Archive
Future Technologies…. Overview
In this Article, I have tried to put together few future technologies(Some of them are already reality in some shaper form) on which there is lot of Research happening in Microsoft World. This Article will help tech gurus to keep tab on progress of technology in these areas.
- Software Agents : A software agent is a software program that acts for a user or other program in a relationship of agency, Related and derived concepts include Intelligent agents (in particular exhibiting some aspect of Artificial Intelligence, such as learning and reasoning), autonomous agents (capable of modifying the way in which they achieve their objectives), distributed agents (being executed on physically distinct computers), multi-agent systems (distributed agents that do not have the capabilities to achieve an objective alone and thus must communicate), and mobile agents (agents that can relocate their execution onto different processors).
- Visual Studio agents 2010 – Visual Studio Agents 2010 include Test Controller 2010, Test Agent 2010 and Lab Agent 2010. Test Controller 2010 and Test Agent 2010 collectively enable scale-out load generation, distributed data collection, and distributed test execution. Lab Agent 2010 manages testing, workflow and network isolation for virtual machines used with Visual Studio Lab Management 2010.
- Life like software agents
- Software distribution agents
- Research Projects
- Natural Language Interpretation: Natural language processing (NLP) is a field of computer science and linguistics concerned with the interactions between computers and human (natural) languages; Specifically, the process of a computer extracting meaningful information from natural language input and/or producing natural language output.It began as a branch of artificial intelligence. In theory, natural language processing is a very attractive method of human–computer interaction.
- Excel formula’s
- Machine Translation – research project
- VoiceXML 2.0 contribution
- Few more research projects
- Machine Translation: Machine translation, is a sub-field of computational linguistics that investigates the use of software to translate text or speech from one natural language to another.
On a basic level, MT performs simple substitution of words in one natural language for words in another, but that alone usually cannot produce a good translation of a text, because recognition of whole phrases and their closest counterparts in the target language is needed. Solving this problem with corpus and statistical techniques is a rapidly growing field that is leading to better translations, handling differences in linguistic typology, translation of idioms, and the isolation of anomalies.
- Microsoft Translator(http://microsofttranslator.com)
- Windows Live Toolbar – add-in for user’s web sites
- Research on Syntax based MT, Phrase based MT, Word alignment, Language Modeling
- Office 2007/2010 Translate feature
- Procedural Storytelling- Procedural generation refers to content generated algorithmically rather than manually, and is often used to generate game levels and other content. While procedural generation does not guarantee that a game or sequence of levels are nonlinear, it is an important factor in reducing game development time, and opens up avenues making it possible to generate larger and more or less unique seamless game worlds on the fly and using fewer resources. This kind of procedural generation is also called “worldbuilding”, in which general rules are used to construct a believable world.
- Research on creating immersive 3D Worlds
- Digital Storytelling using Kinect
- Environmental storytelling
- Reduces game development time
- Machine augmented cognition- (AugCog) is a research field at the frontier between human-computer interaction, psychology, ergonomics and neuroscience, that aims at creating revolutionary human-computer interactions. For instance, various research projects aim at evaluating in real-time the cognitive state of a user (e.g. from EEG), and design closed-loop systems to modulate information flow with respect to the user’s cognitive capacity.
Human computer interaction that aims at creating revolutionary human-computer interactions
- Research on augmented cognition
- Cloud Computing - Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).
Cloud computing provides computation, software applications, data access, and storage resources without requiring cloud users to know the location and other details of the computing infrastructure.
- Windows Azure Platform
- Office 365
- Cyber-Warfare –Action by a nation-state to penetrate another nations computers or networks for the purposes of causing damage or disruption.
- Research on steganography and steganalysis
- Research on warfare commands and control systems
- 4G – 4G is the fourth generation of cellular wireless standards. It is a successor of the 3G and 2G families of standards.
- Windows Phone enablement on 4G
- O.S Support for 4G wireless and wired network
- Mesh networking is a type of networking where each node must not only capture and disseminate its own data, but also serve as a relay for other nodes, that is, it must collaborate to propagate the data in the network.
A mesh network can be designed using a flooding technique or a routing technique. When using a routing technique, the message propagates along a path, by hopping from node to node until the destination is reached. To ensure all its paths’ availability, a routing network must allow for continuous connections and reconfiguration around broken or blocked paths, using self-healing algorithms. A mesh network whose nodes are all connected to each other is a fully connected network. Mesh networks can be seen as one type of ad hoc network. Mobile ad hoc networks (MANET) and mesh networks are therefore closely related, but MANET also have to deal with the problems introduced by the mobility of the nodes.
- Toolkit for wireless mesh networking
- Research on mesh networking
- Photonics
The science of photonics includes the generation, emission, transmission, modulation, signal processing, switching, amplification, detection and sensing of light. The term photonics thereby emphasizes that photons are neither particles nor waves — they are different in that they have both particle and wave nature. It covers all technical applications of light over the whole spectrum from ultraviolet over the visible to the near-, mid- and far-infrared. Most applications, however, are in the range of the visible and near infrared light.
- Research on Photonics and nanostruct
- 5G - 5G (5th generation mobile networks or 5th generation wireless systems) is a name used in some research papers and projects to denote the next major phase of mobile telecommunications standards beyond the 4G/IMT-Advanced standards effective since 2011. At present, 5G is not a term officially used for any particular specification or in any official document yet made public by telecommunication companies or standardization bodies such as 3GPP, WiMAX Forum, or ITU-R. New standard releases beyond 4G are in progress by standardization bodies, but are at this time not considered as new mobile generations but under the 4G umbrella.
- Research on O.S compatibility and overall protocol expectations
- Multi-touch – In computing, multi-touch refers to a touch sensing surface’s (track pad or touchscreen) ability to recognize the presence of two or more points of contact with the surface. This plural-point awareness is often used to implement advanced functionality such as pinch to zoom or activating predefined programs.
