1. See Recent Posts link in the Admin Menu.
   • One by one open up each spam post in a new browser window.
     • On a Mac, hold down the Apple key while you click on the post..
     • On a PC hold down the Ctrl key while you click on each post.
   • You'll now have a bunch of browser windows with each of the spams open.
2. Now you select delete for each post.
   • To quickly get to the next browser window to make this process quick
     • On a Mac, Ctrl  and the Page Down key get you to the next browser page.
     • On a PC, the Ctrl and Tab buttons take you the next browser page.
3. Quickly go through each page and click delete.

All spam removed!

1. check the latest completed ticket report
2. fill in the entries under Features and Enhancements
   and Bug Fixes using the latest closed ticket information
3. Follow the QA Test Plan before publishing to Production

1. Installing the Eclipse IDE

Visit the Eclipse Homepage

• Click on the big yellow download eclipse button
• Scroll down to the bottom of the list and find Eclipse Classic
• Select the appropriate version for your operating system
  • For MAC OS: Eclipse Classic 3.4.1 (151 MB) - Mac OS X (151 MB)
  • For PC: Eclipse Classic 3.4.1 - Windows (151 MB)
• Chose a download location and save to disk
• Extract file to location of your choice
• Start the program using eclipse.exe

Note: You may need Java Runtime Enviroment to run Eclipse, you can find it here

2. Adding the SVN Plugin

Visit the Subclipse Instructions

• Substitute the URL in the "New Update Site" in the instructions with the url from the subclipse site
• The current url is http://subclipse.tigris.org/update_1.2.x

3. Installing MyLyn to sync Trac Ticket work requests

• Open Eclipse 3.3 (Europa) or later
• Select Help -> Software Updates -> Find and Install ...
• In the dialog window choose "Select New Features to Install"; then click "Next"
• Select the checkbox next to "Europa Discovery Site"; then click "Finish"
• Select a Mirror
• Open the Europa Discovery Site list of Packages that shows up and select MyLyn; Agree To The Terms: Click Next; Click Finish
• Agree to Install All despite some packages not being signed
• Agree to restart Eclipse

FAME Installation Instructions

• Instructions from OSFlash

FAME Components

• Installing Eclipse IDE - Download (i've just used the SDK, not the distros)
• Installing ASDT - How To Install
• Installing FDT Instead of ASDT - Instead of ASDT as an Eclipse plugin
• Installing SWFMill
• Installing MTASC - Download

FAME History

• Origin
• One Year Later

Sanitizing Input Strings

Most developers are aware of SQL Injection attacks and know how important it is to sanitize input strings such as names, email addresses and any other content. (kxcd has a very funny cartoon about such exploits). Steve Friedl has a good article on how attackers find such holes in your applications. It's critical for web application security that you make sure inputs are properly escaped before using them in database queries. Perhaps in a future post I'll talk about some strategies for doing that more effectively. And remember that you must sanitize all input, not just strings. Sure, you have a <select> list to allow the user to pick which type of pizza they want and you've given them numbers (1 = cheese, 2 = sausage, 3 = veggie combo, etc.) but that doesn't stop someone from sending you a request where the pizza type is a string with instructions to change the admin email address to their own.

Preventing Problematic Output

But it's not just SQL Injection attacks we must be concerned about with sanitizing user input. What happens to your application if a user can put HTML in their ...

I know that many people run their code and if it looks like it works they figure - Great, I'm done! But while seeing that it performs as expected is one test of your code, seeing your code in action gives you a much better sense of what's happening and whether it's going to do the right in every case.

Let's take a look at a contrived example in code. I'll use PHP since its what I'm using for most of my work these days, and I'll simplify the code so it's clear what's going on.

function getItemFromDBOrCache()
{
	$fInCache = false;

	$fINCache = foundInCache($row);

	if (!$fInCache) {	
		$row = fetchFromDB();
	}

	return $row;
}

If you run this code, your program should work fine. Yes, the cache isn't used, but if you don't have an easy way of checking that, you'll never notice the uppercase typo on the $fINCache line. But, if you set a breakpoint on this function and step through each line, you're very likely to notice the problem (even if there are several lines between the pieces of code in the example). You'd see the cache return the item and then the code still fetch the item from the database. Doing a good code review would probably also uncover this problem, but usually that's later in the development process. I suggest stepping through all new code when ...

The meat of the book (Part II)  is an explanation of the stages of the Security Development Lifecycle (SDL) process. The authors do a good job of explaining these steps and how you can implement them in your own project. I think the SDL is a great process for improving the security of a software project and would suggest anyone who is concerned about the security of their software project (which should be just about everyone working on a significant software project) should read this book.

I would recommend this book for managers and developers (even though the authors point out it is not a book with code samples and examples of how to write better code). I believe if developers know more about the how security issues crop up and can be handled, they will be better equipped to write solid code.

Last time I reviewed one of two books on security that I had recently read. This time I'll review the other book - Secure Coding: Princeiples & Practices by Mark G. Graff and Kenneth R. van Wyk (and published by O'Reilly which puts out excellent books in general).

This is a great book which I would recommend developers, testers and managers read. Even operations folks could get something out of this book. It's a different book from the Security Development Lifecycle in many ways. It's shorter and doesn't provide the step-by-step methods that SDL does. It is very easy reading, with just a few coding samples. It provides some great real-life examples of security flaws and some creative solutions.

Graff and van Wyk give you a lot of things to think about and some problems to avoid and ways to do things right.

One of their better suggestions is to come up with a metaphor of your application (or a particular feature) when you are designing the architecture. Rather than thinking about people making seat reservations (for an on-line ticketing system, for example) come up with a different model and think about how someone might attack that. Because, they point out, someone attacking you isn't necessarily following your model and architectural security flaws are the most difficult to solve.

This is another book I'd suggest you read and have on your shelf.

My main audience at this point is the development staff at Topaz Group. We are separated both by space and time. By space, because we are spread out and do not share offices or even the same area code. By time because I know there will be new developers coming after me, some of whom may join only after I leave. And while there will be development documents and design documents that may be private, I also want to write about how one does a good job of developing software.

Obviously, by making this public, I also hope that there will eventually be other readers (and, once we advance the tool some, we'll even turn on comments so you can make yourselves known). As with the Topaz Group developers, I would hope that I have some words of wisdom to new developers.

I've been in the business of developing software for over twenty years now (and "writing computer programs" for over thirty years if you take a broad definition of that phrase. Perhaps later I'll write down some of my early experiences for historical sake) and I've had the opportunity to learn from some remarkable people and make some mistakes, which helps the learning process. So, I'd like to pass on that learning to whomever is interested. Hopefully you'll find some of it useful and you'll come back to read more.

When we think of hosting we think of having guests at our house.  We think of music to play and finger food.

Our business is taking the time to understand the equivalent of tea time in the digital age.  Our business is communication, the kind of effective and enjoyable communication we look for at the homes of our friends and relations.

Just because so much transacts online now, does not mean the rules of courtesy, attention and mood have gone away.  Online communication with living breathing and valuable associations is our specialty.

To do this well we have a discipline of understanding technology, the tools of our trade.  Just as washing dishes isn't the point of tea, servers aren't the point of hosting - you are.

Here are some resources we should keep in mind for Email

"Non-spam"

• http://www.senderscorecertified.com