Enjoy ur trip to Technology

Packet FLow Diagrams

2010-04-09T17:38:00.000+05:30

Diagram2:

Setup DNS Server

2010-03-24T13:18:00.000+05:30

How to set up a home DNS server

by Shannon Hughes

Domain Name System

The Domain Name System (DNS) is the crucial glue that keeps computer networks in harmony by converting human-friendly hostnames to the numerical IP addresses computers require to communicate with each other. DNS is one of the largest and most important distributed databases the world depends on by serving billions of DNS requests daily for public IP addresses. Most public DNS servers today are run by larger ISPs and commercial companies but private DNS servers can also be useful for private home networks. This article will explore some advantages of setting up various types of DNS servers in the home network.

Click here to read more

Don't click here

Setup Home Web Server

2010-03-24T13:15:00.001+05:30

How to set up a home web server

by Jeff "Crash" Goldin

It seems like everybody's blogging and sharing digital photos online. This booming hobby (and business) sends many people to paid hosting companies to share their thoughts and images. Though many companies are reliable and inexpensive, with a little work and some relatively cheap hardware you can host your own files, save some money, and have complete control over what services are available and how your content is displayed.
Click here to read more....

Dont Touch Me

Joomla (Content Manager)

2010-02-27T23:44:00.001+05:30

What is Joomla?

Joomla is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla the most popular Web site software available. Best of all, Joomla is an open source solution that is freely available to everyone.

What's a content management system (CMS)?

A content management system is software that keeps track of every piece of content on your Web site, much like your local public library keeps track of books and stores them. Content can be simple text, photos, music, video, documents, or just about anything you can think of. A major advantage of using a CMS is that it requires almost no technical skill or knowledge to manage. Since the CMS manages all your content, you don't have to.

What are some real world examples of what Joomla! can do?

Joomla is used all over the world to power Web sites of all shapes and sizes. For example:

Corporate Web sites or portals
Corporate intranets and extranets
Online magazines, newspapers, and publications
E-commerce and online reservations
Government applications
Small business Web sites
Non-profit and organizational Web sites
Community-based portals
School and church Web sites
Personal or family homepages

Django

2010-02-27T23:42:00.001+05:30

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Developed four years ago by a fast-moving online-news operation, Django was designed to handle two challenges: the intensive deadlines of a newsroom and the stringent requirements of the experienced Web developers who wrote it. It lets you build high-performing, elegant Web applications quickly.

Credit Card Validation

2009-11-26T16:45:00.000+05:30

"""
    Provides functions & Fields for validating credit card numbers
    Thanks to David Shaw for the Luhn Checksum code 
    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/172845)
"""

import re        
from django import newforms as forms

import datetime
        
def ValidateLuhnChecksum(number_as_string):
    """ checks to make sure that the card passes a luhn mod-10 checksum """

    sum = 0

    num_digits = len(number_as_string)
    oddeven = num_digits & 1

    for i in range(0, num_digits):
        digit = int(number_as_string[i])

        if not (( i & 1 ) ^ oddeven ):

            digit = digit * 2
        if digit > 9:

            digit = digit - 9

        sum = sum + digit

        
    return ( (sum % 10) == 0 )

# Regex for valid card numbers
CC_PATTERNS = {
    'mastercard':   '^5[12345]([0-9]{14})$',
    'visa':         '^4([0-9]{12,15})$',

}

def ValidateCharacters(number):
    """ Checks to make sure string only contains valid characters """
    return re.compile('^[0-9 ]*$').match(number) != None

        
def StripToNumbers(number):
    """ remove spaces from the number """
    if ValidateCharacters(number):

        result = ''
        rx = re.compile('^[0-9]$')

        for d in number:
            if rx.match(d):

                result += d
        return result
    else:
        raise Exception('Number has invalid digits')

def ValidateDigits(type, number):
    """ Checks to make sure that the Digits match the CC pattern """
    regex = CC_PATTERNS.get(type.lower(), False)

    if regex:
        return re.compile(regex).match(number) != None

    else:
        return False

def ValidateCreditCard(type, number):

    """ Check that a credit card number matches the type and validates the Luhn Checksum """
    type = type.strip().lower()
    if ValidateCharacters(number):

        number = StripToNumbers(number)
        if CC_PATTERNS.has_key(type):

            return ValidateDigits(type, number)
            return ValidateLuhnChecksum(number)

    return False

class CreditCardNumberField(forms.CharField):
    """ A newforms widget for a creditcard number """

    def clean(self, value):
        
        value = forms.CharField.clean(self, value)

        if not ValidateCharacters(value):
            raise forms.ValidationError('Can only contain numbers and spaces.')

        value = StripToNumbers(value)
        if not ValidateLuhnChecksum(value):

            raise forms.ValidationError('Not a valid credit card number.')
        
        return value


class CreditCardExpiryField(forms.CharField):
    """ A newforms widget for a creditcard expiry date """
    def clean(self, value):     
        value = forms.CharField.clean(self, value.strip())

        
        # Just check MM/YY Pattern
        r = re.compile('^([0-9][0-9])/([0-9][0-9])$')
        m = r.match(value)

        if m == None:
            raise forms.ValidationError('Must be in the format MM/YY. i.e. "11/10" for Nov 2010.')

        
        # Check that the month is 1-12
        month = int(m.groups()[0])

        if month < 1 or month > 12:
            raise forms.ValidationError('Month must be in the range 1 - 12.')

        
        # Check that the year is not too far into the future
        year = int(m.groups()[1])

        curr_year = datetime.datetime.now().year % 100

        max_year = curr_year + 10
        if year > max_year or year < curr_year:

            raise forms.ValidationError('Year must be in the range %s - %s.' % (str(curr_year).zfill(2), str(max_year).zfill(2),))

        return value   

# An example Form based on ModelForm.
class PaymentForm(forms.ModelForm):    
    cc_number = creditcards.CreditCardNumberField(required=False)

    cc_expiry = creditcards.CreditCardExpiryField()
   
    class Meta:
        model = Payment 
    
    """

        This function checks that the card number matches the card type.  
        If you don't want to do this, comment out this function.
    """
    def clean(self):

        if self.cleaned_data:
            if len(self.cleaned_data.items()) == len(self.fields):      
                if self.cleaned_data['method'] == 'cc':

                    the_type = self.cleaned_data.get('cc_type', '')

                    number = self.cleaned_data.get('cc_number', '')

                    if not ValidateDigits(the_type, number):
                        raise forms.ValidationError('Card Number is not a valid ' + the_type.upper() + ' card number.')

                    if not self.instance.is_payment_valid():
                        raise forms.ValidationError('Credit card payment could not be processed.  Reason is %s.  Check that card details are correct and try again.  If you still receive this error, check with your financial institution.' % (self.instance.gateway_resptxt))

        return self.cleaned_data

Snort

2009-11-03T17:18:00.001+05:30

Snort is a versatile, lightweight and very useful intrusion detection system. In this article we will look at Snort as a backup Intrusion Detection System for your enterprise network and see whether it can really scale up to the requirements of your enterprise networks.

Our failure establishes only this,
that our determination to succeed
wasn't strong enough.
--Bovee

The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by the author Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. Snort uses a flexible rules language to describe traffic that it should collect or pass, and includes a detection engine utilizing a modular plug-in architecture. Snort has real-time alerting capability as well, incorporating alerting mechanisms for Syslog, user- specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump or as a packet logger that is useful for network traffic debugging. It can also be used as a full blown network intrusion detection system.
Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host.
Plug-ins allow the detection and reporting subsystems to be extended. Available plug-ins include database logging, small fragment detection, portscan detection, and HTTP URI normalization.

The ground that we will be covering with respect to Snort will be
- Snort as a straight packet sniffer like tcpdump.
- Snort as a packet logger. Useful for network traffic debugging etc.
- Snort as a full blown network intrusion detection system.

Compiling and installing Snort
Having downloaded Snort, untar the archive with the following command.
bash# tar -xvzf snort-1.6.3.tar.gz

This should do the trick and get it untarred into a directory snort-1.6.3. Having done this, next on the cards is a dependency check for various libraries and header files that Snort needs. You'll need to ensure that you have the sources for libcap. If not, you can download it from ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
Download the libcap headers and untar the archive using the tar command with the similar switches as mentioned above. Enter the directory and carry out the following steps.
bash# ./configure
bash# make
Though we do not need any of the binaries, this is just a precautionary measure. Now, we'll compile Snort. Change into the directory in which Snort lies and issue the following command.
bash# ./configure --with-libpcap-includes=/path/to/your/libcap/headers
bash# make
bash# make install
Using
Now Snort is installed on your system. Let's start using Snort on your system. We'll start with the basics of using Snort as a Packet Sniffer and a Packet Analyser. Apart from running in a promiscuous mode, we will also discover rules that will help us log alerts to our Snort logs or redirect them to syslog.
Using Snort as a packet sniffer and packet analyzer is a pretty simple process. The man pages are very helpful as far as information regarding using Snort is concerned. Let's basically start with a simple command that makes Snort display all the command switches and then exit.
bash# snort -?

The output of the command is as follows.
-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch@clark.net, www.snort.org)
USAGE: snort [-options]
Options:
-A Set alert mode: fast, full, or none (alert file alerts only)
'unsock' enables UNIX socket logging (experimental).
-a Display ARP packets
-b Log packets in tcpdump format (much faster!)
-c Use Rules File
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-F Read BPF filters from file
-g Run snort gid as 'gname' user or uid after initialization
-h Home network =
-i Listen on interface
-l Log to directory
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-o Change the rule testing order to Pass|Alert|Log
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-r Read and process tcpdump file
-s Log alert messages to syslog
-S Set rules file variable n equal to value v
-t Chroots process to after initialisaton
-u Run snort uid as 'uname' user (or uid) after initialization
-v Be verbose
-V Show version number
-? Show this information
are standard BPF options, as seen in TCPDump
Let's check out the next command wherein we set Snort to a verbose display of the packets sniffed and analyzed. The '-v' switch elicits a verbose response to Stdout. The '-d' switch elicits dumping the decoded application layer data and while '-e' shows the decoded ethernet headers. The '-i' switch specifies the interface to be monitored for packet analysis. The '-h' switch specifies which class of network packets has to be captured. e.g. - The command given below captures all the packets belonging to the class C internal IP's of the type 192.168.1.*.
freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24

If we wanted to generate alerts, the '-A' switch is of importance to us.
-A - Alert using the specified alert-mode. Valid alert modes include 'fast', 'full', 'none', and 'unsock'. Fast, writes alerts to the default 'alert' file in a single-line, syslog style alert message. Full, writes the alert to the 'alert' file with the full decoded header as well as the alert message. The command will then change to the following.
freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -A fast

Instead, if you wanted to send alert messages to the syslog daemon, you could use the '-s' switch instead.
-s - Send alert messages to Syslog. On Linux boxes, they will appear in /var/log/secure or /var/log/messages on many other platforms.
freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -s
Until now we haven't seen any actual logging taking place. All the packets sniffed and analyzed were just dumped to your screen. To have Snort dump the packets sniffed and analyzed to your logs, you will use the "-l" switch. That dumps all the data, regarding the packets analysed, to the directory log in the current path. You will have to create this directory. Do not expect Snort to create it at runtime.
freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -A full -l ./log
But, there is an inherent drawback to this type of packet analysis and reporting. One of the foremost problems that may be encountered can be visualized as follows. Assuming that you are using Snort on your Gigabit ethernet. The speed at which data will be flowing across the network is too much for your NIC working in promiscous mode. Many packets will be dumped because it may not be possible to keep up the pace of analyzing the large amount of high speed data transfers across your network segment. Thus, instead if using the "-l" switch you should use the "-b" switch. This will log packets in tcpdump format and produce minimal alerts. For example:
freeos:~ # snort -b -i eth0 -A fast -h 192.168.1.0/24 -s -l ./log
In this configuration, Snort has been able to log multiple simultaneous probes and attacks on a 100 Mbps LAN running at a saturation level of approximately 80 Mbps. In this configuration the logs are written in binary format to log in tcpdump format. To read this file back and break out the data in the familiar Snort format, just re-run Snort on the data file with the "-r" option and the other options you would normally use.

freeos:~ # snort -i eth0 -l ./log -h 192.168.1.0/24 -A fast -r ./log/snort-123@1016.log
This command deciphers the tcpdump-formatted log file ./log/snort-0123@1016.log and dumps the output in the normal Snort log format in the ./log directory.