- Microsoft Surface
- Windows Touch technology
- Multi touch in Windows 7
- Multi touch programming platform
- Gesture recognition – Gesture recognition is a topic in computer science and language technology with the goal of interpreting human gestures via mathematical algorithms. Gestures can originate from any bodily motion or state but commonly originate from the face or hand. Current focuses in the field include emotion recognition from the face and hand gesture recognition. Many approaches have been made using cameras and computer vision algorithms to interpret sign language. However, the identification and recognition of posture, gait, proxemics, and human behaviors is also the subject of gesture recognition techniques.
- Microsoft Kinect
- Gesture recognizers for Tablet PC
- Speech recognition - Speech recognition is the translation of spoken words into text. It is also known as “automatic speech recognition”, “ASR”, “computer speech recognition”, “speech to text”, or just “STT”.
- Speech Recognition is technology that can translate spoken words into text. Some SR systems use “training” where an individual speaker reads sections of text into the SR system. These systems analyze the person’s specific voice and use it to fine tune the recognition of that person’s speech, resulting in more accurate transcription. Systems that do not use training are called “Speaker Independent” systems. Systems that use training are called “Speaker Dependent” systems.
- Windows Speech Recognition
- Speech Macros in Office
- Speech recognition programming SDK
- Kinect speech recognition
- Microsoft Research
- Augmented Reality – Augmented reality (AR) is a live, direct or indirect, view of a physical, real-world environment whose elements are augmented by computer-generated sensory input such as sound, video, graphics or GPS data. It is related to a more general concept called mediated reality, in which a view of reality is modified (possibly even diminished rather than augmented) by a computer. As a result, the technology functions by enhancing one’s current perception of reality. By contrast, virtual reality replaces the real world with a simulated one.
- Microsoft research – in the area of mobile phone
- Haptics – is a tactile feedback technology which takes advantage of the sense of touch by applying forces, vibrations, or motions to the user. This mechanical stimulation can be used to assist in the creation of virtual objects in a computer simulation, to control such virtual objects, and to enhance the remote control of machines and devices (telerobotics). It has been described as “doing for the sense of touch what computer graphics does for vision”. Haptic devices may incorporate tactile sensors that measure forces exerted by the user on the interface.
- Microsoft Surface haptics
- Holography – is a technique that allows the light scattered from an object to be recorded and later reconstructed so that when an imaging system (a camera or an eye) is placed in the reconstructed beam, an image of the object will be seen even when the object is no longer present. The image changes as the position and orientation of the viewing system changes in exactly the same way as if the object were still present, thus making the image appear three-dimensional.
- Microsoft research on Digital holography ,Virtual integral holography
- Telepresence - Telepresence refers to a set of technologies which allow a person to feel as if they were present, to give the appearance of being present, or to have an effect, via telerobotics, at a place other than their true location. Telepresence requires that the users’ senses be provided with such stimuli as to give the feeling of being in that other location. Additionally, users may be given the ability to affect the remote location. In this case, the user’s position, movements, actions, voice, etc. may be sensed, transmitted and duplicated in the remote location to bring about this effect. Therefore information may be traveling in both directions between the user and the remote location.
- Microsoft research with HP partnership
- Immersive Virtual reality – A fully immersive virtual reality to which the user connects through direct brain simulation. All senses would be stimulated diffusing the boundary between reality and fiction.
- Microsoft Research
- Game development
- Depth Imaging – is the name for a collection of techniques which are used to produce a 2D image showing the distance to points in a scene from a specific point, normally associated with some type of sensor device. The resulting image, the range image, has pixel values which correspond to the distance, e.g., brighter values mean shorter distance, or vice versa. If the sensor which is used to produce the range image is properly calibrated, the pixel values can be given directly in physical units such as meters.
- Basic API support
- Microsoft Research
- Near-field communication – is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi. Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.
- Microsoft Research
- Biometric sensors - applies biometrics to telecommunications and telecommunications to remote biometric sensing. With the emergence of multimodal biometrics systems gathering data from different sensors and contexts, International Standards that support systems performing biometric enrollment and verification or identification have begun to focus on human physiological thresholds as constraints and frameworks for “plug and play” telebiometric networks.
- Windows Biometric Framework (WBF)
- O.S compatibility for sensors
- Microsoft research
- Smart Power meters – A smart meter is usually an electrical meter that records consumption of electric energy in intervals of an hour or less and communicates that information at least daily back to the utility for monitoring and billing purposes. Smart meters enable two-way communication between the meter and the central system. Unlike home energy monitors, smart meters can gather data for remote reporting. Such an advanced metering infrastructure (AMI) differs from traditional automatic meter reading (AMR) in that it enables two-way communications with the meter.
- Microsoft Smart energy Reference architecture
- Battery metering
- Power and utilities industry : Delivery and smart grid solutions
- Machine vision - Machine vision (MV) is the process of applying a range of technologies and methods to provide imaging-based automatic inspection, process control and robot guidance in industrial applications. While the scope of MV is broad and a comprehensive definition is difficult to distil, a “generally accepted definition of machine vision is ‘… the analysis of images to extract data for controlling a process or activity.’”
- Microsoft research
- Computational Photography - Computational imaging refers to any image formation method that involves a digital computer. Computational photography refers broadly to computational imaging techniques that enhance or extend the capabilities of digital photography. The output of these techniques is an ordinary photograph, but one that could not have been taken by a traditional camera.
- Microsoft research
- Tablets – A tablet computer, or a tablet, is a mobile computer, larger than a mobile phone or personal digital assistant, integrated into a flat touch screen and primarily operated by touching the screen rather than using a physical keyboard. It often uses an onscreen virtual keyboard, a passive stylus pen, or a digital pen
- Microsoft Tablet PC
- Context aware computing – In computer science context awareness refers to the idea that computers can both sense, and react based on their environment. Devices may have information about the circumstances under which they are able to operate and based on rules, or an intelligent stimulus, react accordingly. Context aware devices may also try to make assumptions about the user’s current situation. Context-aware computing is a mobile computing paradigm in which applications can discover and take advantage of contextual information (such as user location, time of day, nearby people and devices, and user activity). Since it was proposed about a decade ago, many researchers have studied this topic and built several context-aware applications to demonstrate the usefulness of this new technology…
- Microsoft research
- Appliance robots- Operate your home appliances from web or remote location
- Microsoft robotics
- Microsoft research
- Robotic surgery
- Microsoft robotics
- Microsoft research
- Domestic robots – A domestic robot is a robot used for household chores.
