The Man in Seat 61
www.seat61.com

Routes, tickets, tips and advice - the only guide you need to travelling by train from Britain to Europe and the rest of the world.

94 Walk It
www.walkit.com

Online pedestrian routefinder for London, Birmingham, Newcastle and Edinburgh that shows you the best route to walk from A to B. Includes calorie counter, CO2 savings and points of interest on the way. Other cities coming soon.

95 Transport for London Journey Planner
journeyplanner.tfl.gov.uk

Indispensable and almost always spot-on guide to negotiating the capital's public transport system. You enter your starting point and destination and it gives you the best bus, tube, cycle and even boat routes to get you across town.

96 ViaMichelin
www.viamichelin.com

A hi-tech hark-back to the days of leisurely motoring. ViaMichelin gives you maps, routes and directions throughout Britain and continental Europe with added panache. The maps have a pleasant printed quality about them and, naturally enough, your route is accompanied by gastronomic highlights to be found along the way. There's also information about destinations.

97 Carbon Neutral
www.carbonneutral.com

Information on your carbon footprint and how to cut it down. Includes an online calculator to measure your effect on the world.

98 Expedia

www.expedia.com

Excellent all-round travel site. Use it for good prices on flights and holidays, but click on 'Destinations' for some well-researched and up-to-date travel guides.

99 SeatGuru
www.seatguru.com

Aircraft seating plans, showing you the prime seats, possible annoyances and seats you should avoid.

100 Airline Meals
www.airlinemeals.net

A consumer guide to what you can expect to eat on board. There are news and features from the airline catering world, but the best part is a gallery of photos of on-board meals sent in by passengers and listed by airline.

101 World Hum
www.worldhum.com

Travel writing with a twist. Click on the destination you have in mind and be prepared to be inspired. The site also offers travelogues, news, book reviews, blogs and slideshows.


Friday, September 18, 2009

Improving website security tips


Recently this site was updated to avoid a potential security weakness. This article briefly describes the problem which was fixed, and explains some of the most common online security problems.

Introduction
This article was inspired by recent comments from dkg about a potential security hole present in the code behind this website.

The hole described was new to me and I think it is worth sharing in the interests of full disclosure, credit to Daniel Gillmor, and hopefully the securing of more sites.

XSS
Many web developers (although not all!) are familiar with Cross Site Scripting attacks, often known as XSS, which are usually the result of not filtering input to applications.
A standard example would be a message board, or forum, which allowed users to log in and post messages which would be displayed literally - so a malicious user could create a message reading:


This would then result in an alert being displayed to subsequent visitors who viewed the message, if they had javascript enabled.
The root cause of these security issues is trust. The implementor of the forum or message board trusted the user's input and didn't sanitize it appropriately.
XSS attacks exploit that weakness to steal cookies, etc.
(Once upon a time I wrote a simple online XSS demonstration/explanation, which might make this abstract discussion more interesting or obvious.)
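As an added example (not code from the original article or its site), the following Python shows the difference between a message renderer that trusts the user's input and one that escapes it before placing it in the page. The message bodies are constructed samples; the renderers and the helper check are hypothetical names chosen for this illustration.

```python
import html

# Constructed sample messages, as a forum user might post them (illustrative only).
MESSAGES = [
    "Hello, nice forum!",
    "<script>alert(1)</script>",
    'Click <a href="http://example.invalid">here</a>',
]


def render_message_unsafe(body: str) -> str:
    # Trusts the user's input and inserts it into the page literally:
    # any markup in the body becomes part of the page sent to other visitors.
    return f'<div class="message">{body}</div>'


def render_message_safe(body: str) -> str:
    # Escapes <, >, &, " and ' so the browser treats the body as text, not markup.
    # This is the right escaping for an HTML text node; attribute, URL and
    # script contexts each need their own escaping rules.
    return f'<div class="message">{html.escape(body, quote=True)}</div>'


def contains_active_markup(rendered: str) -> bool:
    # Crude check used only to illustrate the difference between the renderers:
    # does the rendered fragment still carry a live <script> or <a> tag?
    lowered = rendered.lower()
    return "<script" in lowered or "<a " in lowered


def render_thread(messages, safe: bool = True) -> str:
    # Renders a whole thread with the chosen renderer.
    render = render_message_safe if safe else render_message_unsafe
    return "\n".join(render(m) for m in messages)


if __name__ == "__main__":
    print(render_thread(MESSAGES, safe=False))
    print(render_thread(MESSAGES, safe=True))
```

The escaped version still shows the visitor exactly what the poster typed; it just stops the browser from interpreting it. Escaping at output time, in the context the data lands in, is what the "sanitize appropriately" of the article amounts to in practice.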


SQL Injection
SQL injection is a problem specific to database-driven websites, especially those written in a hurry without the use of the appropriate language features.
Essentially SQL injections arise because input is passed directly to a database query without being escaped, or processed, correctly.
This is virtually identical to the XSS attack described above, just at a different level: the remote database rather than the local client browser.
Thankfully most programming languages and libraries which have database support offer "binding" and other mechanisms which should make these issues trivial to prevent. The sad fact is that many programmers don't use them.
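To show what "binding" buys you, here is an added example (not from the original article) using Python's standard sqlite3 module against an in-memory table with constructed rows. The first lookup pastes the input into the query text; the second passes it as a bound parameter, so the database never parses the value as SQL. The function names and sample data are assumptions for this illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory database holding a few constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str):
    # The input becomes part of the SQL text, so a quote in the input
    # changes the structure of the query rather than just its value.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str):
    # The value is bound to the ? placeholder and sent separately from the
    # SQL text; whatever it contains, it is only ever compared as a string.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A name containing a quote: the unsafe query's WHERE clause changes
    # meaning, while the bound query simply finds no such user.
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))
    print("bound: ", lookup_bound(db, probe))
```

The bound version needs no escaping code of its own, which is why the article calls these issues trivial to prevent: the database driver keeps data and query structure apart for you.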


CSRF
"Cross-Site Request Forgery" is the new name for a new problem, or one new to me at least.
The root cause of CSRF attacks is also trust: the trust a user places in a website. This trust is exhibited by the fact that the user never, or only rarely, logs out.
In a typical scenario the communications between a webserver and a client browser look like this:
1. The client makes a request to the server.
2. The server responds.
3. The client displays/uses the response.
For example to create a new weblog entry the user would browse to this site, click upon the "add entry" link in the sidebar and submit the resulting form.
Now consider what happens if a malicious external site were to copy the "add weblog entry" form and host it upon their site.
They could change the wording, hide the fields, etc. But ultimately there is nothing stopping them from hosting a modified version of the form - and serving it to users.
This is where the cross-site issue comes into play. If that remote site can coerce, persuade, or trick a user logged into this site to submit the form then the request will be processed by this site using their cached credentials.
Because they trust this site, and have remained logged in, the submission would be processed and the unsuspecting user would have a new weblog entry posted which they didn't explicitly write, or expect. For example "I like cheese."
Step by step the attack works like this:
1. The external site copies a form from this one.
2. The external site persuades/cajoles/tricks a user who remains logged in here into visiting their site and submitting the form, perhaps via javascript magic.
3. The server here receives the form submission and processes it, because it doesn't realise the form came from a malicious remote source, and because the user was logged in any authentication tests succeed.
4. The user now arrives at this site with new content posted in their name.
The solution to this problem is potentially invasive but conceptually simple. Rather than serving forms to clients and then processing them without regard to the submission source, each form includes a "session token".
When a form is submitted this token is examined; if it matches the token which was sent with the form the processing occurs, and if it doesn't an alert is raised.
This utterly prevents the attack because it means that the malicious remote server cannot serve a valid form - it can't predict the secret form session token, so the submission will always fail.
(There are simpler solutions involving the use of the HTTP Referer (sic) header, but these are unreliable as this information might be forged or not present.)
It is worth noting that many sites fail to verify the submission of forms in this manner, so they are potentially at risk of malicious (ab)use of their forms.
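The token check described above, and applied to this site's forms in the "Site Changes" section later in the article, works out as follows in an added Python example (not the site's own code). The in-memory session store, the "add entry" form and the handler are assumptions for this illustration; a real site would keep the tokens server side alongside its sessions.

```python
import hmac
import secrets


class SessionStore:
    """Constructed in-memory store mapping a login session to its form token."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, session_id: str) -> str:
        # One unpredictable token per login session, generated server side.
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def token_for(self, session_id: str):
        return self._tokens.get(session_id)


def render_add_entry_form(store: SessionStore, session_id: str) -> str:
    # The token is embedded as a hidden field. A copy of this form hosted
    # elsewhere cannot carry it, because only this server knows the value.
    token = store.token_for(session_id) or store.issue_token(session_id)
    return (
        '<form method="post" action="/add-entry">'
        f'<input type="hidden" name="token" value="{token}">'
        '<textarea name="body"></textarea>'
        '<input type="submit" value="Add entry">'
        "</form>"
    )


def process_submission(store: SessionStore, session_id: str, fields: dict):
    # Authentication (the session cookie) is not enough: the submission must
    # also carry the token issued to this session, compared in constant time.
    expected = store.token_for(session_id)
    submitted = fields.get("token", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return ("rejected", None)  # the "alert" of the article: do not post
    return ("posted", fields.get("body", ""))


if __name__ == "__main__":
    store = SessionStore()
    form = render_add_entry_form(store, "session-1")
    token = store.token_for("session-1")
    # Genuine submission from the served form.
    print(process_submission(store, "session-1", {"token": token, "body": "Hello"}))
    # Submission from a copied form that lacks the token.
    print(process_submission(store, "session-1", {"body": "I like cheese."}))
```

Note that the check is per session, not per user: the remote site may well know who is logged in, but it still cannot produce the token. Using a constant-time comparison avoids leaking the token byte by byte through timing, a small detail that costs nothing to get right.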


Site Changes
With this discussion in mind I will now describe three changes I've made to this site:


Cookie Safety
Microsoft's Internet Explorer supports an extension to cookies called "httponly". The intention of this support is that the cookies served by a site will be marked as unavailable for scripting use.
This means that if there were an XSS attack available in this site then users of that browser wouldn't be vulnerable to cookie/session theft.
A bug was filed against Mozilla, but progress appears to have stalled (#178993).
I'm unaware of any XSS attacks lurking in the current codebase, so this is a small paranoia addition rather than a significant change.
(IE comprises about 9% of visitors to this site, certainly not the majority. However the change involved is sufficiently minimal that it is worth doing just to mitigate any future attacks.)


Session Safety
On a similar front it is now possible to choose a "secure" login when you visit this site. This actually ties your login session to your IP address.
Again this offers no increased security in the normal course of events, but if there were ever to be a security issue which resulted in a cookie or session theft due to XSS, or similar, then you would be protected if you chose this option.
There is a brief guide to this facility linked to from the login form.
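The two session changes above (HttpOnly cookies, and the optional "secure" login that binds a session to the client's IP address) as an added example, not this site's own code: the in-memory session store, the header builder and the 203.0.113.x addresses are constructed for illustration.

```python
import secrets

# In-memory session store, constructed for this example (a real site would persist it).
SESSIONS = {}

def set_cookie_header(name, value):
    """Build a Set-Cookie header that marks the cookie HttpOnly, so page scripts
    (and therefore any XSS payload running in the page) cannot read it.
    'Secure' is left out because the site described above has no SSL certificate."""
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly"

def login(user, client_ip, secure_login=False):
    """Create a session. With the 'secure' login option the session is bound to
    the client's IP address and is only usable from that address."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "ip": client_ip if secure_login else None}
    return session_id, set_cookie_header("session", session_id)

def lookup_session(session_id, client_ip):
    """Return the user for a valid session, or None.
    A stolen IP-bound cookie presented from another address fails here even
    though the cookie value itself is genuine."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if session["ip"] is not None and session["ip"] != client_ip:
        return None          # bound session used from the wrong address
    return session["user"]
```

The IP binding is opt-in for a reason: users behind rotating proxies or mobile carriers will be logged out whenever their address changes.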


Cross-Site Request Forgery Protection
This change is the most significant and is the one which caused me the most pain - as discussed above there is a potential weakness in the handling of many form submissions in online applications.
In the case of this current codebase I now insert a "session token" in each significant form, which will prevent the processing of rogue submissions rather than end-user page views.
This is a significant change, which appears to be working nicely, but as I'm all too aware there may be bugs. If you find them please do report them, either via mail or a site message.
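The session-token scheme described in the solution above, and applied to this site's forms in the change just mentioned, as an added example that is not the site's own code: the per-session secret, the derivation of one token per form name with an HMAC, and the field name "session_token" are my choices, not details from the post.

```python
import hmac
import hashlib
import secrets
from html import escape

# Server-side store of per-session secrets (constructed for this example).
SESSION_SECRETS = {}

def new_session():
    """Start a login session and give it its own random token secret."""
    session_id = secrets.token_hex(16)
    SESSION_SECRETS[session_id] = secrets.token_bytes(32)
    return session_id

def form_token(session_id, form_name):
    """Derive the token for one form: HMAC of the form name under the session secret.
    A remote server never sees the secret, so it cannot produce a matching token."""
    key = SESSION_SECRETS[session_id]
    return hmac.new(key, form_name.encode(), hashlib.sha256).hexdigest()

def render_form(session_id, form_name, action):
    """Serve the form with the token embedded as a hidden field."""
    token = form_token(session_id, form_name)
    return (f'<form method="post" action="{escape(action)}">\n'
            f'  <input type="hidden" name="session_token" value="{token}">\n'
            f'  <textarea name="body"></textarea>\n'
            f'  <input type="submit" value="Post">\n'
            f'</form>')

def process_submission(session_id, form_name, fields):
    """Process a POST only when its token matches the one served for this session
    and form; otherwise raise an alert. Returns (accepted, message)."""
    submitted = fields.get("session_token", "")
    expected = form_token(session_id, form_name)
    # Constant-time comparison; a missing or wrong-length token also fails.
    if not hmac.compare_digest(submitted, expected):
        return False, "alert: form token missing or mismatched"
    return True, f"posted {len(fields.get('body', ''))} bytes as this user"
```

A form copied onto a malicious site arrives with no token, a stale one, or one derived for a different session, and every such case is refused before any content is posted.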
I hope that was interesting reading both for regular visitors to this site, and for any potential web-application programmers.
If you'd like to disclose any security issues relating to this site I'm always prepared to listen and work with you. If you'd like to donate an SSL certificate for real secure logins that'd be a nice surprise too ;)

Embed a captcha system on any form on any website


Free captcha service
We're trying to run this for free, and pay for the hosting & bandwidth fees, etc. based on traffic to the home page and faq page (on which we will sell ppc ads), and also any custom orders or high-security level requests.

What do I paste in?
When you generate the code, you'll get some javascript, some input boxes, an image and a submit button. You need to paste ALL these form elements into your web form. You can put the image wherever you want. You can keep your old submit button and just put our onclick in it.

Clean, Fast & Secure
Captcha.cc's service makes it extremely simple to place very hard captcha images in front of a form submission. These images are easy for humans to read, but very hard for computers to read. This cuts down on spam for blog comments, contact form submissions and much more.

Smart Options
Our system allows you to paste a "code-free" javascript-driven "faux captcha" on your site, or a "javascript-free" version, that uses a lightweight validator that can be dropped in to your CGI, Perl, ASP, PHP or (any other) code. Or you can use both, allowing the convenience of an AJAX validated captcha with the security of server authentication.

Reliable
We run multiple servers, each one takes over function when the other is down.

Simple Code
Our system uses a method of validation that doesn't require "callbacks" or any other cumbersome, slow methods that our competitors require. Captcha.cc is the easiest system to implement, while offering a high level of security.

Other Captchas Are Too Easy
We offer a service to test whether a captcha is too easy. Tell us the URL of a captcha, and I'll develop a simple program for "cracking it". Many times the solution relies on insecure key generation or parameter passing - not just advanced OCR. Approximately 90% of the captchas we encounter are easily cracked. Want to know if yours is secure? Ask us to crack it!

Can't someone just be paid to crack yours?
Sure. It would be easy enough to hire someone in a poor country for a penny a captcha. This would circumvent just about anything, and would be affordable for many spammers. That's why we do bot filtering and we can do a lot more if needed. If you're still getting spam, email us and I'll analyze it and develop a solution for free or as cheap as we can.

Simple Offline Validation
You can't build a captcha that's in any way secure without some server validation. Fortunately we've done just that. Simply hash the submitted text with your private keyphrase and compare it to the "cap_h" variable. You can do something like if (!$ok) die "Bad captcha", depending on your script. Remember, at this point, it's either a person who passed, or a bot - since the javascript will have already validated a real person. All the validation is done offline, so you don't have to worry about connecting to our service or writing complex API code.

Free online website builder - build a website

Build your new website online!

Advanced Online Drag & Drop website builder with hosting
FREE ONLINE SITE BUILDER - NO Personal or credit card info needed

Handzon Online website builder is PERFECT FOR: Personal websites, Business websites, eCommerce websites (Paypal websites, eBay websites), Non-profit websites.

Included with Handzon website builder

* - FREE Website builder
* - Unlimited access to the Online Website builder- Build a website 24/7
* - Live Editor, EASY website builder drag and drop editing* NO HTML
* - Unlimited number of web pages for the premium package
* - Website hosting included with every website building account
* - Free Website Templates
* - Live Edit Site Map
* - Paypal is integrated into the website application for ecommerce packages
* - Easy Product Editing when you build a web site for ecommerce packages
* - Meta Tag Generator for better search engine placement
* - Community Image Library - professional royalty free stock images for your web site
* - Dynamic Form Builder
* - Website Training Video Tutorials* on how to build a website online
* - Online web site builder training tutorial
* - Email/LIVE Chat Web site building support
* - Completely web-based (web site builder runs completely online)

Included with Handzon website builder

FREE Website builder
The handzon website builder is FREE without any credit card info or personal data needed. Use the website application to build a website without any strings attached!

Unlimited access to the Online Website builder- Build a website 24/7
Create a website and update your web site 24 hours a day. Retrieve customer orders and authorize credit card payments from anywhere worldwide 24/7.
 

Web Tips Copyright © 2009 WoodMag is Designed by Ipietoon for Free Blogger Template