This kind of packet sniffing and analysis causes Snort to log all the packets on your network segment. But what if you wanted to log only certain type of packets. Yes, of course, there is a way out. Snort allows you to define your own rules for packet analysis. Use the '-c' command switch for this.
freeos:~ # snort -b -i eth0 -A fast -h 192.168.1.0/24 -s -l ./log -c ./rules.snort
For various rulesets that could be used along with Snort, take a look at http://www.snort.org/snort_rules.html.
Here ends our look at Snort. Following up will be another article that will help you ascertain the dangers that your system logs are prone to and the security measures you can put into place to prevent tampering of your precious system logs in case of a security breach.

Don't let life discourage you;
Everyone who got where he is
had to begin where he was.
-Richard L Evans

tmpwatch - removes files which haven't been accessed for a period of time

2009-11-03T15:50:00.000+05:30

tmpwatch recursively removes files which haven't been accessed for a given number of hours. Normally, it's used to clean up directories which are used for temporary holding space such as /tmp.
When changing directories, tmpwatch is very sensitive to possible race conditions and will exit with an error if one is detected. It does not follow symbolic links in the directories it's cleaning (even if a symbolic link is given as its argument), will not switch filesystems,
and only removes empty directories and regular files.
By default, tmpwatch dates files by their atime (access time), not their mtime (modification time). If files aren't being removed when ls -l implies they should be, use ls -u to examine their atime to see if that explains the problem.
If the --atime, --ctime or --mtime options are used in combination, the decision about deleting a file will be based on the maximum of this times.
The hours parameter defines the threshold for removing files. If the file has not been accessed for hours hours, the file is removed. Following this, one or more directories may be given for tmpwatch to clean up.

OPTIONS

-u, --atime: Make the decision about deleting a file based on the file's atime (access time). This is the default.
-m, --mtime: Make the decision about deleting a file based on the file's mtime (modification time) instead of the atime.
-c, --ctime: Make the decision about deleting a file based on the file's ctime (inode change time) instead of the atime; for directories, make the decision based on the mtime.
-a, --all: Remove all file types, not just regular files and directories.
-d, --nodirs: Do not attempt to remove directories, even if they are empty.
-f, --force: Remove files even if root doesn't have write access (akin to rm -f).
-t, --test: Doesn't remove files, but goes through the motions of removing them. This implies -v.
-s, --fuser: Attempt to use the "fuser" command to see if a file is already open before removing it. Not enabled by default. Does help in some circumstances, but not all. Dependent on fuser being installed in /sbin.
-v, --verbose: Print a verbose display. Two levels of verboseness are available -- use this option twice to get the most verbose output.

Send an HTML email with embedded image and plain text alternate

2009-10-24T11:43:00.001+05:30

Recipe 473810: Send an HTML email with embedded image and plain text alternate

HTML is the method of choice for those wishing to send emails with rich text, layout and graphics. Often it is desirable to embed the graphics within the message so recipients can display the message directly, without further downloads.

Some mail agents don't support HTML or their users prefer to receive plain text messages. Senders of HTML messages should include a plain text message as an alternate for these users.

This recipe sends a short HTML message with a single embedded image and an alternate plain text message.

Python

# Send an HTML email with an embedded image and a plain text message for
# email clients that don't want to display the HTML.

from email.MIMEMultipart import MIMEMultipart

from email.MIMEText import MIMEText
from email.MIMEImage import MIMEImage

# Define these once; use them twice!
strFrom = 'from@example.com'
strTo = 'to@example.com'

# Create the root message and fill in the from, to, and subject headers

msgRoot = MIMEMultipart('related')
msgRoot['Subject'] = 'test message'

msgRoot['From'] = strFrom
msgRoot['To'] = strTo

msgRoot.preamble = 'This is a multi-part message in MIME format.'

# Encapsulate the plain and HTML versions of the message body in an
# 'alternative' part, so message agents can decide which they want to display.
msgAlternative = MIMEMultipart('alternative')

msgRoot.attach(msgAlternative)

msgText = MIMEText('This is the alternative plain text message.')

msgAlternative.attach(msgText)

# We reference the image in the IMG SRC attribute by the ID we give it below
msgText = MIMEText('<b>Some <i>HTML</i> text</b> and an image.<br><img src="cid:image1"><br>Nifty!', 'html')

msgAlternative.attach(msgText)

# This example assumes the image is in the current directory
fp = open('test.jpg', 'rb')

msgImage = MIMEImage(fp.read())
fp.close()

# Define the image's ID as referenced above
msgImage.add_header('Content-ID', '<image1>')
msgRoot.attach(msgImage)

# Send the email (this example assumes SMTP authentication is required)
import smtplib
smtp = smtplib.SMTP()
smtp.connect('smtp.example.com')

smtp.login('exampleuser', 'examplepass')
smtp.sendmail(strFrom, strTo, msgRoot.as_string())

smtp.quit()

Discussion

While the practice of embedding images within the message provides a better experience for many users than linking to web-hosted images does it is important to consider the impact this has on message size and consequently on message download time.

An alternative implementation for sending HTML messages is provided in this recipe http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/67083, though it doesn't address embedding images and was written before the email package was incorporated into Python. The email package and its MIME-handling capabilities significantly reduce the amount of code required.

CAPTCHA: "Completely Automated Public Turing test to Tell Computers and Humans Apart"

2009-10-08T12:33:00.001+05:30

CAPTCHA: Telling Humans and Computers Apart Automatically

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text as the one shown below, but current computer programs can't:

The term CAPTCHA (for Completely Automated Public Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University.

Get a Free CAPTCHA For Your Site

A free, secure and accessible CAPTCHA implementation is available from the reCAPTCHA project. Easy to install plugins and controls are available for WordPress, MediaWiki, PHP, ASP.NET, Perl, Python, Java, and many other environments. reCAPTCHA also comes with an audio test to ensure that blind users can freely navigate your site. reCAPTCHA is our officially recommended CAPTCHA implementation.

Test Drive a CAPTCHA

reCAPTCHA. Stop spam and help digitize books at the same time! The words shown come directly from old books that are being digitized.
SQUIGL-PIX. Our newest CAPTCHA!
ESP-PIX. A CAPTCHA script that's close to our hearts. Instead of typing letters, you authenticate yourself as a human by recognizing what object is common in a set of images. This was the first example of a CAPTCHA based on image recognition.

Below is an example for Embedding a sample Captcha in a CGi FIle.

#!/usr/bin/env python

######### don't change the following three lines: ###########
import cgi
import cgitb;cgitb.enable()
import time
from recaptcha.client import captcha

publickey = "<publickey>"
privatekey = "<privatekey>"

print "Content-Type: text/html\n\n"
print '''
<html>
<head>
<title>NO BOTS</title>
</head>
<body>
<form action="<ur cgi validator>" method="post">
<h2>Prove you are not a BOT</h2>
<script type="text/javascript" src="http://api.recaptcha.net/challenge?k=''' + publickey + '''"></script>
<noscript>
<iframe src="http://api.recaptcha.net/noscript?k=''' + publickey + '''" height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field" value="manual_challenge">
</noscript>
<input type = "submit" value = "Go">
</form>
</body>
</html>
'''

Below is an example for validating a Captcha in a CGi FIle.

#!/usr/bin/env python

######### don't change the following three lines: ###########
import cgi
import cgitb;cgitb.enable()
import time
from recaptcha.client import captcha

publickey = "<publickey>"
privatekey = "<privatekey>"

print "Content-Type: text/html\n\n"
form = cgi.FieldStorage()

response = captcha.submit(
        form.getvalue("recaptcha_challenge_field"),
        form.getvalue('recaptcha_response_field'),
        privatekey,
        "192.168.20.68",
        )

if not response.is_valid:
        print '''
        <html>
                <head>
                        <title>U BOTS</title>
                </head>
                <body>
                        <form action="<cgi captcha validator>" method="post">
                        <h2>YOU ARE A BOT!!!!!!!!!!!!!!</h2>
                        <h3>Else Try Again</h3>
                        <script type="text/javascript" src="http://api.recaptcha.net/challenge?k=''' + publickey + '''"></script>
                        <noscript>
                                <iframe src="http://api.recaptcha.net/noscript?k=''' + publickey + '''" height="300" width="500" frameborder="0"></iframe><br>
                                <textarea name="recaptcha_challenge_field" rows="3" cols="40">
                                </textarea>
                                <input type="hidden" name="recaptcha_response_field" value="manual_challenge">
                        </noscript>
                        <input type = "submit" value = "Go">
                        </form>
                </body>
        </html>
        '''
else:
        print '''
        <html>
                <head>
                        <title>Hurray ur not a BOT </title>
                </head>
                <body>
                        <form action="<cgi captcha validator>" method="post">
                        <h2>Hurray!!!!!!!!!!!!!!<br> :) you are A Human ;-)</h2>
                        <h3>You can Try Again Human</h3>
                        <script type="text/javascript" src="http://api.recaptcha.net/challenge?k=''' + publickey + '''"></script>
                        <noscript>
                                <iframe src="http://api.recaptcha.net/noscript?k=''' + publickey + '''" height="300" width="500" frameborder="0"></iframe><br>
                                <textarea name="recaptcha_challenge_field" rows="3" cols="40">
                                </textarea>
                                <input type="hidden" name="recaptcha_response_field" value="manual_challenge">
                        </noscript>
                        <input type = "submit" value = "Go">
                        </form>
                </body>
        </html>
        '''

Introduction to Public-Key Cryptography

2009-08-20T16:26:00.011+05:30

Introduction to Public-Key Cryptography

Public-key cryptography and related standards and techniques underlie security features of many Netscape products, including signed and encrypted email, form signing, object signing, single sign-on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public-key cryptography

Internet Security Issues

Encryption and Decryption

Digital Signatures

Certificates and Authentication

Managing Certificates

Internet Security Issues All communication over the Internet uses the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP allows information to be sent from one computer to another through a variety of intermediate computers and separate networks before it reaches its destination. The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for a third party to interfere with communications in the following ways:

Eavesdropping. Information remains intact, but its privacy is compromised. For example, someone could learn your credit card number, record a sensitive conversation, or intercept classified information.

Tampering. Information in transit is changed or replaced and then sent on to the recipient. For example, someone could alter an order for goods or change a person's resume.

Impersonation. Information passes to a person who poses as the intended recipient. Impersonation can take two forms:

Spoofing. A person can pretend to be someone else. For example, a person can pretend to have the email address

jdoe@mozilla.com

, or a computer can identify itself as a site called

www.mozilla.com

when it is not. This type of impersonation is known as spoofing

Misrepresentation. A person or organization can misrepresent itself. For example, suppose the site

www.mozilla.com

pretends to be a furniture store when it is really just a site that takes credit-card payments but never sends any goods

Normally, users of the many cooperating computers that make up the Internet or other networks don't monitor or interfere with the network traffic that continuously passes through their machines. However, many sensitive personal and business communications over the Internet require precautions that address the threats listed above. Fortunately, a set of well-established techniques and standards known as public-key cryptography make it relatively easy to take such precautions.

Public-key cryptography facilitates the following tasks:

Encryption and decryption allow two communicating parties to disguise information they send to each other. The sender encrypts, or scrambles, information before sending it. The receiver decrypts, or unscrambles, the information after receiving it. While in transit, the encrypted information is unintelligible to an intruder.

Tamper detection allows the recipient of information to verify that it has not been modified in transit. Any attempt to modify data or substitute a false message for a legitimate one will be detected.

Authentication allows the recipient of information to determine its origin--that is, to confirm the sender's identity.

Nonrepudiation prevents the sender of information from claiming at a later date that the information was never sent.

The sections that follow introduce the concepts of public-key cryptography that underlie these capabilities.

Encryption and Decryption

Encryption is the process of transforming information so it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again. A cryptographic algorithm, also called a cipher, is a mathematical function used for encryption or decryption. In most cases, two related functions are employed, one for encryption and the other for decryption. With most modern cryptography, the ability to keep encrypted information secret is based not on the cryptographic algorithm, which is widely known, but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encrypted information. Decryption with the correct key is simple. Decryption without the correct key is very difficult, and in some cases impossible for all practical purposes. The sections that follow introduce the use of keys for encryption and decryption. Symmetric-Key Encryption Public-Key Encryption Key Length and Encryption Strength

Symmetric-Key Encryption

With symmetric-key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure 1.