- Microsoft robotics
- Microsoft research
- Swarm robotics- Swarm robotics is a new approach to the coordination of multirobot systems which consist of large numbers of mostly simple physical robots. It is supposed that a desired collective behavior emerges from the interactions between the robots and interactions of robots with the environment. This approach emerged on the field of artificial swarm intelligence, as well as the biological studies of insects, ants and other fields in nature, where swarm behavior occurs.
- Microsoft research
How do I choose Content Management System?
If you are planning to decide on which Content Management System to adopt, first thing, you should have some information about what you or your organization is imagining from a CMS.
However, everybody cannot be so imaginative, so imagination is restricted to what you perceive as a Content management system, you will probably need additional information which will help you educate on what CMS products out there in market are offering, what is the trend, and what people are doing best to increase productivity through collaboration.
You can read this article which will educate you on what other areas you should consider before confirming on a specific CM Product. After reading this article, you will be well versed with the terminologies/ jargons which you will be hit by visiting individual CM product sites.
An ultimate aim of this article is to –
- Educate decision makers to understand typical CMS features
- Relate features to their own requirements
- Map features/requirements against any product for effective product selection
Below list should help you understand about most expected features of Content Management -
- Security
- Enterprise Search
- Integration
- Technology
- Deployment Flexibility
- Scalability
- Customer Service Support
- Localization
- Multi-Web Site Management
- Translation Management
- Brand Management
- Target Audience Marketing
- Multi-Channel Marketing
- Browser Support
- Workflows
- Supported Content Types
- Site Edit Feature
- Word Connector
- Archiving flexibility
- Content Distributor
- Visitor experience analytics
- Personalization
- Is it open source?
- Supported Web Servers
- SEO
- SaaS
- Cloud hosting option/Cloud Ready
- Mobile version support
- Version Control and Rollback features
- ad Management
- Real-time auditing
- Reporting
- Email integration
- Architecture
- Social networking support
- Disaster Recovery options
- Record Management support
- Web content Management support
- Multivariable Testing support
- Web Traffic analytics
- Business Analytics
- Image Edit options
- Background Job Processor
- Asynchronous Job processor
- GEOIP feature
- PDF generation feature
- Library/content Load balancing
- Diagnostics control
- Subscription control at folder/content level
- Tasks
- Web Alerts
- Wiki Support
- Blog features
- Content Editor
- Content Migration support
- Content Export formats
- User communities
- Third party components leverage
- Drag and Drop architecture
- Dynamic Page content and layout changes
- Tags and Catagories
- Comments and Likes
- Business intelligence
- Role and rights Management
I am also listing some good products that I Know about–
1. Company Name: Microsoft , www.Microsoft.com
Product Name: SharePoint 2007/2010 Server
Technology: Microsoft .Net
2. Company Name: Ektron , www.Ektron.com
Product Name: Ektron CMS
Technology: Microsoft .Net
3. Company Name: Ektron , www.Sitecore.com
Product Name: Sitecore CMS
Technology: Microsoft .Net
4. Company Name: dotCMS , www.dotCMs.org
Product Name: dotCMS CMS
Technology: Java
5. Company Name: CrownPeak , www.CrownPeak.com
Product Name: CrownPeak CMS
Technology:
6. Company Name: percussion , www.percussion.org
Product Name: Percussion CM1, CM2
Technology: Java
7. Company Name: oxcyon , www.oxcyon.org
Product Name: Percussion CM1, CM2
Technology: Java
8.Company Name: LimeLight , www.clickability.com
Product Name: Limelight
Technology:
9. Company Name: Autonomy interwoven, www. interwoven.com
Product Name: Autonomy interwoven WCM
Technology: Java
10. Company Name: beidgelinedigital, www. bridgelinedigital.com
Product Name: iAPPS Content Manager
Technology: Microsoft .NET
11. Company Name: SDL Tridion, www. sdltridion.com
Product Name: SDL Tridion WCM
Technology: Microsoft .NET
I hope this is helpful !!
- Laxmikant Patil
IE 6, 7, 8 Features, Loopholes and vulnerabilities
This white paper discusses the feature differences between different IE versions (i.e. IE 6, 7, 8 ) and vulnerabilities and loopholes found in these versions.
Microsoft Internet Explorer’s journey started in 1995(IE 1.0) and currently is in its 9th major generation available for free download as a Release Candidate. Microsoft’s work on IE has been always influenced by feedback from end users in the area of usability, performance, security. Ongoing development of web standards and work done by competitors like Mozilla Firefox, Google Chrome, Safari, and Opera also drives Microsoft for improvements. Microsoft has taken great efforts to keep increasing its market share by introducing IE on other operating systems like Apple Mac, Unix and mobile devices using Internet Explorer Mobile(with Windows Phone 7 and Windows CE).
Every version of IE passes through regression testing by Microsoft and the real users worldwide. Microsoft keeps on providing service packs/patches for issues identified by the end users and tries to keep IE updated against latest security threats/issues reported by the end users.
Below section discusses features differences between different versions of IE (IE 6 to IE8) –
Feature Comparison
| Feature* | IE6 | IE7 | IE8 |
| Compatibility view | Yes | ||
| Accelerators | Yes | ||
| Web Slices | Yes | ||
| InPrivate Browsing | Yes | ||
| Tabbed Browsing | Yes | Yes, improved | |
| Search | Yes | Yes, improved | |
| SmartScreen filter | Lacks advancedSecurity features | Yes | Yes, improved |
| Favourites bar | Yes | Yes, improved | |
| InPrivate Filtering | Yes | ||
| Security(Malware, Phishing) | Yes | ||
| Cross Site Scripting Filter(XSS) | Yes | ||
| Click-Jacking Prevention | Yes | ||
| Domain Highlighting | Yes | ||
| Data Execution Prevention | Yes | ||
| DHTML | Yes | Yes | Yes, improved |
| CSS Support | Full CSS Level 1 Support | CSS 2.1 | CSS 2.1 |
| DOM Level | Full DOM Level1 Support | Level 2.0 | Level 2.0 |
| SMIL | SMIL 2.0 | ||
| MSXML | MSXML 3.0 | ||
| RSS | Yes | Yes | |
| Ajax Support | XMLHTTP as an ActiveX | XMLHTTP native support | XMLHTTP native support |
| Javascript | Yes | Improved | Improved, faster |
| O.S Support | No –Win 7,WS 08 R2, Vista, WS 08 | No – Win 7,WS 08 R2Yes – Vista, WS 08 | Yes –Win 7,WS 08 R2, Vista, WS 08 |
*Only selected features are considered for comparison
Vulnerabilities / Loopholes
Internet Explorer has been subjected to many security vulnerabilities and concerns, much of the malware, adware and computer viruses across the internet. A number of security flaws affecting IE originated not in the browser itself, but ActiveX-based add-ons used by it. Because the add-ons have the same privilege as IE, the flaws can be as critical as browser flaws.
Below are given some of the recent vulnerabilities and loopholes found in IE -
- Microsoft Internet Explorer 6, 7, and 8 could not properly handle objects in memory, which allowed remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, related to a “dangling pointer,” aka “Uninitialized Memory Corruption Vulnerability“.
- Remote code execution is one of the critical vulnerabilities observed in IE 6, 7, 8 browsers. This vulnerability could allow remote code execution if a user views a specially crafted web page using IE. One of the recent occurrences of it was fixed by Microsoft and security update was released.( http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx)
- Information Disclosure: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user and steal the information. This vulnerability was found in IE 6, 7, 8. ( http://www.microsoft.com/technet/security/advisory/980088.mspx)
- Microsoft Internet Explorer (IE6 to IE8) contained a memory corruption vulnerability, which could result in an invalid pointer being accessed after an object is incorrectly initialized or has been deleted. In certain circumstances, the invalid pointer access can be leveraged by an attacker to execute arbitrary code. This vulnerability is being actively exploited, and exploit code was publically available. (Attackers exploited this in the December 2009 and January 2010 during Operation Aurora, aka “HTML Object Memory Corruption Vulnerability.”)
- Microsoft Internet Explorer 6 and 7 did not properly handled objects in memory that (1) were not properly initialized or (2) are deleted, which allowed remote attackers to execute arbitrary code via vectors involving a call to the getElementsByTagName method for the STYLE tag name, selection of the single element in the returned list, and a change to the outerHTML property of this element, related to Cascading Style Sheets (CSS) and mshtml.dll, aka “HTML Object Memory Corruption Vulnerability.“
- Microsoft Internet Explorer 6, 6 SP1, 7, and 8 did not properly handle argument validation for unspecified variables, which allowed remote attackers to execute arbitrary code via a crafted HTML document, aka “HTML Component Handling Vulnerability.“
- GDI+ in Microsoft Internet Explorer 6 SP1 did not properly allocate an unspecified buffer, which allowed remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka “GDI+ TIFF Memory Corruption Vulnerability.“
- Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, allowed remote attackers to execute arbitrary code via a crafted TIFF image file, aka “GDI+ TIFF Buffer Overflow Vulnerability.“
- Heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1 allowed remote attackers to execute arbitrary code via a crafted PNG image file, aka “GDI+ PNG Heap Overflow Vulnerability.“
- Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1 allowed remote attackers to execute arbitrary code via a crafted WMF image file, aka “GDI+ WMF Integer Overflow Vulnerability.”
- Unspecified vulnerability in Microsoft Internet Explorer 6, 6 SP1, and 7 allowed remote attackers to execute arbitrary code via a crafted data stream header that triggers memory corruption, aka “Data Stream Header Corruption Vulnerability.“
- Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 did not properly handle transition errors in a request for one HTTP document followed by a request for a second HTTP document, which allows remote attackers to execute arbitrary code via vectors involving (1) multiple crafted pages on a web site or (2) a web page with crafted inline content such as banner advertisements, aka “Page Transition Memory Corruption Vulnerability.“
- Microsoft Internet Explorer 7, when XHTML strict mode is used, allowed remote attackers to execute arbitrary code via the zoom style directive in conjunction with unspecified other directives in a malformed Cascading Style Sheets (CSS) stylesheet in a crafted HTML document, aka “CSS Memory Corruption Vulnerability.“
- Microsoft Internet Explorer 6 through 8 allowed remote attackers to spoof the address bar, via window.open with a relative URI, to show an arbitrary URL on the web site visited by the victim, as demonstrated by a visit to an attacker-controlled web page, which triggers a spoofed login form for the site containing that page.
- Microsoft Internet Explorer 6.0.2900.2180 and earlier allowed remote attackers to cause a denial of service (CPU consumption and application hang) via JavaScript code with a long string value for the hash property (aka location.hash)
- Microsoft Internet Explorer 8.0.7100.0 on Windows 7 RC on the x64 platform allowed remote attackers to cause a denial of service (application crash) via a certain DIV element in conjunction with SCRIPT elements that have empty contents and no reference to a valid external script location.
- mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 allowed remote attackers to cause a denial of service (application crash) by calling the JavaScript findText method with a crafted Unicode string in the first argument, and only one additional argument, as demonstrated by a second argument of -1.
- Microsoft Internet Explorer 6.0 through 8.0 beta 2 allowed remote attackers to cause a denial of service (application crash) via an onload=screen [""] attribute value in a BODY element.
- The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 allowed remote attackers to bypass the XSS protection mechanism and conduct XSS attacks by injecting data at two different positions within an HTML document, related to STYLE elements and the CSS expression property, aka a “double injection.”
- Microsoft Internet Explorer 6 SP1 did not properly validate parameters during calls to navigation methods, which allowed remote attackers to execute arbitrary code via a crafted HTML document that triggers memory corruption, aka “Parameter Validation Memory Corruption Vulnerability.“
All of above vulnerabilities were confirmed and are published by National vulnerabilities database and appropriate actions were taken by the Microsoft. Please note that this is not the complete list of vulnerabilities found, this is just a list of recent vulnerabilities.