Figure 1 Symmetric-key encryption

Implementations of symmetric-key encryption can be highly efficient, so that users do not experience any significant time delay as a result of the encryption and decryption. Symmetric-key encryption also provides a degree of authentication, since information encrypted with one symmetric key cannot be decrypted with any other symmetric key. Thus, as long as the symmetric key is kept secret by the two parties using it to encrypt communications, each party can be sure that it is communicating with the other as long as the decrypted messages continue to make sense. Symmetric-key encryption is effective only if the symmetric key is kept secret by the two parties involved. If anyone else discovers the key, it affects both confidentiality and authentication. A person with an unauthorized symmetric key not only can decrypt messages sent with that key, but can encrypt new messages and send them as if they came from one of the two parties who were originally using the key. Symmetric-key encryption plays an important role in the SSL protocol, which is widely used for authentication, tamper detection, and encryption over TCP/IP networks. SSL also uses techniques of public-key encryption, which is described in the next section.

Public-Key Encryption

The most commonly used implementations of public-key encryption are based on algorithms patented by RSA Data Security. Therefore, this section describes the RSA approach to public-key encryption. Public-key encryption (also called asymmetric encryption) involves a pair of keys--a public key and a private key--associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. (For more information about the way public keys are published, see Certificates and Authentication) Data encrypted with your public key can be decrypted only with your private key. Figure 2 shows a simplified view of the way public-key encryption works.

Figure 2 Public-key encryption

The scheme shown in Figure 2 lets you freely distribute a public key, and only you will be able to read data encrypted using this key. In general, to send encrypted data to someone, you encrypt the data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key. Compared with symmetric-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data. However, it's possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL protocol. As it happens, the reverse of the scheme shown in Figure 2 also works: data encrypted with your private key can be decrypted only with your public key. This would not be a desirable way to encrypt sensitive data, however, because it means that anyone with your public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign data with your digital signature--an important requirement for electronic commerce and other commercial applications of cryptography. Client software such as Communicator can then use your public key to confirm that the message was signed with your private key and that it hasn't been tampered with since being signed. Digital Signatures and subsequent sections describe how this confirmation process works.

Key Length and Encryption Strength

In general, the strength of encryption is related to the difficulty of discovering the key, which in turn depends on both the cipher used and the length of the key. For example, the difficulty of discovering the key for the RSA cipher most commonly used for public-key encryption depends on the difficulty of factoring large numbers, a well-known mathematical problem. Encryption strength is often described in terms of the size of the keys used to perform the encryption: in general, longer keys provide stronger encryption. Key length is measured in bits. For example, 128-bit keys for use with the RC4 symmetric-key cipher supported by SSL provide significantly better cryptographic protection than 40-bit keys for use with the same cipher. Roughly speaking, 128-bit RC4 encryption is 3 x 10²⁶ times stronger than 40-bit RC4 encryption. (For more information about RC4 and other ciphers used with SSL, see Introduction to SSL.) Different ciphers may require different key lengths to achieve the same level of encryption strength. The RSA cipher used for public-key encryption, for example, can use only a subset of all possible values for a key of a given length, due to the nature of the mathematical problem on which it is based. Other ciphers, such as those used for symmetric key encryption, can use all possible values for a key of a given length, rather than a subset of those values. Thus a 128-bit key for use with a symmetric-key encryption cipher would provide stronger encryption than a 128-bit key for use with the RSA public-key encryption cipher. This difference explains why the RSA public-key encryption cipher must use a 512-bit key (or longer) to be considered cryptographically strong, whereas symmetric key ciphers can achieve approximately the same level of strength with a 64-bit key. Even this level of strength may be vulnerable to attacks in the near future. Because the ability to surreptitiously intercept and decrypt encrypted information has historically been a significant military asset, the U.S. Government restricts export of cryptographic software, including most software that permits use of symmetric encryption keys longer than 40 bits. For detailed information about these restrictions as they apply to Netscape products, see Export Restrictions on International Sales. [Top]

Digital Signatures

Encryption and decryption address the problem of eavesdropping, one of the three Internet security issues mentioned at the beginning of this document. But encryption and decryption, by themselves, do not address the other two problems mentioned in Internet Security Issues: tampering and impersonation. This section describes how public-key cryptography addresses the problem of tampering. The sections that follow describe how it addresses the problem of impersonation. Tamper detection and related authentication techniques rely on a mathematical function called a one-way hash (also called a message digest). A one-way hash is a number of fixed length with the following characteristics:

The value of the hash is unique for the hashed data. Any change in the data, even deleting or altering a single character, results in a different value.

The content of the hashed data cannot, for all practical purposes, be deduced from the hash--which is why it is called "one-way."

As mentioned in Public-Key Encryption, it's possible to use your private key for encryption and your public key for decryption. Although this is not desirable when you are encrypting sensitive information, it is a crucial part of digitally signing any data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash. The encrypted hash, along with other information, such as the hashing algorithm, is known as a digital signature. Figure 3 shows a simplified view of the way a digital signature can be used to validate the integrity of signed data.

Figure 3 Using a digital signature to validate data integrity

Figure 3 shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that has been encrypted with the signer's private key. To validate the integrity of the data, the receiving software first uses the signer's public key to decrypt the hash. It then uses the same hashing algorithm that generated the original hash to generate a new one-way hash of the same data. (Information about the hashing algorithm used is sent with the digital signature, although this isn't shown in the figure.) Finally, the receiving software compares the new hash against the original hash. If the two hashes match, the data has not changed since it was signed. If they don't match, the data may have been tampered with since it was signed, or the signature may have been created with a private key that doesn't correspond to the public key presented by the signer. If the two hashes match, the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digital signature. Confirming the identity of the signer, however, also requires some way of confirming that the public key really belongs to a particular person or other entity. For a discussion of the way this works, see Certificates and Authentication. The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed some data, it is difficult to deny doing so later--assuming that the private key has not been compromised or out of the owner's control. This quality of digital signatures provides a high degree of nonrepudiation--that is, digital signatures make it difficult for the signer to deny having signed the data. In some situations, a digital signature may be as legally binding as a handwritten signature. [Top]

Certificates and Authentication

A Certificate Identifies Someone or Something Authentication Confirms an Identity How Certificates Are Used Contents of a Certificate How CA Certificates Are Used to Establish Trust

A Certificate Identifies Someone or Something

A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver's license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person's identity. Public-key cryptography uses certificates to address the problem of impersonation (see Internet Security Issues). To get a driver's license, you typically apply to a government agency, such as the Department of Motor Vehicles, which verifies your identity, your ability to drive, your address, and other information before issuing the license. To get a student ID, you apply to a school or college, which performs different checks (such as whether you have paid your tuition) before issuing the ID. To get a library card, you may need to provide only your name and a utility bill with your address on it. Certificates work much the same way as any of these familiar forms of identification. Certificate authorities (CAs) are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software (such as Netscape Certificate Server). The methods used to validate an identity vary depending on the policies of a given CA--just as the methods to validate other forms of identification vary depending on who is issuing the ID and the purpose for which it will be used. In general, before issuing a certificate, the CA must use its published verification procedures for that type of certificate to ensure that an entity requesting a certificate is in fact who it claims to be. The certificate issued by the CA binds a particular public key to the name of the entity the certificate identifies (such as the name of an employee or a server). Certificates help prevent the use of fake public keys for impersonation. Only the public key certified by the certificate will work with the corresponding private key possessed by the entity identified by the certificate. In addition to a public key, a certificate always includes the name of the entity it identifies, an expiration date, the name of the CA that issued the certificate, a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA. The CA's digital signature allows the certificate to function as a "letter of introduction" for users who know and trust the CA but don't know the entity identified by the certificate. For more information about the role of CAs, see How CA Certificates Are Used to Establish Trust.

Authentication Confirms an Identity

Authentication is the process of confirming an identity. In the context of network interactions, authentication involves the confident identification of one party by another party. Authentication over networks can take many forms. Certificates are one way of supporting authentication. Network interactions typically take place between a client, such as browser software running on a personal computer, and a server, such as the software and hardware used to host a Web site. Client authentication refers to the confident identification of a client by a server (that is, identification of the person assumed to be using the client software). Server authentication refers to the confident identification of a server by a client (that is, identification of the organization assumed to be responsible for the server at a particular network address). Client and server authentication are not the only forms of authentication that certificates support. For example, the digital signature on an email message, combined with the certificate that identifies the sender, provide strong evidence that the person identified by that certificate did indeed send that message. Similarly, a digital signature on an HTML form, combined with a certificate that identifies the signer, can provide evidence, after the fact, that the person identified by that certificate did agree to the contents of the form. In addition to authentication, the digital signature in both cases ensures a degree of nonrepudiation--that is, a digital signature makes it difficult for the signer to claim later not to have sent the email or the form. Client authentication is an essential element of network security within most intranets or extranets. The sections that follow contrast two forms of client authentication:

Password-Based Authentication. Almost all server software permits client authentication by means of a name and password. For example, a server might require a user to type a name and password before granting access to the server. The server maintains a list of names and passwords; if a particular name is on the list, and if the user types the correct password, the server grants access.

Certificate-Based Authentication. Client authentication based on certificates is part of the SSL protocol. The client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network. The server uses techniques of public-key cryptography to validate the signature and confirm the validity of the certificate.

Password-Based Authentication

Figure 4 shows the basic steps involved in authenticating a client by means of a name and password. Figure 4 assumes the following:

The user has already decided to trust the server, either without authentication or on the basis of server authentication via SSL.

The user has requested a resource controlled by the server.

The server requires client authentication before permitting access to the requested resource.

Figure 4 Using a password to authenticate a client to a server

These are the steps shown in Figure 4:

In response to an authentication request from the server, the client displays a dialog box requesting the user's name and password for that server. The user must supply a name and password separately for each new server the user wishes to use during a work session.

The client sends the name and password across the network, either in the clear or over an encrypted SSL connection.

The server looks up the name and password in its local password database and, if they match, accepts them as evidence authenticating the user's identity.

The server determines whether the identified user is permitted to access the requested resource, and if so allows the client to access it.

With this arrangement, the user must supply a new password for each server, and the administrator must keep track of the name and password for each user, typically on separate servers. As shown in the next section, one of the advantages of certificate-based authentication is that it can be used to replace the first three steps in Figure 2 with a mechanism that allows the user to supply just one password (which is not sent across the network) and allows the administrator to control user authentication centrally.

Certificate-Based Authentication

Figure 5 shows how client authentication works using certificates and the SSL Protocol. To authenticate a user to a server, a client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network. For the purposes of this discussion, the digital signature associated with some data can be thought of as evidence provided by the client to the server. The server authenticates the user's identity on the strength of this evidence. Like Figure 4, Figure 5 assumes that the user has already decided to trust the server and has requested a resource, and that the server has requested client authentication in the process of evaluating whether to grant access to the requested resource.

Figure 5 Using a certificate to authenticate a client to a server

Unlike the process shown in Figure 4, the process shown in Figure 5 requires the use of SSL. Figure 5 also assumes that the client has a valid certificate that can be used to identify the client to the server. Certificate-based authentication is generally considered preferable to password-based authentication because it is based on what the user has (the private key) as well as what the user knows (the password that protects the private key). However, it's important to note that these two assumptions are true only if unauthorized personnel have not gained access to the user's machine or password, the password for the client software's private key database has been set, and the software is set up to request the password at reasonably frequent intervals.

Important Neither password-based authentication nor certificate-based authentication address security issues related to physical access to individual machines or passwords. Public- key cryptography can only verify that a private key used to sign some data corresponds to the public key in a certificate. It is the user's responsibility to protect a machine's physical security and to keep the private-key password secret.

These are the steps shown in Figure 3:

The client software, such as Communicator, maintains a database of the private keys that correspond to the public keys published in any certificates issued for that client. The client asks for the password to this database the first time the client needs to access it during a given session--for example, the first time the user attempts to access an SSL-enabled server that requires certificate-based client authentication. After entering this password once, the user doesn't need to enter it again for the rest of the session, even when accessing other SSL-enabled servers.

The client unlocks the private-key database, retrieves the private key for the user's certificate, and uses that private key to digitally sign some data that has been randomly generated for this purpose on the basis of input from both the client and the server. This data and the digital signature constitute "evidence" of the private key's validity. The digital signature can be created only with that private key and can be validated with the corresponding public key against the signed data, which is unique to the SSL session.

The client sends both the user's certificate and the evidence (the randomly generated piece of data that has been digitally signed) across the network.

The server uses the certificate and the evidence to authenticate the user's identity. (For a detailed discussion of the way this works, see Introduction to SSL.)

At this point the server may optionally perform other authentication tasks, such as checking that the certificate presented by the client is stored in the user's entry in an LDAP directory. The server then continues to evaluate whether the identified user is permitted to access the requested resource. This evaluation process can employ a variety of standard authorization mechanisms, potentially using additional information in an LDAP directory, company databases, and so on. If the result of the evaluation is positive, the server allows the client to access the requested resource.