Secunia Study:
An independent security advisory firm “Secunia” has maintained vulnerabilities database in different versions of IE. This comparison of unpatched publicly known vulnerabilities in latest stable version browsers is based on vulnerabilities reports by Secunia (Secunia.com)
| Browser | Advisories | Vulnerabilities |
| IE6 | 150 | 227 |
| IE7 | 50 | 151 |
| IE8 | 18 | 77 |
SecurityFocus Study (SecurityFocus.com is an online computer security news portal and purveyor of information security services):
As per SecurityFocus report below is the list of vulnerabilities found in latest stable versions of IE
| Browser | Vulnerabilities |
| IE6 | 473 |
| IE7 | 26 |
| IE8 | 62 |
Conclusion
- If you are going to develop new web application and thinking of how many IE versions your application should support, then it is clear from above study that IE6 should be your least priority considering -
- Features available in IE7 and IE8 (and the efforts required to implement IE6 compatibility)
- (sample) 20 vulnerabilities (IE6-16, IE7-11, IE8-9))
- Software Giants like Google has begun the drive to phase out support for Microsoft’s web browser Internet Explorer 6 among other older browsers.
3. Nevertheless, Microsoft is making its own moves to make sure users have to upgrade for latest versions of IE. For example, Office Web Applications (browser versions of Word, PowerPoint, Excel, and OneNote) will support Internet Explorer 7, Internet Explorer 8. (Firefox 3.5 on Windows, Mac, and Linux, as well as Safari 4 on Mac). There’s no mention of IE6 in support list. It’s not officially supported, but customers will not be blocked from using it.
Glossary
Tabs: View and manage multiple websites in one browser window with enhanced browser tab browsing
Web Slices: Using Web Slices, you can keep up with frequently updated sites directly from the new Favourites Bar. If a Web Slice is available on a page, a green Web Slices icon will appear in the Command Bar. Click on this icon to easily subscribe and add the Web Slices to the Favourites Bar so you can keep track of that “slice” of the web.
Accelerators: Accelerators help you to use fewer clicks to get driving directions, translate words, and perform routine tasks.
Click Jacking: Click-jacking is an emerging online threat where an attacker’s web page deceives you into clicking on content from another website without you realizing it.
Malware: Malware is software that a cybercriminal can use to steal your bank account information, track everything you type, send out malicious software or spam, or harm your computer.
Phishing: In Phishing, a cybercriminal pretends to be a legitimate organization, such as your bank, in order to deceive you into giving up personal information such as credit card numbers and account information.
References
For Browser feature comparison
- http://windows.microsoft.com/en-IN/internet-explorer/products/ie-9/compare-browsers
- http://en.wikipedia.org/wiki/Internet_Explorer
- http://www.microsoft.com/windows/internet-explorer/compare/compare-versions.aspx
- http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
- http://www.microsoft.com/windows/products/winfamily/ie/ie7/features.mspx
- http://www.microsoft.com/windows/ie/ie6/evaluation/features/default.mspx
- http://www.webdevout.net/browser-support
Vulnerabilities
Kiosk Systems: Knowledge base for software professionals – Technology backgrounder
About kiosks
……. Kiosks were common in Persia, India, Pakistan, and in the Ottoman Empire from the 13th century onward ……. Indian Kiosk are generally called “Gumti” and sometimes “khokha” too……..
The first self-service, interactive kiosk was developed in 1977 at the University of Illinois at Urbana-Champaign by a pre-med student, Murray Lappe. …….
- http://en.wikipedia.org/wiki/
Introduction
Kiosk has been part of human life for many years and centuries. Above quote also focuses on how technology impacted kiosk to be operated independently to serve mankind. In modern world kiosk is not just a computer with a touch screen enclosed in a box – it is an integration of Mechanical, Computer Hardware, Software, Peripherals and Embedded Controllers, and to build it requires high order domain expertise and intellectual power.
This whitepaper targets
• Technical audiences who want to develop kiosk systems
• Organizations willing to start sale through kiosks
• Functional beginners who want to possess basic knowledge of the kiosk systems
In IT world it is a common scenario where client provides business objectives and high level requirement to build the complete system and they are not in a position to provide all the details of the system one is expecting to be developed.
The objective of this paper is to educate readers and help make them comfortable in developing kiosk systems
Business Scenarios
Some of the popular business examples where organizations around the world are building kiosk systems are Digital Photo Kiosk, Bill Payment Kiosk, School Kiosk, Prepaid Electricity Kiosk, Internet Kiosk, Ticketing Kiosk etc.
Based on the business intend of the kiosk one need to set the focus on certain aspects of the kiosk, like Digital Photo Kiosk uses internal printer to print pictures instantly, so printer functionality becomes the main focus here. Hence simple user interface and high quality printer will be the best expected option.
In cases like School Kiosk, student friendly user interface is a major concern. Parents top up students smart cards to avoid cash in school transactions, here smart card reader and cash acceptor devices play a major role. School kiosk can use thermal printers for receipt printing, as their receipts are not required to be preserved for long time, so thermal printer is ideal solution. Smart card reader should be contact less reader so that students can easily operate them and no need to have physical contact with the reader. Better cash acceptor minimizes the support efforts in case of failed transactions.
Designing Internet kiosk is major challenge in terms of security where in user is allowed to browse the web. Internet kiosks may not need many peripherals but better control on user’s access rights to minimize virus attacks. Security threats are major concerns.
Prepaid Electricity Kiosk is used to top up credit through consumer’s smart cards, and then the smart card can be inserted into electricity meter at home which allows equivalent amount of electricity to consume. Such system uses contact smart card reader for read/write operations along with receipt printer. Card reading and writing speed of the reader should be major focus here.
Ticketing Kiosk is used to vend tickets and provide various other allied services as a single window for the user. These kiosks have very user friendly interface as the user may not be computer savvy and have less patience to understand the functioning. User can perform multiple functions from such kiosk ranging from finding a train schedule, fare calculation between two stations, seat availability, ticket status and ticket issuance.
System Architecture
Major components in the system are
1. Kiosk – This is a PC where kiosk application is running with peripherals
2. Server – Server runs the business logic
3. Database Server – for storage of data
4. Back office application – This application component is required to manage kiosks & their peripherals
Kiosk Software Architecture
1. Device monitoring: This monitoring ensures that all the peripherals are ready for use.
2. Remote Management software: Utility for kiosk remote management
3. Multimedia support: Any utility/third party software for enhanced graphical support like Adobe flash/ Microsoft Silverlight / DirectX technology.
4. OS tamper proofing: This is the most important software running on kiosk, this software restricts user accessing computer resources. User should not be able to modify registry values or system files.
Software and Hardware Components
Software Components
System Software
First thing comes to mind while designing kiosk is kiosk operating system. One has to choose the OS for various parameters like
* Integration with any existing system
* Ease of management by team
* Security
* Initial Purchase cost
* Maintenance Cost
* Future Support fomr OS manufacturer
The three main contenders in the kiosk OS market are
o Microsoft Windows
o Linux
o Apple
Microsoft Windows
Microsoft provides complete family of products those can be used as kiosk OS like
• Windows XP Embedded
• Windows Embedded POSReady 2009
• Windows CE 5.0
• Windows Embedded CE 6.0
• Windows XP Professional
• Windows XP Embedded is one of the mostly used OS on kiosk
• XP Embedded is much cheaper to license and this version of XP is pretty stable and can be tailored to Windows XP and deploy on embedded version without change
• XP Embedded has a great future as Windows Embedded Standard is a next generation of Windows XP Embedded
• Another special OS from Microsoft is Windows Embedded POSReady 2009 for point of sale solutions.
• Embedded POSReady has features for seamless connectivity with peripherals, servers and services
• Windows CE 5.0 is a distinctly different operating system and kernel, rather than a trimmed-down version of desktop Windows
• Windows CE 5.0 is best choice if you need to change OS code for hardware interfacing or some special reason. A distinctive feature of Windows CE compared to other Microsoft operating systems is that large parts of it are offered in source code form. Products like Platform Builder (an integrated environment for Windows CE OS image creation and integration, or customized operating system designs based on CE) offered several components in source code form to the general public.
• Windows Embedded CE 6.0(a renamed version of Windows CE 6.0) OS can be used to develop small footprint devices with a componentized, real-time operating system. OS image of size 300KB can be built with 700 components. When size is a matter of concern use this OS.
• Windows XP Professional is one of the most widely used OS for Kiosk similar to Embedded XP version. Windows XP Professional is easily upgraded with the latest hot fix or service pack.
• You can use Windows XP Professional for kiosk because of its robustness and most stable OS in the market nowadays. It has come out of all the hardware interface related problems that it had initially.
• XP Professional enjoys the latest development technologies for building the kiosk applications such as Microsoft .Net framework, Windows Presentation foundation, Microsoft Silverlight technology.
• The XP Embedded will not have the same end-user help functionality available in Windows XP Pro
• XP Embedded is componentized version of Windows XP Professional, hence you can develop on embedded version without change
• XP Embedded has a great future as Windows Embedded Standard is a next generation of Windows XP Embedded
• Another special OS from Microsoft is Windows Embedded POSReady 2009 for point of sale solutions.
• Embedded POSReady has features for seamless connectivity with peripherals, servers and services
• Windows CE 5.0 is a distinctly different operating system and kernel, rather than a trimmed-down version of desktop Windows
• Windows CE 5.0 is best choice if you need to change OS code for hardware interfacing or some special reason. A distinctive feature of Windows CE compared to other Microsoft operating systems is that large parts of it are offered in source code form. Products like Platform Builder (an integrated environment for Windows CE OS image creation and integration, or customized operating system designs based on CE) offered several components in source code form to the general public.
• Windows Embedded CE 6.0(a renamed version of Windows CE 6.0) OS can be used to develop small footprint devices with a componentized, real-time operating system. OS image of size 300KB can be built with 700 components. When size is a matter of concern use this OS.
• Windows XP Professional is one of the most widely used OS for Kiosk similar to Embedded XP version. Windows XP Professional is easily upgraded with the latest hot fix or service pack.
• You can use Windows XP Professional for kiosk because of its robustness and most stable OS in the market nowadays. It has come out of all the hardware interface related problems that it had initially.
• XP Professional enjoys the latest development technologies for building the kiosk applications such as Microsoft .Net framework, Windows Presentation foundation, Microsoft Silverlight technology.
Linux
• Linux OS is also used for Kiosk because its bit more stable and secure
• If you want to take advantage of open source nature of Linux, you may choose this OS
• Before you take decision make sure that it requires better understanding of OS to implement and manage the kiosk when you start doing a lot of custom work or integration with third party components, hardware, etc., it would be necessary.
• Linux also has embedded version but is not so popular in kiosk world
• Internet kiosk are popular using Linux ( RedHat Linux)
Apple
You will find very few people using Mac based kiosk e.g. WKiosk by App4Mac. It’s not so popular as Kiosk OS.
OS/2
IBM OS/2 was the most popular OS for building ATM’s but after IBM announced that they are discontinuing the OS/2 industry support after December 2004. There are very few kiosks build using this OS those too very initially.
From security point of view any kiosk OS your choose has to be secured from public access.User should not be able to tamper OS underneath. Few steps must be taken to secure OS from tampering.
Here are the few ways so run XP in kiosk mode (secure)
1. Use Group Management Policy console to restrict access to public user which is a restricted user, so that kiosk user cannot change/tamper OS files
2. There are several custom programs from vendors like SiteKiosk, Kioware,SoftStack etc which offers a great secure shell incorporated for your kiosk application
3. Use Windows SteadyState shared access computing tool for Windows XP and above to restrict
access to kiosk OS and data. It’s freely available with licensed copies of Windows XP and
Windows Vista 32 bit OS. Windows SteadyState tool is the next version of Microsoft shared computer toolkit.