As you can see by comparing Figure 5 to Figure 4, certificates replace the authentication portion of the interaction between the client and the server. Instead of requiring a user to send passwords across the network throughout the day, single sign-on requires the user to enter the private-key database password just once, without sending it across the network. For the rest of the session, the client presents the user's certificate to authenticate the user to each new server it encounters. Existing authorization mechanisms based on the authenticated user identity are not affected.

How Certificates Are Used

Types of Certificates SSL Protocol Signed and Encrypted Email Form Signing Single Sign-On Object Signing

Types of Certificates

Five kinds of certificates are commonly used with Netscape products:

Client SSL certificates. Used to identify clients to servers via SSL (client authentication). Typically, the identity of the client is assumed to be the same as the identity of a human being, such as an employee in an enterprise. See Certificate-Based Authentication for a description of the way client SSL certificates are used for client authentication. Client SSL certificates can also be used for Form Signing and as part of a Single Sign-On solution.

Examples: A bank gives a customer a client SSL certificate that allows the bank's servers to identify that customer and authorize access to the customer's accounts. A company might give a new employee a client SSL certificate that allows the company's servers to identify that employee and authorize access to the company's servers.

Server SSL certificates. Used to identify servers to clients via SSL (server authentication). Server authentication may be used with or without client authentication. Server authentication is a requirement for an encrypted SSL session. See SSL Protocol.

Example: Internet sites that engage in electronic commerce (commonly known as e-commerce) usually support certificate-based server authentication, at a minimum, to establish an encrypted SSL session and to assure customers that they are dealing with a web site identified with a particular company. The encrypted SSL session ensures that personal information sent over the network, such as credit card numbers, cannot easily be intercepted.

S/MIME certificates. Used for signed and encrypted email. As with client SSL certificates, the identity of the client is typically assumed to be the same as the identity of a human being, such as an employee in an enterprise. A single certificate may be used as both an S/MIME certificate and an SSL certificate. See Signed and Encrypted Email. S/MIME certificates can also be used for Form Signing and as part of a Single Sign-On solution.

Examples: A company deploys combined S/MIME and SSL certificates solely for the purpose of authenticating employee identities, thus permitting signed email and client SSL authentication but not encrypted email. Another company issues S/MIME certificates solely for the purpose of both signing and encrypting email that deals with sensitive financial or legal matters.

Object-signing certificates. Used to identify signers of Java code, JavaScript scripts, or other signed files. See Object Signing.

Example: A software company signs software distributed over the Internet to provide users with some assurance that the software is a legitimate product of that company. Using certificates and digital signatures in this manner can also make it possible for users to identify and control the kind of access downloaded software has to their computers.

CA certificates. Used to identify CAs. Client and server software use CA certificates to determine what other certificates can be trusted. See How CA Certificates Are Used to Establish Trust.

Example: The CA certificates stored in Communicator determine what other certificates that copy of Communicator can authenticate. An administrator can implement some aspects of corporate security policies by controlling the CA certificates stored in each user's copy of Communicator.

The sections that follow describes how certificates are used by Netscape products.

SSL Protocol

The Secure Sockets Layer (SSL) protocol, which was originally developed by Netscape, is a set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. SSL is widely used on the Internet, especially for interactions that involve exchanging confidential information such as credit card numbers. SSL requires a server SSL certificate, at a minimum. As part of the initial "handshake" process, the server presents its certificate to the client to authenticate the server's identity. The authentication process uses Public-Key Encryption and Digital Signatures to confirm that the server is in fact the server it claims to be. Once the server has been authenticated, the client and server use techniques of Symmetric-Key Encryption, which is very fast, to encrypt all the information they exchange for the remainder of the session and to detect any tampering that may have occurred. Servers may optionally be configured to require client authentication as well as server authentication. In this case, after server authentication is successfully completed, the client must also present its certificate to the server to authenticate the client's identity before the encrypted SSL session can be established. For an overview of client authentication over SSL and how it differs from password-based authentication, see Authentication Confirms an Identity. For more detailed information about SSL, see Introduction to SSL.

Signed and Encrypted Email

Some email programs (including Messenger, which is part of Communicator) support digitally signed and encrypted email using a widely accepted protocol known as Secure Multipurpose Internet Mail Extension (S/MIME). Using S/MIME to sign or encrypt email messages requires the sender of the message to have an S/MIME certificate. An email message that includes a digital signature provides some assurance that it was in fact sent by the person whose name appears in the message header, thus providing authentication of the sender. If the digital signature cannot be validated by the email software on the receiving end, the user will be alerted. The digital signature is unique to the message it accompanies. If the message received differs in any way from the message that was sent--even by the addition or deletion of a comma--the digital signature cannot be validated. Therefore, signed email also provides some assurance that the email has not been tampered with. As discussed at the beginning of this document, this kind of assurance is known as nonrepudiation. In other words, signed email makes it very difficult for the sender to deny having sent the message. This is important for many forms of business communication. (For information about the way digital signatures work, see Digital Signatures.) S/MIME also makes it possible to encrypt email messages. This is also important for some business users. However, using encryption for email requires careful planning. If the recipient of encrypted email messages loses his or her private key and does not have access to a backup copy of the key, for example, the encrypted messages can never be decrypted.

Single Sign-On

Network users are frequently required to remember multiple passwords for the various services they use. For example, a user might have to type a different password to log into the network, collect email, use directory services, use the corporate calendar program, and access various servers. Multiple passwords are an ongoing headache for both users and system administrators. Users have difficulty keeping track of different passwords, tend to choose poor ones, and tend to write them down in obvious places. Administrators must keep track of a separate password database on each server and deal with potential security problems related to the fact that passwords are sent over the network routinely and frequently. Solving this problem requires some way for a user to log in once, using a single password, and get authenticated access to all network resources that user is authorized to use--without sending any passwords over the network. This capability is known as single sign-on. Both client SSL certificates and S/MIME certificates can play a significant role in a comprehensive single sign-on solution. For example, one form of single sign-on supported by Netscape products relies on SSL client authentication (see Certificate-Based Authentication). A user can log in once, using a single password to the local client's private-key database, and get authenticated access to all SSL-enabled servers that user is authorized to use--without sending any passwords over the network. This approach simplifies access for users, because they don't need to enter passwords for each new server. It also simplifies network management, since administrators can control access by controlling lists of certificate authorities (CAs) rather than much longer lists of users and passwords. In addition to using certificates, a complete single-sign on solution must address the need to interoperate with enterprise systems, such as the underlying operating system, that rely on passwords or other forms of authentication. For information about the single sign-on support currently provided by Netscape products, see Single Sign-On Deployment Guide.

Form Signing

Many kinds of e-commerce require the ability to provide persistent proof that someone has authorized a transaction. Although SSL provides transient client authentication for the duration of an SSL connection, it does not provide persistent authentication for transactions that may occur during that connection. S/MIME provides persistent authentication for email, but e-commerce often involves filling in a form on a web page rather than sending an email. The Netscape technology known as form signing addresses the need for persistent authentication of financial transactions. Form signing allows a user to associate a digital signature with web-based data generated as the result of a transaction, such as a purchase order or other financial document. The private key associated with either a client SSL certificate or an S/MIME certificate may be used for this purpose. When a user clicks the Submit button on a web-based form that supports form signing, a dialog box appears that displays the exact text to be signed. The form designer can either specify the certificate that should be used or allow the user to select a certificate from among the client SSL and S/MIME certificates that are installed in Communicator. When the user clicks OK, the text is signed, and both the text and the digital signature are submitted to the server. The server can then use a Netscape utility called the Signature Verification Tool to validate the digital signature. For more information about support for form signing in Netscape products, see Netscape Form Signing.

Object Signing

Communicator and other Netscape products support a set of tools and technologies called object signing. Object signing uses standard techniques of public-key cryptography to let users get reliable information about code they download in much the same way they can get reliable information about shrink-wrapped software. Most importantly, object signing helps users and network administrators implement decisions about software distributed over intranets or the Internet--for example, whether to allow Java applets signed by a given entity to use specific computer capabilities on specific users' machines. The "objects" signed with object signing technology can be applets or other Java code, JavaScript scripts, plug-ins, or any kind of file. The "signature" is a digital signature. Signed objects and their signatures are typically stored in a special file called a JAR file. Software developers and others who wish to sign files using object-signing technology must first obtain an object-signing certificate. For more information about support for object signing in Netscape products, see Netscape Object Signing: Establishing Trust for Downloaded Software.

Contents of a Certificate

The contents of certificates supported by Netscape and many other software companies are organized according to the X.509 v3 certificate specification, which has been recommended by the International Telecommunications Union (ITU), an international standards body, since 1988. Users don't usually need to be concerned about the exact contents of a certificate. However, system administrators working with certificates may need some familiarity with the information provided here.

Distinguished Names

An X.509 v3 certificate binds a distinguished name (DN) to a public key. A DN is a series of name-value pairs, such as uid=doe, that uniquely identify an entity--that is, the certificate subject. For example, this might be a typical DN for an employee of Netscape Communications Corporation:

uid=doe,e=doe@netscape.com,cn=John Doe,o=Netscape Communications Corp.,c=US

The abbreviations before each equal sign in this example have these meanings:

uid

: user ID

e

: email address

cn

: the user's common name

o

: organization

c

: country

DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP). The rules governing the construction of DNs can be quite complex and are beyond the scope of this document. For comprehensive information about DNs, see A String Representation of Distinguished Names.

A Typical Certificate

Every X.509 certificate consists of two sections:

The data section includes the following information:

The version number of the X.509 standard supported by the certificate.

The certificate's serial number. Every certificate issued by a CA has a serial number that is unique among the certificates issued by that CA.

Information

Information about the user's public key, including the algorithm used and a representation of the key itself.

The DN of the CA that issued the certificate.

The period during which the certificate is valid (for example, between 1:00 p.m. on November 15, 1996 and 1:00 p.m. November 15, 1997)

The DN of the certificate subject (for example, in a client SSL certificate this would be the user's DN), also called the subject name.

Optional certificate extensions, which may provide additional data used by the client or server. For example, the certificate type extension indicates the type of certificate--that is, whether it is a client SSL certificate, a server SSL certificate, a certificate for signing email, and so on. Certificate extensions can also be used for a variety of other purposes.

The signature section includes the following information:

The cryptographic algorithm, or cipher, used by the issuing CA to create its own digital signature. For more information about ciphers, seeIntroduction to SSL.

The CA's digital signature, obtained by hashing all of the data in the certificate together and encrypting it with the CA's private key.

Here are the data and signature sections of a certificate in human-readable format:

Certificate:
Data:
Version: v3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US
Validity:
 Not Before: Fri Oct 17 18:36:25 1997
 Not  After: Sun Oct 17 18:36:25 1999
Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US
Subject Public Key Info:
 Algorithm: PKCS #1 RSA Encryption
 Public Key:
     Modulus:
         00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:e6:2a:2a:86:
         ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22:
         43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00:
         98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9:
         73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:9b:ff:16:2a:e3:0e:
         9d:3b:af:ce:9a:3e:48:65:de:96:61:d5:0a:11:2a:a2:80:b0:
         7d:d8:99:cb:0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54:
         91:f4:15
     Public Exponent: 65537 (0x10001)
Extensions:
 Identifier: Certificate Type
     Critical: no
     Certified Usage:
         SSL Client
 Identifier: Authority Key Identifier
     Critical: no
     Key Identifier:
         f2:f2:06:59:90:18:47:51:f5:89:33:5a:31:7a:e6:5c:fb:36:
         26:c9
Signature:
Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
 6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:01:69:8e:54:65:fc:06:
 30:43:34:d1:63:1f:06:7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb:
 f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:c6:11:0a:02:a2:e0:cc:
 2a:75:6c:8b:b6:9b:87:00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5:
 b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:6d:d6:59:e8:41:42:a5:
 4a:e5:26:38:ff:32:78:a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8:
  dd:c4

Here is the same certificate displayed in the 64-byte-encoded form interpreted by software:

How CA Certificates Are Used to Establish Trust

Certificate authorities (CAs) are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software (such as the Netscape Certificate Server). A list of third-party certificate authorities is available at Certificate Authority Services. Any client or server software that supports certificates maintains a collection of trusted CA certificates. These CA certificates determine which other certificates the software can validate--in other words, which issuers of certificates the software can trust. In the simplest case, the software can validate only certificates issued by one of the CAs for which it has a certificate. It's also possible for a trusted CA certificate to be part of a chain of CA certificates, each issued by the CA above it in a certificate hierarchy. The sections that follow explains how certificate hierarchies and certificate chains determine what certificates software can trust. CA Hierarchies Certificate Chains Verifying a Certificate Chain

CA Hierarchies

In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities. For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements; or it may be important for a CA to be physically located in the same geographic area as the people to whom it is issuing certificates. It's possible to delegate certificate-issuing responsibilities to subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure 6.

Figure 6 Example of a hierarchy of certificate authorities

In this model, the root CA is at the top of the hierarchy. The root CA's certificate is a self-signed certificate: that is, the certificate is digitally signed by the same entity--the root CA--that the certificate identifies. The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the higher-level subordinate CAs. Organizations have a great deal of flexibility in terms of the way they set up their CA hierarchies. Figure 6 shows just one example; many other arrangements are possible.

Certificate Chains

CA hierarchies are reflected in certificate chains. A certificate chain is series of certificates issued by successive CAs. Figure 7 shows a certificate chain leading from a certificate that identifies some entity through two subordinate CA certificates to the CA certificate for the root CA (based on the CA hierarchy shown in Figure 6).

Figure 7 Example of a certificate chain

A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occur:

Each certificate is followed by the certificate of its issuer.

Each certificate contains the name (DN) of that certificate's issuer, which is the same as the subject name of the next certificate in the chain.

In Figure 7, the Engineering CA certificate contains the DN of the CA (that is, USA CA), that issued that certificate. USA CA's DN is also the subject name of the next certificate in the chain.

Each certificate is signed with the private key of its issuer. The signature can be verified with the public key in the issuer's certificate, which is the next certificate in the chain.

In Figure 7, the public key in the certificate for the USA CA can be used to verify the USA CA's digital signature on the certificate for the Engineering CA.

Verifying a Certificate Chain

Certificate chain verification is the process of making sure a given certificate chain is well-formed, valid, properly signed, and trustworthy. Netscape software uses the following procedure for forming and verifying a certificate chain, starting with the certificate being presented for authentication:

The certificate validity period is checked against the current time provided by the verifier's system clock.

The issuer's certificate is located. The source can be either the verifier's local certificate database (on that client or server) or the certificate chain provided by the subject (for example, over an SSL connection).

The certificate signature is verified using the public key in the issuer's certificate.

If the issuer's certificate is trusted by the verifier in the verifier's certificate database, verification stops successfully here. Otherwise, the issuer's certificate is checked to make sure it contains the appropriate subordinate CA indication in the Netscape certificate type extension, and chain verification returns to step 1 to start again, but with this new certificate. Figure 8 presents an example of this process.

Figure 8 Verifying a certificate chain all the way to the root CA

Figure 8 shows what happens when only Root CA is included in the verifier's local database. If a certificate for one of the intermediate CAs shown in Figure 8, such as Engineering CA, is found in the verifier's local database, verification stops with that certificate, as shown in Figure 9.

Figure 9 Verifying a certificate chain to an intermediate CA

Expired validity dates, an invalid signature, or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail. For example, Figure 10 shows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier's local database.

Figure 10 A certificate chain that can't be verified

For general information about the way digital signatures work, see Digital Signatures. For a more detailed description of the signature verification process in the context of SSL client and server authentication, see Introduction to SSL. [Top]

Managing Certificates

The set of standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a networked environment is called the public key infrastructure (PKI). PKI management is complex topic beyond the scope of this document. The sections that follow introduce some of the specific certificate management issues addressed by Netscape products. Issuing Certificates Certificates and the LDAP Directory Key Management Renewing and Revoking Certificates Registration Authorities

Issuing Certificates

The process for issuing a certificate depends on the certificate authority that issues it and the purpose for which it will be used. The process for issuing nondigital forms of identification varies in similar ways. For example, if you want to get a generic ID card (not a driver's license) from the Department of Motor Vehicles in California, the requirements are straightforward: you need to present some evidence of your identity, such as a utility bill with your address on it and a student identity card. If you want to get a regular driving license, you also need to take a test--a driving test when you first get the license, and a written test when you renew it. If you want to get a commercial license for an eighteen-wheeler, the requirements are much more stringent. If you live in some other state or country, the requirements for various kinds of licenses will differ. Similarly, different CAs have different procedures for issuing different kinds of certificates. In some cases the only requirement may be your email address. In other cases, your Unix or NT login and password may be sufficient. At the other end of the scale, for certificates that identify people who can authorize large expenditures or make other sensitive decisions, the issuing process may require notarized documents, a background check, and a personal interview. Depending on an organization's policies, the process of issuing certificates can range from being completely transparent for the user to requiring significant user participation and complex procedures. In general, processes for issuing certificates should be highly flexible, so organizations can tailor them to their changing needs. The Netscape Certificate Server, part of the Mission Control family of products, allows an organization to set up its own certificate authority and issue certificates. Issuing certificates is one of several managements tasks that can be handled by separate Registration Authorities.

Certificates and the LDAP Directory

The Lightweight Directory Access Protocol (LDAP) for accessing directory services supports great flexibility in the management of certificates within an organization. System administrators can store much of the information required to manage certificates in an LDAP-compliant directory. For example, a CA can use information in a directory to prepopulate a certificate with a new employee's legal name and other information. The CA can leverage directory information in other ways to issue certificates one at a time or in bulk, using a range of different identification techniques depending on the security policies of a given organization. Other routine management tasks, such as Key Management and Renewing and Revoking Certificates, can be partially or fully automated with the aid of the directory. Information stored in the directory can also be used with certificates to control access to various network resources by different users or groups. Issuing certificates and other certificate management tasks can thus be an integral part of user and group management. In general, high-performance directory services are an essential ingredient of any certificate management strategy. The Netscape Directory Server, part of the Mission Control family of products, is fully integrated with the Netscape Certificate Server to provide a comprehensive certificate management solution.

Key Management

Before a certificate can be issued, the public key it contains and the corresponding private key must be generated. Sometimes it may be useful to issue a single person one certificate and key pair for signing operations, and another certificate and key pair for encryption operations. Separate signing and encryption certificates make it possible to keep the private signing key on the local machine only, thus providing maximum nonrepudiation, and to back up the private encryption key in some central location where it can be retrieved in case the user loses the original key or leaves the company. Keys can be generated by client software or generated centrally by the CA and distributed to users via an LDAP directory. There are trade-offs involved in choosing between local and centralized key generation. For example, local key generation provides maximum nonrepudiation, but may involve more participation by the user in the issuing process. Flexible key management capabilities are essential for most organizations. Key recovery, or the ability to retrieve backups of encryption keys under carefully defined conditions, can be a crucial part of certificate management (depending on how an organization uses certificates). Key recovery schemes usually involve an m of n mechanism: for example, m of n managers within an organization might have to agree, and each contribute a special code or key of their own, before a particular person's encryption key can be recovered. This kind of mechanism ensures that several authorized personnel must agree before an encryption key can be recovered.

Renewing and Revoking Certificates

Like a driver's license, a certificate specifies a period of time during which it is valid. Attempts to use a certificate for authentication before or after its validity period will fail. Therefore, mechanisms for managing certificate renewal are essential for any certificate management strategy. For example, an administrator may wish to be notified automatically when a certificate is about to expire, so that an appropriate renewal process can be completed in plenty of time without causing the certificate's subject any inconvenience. The renewal process may involve reusing the same public-private key pair or issuing a new one. A driver's license can be suspended even if it has not expired--for example, as punishment for a serious driving offense. Similarly, it's sometimes necessary to revoke a certificate before it has expired--for example, if an employee leaves a company or moves to a new job within the company. Certificate revocation can be handled in several different ways. For some organizations, it may be sufficient to set up servers so that the authentication process includes checking the directory for the presence of the certificate being presented. When an administrator revokes a certificate, the certificate can be automatically removed from the directory, and subsequent authentication attempts with that certificate will fail even though the certificate remains valid in every other respect. Another approach involves publishing a certificate revocation list (CRL)--that is, a list of revoked certificates--to the directory at regular intervals and checking the list as part of the authentication process. For some organizations, it may be preferable to check directly with the issuing CA each time a certificate is presented for authentication. This procedure is sometimes called real-time status checking.

Registration Authorities

Interactions between entities identified by certificates (sometimes called end entities) and CAs are an essential part of certificate management. These interactions include operations such as registration for certification, certificate retrieval, certificate renewal, certificate revocation, and key backup and recovery. In general, a CA must be able to authenticate the identities of end entities before responding to the requests. In addition, some requests need to be approved by authorized administrators or managers before being services. As previously discussed, the means used by different CAs to verify an identity before issuing a certificate can vary widely, depending on the organization and the purpose for which the certificate will be used. To provide maximum operational flexibility, interactions with end entities can be separated from the other functions of a CA and handled by a separate service called a Registration Authority (RA). An RA acts as a front end to a CA by receiving end entity requests, authenticating them, and forwarding them to the CA. After receiving a response from the CA, the RA notifies the end entity of the results. RAs can be helpful in scaling an PKI across different departments, geographical areas, or other operational units with varying policies and authentication requirements. Future versions of the Netscape Certificate Server will support the creation of customizable registration authorities. [Top]

Last Updated: 10/09/98 10:35:45

CYWGIN

2009-08-13T19:28:00.003+05:30

Cygwin is a Linux-like environment for Windows. It consists of two parts:

A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality.

A collection of tools which provide Linux look and feel.

The Cygwin DLL currently works with all recent, commercially released x86 32 bit and 64 bit versions of Windows, with the exception of Windows CE.

Note that the official support for Windows 95, Windows 98, and Windows Me will be discontinued with the next major version (1.7.0) of Cygwin, which is in beta testing right now.

What Isn't Cygwin?

Cygwin is not a way to run native linux apps on Windows. You have to rebuild your application from source if you want it to run on Windows.

Cygwin is not a way to magically make native Windows apps aware of UNIX ® functionality, like signals, ptys, etc. Again, you need to build your apps from source if you want to take advantage of Cygwin functionality.

FAQ:

1.1.	What is it?
	The Cygwin tools are ports of the popular GNU development tools for Microsoft Windows. They run thanks to the Cygwin library which provides the UNIX system calls and environment these programs expect. With these tools installed, it is possible to write Win32 console or GUI applications that make use of the standard Microsoft Win32 API and/or the Cygwin API. As a result, it is possible to easily port many significant Unix programs without the need for extensive changes to the source code. This includes configuring and building most of the available GNU software (including the packages included with the Cygwin development tools themselves). Even if the development tools are of little to no use to you, you may have interest in the many standard Unix utilities provided with the package. They can be used both from the bash shell (provided) or from the standard Windows command shell.
1.2.	What versions of Windows are supported?
	Cygwin can be expected to run on all modern 32 bit versions of Windows, except Windows CE. This includes Windows 95/98/ME/NT/2000/XP/2003 and the WOW64 32 bit environment on released 64 bit versions of Windows. As far as we know no one is working on a native 64 bit version of Cygwin. Since Cygwin is a community-supported free software project, patches to provide support for other versions would be thoughtfully considered. Paid support contracts or enhancements are available through Red Hat. For information about getting a Red Hat support contract, see http://cygwin.com/license.html. Keep in mind that Cygwin can only do as much as the underlying OS supports. Because of this, Cygwin will behave differently, and exhibit different limitations, on the various versions of Windows.

Email Address Validation Anyone??

2009-07-09T19:05:00.002+05:30

Hi All, There is a goood Article which i have found related to Email Address Validation which says not to validate Email Address Strictly and i too agree with it. Go through the below mentioned Links to check this out.

Enjoy ;)

Extending JavaScript Objects and Classes

2009-07-04T12:45:00.003+05:30

Extending JavaScript Objects and Classes

Summary

You can dynamically create properties and methods of existing objects through simple assignment.
Using the prototype property of intrinsic JS Objects, you can extend the functionality of the very objects you know and love in ways that can make your coding far easier.

Background — Objects in JS

In JavaScript, objects can have properties dynamically added to them. [This comes as no surprise to JS programmers who have written something like myObject.backgroundColor='black' or myObject.style.backgroundcolor='black' instead of the correct myObject.style.backgroundColor='black' and consequently pulled out their hair for hours trying to figure out why the background color wasn't changing. The answer to "Why isn't this working?!" (i.e. "Because you coded it wrong") isn't nearly so enlightening as the information that it looked like it was working because the JavaScript engine was happily creating a new (meaningless) property of the object and setting it to the string value 'black'.]