Application Software
Several development platforms and technologies are available for developing software.
Care should be taken while selecting development platform, languages, and tools for the development.
Guidelines
1. Choose languages, platform, library which is the latest one and has life for at least next 10 years
2. While selecting any third party tool/library/control make sure that source code of it is available with you
3. Always follow best practices demonstrated by giant IT players like Microsoft, Sun etc
4. Kiosk development is similar to any other product except high level of modularity should be achieved for easy deployment and software upgrades.
5. Application should not only satisfy functionality but also performance, usability, maintainability
6. Choosing RDBMS is also crucial decision, Microsoft SQL Server and Oracle are major RDBMS in the market, considering network of 100 kiosks SQL server is most preferred.
7. Before purchasing any hardware perform proof-of-concept and confirm that hardware is compatible with application your building and OS.
Hardware Components
This section describes the most commonly used devices in the kiosk system
1. Printer: This section focuses on thermal printers only, which is the most preferred printer for kiosk.
It’s very important to choose a printer after proper analysis. Ask below questions to yourself
1. Usage – number of chits printed per day
2. Printing speed
3. Output quality i.e. paper size and color
4. What is the initial investment
5. Consumables and maintenance charges
6. Printer form factor
7. Support for different fonts
8. Support for graphics printing
List to cross check before you select thermal printer –
• Print method – should be direct thermal and not thermal transfer method
• Fonts available
• Column capacity
• Character size, character set, characters per inch
• Interface – RS232,USB etc
• Print Speed – e.g. 170mm/sec
• Paper dimensions
• Driver support
• EMC and safety standards
• Mass – kilograms
• Auto paper cutter availability
• High MTBF
Examples: Epson, CADMUS
2. Cash Acceptor Devices:
Despite the growing popularity of alternate payment methods, cash remains a popular form of payment.
Following points should be considered while selecting cash acceptor
1. Find out the number of transactions per day and total capacity of the cash acceptor, usually its in the range of 500-1000 cash notes
2. How many denominations do you want to accept through kiosk system
3. Maintenance cost considering long time use
4. You want acceptor to accept single note at a time or multiple notes, how notes should be stored, separate denominations in separate compartments or same.
Check time required to validate the note and move note into cash box
5. Future enhancement capabilities of the note acceptor should be demonstrated considering possibilities of changes in the security measures in notes in future by the government
6. Same note acceptor should be able to configure for validating currencies for different countries, usually this can be done by changing the validation logic in embedded IC
7. Cash acceptor should support kiosk application know about
o Total cash present in the cash box,
o Any errors occurred in the note validation
o Cashbox full notification
o Complete log of events happening inside note acceptor for trouble shooting purposes
8. It’s a common problem with cash acceptors, if they kept running long time without reset or after few years of use, they start jamming and inserted notes either remains without getting stacked properly, sometime even it can damage the note by winding it.
9. Verify the type of interface available with cash acceptor RS232, USB etc
10. Power requirements. Usually its DC 24 V, 10Amps
11. Check the weight, size of the acceptor. It should fit into kiosk cabinet.
12. Cash recognition method i.e. optical , magnetic etc
3. Smart card Reader/Writer
There are two types of card readers used with kiosk. Following are the points to be considered while selecting card reader
Contact Smart Card Reader/Writer:
• Interface – prefer USB
• Easy of use
• Smart card acceptor-Landing type (ensures longer card life and minimum damage to the cards outer surface)
• Firmware should be easily upgradeable for future updates
• Power source should be USB
• Check whether your smart card reader has passed Microsoft windows hardware quality lab certification program.
• Card reader confirms to the ISO 7816, PC/SC specification, and PC/SC driver should be available
Contact less Smart Card Reader/Writer
• Easy for use
• Operation LED indicator
• Buzzer should be available
• High-speed transactions
• Should have USB interface avoid RS232 interface
• Confirms PC/SC 2.0 specification
• RoHS Compliant
• CE and FCC Compliant
• Confirms ISO/IEC 14443 or ISO 15693 which allows communications at distances up to 50 cm.
Graphical User Interface guidelines –
Do’s
•Large buttons
•Use textured background
•Make touchable areas obvious
•Limit choices
•Keep user guiding as much possible
•Have simple navigation buttons like back, forward, start
•User should be notified on button click by some beep sound, use 3-D button effect
•Use standard layout for numeric screen similar to ATMs or mobile
•Keep simple English message or messages in regional languages
•Display user name somewhere on screen
•User should not know OS underneath
•Let your GUI promote your company brand
Don’ts
•No title bar
•No start menu
•No double clicking any where
•No pull down menus
•No scrolling or scroll bars
•No dragging or dropping
•Do not use web application as kiosk application
•Turn the cursor off
•Avoid black color for background
•Avoid solid colors
•Don’t change themes at a level where user will get confused by seeing change
•Avoid too many animating objects on the screen
Disaster Recovery
Guidelines
1.Disaster recovery plan should be ready while preparing design of the kiosk system. Plan should be prepared for cases considering software crashes, database corruption, server /hardware failures, network outages, theft, software viruses, unauthorized access or hacking etc
2.Whenever disaster happens recover data which is at logically complete state
3.Kiosk system should have ability to disable certain features temporarily to avoid further losses
4.Remote access to kiosk should be available at any point of time
5.Data loss due to disaster can be minimized by taking regular database backups
6.Transactions should be uploaded to server as soon as they are completed. If your kiosk support offline transactions mode, take care that transaction data is not stored on the kiosk for long time.
7.Refer ISO/IEC 24762:2008 standard for more information
Troubleshooting
Guidelines
1. Implement software and hardware logs
2. Implement email alerts on certain exceptions
3. Keep SQL queries ready to find out the mismatch in the database
4. Perform device test at every restart, don’t allow transaction if this test fails
5. Implement uniform Error code methodology, one should easily relate error code to error source
Tools
1. LogParser Utility – to parse log files and analyze the problem
2. Implement optional application instrumentation to capture application specific information
Here are some tools for remote control of kiosk
Microsoft Windows: Symntec PCAnywhere,GotoMyPC,LogMeIn Pro, radmin, RDC, rdesktop
Linux: Symntec PcAnywhere,GotoMyPc,KRDC,LogMein Pro, rdesktop
Mac OSX:Symntec PcAnywhere, Apple Remote Desktop, LogMein Pro,rdesktop
Security
Guidelines:
1. The Payment Card Industry (PCI), Security Standards Council has taken several steps in managing the data security standards that govern the industry.