For the curious, this feature of JS is possible because the language is evaluated at run-time, and because all Objects are implemented as hash tables. This also explains why it's possible to refer to the same property either directly or as a string:

var spacing = myTable.cellSpacing;
var spacing = myTable['cellSpacing']; //equally as valid

and why you can create property names that no reasonable compiler would ever accept, such as:

myTable['% What stupid name!']=someValue;

That JS auto-creates and references previously-undefined properties can be dangerous, as mentioned above—the JS interpretter never yells at you if you attempt to read the value of, or go ahead and set the value of a property that just doesn't exist. On the other hand, this can be a real boon over compiled programming. For example, assume you are a web developer and you want to keep track of how many times the user changes the value of a certain text input (say, the quantity of items ordered). With a traditional compiled OOP language you'd need to subclass the input object and create a custom flavor that allows a timesChanged property. With JavaScript, you simply write:

if (myInput.timesChanged==null) myInput.timesChanged=1;
else myInput.timesChanged+=1;

and the JS Interpretter creates that property for that object instance on the fly.

Compared to those who know that you can create custom properties for any object on the fly, fewer know that you can create custom methods for objects just as easily and in virtually the same way. For example, the following is legal JavaScript code:

function Poke(){
  alert('Owch! Stop that!');
}
myTable.poke = Poke; // When passing a function as a pointer, do not use the () after the name

myTable.poke();      // Using the parentheses invokes the method.

myTable.yellAttributes=function(){ //This is known as creating an anonymous function on the fly
  var atts = "border:"+this.border
             +"; cellpadding:"+this.cellPadding
             +"; cellspacing:"+this.cellSpacing;
  alert(atts);

}
myTable.yellAttributes();

Extending an object by adding a custom method can be quite convenient, but it only applies to that particular object's instance. What if you wanted to modify the entire existing class to add new functionality? For this, we use the prototype property.

The `prototype` Property

To add a property or method to an entire class of objects, the prototype property of the object class must be modified. The intrinsic object classes in JavaScript which have a prototype property are:

Object.prototype — Modifies both objects declared through the explicit new Object(...) contructor and the implicit object {...} syntax. Additionally, all other intrinsic and user-defined objects inherit from Object, so properties/methods added/modified in Object.prototype will affect all other intrinsic and user-defined objects.
Array.prototype — modifies arrays created using either the explicit new Array(...) constructor or the implicit [...] array syntax.
String.prototype — modifies strings created using either the explicit new String(...) constructor or the implicit "..." string literal syntax.
Number.prototype — modifies numbers created using either the explicit new Number(...) constructor or with inline digits.
Date.prototype — modifies date objects created with either the new Date(...) contructor.
Function.prototype — modifies functions created using either the explicit new Function(...) constructor or defined inline with function(...){...}.
RegExp.prototype — modifies regular expression objects created using either the explicit new RegExp(...) constructor or the inline /.../ syntax.
Boolean.prototype — applies to boolean objects created using the explicit new Boolean(...) constructor or those created using inline true|false keywords or assigned as the results of a logical operator.

Adding properties or methods to the prototype property of an object class makes those items immediately available to all objects of that class, even if those objects were created before the prototype property was modified.

It is with great sadness that I must point out that Internet Explorer does not inherit its DHTML objects from Object, and I can find no way to modify the prototype for the class of any of its web-based objects. (For example, window.constructor is an empty property on IEWin6, whereas Mozilla 1.2 reports that Object is the constructor of the window object.) This is why above the terms "instrinsic" and "user-defined" are used to qualify the object types. If you want to make a custom method for all textareas on a page for IEWin, you need to extend the object using Microsoft's proprietary behaviors. For example, you would specify the following CSS rule textarea { behavior:url(extendArea.htc) }

Note that adding a public property to a class of objects creates a single value which all instance objects share. However, modifying this value through this.globalPropertyName will result in a local public property of the object being created and set. Modifications to the class-wide property must be made through the prototype property of the class. This is demonstrated in the following code snippet:


Person.prototype.populationCount=0;
function Person(name,sex){

  Person.prototype.populationCount++;
  this.getName=function(){ return name }
  this.getSex=function(){ return sex }

  this.setSex=function(newSex){ if (confirm('Really change the sex of "'+name+'" to '+newSex+'?')) sex=newSex; }

  this.kill=function(){ Person.prototype.populationCount-- }
}
var gk = new Person('Gavin','male');

var lrk = new Person('Lisa','female');

//Following yields "There are 2 people in my world."

alert("There are "+gk.populationCount+" people in my world.");

//Following creates a new public property of 'gk' and sets it to 102
gk.populationCount+=100;


var geo = new Person('George','male');
alert('GK thinks there are '+gk.populationCount+' people, but everyone else knows there are '+lrk.populationCount+' people.');

//Above yields "GK thinks there are 102 people, but everyone else knows there are 3 people."

If you use private properties (e.g. 'sex' above) in your object, you need private methods to access them (e.g. getName() above). Note that these private methods eat up a lot of memory with each instantiation of the object, and so it's often better to be 'sloppy' by allowing your properties to be publically accessible, so that the accessor methods can be shared throughout the class's .prototype, saving memory.

Following are a bunch of examples of useful ways to extend various intrinsic objects using the prototype property.

Example 1 — Adding `slice()` to Arrays

The slice() method of an array object returns a subsection of the array. While quite useful, this method was not part of the original ECMAScript specification, and not supported by all JavaScript interpretters. When writing code which may be run on older browsers where you'd like to slice some arrays, you can either write code which doesn't use this convenient method (an annoying approach) or you can roll your own implementation of slice().

To do this propertly, we need to know exactly what the slice() method does. From MSDN:

arrayObj.slice(start,[end]); "The slice method copies up to, but not including, the element indicated by end. If start is negative, it is treated as length + start where length is the length of the array. If end is negative, it is treated as length + end. If end is omitted, extraction continues to the end of arrayObj. If end occurs before start, no elements are copied to the new array."

Thus armed, following is a custom implementation of the slice() method. By using Array.prototype this method is made available to all array objects. Note that even if the following isn't the most efficient code possible, it will only be used on those few browsers where the slice() method isn't available. (As it turns out, the implementation below is almost identical in speed to the built-in method.)

//Only add this implementation if one does not already exist.

if (Array.prototype.slice==null) Array.prototype.slice=function(start,end){

  if (start<0) start=this.length+start; //'this' refers to the object to which the prototype is applied

  if (end==null) end=this.length;
  else if (end<0) end=this.length+end;
  var newArray=[];
  for (var ct=0,i=start;i<end;i++) newArray[ct++]=this[i];
  return newArray;

}

As you can see, the first three lines change the parameters passed in to values useful for the for loop, and then this method simply creates a new array, copies the desired items over one at a time, and then returns that new array as the result of the method. (Like most methods in JScript, the original object is not modified.)

Examples of other useful methods which may not be present in older JS implementations that you may want to add to the Array object are pop(), push(), and concat().

Example 2 — Date Formatting

Outputting a lot of dates to the browser, and want to format them nicely? The following code adds a customFormat() method to the Date class which allows you to have a Date object turn into a string formatted just the way you like. Simply include this small block of code (in a separate client-side library file, directly in your JS ASP page...whatever) and all date objects will suddenly be able to cleanly format themselves.

Date.prototype.customFormat=function(formatString){

  var YYYY,YY,MMMM,MMM,MM,M,DDDD,DDD,DD,D,hhh,hh,h,mm,m,ss,s,ampm,dMod,th;
  YY = ((YYYY=this.getFullYear())+"").substr(2,2);
  MM = (M=this.getMonth()+1)<10?('0'+M):M;
  MMM = (MMMM=["January","February","March","April","May","June","July","August","September","October","November","December"][M-1]).substr(0,3);
  DD = (D=this.getDate())<10?('0'+D):D;
  DDD = (DDDD=["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"][this.getDay()]).substr(0,3);
  th=(D>=10&&D<=20)?'th':((dMod=D%10)==1)?'st':(dMod==2)?'nd':(dMod==3)?'rd':'th';
  formatString = formatString.replace("#YYYY#",YYYY).replace("#YY#",YY).replace("#MMMM#",MMMM).replace("#MMM#",MMM).replace("#MM#",MM).replace("#M#",M).replace("#DDDD#",DDDD).replace("#DDD#",DDD).replace("#DD#",DD).replace("#D#",D).replace("#th#",th);

  h=(hhh=this.getHours());
  if (h==0) h=24;
  if (h>12) h-=12;
  hh = h<10?('0'+h):h;
  ampm=hhh<12?'am':'pm';
  mm=(m=this.getMinutes())<10?('0'+m):m;
  ss=(s=this.getSeconds())<10?('0'+s):s;
  return formatString.replace("#hhh#",hhh).replace("#hh#",hh).replace("#h#",h).replace("#mm#",mm).replace("#m#",m).replace("#ss#",ss).replace("#s#",s).replace("#ampm#",ampm);

}
var now=new Date();
alert("Today is "+now.customFormat('#DDDD#, #MMMM# #D##th#')+"\nThe time is "+now.customFormat('#h#:#mm##ampm#')+".");

Example 3 — Number Formatting

This example extends the Number class to support a few methods for attractive formatting. Notice how it extends the String class with a new method for inserting a substring.

Number.prototype.toCurrency=function(noFractions,currencySymbol,decimalSeparator,thousandsSeparator){

  var n,startAt,intLen;
  if (currencySymbol==null) currencySymbol="$";
  if (decimalSeparator==null) decimalSeparator=".";
  if (thousandsSeparator==null) thousandsSeparator=",";
  n = this.round(noFractions?0:2,true,decimalSeparator);
  intLen=n.length-(noFractions?0:3);
  if ((startAt=intLen%3)==0) startAt=3;
  for (var i=0,len=Math.ceil(intLen/3)-1;i<len;i++)n=n.insertAt(i*4+startAt,thousandsSeparator);
  return currencySymbol+n;

}
Number.prototype.toInteger=function(thousandsSeparator){
  var n,startAt,intLen;
  if (thousandsSeparator==null) thousandsSeparator=",";
  n = this.round(0,true);
  intLen=n.length;
  if ((startAt=intLen%3)==0) startAt=3;
  for (var i=0,len=Math.ceil(intLen/3)-1;i<len;i++)n=n.insertAt(i*4+startAt,thousandsSeparator);
  return n;

}
Number.prototype.round=function(decimals,returnAsString,decimalSeparator){
  //Supports 'negative' decimals, e.g. myNumber.round(-3) rounds to the nearest thousand

  var n,factor,breakPoint,whole,frac;
  if (!decimals) decimals=0;
  factor=Math.pow(10,decimals);
  n=(this.valueOf()+"");         //To get the internal value of an Object, use the valueOf() method

  if (!returnAsString) return Math.round(n*factor)/factor;
  if (!decimalSeparator) decimalSeparator=".";
  if (n==0) return "0."+((factor+"").substr(1));
  breakPoint=(n=Math.round(n*factor)+"").length-decimals;
  whole = n.substr(0,breakPoint);
  if (decimals>0){

     frac = n.substr(breakPoint);
     if (frac.length<decimals) frac=(Math.pow(10,decimals-frac.length)+"").substr(1)+frac;
     return whole+decimalSeparator+frac;
  }else return whole+((Math.pow(10,-decimals)+"").substr(1));

}

String.prototype.insertAt=function(loc,strChunk){
  return (this.valueOf().substr(0,loc))+strChunk+(this.valueOf().substr(loc))

}

var quantity=1056;
var costPer=3.9;
var totalCost=quantity*costPer;
alert(quantity.toInteger()+" items at "+costPer.toCurrency()+" per item amounts to a total of "+totalCost.toCurrency());

//Yields "1,056 items at $3.90 per item amounts to a total of $4,118.40"

For a far terser, faster, and general purpose number formatter, see Number.prototype.format.js.

Example 4 — Boolean XOR

JavaScript provides a boolean AND operator (&&), a boolean OR operator (||), and a boolean NOT operator (!). But it is missing a boolean XOR operation. (In English, XOR can be stated as "If A is true or B is true, but not if both are true.") The following simple code adds an XOR() method to the Boolean object.

Boolean.prototype.XOR=function(bool2){
  var bool1=this.valueOf();
  return (bool1==true && bool2==false) || (bool2==true && bool1==false);
  //return (bool1 && !bool2) || (bool2 && !bool1);

}
true.XOR(false); //returns a value of true

(The above method requires the passed value to be an actual boolean value to succeed. The second option, commented out, will attempt to cast bool2 to a boolean value for the comparison. If that line were used instead, values of 0, null, '' and undefined would be interpretted as false, and other non-empty values such as 1 or "foo" will be interpretted as a value of true.)

Example 5 — Extending Arrays to Support Set Mathematics

The following code is presented as an example of a non-trivial expansion to the Array object which allows it to support Set Mathematics. It also shows a case where prototype can be used to overwrite existing implementations. (In this case, some browsers have an incorrect version of Array.splice() that doesn't return single-item arrays, but instead returns the item itself.)

//This JavaScript library is copyright 2002 by Gavin Kistner and Refinery, Inc.

//Reuse or modification permitted provided the previous line is included.
//mailto:gavin@refinery.com
//http://www.refinery.com/

/***************************************************************************************************
* JavaScript Array Set Mathematics Library
* version 1.2.1, April 26th, 2002  [IEMac5.1-/IEWin5.0-/OldNS .splice() replacement works properly]

*
* Methods: array1.union( array2 [,compareFunction] )
*          array1.subtract( array2 [,compareFunction] )

*          array1.intersect( array2 [,compareFunction] )
*          array1.exclusion( array2 [,compareFunction] )

*          array1.removeDuplicates( [compareFunction] )
*
*          array1.unsortedUnion( array2 [,compareFunction] )

*          array1.unsortedSubtract( array2 [,compareFunction] )
*          array1.unsortedIntersect( array2 [,compareFunction] )

*          array1.unsortedExclusion( array2 [,compareFunction] )
*          array1.unsortedRemoveDuplicates( [compareFunction] )

*
*
* Notes:   All methods return a 'set' Array where duplicates have been removed.
*
*          The union(), subtract(), intersect(), and removeDuplicates() methods
*          are faster than their 'unsorted' counterparts, but return a sorted set:
*          var a = ['a','e','c'];
*          var b = ['b','c','d'];
*          a.unsortedUnion(b)  -->  'a','e','c','b','d'

*          a.union(b)          -->  'a','b','c','d','e'

*
*          Calling any of the methods on an array whose element pairs cannot all be
*          reliably ordered (objects for which a < b, a > b, and a==b ALL return false)
*          will produce inaccurate results UNLESS the (usually) optional
*          'compareFunction' parameter is passed. This should specify a custom
*          comparison function, as required by the standard Array.sort(myFunc) method
*          For example:
*          var siblings = [ {name:'Dain'} , {name:'Chandra'} , {name:'Baird'} , {name:'Linden'} ];
*          var brothers = [ {name:'Dain'} , {name:'Baird'} ];
*          function compareNames(a,b){ return (a.name < b.name)?-1:(a.name > b.name)?1:0 }

*          var sisters=siblings.unsortedSubtract(brothers, compareNames);
*
***************************************************************************************************/


if (Array.prototype.splice && typeof([0].splice(0))=="number") Array.prototype.splice = null;

if (!Array.prototype.splice) Array.prototype.splice = function(ind,cnt){

  var len = this.length;
  var arglen = arguments.length;
  if (arglen==0) return ind;
  if (typeof(ind)!= "number") ind = 0;
  else if (ind<0) ind = Math.max(0,len+ind);
  if (ind>len){

     if(arglen>2) ind=len;
     else return [];
  }
  if (arglen<2) cnt = len-ind;
  cnt = (typeof(cnt)=="number") ? Math.max(0,cnt) : 0;
  var removeArray = this.slice(ind,ind+cnt);
  var endArray = this.slice(ind+cnt);
  len = this.length = ind;
  for (var i=2;i<arglen;i++) this[len++] = arguments[i];
  for (var i=0,endlen=endArray.length;i<endlen;i++) this[len++] = endArray[i];
  return removeArray;

}

//*** SORTED IMPLEMENTATIONS ***************************************************
Array.prototype.union=function(a2,compareFunction){
  return this.concat(a2?a2:null).removeDuplicates(compareFunction);

}
Array.prototype.subtract=function(a2,compareFunction){
  if (!compareFunction) compareFunction=null;
  var a1=this.removeDuplicates(compareFunction);
  if (!a2) return a1;
  var a2=a2.removeDuplicates(compareFunction);
  var len2=a2.length;
  if (compareFunction){

     for (var i=0;i<a1.length;i++){
        var src=a1[i],found=false,src;
        for (var j=0;j<len2&&compareFunction(src2=a2[j],src)!=1;j++) if (compareFunction(src,src2)==0) { found=true; break; }

        if (found) a1.splice(i--,1);
     }
  }else{

     for (var i=0;i<a1.length;i++){
        var src=a1[i],found=false,src;
        for (var j=0;(j<len2)&&(src>=(src2=a2[j]));j++) if (src2==src) { found=true; break; }

        if (found) a1.splice(i--,1);
     }
  }

  ret

To Forward all Traffic from one machine to another IPTABLES

2009-06-24T14:41:00.004+05:30

Following Rules are Required to Forward all Traffic From __YOURMACHINE__ to __NEWGATEWAY__
    /sbin/iptables -t filter -I FORWARD -s __YOURMACHINE__ -i eth0 -p tcp -j ACCEPT
    /sbin/iptables -t nat -I PREROUTING -s __YOURMACHINE__ -i eth0 -p tcp -j ACCEPT
    /sbin/iptables -t mangle -I PREROUTING -s __YOURMACHINE__ -i eth0 -j ROUTE --oif eth0 --gw __NEWGATEWAY__

JavaScript Object Notation (JSON)

2009-06-17T17:27:00.002+05:30

Abstract

JavaScript Object Notation (JSON) is a lightweight, text-based,
language-independent data interchange format.  It was derived from
the ECMAScript Programming Language Standard.  JSON defines a small
set of formatting rules for the portable representation of structured
data.

1.  Introduction

JavaScript Object Notation (JSON) is a text format for the
serialization of structured data.  It is derived from the object
literals of JavaScript, as defined in the ECMAScript Programming
Language Standard, Third Edition [ECMA].

JSON can represent four primitive types (strings, numbers, booleans,
and null) and two structured types (objects and arrays).

A string is a sequence of zero or more Unicode characters [UNICODE].

An object is an unordered collection of zero or more name/value
pairs, where a name is a string and a value is a string, number,
boolean, null, object, or array.

An array is an ordered sequence of zero or more values.

The terms "object" and "array" come from the conventions of
JavaScript.

JSON's design goals were for it to be minimal, portable, textual, and
a subset of JavaScript.

Why JSON?

The benefit of JSON is that it is recognized natively by JavaScript. No need for parsing an XML document to extract the data and get it throught the net.

JSON and XML

Benefits of JSON: - The easiness of reading. - The easiness of using. Benefits of XML: - XML is extensible. - It is widely used and recognized by almost all programming languages. Unfortunally, both XML and JSON are enable to integrate a large amount of data in binary form.

The syntax of JSON

The components of JSON: - An object: contains objets or attributes. - A scalar variable: Number, String, Boolean. - An array. - Literal values: null, true, false, "string of characters", and numerical values.

Object

It contains a member or a list of members, and each member has the form:

"name" : "value"

The syntax of the object is:

{ member, member, .... }

Array

A collection of values, separated by commas. [ value, value, ....]

Values

A value may be: an object, an array, a litteral (string, number, true, false, null).

Nothing more is required to create a JSON file!

Example of JSON file

A simple example, designing a menu: It is an object made of members that are an attribute and an array that holds other objects, the rows of the menu.

{
"menu": "File",
"commands": [
    {
        "title": "New",
        "action":"CreateDoc"
    },
    {
        "title": "Open",
        "action": "OpenDoc"
    },
    {
        "title": "Close",
        "action": "CloseDoc"
    }
 ]
}

The XML equivalent:

<?xml version="1.0" ?>
<root>
<menu>File</menu>

<commands>
   <item>
       <title>New</value>
       <action>CreateDoc</action>
   </item>

   <item>
       <title>Open</value>
       <action>OpenDoc</action>
   </item>
   <item>

       <title>Close</value>
       <action>CloseDoc</action>
   </item>
</commands>
</root>

How to use the format

The JSON file allows to load data from the server or to send data to it, in this format. For example, storing the content of a form, just filled by an user. This involves three steps: the browser processing, the server processing, and the data exchange between them.

Client side (browser)

This is rather easy, as JSON is a part of the JavaScript definition. The content of a file, or the definition of the data is assigned to a variable, and this variable becomes an object of the program.

Server side

JSON file are used by various programming languages, including PHP and Java thanks to parsers that allow to get the content and that may even convert it into classes and attributes of the language. The json.org includes a C parser and a list of parsers in other languages.

Data exchange

Loading a file may be accomplished from JavaScript in several ways: - direct including of the file into the HTML page, as a JavaScript .js external file. - loading by a JavaScript command. - using XMLHttpRequest. The JSON file is parsed by the eval() JavaScript function. Sending the file to the server may be accomplished by XMLHttpRequest. The file is sent as a text file and processed by the parser of the programming language that uses it.

Example

The XMLHttpRequest code:

var req = new XMLHttpRequest();
req.open("GET", "file.json", true);
req.onreadystatechange = myCode;   // the handler
req.send(null);

The JavaScript handler:

function myCode()
{
 if (req.readyState == 4)
 {
      var doc = eval('(' + req.responseText + ')');
 }
}

Using the data:

var menuName = document.getElementById('jsmenu');   // finding a field
menuName.value = doc.menu.value;           // assigning a value to the field

How to access data:

doc.commands[0].title      // read value of the "title" field in the array
doc.commands[0].action     // read value of the "action" field in the array

For a Demo click here:

To add a partition which stores data in RAM of Linux

2009-06-16T15:47:00.002+05:30

__REQUIREDPATH__ means the path of the temporary partition which you want

echo "tmpfs __REQUIREDPATH__ tmpfs rw,size=10M" >> /etc/fstab
mkdir __REQUIREDPATH__
Change ownership appropiately
mount -t tmpfs -o size=10m tmpfs __REQUIREDPATH__

Note: You will have to do the above steps again whenever your machine is rebooted. or add the above steps in /etc/rc.local For Eg: __REQUIRESPATH__ = "/var/tempdata/"

Superuser password Lost ?? & Single user not working ??

2009-06-10T12:48:00.003+05:30

If "single user" mode doesn't let you in, then

Boot a "live distro" CD, like Ubuntu
Obtain a commandline (run xterm or terminal or something)
Get root; with "live boot" distros, this is usually dead simple, as the root password is usually provided as part of the documentation
Mount your real root directory onto an unused directory of the live boot environment (i.e. onto /mnt). Make certain you mount it rw
cd to your newly-mounted root directory
Enter the following command: "chroot . /bin/bash" to obtain a command prompt that uses your newly-mounted root directory and /it's/ files (including it's etc/passwd and etc/shadow)
Enter the passwd command to change roots password. When you are done
Enter "exit" to quit the chroot shell
cd to the real /
Umount your installation's root directory
Shutdown and Reboot

What this does is permit the password program from /your/ installation to work on the password files from /your/ installation, by running everything in an environment that starts with your installation as the root filesystem. Up to the point where you chroot, you are just establishing a running environment, but when you chroot, you have effectively re-established /your/ installation, with access as root.

VLAN: Virtual Local Area Network and IEEE 802.1Q

2009-06-09T13:02:00.002+05:30

Definition of: virtual LAN Also called a "VLAN," it is a logical subgroup within a local area network that is created via software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest. VLANs are implemented in port switching hubs and LAN switches and generally offer proprietary solutions. VLANs reduce the time it takes to implement moves, adds and changes. VLANs function at layer 2. Since their purpose is to isolate traffic within the VLAN, in order to bridge from one VLAN to another, a router is required. The router works at the higher layer 3 network protocol, which requires that network layer segments are identified and coordinated with the VLANs. This is a complicated job, and VLANs tend to break down as networks expand and more routers are encountered. The industry is working towards "virtual routing" solutions, which allows the network manager to view the entire network as a single routed entity.

Understanding /etc/modules.conf

2009-06-08T19:42:00.002+05:30

Loading modules for the hardware

All modules and settings are controlled in /etc/modules.conf for mandrake and /etc/conf.modules for redhat. Other methods are using the lilo.conf and /boot/grub/menu.lst.

By using the lilo.conf the modules are load as part of the kernel (built in), but the correct way of doing this is using the modules.conf file.

Before I go to the actual configuration, you may want to try some of these commands related to modules:

Commands		Description
/sbin/lsmod		Lists all configured modules on your system
/sbin/modprobe -l		Lists all available modules
/sbin/modprobe -c		Lists all configured aliases
/sbin/modprobe -r [module]		Removes a loaded module rmmod
/sbin/modprobe [module]		Loads a module same as insmod
man modprobe		Loads the documentation for modprobe

Note: For all new modules downloaded or compiled must be moved to /lib/modules/[kernel version]/ for the system to be able to use it.