2. Encryption methodology should be implemented for sensitive data and logging
3. Remote monitoring tool should be used
4. Provide adequate virus protection(Block not required ports, firewall restrictions)
5. Focus User & Network Access Management
6. Operating system access control
7. Kiosk application should not get affected by attacks like SQL injection, validate every user input before processing it.
8. Refer SO/IEC 17799 and BS7799-2 / ISO27001 standards for more information
Change Management and Software upgrades
Guidelines
1. Software upgrades are usually done in phased manner
2. Kiosk and server communication should happen through ‘process codes’ defined, this will help server to be always backward compatible
3. Kiosk application should have one report for viewing versions of the application components (Executables, DLLs, images, themes)
4. Smoke test should be performed after every upgrade
Tools
1. Use next release of Microsoft’s Systems Management Server (SMS), i.e. System Center Configuration Manager 2007 for task automation, compliance management, and policy based security management allowing for increased business agility.
2. Use BITS (Binary intelligence transfer service) technology for file transfer
What should go in technical specifications document ?
Introduction
Technical specifications documents(TSD) plays a major role in conveying understanding of the project to any reader. Typically in the software industry there are two types of users who refer to TSD.
1..Developers, Project Managers who will be directly working on the Project
2. Client Personnels like Technical architect, CIO’s, Project Managers
I personally believe there should be two documents created for each intended audience. The reason is each set of user expects certain things from the document which may prove unnecessary to the other.
Document for customer overlook:
Generally customer approves the technical design, so it is obvious to convince the customer and assure him that all the technical details are covered in the document and system can meet desired goals. So while preparing document it is very necessary cover all such points those will help convincing the client techincal person. Technical architect from client will not be interested to know details at class levels or class diagrams, he will be interested to know Whether system is complying its requirements, those may be interms of
- Functionality,
- Performance,
- Deployement environment,
- Network requirements etc
and finally how you are depicting the overall architecture,
- Which technologies you are proposing,
- Is there any third party component used,
- Are there any licensing considerations,
- Need more hardware to be purchased
- Which best practices you are proposing etc .
So one should prepare a document may be consists of around 25-30 pages which will provide complete outlook of the system.
Document for Development team:
Development team is actual user of the document, they will be interested in knowing internals of the system. How system is divided into parts, how each part works, their dependencies, sequence, resuse, specific performance considerations, best practices and their details etc.It will be good if you can provide some sample programs and links to documentation sites for their further study.
Although, it differs from organization to organization whether single document is prepared or more than one. I am providing list of topics/areas those should be considered in the TSD.
1. Overall High Level Architecture(block diagrams)
2. Detail architecture(block diagrams)
3. Component diagram/architecture
4. Technological implementation of each component or module( if different languages used for respective module)
5. How components will be packaged and will be made ready for installation/deployment(Software Packing)
6. Sequence diagrams for important operations
7. Deployment methodology( e.g. clickonce deployment, XCOPY)
8. Folder structure( Development as well as deployment)
9. How components or assemblies would be versioned and source controlled
10. Dataflow diagrams
11. State Diagrams
12. Deployement diagrams
13. Network Architecture
14. How Logging /Event Logging/Email alerts will be implemented
15. How data( database, log files) purging will be done
16. Reporting methodology used(SSRS, CR and why?)
17. Naming conventions( Coding, assemblies, database objects)
18. Tiered and Layered Architecture
19. Security aspects and requirements( Application and network)
20. Performance aspects and requirements( Load testing methodology)
21. Pluggable and generic components
22. Highlight design patterns used
23. Database diagrams(ERD)
24. Disaster recovery plans and considerations in the application
25. Encryption methodology
26. How exceptions are handled
27. Class diagrams
28. Important algorithms
29. Usability Aspects
30. Data access technology proposed
31. Performance counters ( for troubleshooting)
Hope this is helpful !
Laxmikant Patil
Windows Azure platform – Tools and Utilities
I was looking for tools available on Windows Azure Platform, thought to share with you all. Certainly this is not the complete list available out there but I found these are useful to start with. My next post will cover few more tools -
1. Windows Azure Monitoring Management Pack(http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4f05f282-f23a-49da-8133-7146ee19f249):
-
Copy and move blobs between folders, containers or even different accounts.
-
Rename and delete blobs, create new containers and folders.
- Upload local files/directories and downloadblobs or entire blob folders.
- Supports downloading/uploading of page blobs.
- Auto-resume upload of large files.
3.Windows Azure Stoarge Explorer(http://azurestorageexplorer.codeplex.com/): Azure Storage Explorer is a useful GUI tool for inspecting and altering the data in your Windows Azure Storage storage projects including the logs of your cloud-hosted applications. All 3 types of cloud storage can be viewed and edited: blobs, queues, and tables.
21. Azure Database Upload(http://azuredatabaseupload.codeplex.com/):
22. Azure file upload(http://azurefileupload.codeplex.com/):
23. DocaAzure utilities(http://www.softpedia.com/get/Programming/Components-Libraries/DocaAzure.shtml) : DocaAzure is a handy package that contains various utilities to help you with your Windows Azure development. DocaAzure is developed in C# and includes:
* Lightweight messaging framework
* IDbSet implementation for Azure Tables
* SMTP relay and server
* Azure Tables & Blobs Backup to the same or other Storage Account
* Some other useful utilities
This is open source prokect, The key themes for these projects are providing guidance on below scenarios -
1. Moving to the Cloud
2. Developing for the Cloud
3. Integrating the Cloud
Deployed in a worker role, the code creates an FTP server that can accept connections from all popular FTP clients (like FileZilla, for example) for command and control of your blob storage account.