After moving the modules to the appropriate directory, run depmod -a to let the system know about the new module, to test the module run this: modprobe [module name] if the module is loaded without error that means everything is OK. If you get any error messages, that means the module is wrong, or maybe the device is already running with the appropriate driver. Believe me it happens.

Modules loaded in the /etc/modules.conf, are loaded as alias of drivers. For example:

          Alias          Device          Driver
         alias          eth0            8139too

Many of the modules require further configurations, like I/O addresses and IRQ numbers. The following is an example of a parallel port assigned in the file modules.conf

        alias parport_lowlevel parport_pc
       options parport_pc io=0x378 irq = 7

It is very easy to identify, io=0x378 and irq = 7, is the address and irq assigned to the first onboard parallel port in your system.

When you install additional hardware in your system, you have to manually edit the modules.conf, unless hard drake allows you to configure it.

Step 2

From the assumption of our next two-port installation we continue…

The modules.conf already contains some information; edit it to add the new information.

This port1 (integrated on the motherboard):

       alias parport_lowlevel parport_pc
      options parport_pc io=0x378 irq=7

You could just add the parameters required in the same line or create it separately for each port. Combination of the ports 1,2,3:

alias parport_lowlevel parport_pc
options parport_pc io=0x378, 0x6400, 0x6500 irq=7, 5, auto

As you can see in the io=0x378, 0x6400, 0x6500 are the IO address for each parallel port1, port2 port3. The port2 and port3 belongs to the dual ports B&C.

The IRQs= 7, 5, auto are assigned to the port1, port2 and port3. You can either set the IRQ number manually or set it to get first available IRQ automatically.

As I have already stated, you could also separate the settings as in the following:

Separation of ports by line

       alias parport_lowlevel parport_pc
      options parport_pc io=0x378 irq=7
 
      alias parport_lowlevel parport_pc
      options parport_pc io=0x6400 irq=5

      alias parport_lowlevel parport_pc
      options parport_pc io=0x6500 irq=auto

If you exit the editor and save the file, restart the system. The parallel ports lp0, lp1 and lp2 should be enabled now and is ready to use. Other hardware may require special procedures, read the documentations or browse the web for help. You could also load modules or special configuration in other way such as search for it and execute it at boot time, this could be accomplished by creating a bash file. Call it whatever you want, makes it +x executable and add it in /etc/rc.d/ Before you attempt the rc.d, try adding it in /etc/modules this file is used to load from the kernel; as far as the documentation concerns. Note I am not referring to modules.conf, which is in the same directory.

IMPORTANT

Possible explanation to modules.conf alias

The modules.conf mystery puzzled me. I decided to read the documentation
in the kernel sources. Here's what I found

>From /usr/src/linux/Documentation/modules.txt
---------------------------------------------
Whenever a program wants the kernel to use a feature that is only
available as a loadable module, and if the kernel hasn't got the
module installed yet, the kernel will ask the kerneld daemon to take
care of the situation and make the best of it.

This is what happens:

       - The kernel notices that a feature is requested that is not
         resident in the kernel.
       - The kernel sends a message to kerneld, with a symbolic
         description of the requested feature.
       - The kerneld daemon asks e.g. modprobe to load a module that
         fits this symbolic description.
--------
Here's the important point that I think solves the mystery:
--------
       - modprobe looks into its internal "alias" translation table
         to see if there is a match.  This table can be reconfigured
         and expanded by having "alias" lines in "/etc/modules.conf".
--------

So, as I see it, the ppp aliases *should* already be in modprobe's
internal alias translation table. People with older versions of modutils
might not have it in their modprobe's alias tables, and so would need
the alias lines in /etc/modules.conf .

(NOTE: The following documentation file is a bit old, but it is still
relevant. There is no longer a kerneld daemon, IIRC, but I might be
mistaken.)

Important Note was added by
Jan Michael Ibanez
Student, University of Asia & the Pacific

Perl (Practical Report and Extraction Language.)

2009-06-03T12:03:00.003+05:30

Today if have found a good link to learn Perl Script. Click on the title to start Learning Perl

TCPDUMP

2009-02-21T21:34:00.003+05:30

TCPdump is a very powerful command line interface packet sniffer. It must be launched as root or with superuser rights because of the its use of the promiscuous mode or to be sure to have sufficent privilileges on a network device or a socket. Wireshark (formerly ethereal) can be used as an alternative to TCPdump but with a GUI interface. Wireshark can be used to read the logs captured by TCPdump too.

1. TCPDUMP DOWNLOAD

2. TCPDUMP USE

1. TCPDUMP DOWNLOAD: To download TCPdump:

#apt-get install tcpdump

To see the TCPdump dependencies:

#apt-cache depends tcpdump

tcpdump Depends: libc6 Depends: libpcap0.8 Depends: libssl0.9.8 To see the installed TCPdump version:

#apt-cache policy tcpdump

tcpdump: Installed: 3.9.4-2ubuntu0.1 Candidate: 3.9.4-2ubuntu0.1 Version table: *** 3.9.4-2ubuntu0.1 0 500 http://security.ubuntu.com dapper-security/main Packages 100 /var/lib/dpkg/status 3.9.4-2 0 500 http://ch.archive.ubuntu.com dapper/main Packages

2. TCPDUMP USE To display the Standard TCPdump output:

#tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1 21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown) 21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 To display the verbose output:

#tcpdump -v

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1 22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown) 22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 Network interfaces available for the capture:

#tcpdump -D

1.eth0 2.any (Pseudo-device that captures on all interfaces) 3.lo To display numerical addresses rather than symbolic (DNS) addresses:

#tcpdump -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53 22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36 22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1 22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53 22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138) 22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53 22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535 To display the quick output:

#tcpdump -q

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0 22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0 22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0 22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0 22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 Capture the traffic of a particular interface:

tcpdump -i eth0

To capture the UDP traffic:

#tcpdump udp

To capture the TCP port 80 traffic:

#tcpdump port http

To capture the traffic from a filter stored in a file:

#tcpdump -F file_name

To create a file where the filter is configured (here the TCP 80 port)

#vim file_name

port 80

To stop the capture after 20 packets:

#tcpdump -c 20

To send the capture output in a file instead of directly on the screen:

#tcpdump -w capture.log

To read a capture file:

#tcpdump -r capture.log

reading from file capture.log, link-type EN10MB (Ethernet) 09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527 09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86 09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86 09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527 The captured data isn't stored in plain text so you cannot read it with a text editor, you have to use a special tool like TCPdump (see above) or Wireshark (Formerly Ethereal) which provides a graphical interface. The capture.log file is opened with Wireshark.

To display the packets having "www.openmaniak.com" as their source or destination address:

#tcpdump host www.openmaniak.com

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp

To display the packets content:

#tcpdump -A

Packets capture during a FTP connection. The FTP password can be easily intercepted because it is sent in clear text to the server. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes 20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840 ....g.................... ............ 20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183 ....g.I@............. ........ 20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183 ....g.I@.......8..... ......EN 20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183 ....g.I@......`$..... ...=..ENUSER teddybear 20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183 ....h.I@............. ...>..E^ 20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183 ....h.I@......#c..... ......E^PASS wakeup 20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183 ....h.I@.,........... ......Ez 20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183 ....h.I@.,........... ......EzSYST 20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183 ....h.I@.?.....j..... ......Ez 20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183 ....h.I@.?........... ......EzQUIT 20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183 ....h.I@.g........... ......E. 20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183 ....h.I@.h.....e..... ......E. We see in this capture the FTP username (teddybear) and password (wakeup).

IP Address Range Function in Python

2009-02-12T17:23:00.006+05:30

def ipAddrRange(startAddr, endAddr):
 def incrAddr(addrList):
    addrList[3] += 1
    for i in (3,2,1):
      if addrList[i] == 256:
         addrList[i] = 0
         addrList[i-1] += 1
 def asString(addrList):
     return ".".join(map(str,addrList))
 startAddrList = map(int,startAddr.split("."))
 endAddrList = map(int,endAddr.split("."))
 curAddrList = startAddrList[:]
 yield asString(curAddrList)
 for i in range(4):
     while curAddrList[i] < endAddrList[i]:
         incrAddr(curAddrList)
         yield asString(curAddrList)

for addr in ipAddrRange("10.255.255.250","11.0.0.20"):
print addr

E-mail Alert on Root SSH Login

2009-02-12T15:05:00.003+05:30

Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server your sending the alert from.

So lets get started!

vim /root/.bashrc

Scroll to the end of the file then add the following:

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com

Replace YourServerName with the handle for your actual server

Replace you@yourdomain.com with your actual email address

Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert a few minutes afterwards.

Note: This is a great tool for servers that have multiple admins or if you give someone SSH access for whatever reason, although you should give out the root password to as few people as humanly possible and be sure to change it often.

This will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH because they will create their own SSH/telnet connection. You should keep your system up to date, install a firewall and follow the latest security releases.

How To Tail (View) Multiple Files on UNIX / Linux Console

2009-02-10T17:58:00.002+05:30

tail is one of the best tool to view log files in a real time (tail -f /path/to/log.file). The program MultiTail lets you view one or multiple files like the original tail program. The difference is that it creates multiple windows on your console (with ncurses). This is one of those dream come true program for UNIX sys admin job. You can browse through several log files at once and do various operations like search for errors and much more.

Install MultiTail

Type the following command under Debian / Ubuntu Linux: $ sudo apt-get update $ sudo apt-get install multitail If you are using FreeBSD, enter: # portsnap fetch update # cd /usr/ports/sysutils/multitail # make install clean

How To View Multiple Files Like tail Command

To view /var/log/messages and /var/log/auth.log, enter: # multilog /var/log/messages /var/log/auth.log Sample output:

How do I run a command and view a log file?

Simply use command as follows: # multitail /var/log/iptables.log -l "ping server.nixcraft.in" OR # multitail /var/log/httpd.log -l "netstat -nat" The -l option allows command to execute in a window. Do not forget to use "'s if the external command needs parameter! (e.g. -l "ping host").

How do I display 3 logfiles in 2 columns?

To see all 3 files related to anti mail server gateway, enter: # multitail -s 2 /var/log/maillog /var/log/FuzzyOcr.log /var/log/antivirus.log multitail has many other useful options. Please read man page for further details: man multitail

Enjoy ur trip to Technology

Packet FLow Diagrams

Setup DNS Server

How to set up a home DNS server

by Shannon Hughes

Domain Name System

Setup Home Web Server

How to set up a home web server

by Jeff "Crash" Goldin

Joomla (Content Manager)

What is Joomla?

What's a content management system (CMS)?

What are some real world examples of what Joomla! can do?

Django

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Credit Card Validation

Snort

tmpwatch - removes files which haven't been accessed for a period of time

OPTIONS

SEE ALSO

Send an HTML email with embedded image and plain text alternate

Recipe 473810: Send an HTML email with embedded image and plain text alternate

Discussion

CAPTCHA: "Completely Automated Public Turing test to Tell Computers and Humans Apart"

CAPTCHA: Telling Humans and Computers Apart Automatically

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text as the one shown below, but current computer programs can't:

Test Drive a CAPTCHA

Introduction to Public-Key Cryptography

Internet Security Issues

Encryption and Decryption

Digital Signatures

Certificates and Authentication

Managing Certificates

Public-key cryptography facilitates the following tasks:

Encryption and Decryption

Symmetric-Key Encryption

Public-Key Encryption

Key Length and Encryption Strength

Digital Signatures

Certificates and Authentication

A Certificate Identifies Someone or Something

Authentication Confirms an Identity

Password-Based Authentication

Certificate-Based Authentication

How Certificates Are Used

Types of Certificates

SSL Protocol

Signed and Encrypted Email

Single Sign-On

Object Signing

Contents of a Certificate

A Typical Certificate

CYWGIN

What Isn't Cygwin?

Email Address Validation Anyone??

Extending JavaScript Objects and Classes

Extending JavaScript Objects and Classes

Summary

Table of Contents

Background — Objects in JS

The prototype Property

Example 1 — Adding slice() to Arrays

Example 2 — Date Formatting

Example 3 — Number Formatting

Example 4 — Boolean XOR

Example 5 — Extending Arrays to Support Set Mathematics

To Forward all Traffic from one machine to another IPTABLES

JavaScript Object Notation (JSON)

1. Introduction

Why JSON?

JSON and XML

The syntax of JSON

Object

Array

Values

Example of JSON file

How to use the format

Client side (browser)

Server side

Data exchange

The `prototype` Property

Example 1 — Adding `slice()` to Arrays