Boost Your Website Performance
Date:12/27/2007
- In times where websites behave more and more like web applications, with a constantly growing set of features, most likely developed with JavaScript, it is still of crucial importance that the website responds to user actions as fast as possible. A couple of months ago, Yahoo! published a set of Exceptional Performance Rules which, if you adhere to them, can improve the performance of your site significantly. So I had a look at how these rules can help me improve the stats for my own site, www.klauskomenda.com.
- 1.Reducing HTTP Requests
Even from a not-so-technical and geeky perspective, this makes sense. If the browser needs to communicate with the server less often, the website will load faster (”less talk, more action”). For me, I chose two measures to achieve this:
- a. through Minification
To reduce the number of HTTP requests for JS and CSS files, I decided to “minify” them into one file each. This not only reduces the number of HTTP requests, but also shrinks the filesize down by removing unnecessary whitespace, comments etc. The minified JavaScript file gets included as close as possible to the closing body tag, the CSS file gets called as soon as possible in the document.
- b. by creating CSS Sprites
- Of course I see the point in generating a CSS Sprite which then contains all (or at least many) of the background images you use on the site, and then positioning them using CSS properties. I can certainly see the advantages of using a tool like CSS Sprite Generator (done by my co-workers Ed and Stuart), but I decided not to for the following reasons:
- ·YSlow and Firebug are telling me that I am using 7 background images. I think that is not too bad.
- ·My background images have mixed formats (JPG, GIF and PNG). Now I could make all of them PNGs and create a CSS Sprite. But I think it does not necessarily make sense, because you use JPGs for certain images (pictures) and GIFs for images with greater areas of solid colours (e.g. comic illustrations). So mixing all of them into one does not make much sense to me.
- ·Most likely, I am doing some little design changes here and there and I certainly don’t want to recreate my CSS Sprite every time.
- So I dropped that measure from my list, even though it might mean my score will not increase that much.
- 2.Adding an Expires Header
- To ensure that elements are cacheable, I configured Apache to set an Expires header 3 days in the future. This means that before those 3 days are over, the browser will always use the cached version of the image/CSS/JS/HTML file (if there is one). The requirement for this to work is that the mod_expires module is installed on your Apache web server. You can check for that by doing a phpinfo(). If that is not the case and you don't have access to the httpd.conf file, you won't be able to set the Expires header through Apache. If you do have access to the httpd.conf file, add the following line to the LoadModule section and restart Apache.
- Yahoo! recommends setting the Expires header to +10 years after the time of the request. This might be fine for Yahoo!, but it only seems wise if you are dead serious that this file is never ever going to change. Because if you do change it on the server, it won't force any change on the client side... the user agent will not even bother looking for a new version of that file if it is already in the cache. So unless you rename the file, it will never get picked up by the browser until 2017... I mean, unless you clear the cache, of course.
- 3.Turning on Gzipping
- This can be done using the mod_deflate module, which got introduced in Apache with version 2.0. Again, check if that module is available using phpinfo().
- 4.Putting CSS at the top of the document
- Due to the fact that I used one basic stylesheet and imported the other stylesheets from within it using the @import rule, YSlow tells me, for some reason, that those stylesheets are no longer located in the HEAD section. Because the CSS is now minified, there is now only one single request to the CSS file using:
<link rel="stylesheet" href="[path to minified CSS file]" type="text/css">
- 5.Configuring ETags…maybe not
- As this website does not receive high traffic - and I therefore do not run a server farm - and based on Jeff Atwood's article, I decided not to configure ETags at all on the server side. If, for some reason, you would like to do it, you are free to do so by making another addition to your .htaccess file. The following turns off ETags altogether:
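The three Apache pieces this post refers to (the Expires header, gzip via mod_deflate, and switching off ETags), as one added configuration example that is not the author's own httpd.conf or .htaccess: the module paths, the three-day default, the one-hour limit for HTML and the versioned asset filenames are assumptions. Two caveats the post leaves implicit: a long Expires header only makes sense on URLs that change with their content, which is why the one-year rule below applies only to files named like site.20071110.css; and Apache's default FileETag setting includes the file's inode number, which leaks filesystem information to every client, so if you keep ETags at all, drop the INode component.

```apache
# Added example, not the author's configuration. Adjust module paths for your build.
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so

<IfModule mod_expires.c>
    ExpiresActive On
    # Assumed policy: 3 days for ordinary static files, 1 hour for HTML so that
    # new posts and comments are not pinned in readers' caches for days.
    ExpiresDefault "access plus 3 days"
    ExpiresByType text/html "access plus 1 hour"
    # Only assets whose name carries a content-derived version (assumed naming
    # scheme: name.YYYYMMDD.css / .js) get the long lifetime Yahoo! suggests;
    # a changed file gets a new name, so the old cache entry is simply bypassed.
    <FilesMatch "\.[0-9]{8}\.(css|js)$">
        ExpiresDefault "access plus 1 year"
    </FilesMatch>
</IfModule>

<IfModule mod_deflate.c>
    # Compress text responses; images are already compressed and are left alone.
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</IfModule>

# ETags off entirely (what the post chose) ...
FileETag None
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
# ... or, if you keep them, at least without the inode number:
# FileETag MTime Size
```

Verify from outside with `curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' http://www.klauskomenda.com/` and look at the Expires, Cache-Control, Content-Encoding and ETag lines; that is the same check YSlow performs from inside the browser, and it catches the case where a module is loaded but the directives landed in a .htaccess that AllowOverride does not honour.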
- Conclusion
- By following the Exceptional Performance Rules (well, rather treating them as guidelines and using them based on Web Development common sense applied to your site/project) I was able to improve the performance of this site as follows:
As you can see, the overall performance scores improved quite significantly. They could be improved even further by reducing the number of HTTP requests (using CSS Sprites) or by minifying the CSS and JavaScript files more aggressively. Generally, I feel that the Exceptional Performance Rules are excellent guidelines if you want to improve the performance of any particular site. As stated above, before blindly trying to follow these rules, one needs to verify how valid each of them is for the site he or she is working on. The rules were made with websites in mind that serve several million visitors a day - if you own one of those sites, then certainly follow these rules. If not (which is more likely), try to find out which of these rules really make sense in your case.
- Refer: http://www.klauskomenda.com/archives/2007/11/10/boost-your-website-performance/
Mobile video monitoring for the transportation industry
Date:12/14/2007
- GE-Security has introduced advanced and fully integrated video monitoring systems, using highly sophisticated video processing and encryption with state-of-the-art cellular/wireless communication - specifically engineered to answer key concerns of the transportation industry.
- "These three GE-Security systems are geared towards high mobility, wireless connectivity and near realtime responsiveness," says Lauren Sher, GE-Security's country manager for South Africa.
- "Fast video servers (FVS) are accessible at any time, in any location, including mobile applications such as buses and trains, and may be designed for one or multiple sites," Sher comments.
- Any Internet connection, including LAN/WAN, WiFi or mobile phone coverage (GPRS), can enable connection to site(s) with the viewing of live video, control of pan/tilt cameras and playback of recorded sequences.
- The configuration possibilities enable FVS to be connected to a normal telephone line, ISDN, ADSL, GSM/GPRS or a virtual private network.
- "This flexibility enables the possibility of monitoring numerous small sites very effectively. In addition, live pictures and recordings from internal and external cameras can be checked from anywhere in the world, via a PC, laptop, PDA or GSM to the Internet; and, thus, to a fast video server," she explains.
- The company's MVS-4-GPS series is a line of integrated video gateways that combines the full security functionality and high-level video streaming performance of the fast video server.
- "The GE-Security MVS-4-GPS is designed specifically for today's tough and demanding transport surveillance requirements. This recorder can stream near realtime video from a moving vehicle - be it a bus, train or car - directly to a control room or even to GPRS-equipped PDAs or mobile telephones out in the field. A built-in GPS (global positioning system) receiver gives the controller realtime co-ordinates on a moving map, so the exact vehicle location can be monitored at all times," Sher maintains.
- Sher adds that the MobileView system helps transit systems save money, by deterring crime and vandalism, as well as disposing of false and misleading claims more quickly.
- "When a driver starts a vehicle equipped with a MobileView system, cameras automatically begin recording events and documenting actions on-board the vehicle. This not only acts as a crime deterrent, but also allows transit agencies to quickly resolve issues or identify culprits.
- GPS tracking lets management know exactly where any vehicle is at any time. An audio option provides synchronised audio during image playback. Recorded images can be viewed from a laptop in the field, through a docking station, or via a central station through the use of a wireless local area network (LAN)," she concludes.
- Refer: http://securitysa.com/news.aspx?pklNewsId=26481
Regarding The Security Of Your E-Commerce Website: Be Very Afraid
Date:11/16/2007
- Argh! Someone in my blog reading list came up with a list of knowledge worker tools / social networking technologies and was asking if s/he had covered all the bases, but I can't find the article. Why? Because I came across a related list that I wanted to share. And in looking for that list, I came across another.
- So, yet another entry from the November 2007 Communications of the ACM was a piece on Making Knowledge Work in Virtual Teams by Dominic M. Thomas, Robert P. Bostrum and Marianne Gouge. The article describes a model process by which team leaders approach technology-related interventions and suggests that, with this model in mind, guidance be provided to those team leaders on how and when to make those interventions.
- But the relevant thing here is the list of information and communication technologies (ICTs) that were uncovered in the survey, listed in order of prevalence of use:
- ·audio conferencing
·email
·phone
·fax
·project management tool
·calendar
·development support tool (IDE)
·chat (many-to-many)
·document versioning tool
·instant messaging (1-to-1)
·file servers
·groupware / teamspace (asynchronous)
·postal mail
·knowledge portal
·virtual meeting tool (synchronous)
·desktop sharing
·threaded discussion
·web pages (static / informational)
·videoconferencing
·group decision tool
- And the other article is from Eric Mack's KMWorld notes of Dave Pollard on Social Tools and Knowledge Sharing. Pollard, of course, is responsible for a lot of knowledge management and related thinking at How to Save the World. Along with running commentary about the talk, Eric's post lists a variety of tools in the vein of social networking and communications, which Pollard breaks down into four categories. I've recreated those here:
- ·People-Connectors
  ·People finders (Linked-in)
  ·Social Network Mappers (InFlow, orgnet.com)
  ·Proximity locators (DodgeBall)
  ·Affinity Detectors (NTag)
·Social publishing and information sharing
  ·Journals (blogs, podcasts)
  ·Social Bookmarks
  ·Meme Diggers (what is important)
·Collaboration and Communication
  ·Wikis (FluWiki)
  ·Forums (Yahoo Groups)
  ·Project Collaboration (BaseCamp is a good example)
  ·Document Collaboration (Google Docs)
  ·MindMaps (Freemind)
  ·VoIP/Virtual Presence (Skype, GoToMeeting)
·OpenSpace/Peer Production
  ·SNA/Sensor/GIS Mashups
    ·example: tracking disease outbreaks
  ·Home monitoring
  ·Travelogues
- Of course, along with all these technical items, there are the basics of getting people together:
- ·Watercooler
·Coffee pot!
·Lunch / dinner
- Refer: http://blog.jackvinson.com/archives/2007/11/15/various_social.html
10 Tips to Monitoring the Competition
Date:11/23/2007
- The old adage, "keep your friends close, and your enemies closer", is applicable not only to personal relationships but business relationships as well. While I'm not suggesting that you befriend your competitors, it is important that you are cognizant of your competitors' business ventures and methods.
- It is important to realize that while monitoring your competitors is essential, it could easily become an obsession. Therefore, it is crucial that you strike a balance when incorporating it into your business plan. There are several ways to conduct successful stealth competitive intelligence operations. While it is fanciful to imagine yourself as a secret agent or spy, none of these techniques are difficult, hidden or secretive. In fact, most of them are tools or services available to all businesses.
- 1. Ego Searches: what are ego searches?
Ego searches are keywords or keyword phrase searches for a specific brand, product, or company name. Ego searches are a great way to monitor mentions of a competing product. You can automate the set up of ego searches using RSS, so anytime a competitor's product or brand name is mentioned in the news, blogosphere, or print you receive notification and the details in an RSS feed.
How to Setup Ego Feeds - http://www.feedforall.com/ego-searches.htm
Create RSS Ego Searches - http://www.rss-tools.com/ego-search-feeds.htm
- 2. Competitive Intelligence
Competitive Intelligence is defined as the process of gathering actionable information in a competitive environment. Competitive Intelligence is researching the business environment or techniques that another business uses. Competitive Intelligence is often used to influence a strategy for business development.
First, it is necessary to know your competition. Background research can be conducted using the tools at DNS Stuff (http://www.dnsstuff.com) and various other websites. The DNS Stuff website will allow you to do a whois lookup. A number of other research tools are also available on the site.
- 3. Google Alerts
Receive notification via email on the latest relevant Google search results (web, news, etc.). Define the Google Alerts using a competitor’s company name or product name. http://www.google.com/alerts
- http://www.googlealert.com/ (3rd party tracking service) - Google Alert is the web's leading automated search and web intelligence solution for monitoring your professional interests online. It tracks the entire web for your personalized topics and sends you new results by daily email.
- 4. Meta Tags
Have you ever considered what keywords or phrases a competitor is targeting on their website? Have a peek at their meta tags by simply viewing the web page source. Pay particular attention to the tags in the document head: title, description, and keywords. Are these keywords part of your marketing mix?
- 5. Information
Arm yourself with information. The Googspy website is particularly useful when used properly. Enter a keyword, company name, or domain, click the results and view the company's top 25 competitors. If any of those websites are using pay-per-click on Google, you will also be able to obtain a partial list of the AdWords they have purchased. The website gives you a glimpse inside competitors, but the list it provides is by no means exhaustive. http://www.googspy.com
- 6. Incoming Links
There are a number of ways to determine who is linking to a competitor.
- A simple search can be conducted in Google and MSN for "link:domain.com" (replace domain.com with competitor's domain). In Yahoo enter a search for "linkdomain:domain.com" (again replacing domain.com with your competitors name). The search will produce all webpages that provide a link to your competitor. Ideally you can request links from the websites as well.
- Other BackLink Tools - http://www.webuildpages.com/tools/
- Search for places to submit to: http://www.webuildpages.com/search/ auto-generates a list of candidate sites. Another tool that works in a similar way is http://tools.seobook.com/general/link-suggest/ ; simply enter the keyword and a list of sites that will allow you to request links appears.
- 7. Alexa Ranking
Use Alexa to determine not only who is linking to a competitor, but also to determine what sites are related (list yours). Alexa monitors web traffic trends, and a list of similar websites. Alexa also has the ability to show a website's popularity trends. http://www.alexa.com
- 8. Website Monitoring
It is generally a good practice to monitor competitors, and you can do this using a tool like CodeMonitor. CodeMonitor takes a snapshot of a website's HTML and notifies you of any changes. The differences in the web pages are highlighted, making it easy to discern what changes occurred. CodeMonitor is a free online tool that can be found at: http://www.emarketingperformance.com/tools/codemonitor/
- 9. Comparison Tools
MarketLeap has some great search comparison tools that allow you to compare domains and rankings. MarketLeap's Trend/History report gives you a view of how your or a competitor's website's Search Engine Saturation has performed over time. It also verifies search engine placement based on keywords, so you can quickly discern a competitor's ranking for various phrases in the top search engines. http://www.marketleap.com/publinkpop/
- 10. Other Useful Spy Tools
Domain Tools has a mark alert service that allows you to monitor the use of a trademark. They also have a number of domain tracking and monitoring tools that can be helpful. http://www.domaintools.com/
- Keep in mind that while you should be aware of the direction a competitor is moving, I do not advocate copying a competitor. The tools above are to assist businesses in monitoring their competition. I am not suggesting that you replicate, duplicate, or copy anything that a competitor does. Use the competitive intelligence to make sound business decisions about the direction you want to take.
- Refer: http://www.small-business-software.net/spy-on-competitors.htm
Regarding The Security Of Your E-Commerce Website: Be Very Afraid
Date:11/02/2007
- As you read this, hackers are scanning your servers for open ports. Or perhaps at this moment a hacker is pasting funny strings into your catalog request form to steal credit card numbers. Worse yet: your machines might already be compromised -- and you don't even know it.
- Yes, my intent is to scare. And yes, I sound paranoid.
- I'm not. As one security expert interviewed for this article told me with no trace of humor, "It's not paranoia when they really are trying to get you."
- We're catalogers: our days should be spent worrying about merchandise, customer satisfaction, and postal increases.
- But in this article I'll suggest that as a catalog executive, you must understand the all-too-real business risk of web attacks, and then take steps to reduce that risk.
- On Language: Hackers Versus Crackers
On language: computer cognoscenti use "hacker" as a compliment, meaning a programming wizard. And such folks sometimes use "cracker" to denote malevolent hackers.
- In this article, though, we shall use the more common negative meaning of "hacker":
Hacker: A person who illegally gains access to and sometimes tampers with information in a computer system.
Let's begin by dispelling three myths, then offer five tips.
- Myth: Small Companies Do Not Face Web Security Threats
Myth #1: We are a small company, we don't have any enemies; so we're not much of a target.
-
Hopefully, your company doesn't have serious enemies intent on your destruction. (Some firms do: for example, the SCO Group is routinely targeted by hackers for their legal claims to Linux.)
- Even if hackers aren't specifically targeting your site, you're still a target.
- Hackers covet your resources: your bandwidth, your mail server, and your credit card numbers. Just as an addict might rob for cash for drugs yet hold no personal ill-will towards their victims, so too hackers attack sites without malice, simply to steal resources.
- Yes, your site is a target.
- Myth: Our Web Site Isn't Complicated, So It Is Probably Safe
Myth #2: Our web site isn't really complicated, so it is probably safe.
- Even the simplest website allows the public access to one of your servers. To serve web pages, a computer must listen to the outside world and respond.
- By definition, web servers are exposed, and exposed machines face risk. Are you sure your servers are locked down, patched, and secure?
- Moreover, if your website has a database behind it -- and most do -- the risk is even greater. Less-than-perfect coding exposes you to possible SQL injection attacks, described below.
- Your seemingly-simple site likely isn't -- again, this increases your risk.
- Myth: Outsourcing Solves Web Security Issues
Myth #3: We've outsourced our website, and those guys have this covered.
- Many catalogers outsource some or all of their web applications and web hosting.
- When outsourcing, you still bear responsibility for ensuring your outsourcing partner follows security best practices. (Some are described below.)
- Know what questions to ask, ask them, and make sure you like the answers.
- The responsibility for security is still ultimately yours.
- Next, we offer five security tips, along with take-away "Executive Questions" to ask your IT team or outsourcing partner.
- Tip: Web Security Isn't A Product, It Is A Process
It would be easy if you could purchase something to ensure your site was safe. You can't. Security is an ongoing process that involves all aspects of your company, and the threats are continually evolving.
- When you make decisions on site functionality or technology, always ask about the security implications.
- Jeff Cornejo of Blue Ridge InterNetworks, a firm helping catalogers with secure websites, suggests, "Whenever you make a decision about your site, the first question is 'how will this affect the bottom line?', and the immediate second question should be 'how will this affect site security?'"
- Executive Questions:
·Who in our organization has responsibility for ensuring our web site is secure?
·What training have they had on this topic?
·When was our last site security review?
-
Tip: Patch Your Server's Operating System Regularly
Whether your web server runs Microsoft, Linux, or something else, you must regularly update its operating system with the latest security patches.
- Some patches fix recently-discovered holes in the operating system. Other patches apply to particular products. You must keep your OS and the products you use up to date with patches, lest hackers exploit well-known vulnerabilities against you.
- To give some sense of the speed of the onslaught: a security expert interviewed for this article noted that if you placed an unpatched MS SQL Server 2000 on a web server, it would almost certainly catch the well-known "SQL Slammer" worm from the internet, and do so within five minutes.
- The SANS Institute is an invaluable resource for web security.
Each Monday SANS publishes a free newsletter called @RISK summarizing the worst vulnerabilities detected the past week, and the correct response to protect yourself.
- Executive Questions:
·Do we maintain our own web servers, or do we outsource them?
·Who is responsible for patching our server operating system?
·How frequently do we apply patches?
·When did we last patch?
·Who monitors the weekly SANS vulnerability alerts?
·Who covers when that person is on vacation?
-
Tip: Turn Off Every Port And Service You Don't Absolutely Need
A "service" is a program that allows a computer to serve web pages, send or receive mail, etc.
- A "port" is a channel on which a server listens to and talks to the outside world.
- Many operating system installations turn on unneeded services by default. For example, unless explicitly told otherwise, a newly installed server might leave port 23 open for telnet, and port 21 open for FTP.
- Every open port and service exposes you to additional risk. Turn off everything that isn't needed.
- Here's a Halloween analogy.
- Leaving on your front porch light and hanging outdoor decorations is, in effect, inviting trick-or-treaters to your home. (That's like opening a port on a server.)
- If you leave on the light, you should be ready to answer the bell and hand out candy. (That's like a running a service.)
- If you plan to hand out candy, you should do so responsibly: for example, one piece per child, no scaring small kids, etc. (That's the equivalent of properly configuring the service and keeping it patched.)
- Most importantly, if you have no intent of handing out candy, turn off the porch light (close the port) and don't wait by the door with treats (turn off the service.)
- There are free tools you can use to determine which ports are open on your machine. (Indeed, hackers use similar tools to probe your network.)
- Have your IT folks explore free tools such as Nessus, nmap, and SARA.
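A way to answer "have we scanned our own machines?" before any tools rollout, as an added example that is not from the article: a plain TCP connect scan in Python, followed by a comparison against the ports the host is supposed to expose. nmap does this faster and more thoroughly; what the example adds is the second step, treating every listener that is not on an explicit allowlist as a finding. The 127.0.0.1 target and the allowlist of 80 and 443 are assumptions for the demo, and self_check() confirms the scanner works by detecting a throwaway listener it opens itself.

```python
"""Added example, not from the article: TCP connect scan plus allowlist comparison."""
import socket
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=0.5):
    """True if a TCP handshake to host:port completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host, ports, workers=64):
    """Return the sorted list of open ports among `ports` on `host`."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: port_is_open(host, p), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def unexpected_ports(open_ports, allowed):
    """Every listener not on the explicit allowlist is a finding to explain or shut down."""
    return sorted(set(open_ports) - set(allowed))


def self_check():
    """Bind a throwaway listener on an ephemeral port and confirm the scanner sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return port in scan("127.0.0.1", [port - 1, port, port + 1])


if __name__ == "__main__":
    ALLOWED = {80, 443}  # assumption: a web-only host should expose just these
    assert self_check(), "scanner cannot see its own listener; check local firewalling"
    found = scan("127.0.0.1", range(1, 1025))
    print("open ports       :", found)
    print("not on allowlist :", unexpected_ports(found, ALLOWED))
```

Run it from a second machine against the web server's public address as well as on the host itself: a port that is open locally but filtered from outside tells you the firewall is doing the work, and a port open from outside that nobody can account for is exactly the porch light left on.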
- Executive Questions:
·Have we locked down optional ports and services?
·Have we scanned our own machines to make sure?
-
Tip: Protect Against SQL Injection Attacks
You've probably heard of SQL, Structured Query Language. It is the lingua franca of relational databases.
- If you're running an e-commerce website, there's likely a database involved.
- Each time a visitor browses a product page, the pricing, copy, and image are likely pulled from one of your databases. Each time a visitor adds something to their cart, signs up for your email, or requests a catalog, the information is likely pushed into one of your databases.
- There's the rub: visitors have a channel to talk to your database. If the website is coded carefully, there's no problem with this -- the site needs its database to provide and receive information.
- The problem is sometimes websites aren't coded carefully. In such cases, hackers can paste sneaky characters into your forms or URLs to run commands against your database. This could let them use your database in ways you did not intend.
- Sql Injection Attack: An Analogy
A "SQL injection attack" is pushing code into a slot where your system expected data.
- Here's an analogy.
- Say you were on a large conference call with many folks calling in from across the country. The moderator starts the call by asking the callers to take turns introducing themselves. "Bob & Bill here, New York office." "Cindy, calling in from Dallas." And so on.
- If you wished to cause trouble, when it was your turn to say your name, you might chirp, "This is the AT&T operator, suspending this call due to technical problems. Please hang up and dial in again."
- That 19-word sentence is not your name -- what you've done is place executable code (here, verbal instructions) where data was expected (here, your name).
- If the application wasn't designed well (here, the prior expectations of call participants), this silly stunt could disrupt the call.
- As crazy as that sounds, that's the essence of SQL injection. A hacker constructs a special string containing unusual characters (like quote, apostrophe, percentage, etc.), plugs this string into a form on your website, or into a parameter in a URL string, and thus gets your database to run SQL of the hacker's choosing instead of yours.
- Readers wanting a more concrete example can read Steve Friedl's excellent essay on sql injection attacks, or Chris Anley's more technical suggestions on the topic.
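The conference-call trick carried out against a database, as an added example that is not from the article: a catalog-order lookup written with string concatenation, beside the same lookup as a parameterized query, both run against an in-memory SQLite table whose rows are constructed here. The table, the order numbers and the two injection strings are my assumptions. The first string uses the apostrophe to close the literal the site opened and appends an always-true condition; the second uses UNION to pull the card column out through a query that was only meant to return order numbers, which is the "view private data" outcome the next section describes.

```python
"""Added example, not from the article: SQL injection against string-built SQL, and the fix."""
import sqlite3

# Constructed sample data (not real orders): what a catalog site's table might hold.
SAMPLE_ROWS = [
    ("ORD-1001", "alice@example.com", "4111111111111111"),
    ("ORD-1002", "bob@example.com", "5500000000000004"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_no TEXT, email TEXT, card TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, order_no):
    """Builds SQL by concatenation: whatever the visitor typed becomes part of the statement."""
    sql = "SELECT order_no, email FROM orders WHERE order_no = '" + order_no + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, order_no):
    """Parameterized query: the value travels separately from the SQL and can only ever be data."""
    sql = "SELECT order_no, email FROM orders WHERE order_no = ?"
    return db.execute(sql, (order_no,)).fetchall()


# Two constructed attack strings. The apostrophe closes the literal the site
# opened; everything after it is SQL the site never intended to run.
TAUTOLOGY = "x' OR '1'='1"                                          # returns every row
UNION_DUMP = "x' UNION SELECT card, email FROM orders WHERE '1'='1"  # returns the card column

if __name__ == "__main__":
    db = make_db()
    print("honest lookup, vulnerable :", lookup_vulnerable(db, "ORD-1001"))
    print("tautology, vulnerable     :", lookup_vulnerable(db, TAUTOLOGY))
    print("union dump, vulnerable    :", lookup_vulnerable(db, UNION_DUMP))
    print("tautology, parameterized  :", lookup_safe(db, TAUTOLOGY))
    print("union dump, parameterized :", lookup_safe(db, UNION_DUMP))
```

Parameterization removes the whole class of problem rather than one string; it does not replace least privilege on the database account (the web application's login has no business being able to read the card column at all) or the outbound firewall rule the executive questions below ask about.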
- Automated Tools For Sql Injection
Automated tools facilitate SQL injection attacks.
- To expose this vulnerability, Application Security Inc published DataThief, a SQL injection wizard aimed at MS SQL Server.
- What could a hacker do once inside your database?
- They probably could view private data.
- And they probably could destroy private data.
- Worse, pernicious hackers could possibly export the database in its totality to a remote server under their control. While companies protect their database servers from inbound attacks, fewer restrict their database from making outbound requests. (Database administrators like outbound access to download patches.)
- Some database platforms offer convenient replication functions to copy a database from one server to another, and hackers have used this capability to move corporate data en masse to off-shore havens.
- Executive questions:
·Is our site secure against SQL injection attacks?
·How do we know?
·Can our database servers send information out across our firewall?
·If so, could we turn off this outbound access?
-
Tip: Follow Credit Card Security Guidelines For Retailers
Mastercard and VISA provide guidelines for merchants on network and credit card security.
- The VISA guidelines are called the "Cardholder Information Security Program," or CISP. These guidelines provide explicit instructions on best-practices for safeguarding your data.
- "A formal full-blown CISP audit is extremely arduous and can cost over $100,000," reports Cornejo of Blue Ridge InterNetworks. "However, merchants can start by assessing themselves."
- The CISP guidelines are freely available: search for "PCI self assessment questionnaire" at usa.visa.com.
- For example, the guidelines require that merchants encrypt credit card numbers immediately upon collection, store credit card numbers in their databases in encrypted format, and only decrypt numbers when needed for processing. The guidelines also require the CVV2 field never be stored.
- The guidelines offer best practices to harden your routers, servers, databases, applications, processes, and procedures against hackers.
- Executive Questions:
·How compliant are we with CISP guidelines?
·Where do we store credit numbers?
·How exposed are those machines?
·Do we store credit card numbers in the database encrypted or in plain text?
·Do we store CVV2 numbers?
-
Understand The Risk Of Web Attack
Web site security is a huge topic. This article just scratches the surface. You can find an expanded list of references and links here.
- However, security is a complex technical challenge, and is an area where expert advice is well worth the expense.
- As a catalog executive, you must understand the risk of web attack is real and significant. Your site is probably vulnerable. Your site is definitely a target. Ignoring this issue threatens your site, your brand, and your customers.
- May your fear drive you to action, and may your actions safeguard your site from hackers.
- Refer: www.rimmkaufman.com/articles/web-security-for-catalogers/onepage.html
Web traffic monitoring Comparison: Google vs. VisiStat
Date:10/26/2007
- Usability/Look and Feel
Google provides their traditional simple and clean interface with AJAX integration, so navigating from report to report is seamless. When a user logs in, he/she is immediately presented with an Executive Overview, which displays both colourful and easy to read charts showing visitor and referral data. Google also offers a few other summary dashboards targeting conversions, marketing (referring sources, campaigns, and keywords) and content (top content, exits, and entrance points). Google has left hand navigation where reports are logically grouped into a tree/node menu system. The date range selector is simple to use and makes it very easy for users to select a given day/week/month or apply a custom date range.
- VisiStat’s interface relies heavily on icons and graphics to best represent their reports. Their interface is somewhat unconventional, in that it uses both top and left side navigation, where the top navigation consists of 10 different icons representing the various types of reports, and the side is an expandable menu which lists the reports vertically. The side navigation is effective in saving real estate but I wish it would follow me down the page as I scroll through a report. The reports are clear and are easy to read by a user - no matter what their level of expertise is. Another small option that would be nice to have is once a user has selected a date or range, to hold that value for every report thereafter.
[Google Analytics: 8/10]
[VisiStat: 7/10]
- Reports and Data
I heard that Google numbers (page views/visitors) are slightly lower compared to other analytics vendors and I notice this almost consistently when I compare my Google numbers to that of my StatCounter. VisiStat in July was 10% higher in page views and 2.5% lower in Unique Visitors than Google. This being said, no analytics software is 100% accurate - in many cases probably not even 70% accurate so you have to take all data with a grain of salt and measure metrics in terms of percentages (and watching for trends) rather than using them for hard numbers.
- I find that Google’s reports appeal to different users in an organization because of the customizable views its reports include (Executive, Marketer and Webmaster). I also like the accessibility of the segment feature which helps further break down metrics such as top pages and referring domains. I think I have been a little spoiled by using SiteCatalyst and HBX’s path analysis so Google’s and VisiStat’s pathing reports really don’t stack up. I know I am comparing Google Analytics and VisiStat but SiteCatalyst and HBX make it much simpler to see abandonment rates and determine pathing trends. Having Google AdWords reporting within the rest of the analytics is a nice bonus when having to compare organic vs. PPC performance.
- VisiStat offers many different reports all with easy to read charts and numbers. When viewing summary reports such as their visitor Totals report I am able to segment to see visitors by hour with a single click and then further segment that hour down to Referring URL, ISP information, Geo Location and content viewed with an additional click. A standard piece of functionality that they need to add consistently to all their reports is the ability to see data for a selected data range, rather than just the top X or a summary of all-time data. However, unlike Google, VisiStat’s reports are always in real-time, in fact they have a report which shows visitors and activity as they are browsing through your site.
[Google Analytics: 7/10]
[VisiStat: 7/10]
- Bang for the Buck
It’s difficult to compete with something that’s free of cost, such as Google Analytics, but with starting prices of $15-19/month, VisiStat comes pretty close. Google’s product is free and now can be set up within 15 minutes. Once you're all set up you will have access to an excellent analytics solution which includes the ability to track up to 5 different sites, user management and over a dozen quality reports. Version 4 of VisiStat comes with some pretty cool add-ons geared towards measuring user behaviour such as: Click Path, Custom Page Tracking, Link Tracking and Live Page Visits. VisiStat’s add-ons, such as their AdCam (campaign management trackers) and PageAlarm (website monitor) can be added for less than $10/month each.
[Google Analytics: 9/10]
[VisiStat: 7.5/10]
- Refer: http://www.enquiro.com/marketing-monitor/Web-Analytics-Comparison-Google-VisiStat.asp
Companies step up e-mail monitoring
Date:10/19/2007
- According to research from Forrester Consulting, 44 per cent of large corporations in the United States now pay someone to monitor and snoop on what's in the company's outgoing mail, with 48 per cent actually regularly auditing e-mail content.
- The Proofpoint-sponsored study found the motivation for the mail paranoia was mostly due to fears that employees were leaking confidential memos and other sensitive information, such as intellectual property or trade secrets, with 76 per cent of IT decision makers concerned about the former and 71 per cent concerned about the latter.
- Porn and ropey jokes still figure on the list of concerns for execs, though, with 64 per cent admitting to worrying about "inappropriate content and attachments" on the e-mails. What worries those in charge of tech most about their staff e-mails differs depending on the size of the business, the study found.
- The smaller the enterprise, the more likely it was to worry more about attachments and less likely to be troubled by the possibility the e-mail won't be up to compliance standards set by Sarbanes-Oxley and other legislation.
- Understandably, with Basel II and similar looming, financial services was the vertical that is the most concerned with meeting compliance targets--as they should be, it appears.
- A survey of UK financial institutions found that around half would be unable to find an e-mail over three years old; storing e-mail is a key demand of the new legislation.
- Refer: http://news.zdnet.com/2100-1009_22-5276512.html
Is your web site healthy? A summary of web site monitoring services
Date:09/16/2007
- Hypothetical situation
Scene A:
Here is your online shop, which brings you a lot of money, but one day your web site cannot be accessed from somewhere and you know nothing about it. Later you find your income decreasing sharply; eventually, you may even find that your site cannot be visited by anyone.
Scene B:
I'm a heavy internet user and love reading novels and visiting BBS sites. Recently, I found that one of my favorite BBS sites could not be accessed. I was very frustrated, because the site was very unstable. Then I decided to leave this BBS and look for a new BBS that has more stability.
- The point is: the health of your web site is critical! Its value may relate to your money, your online friends or your business, etc. But "what is a healthy web site?"
- The definition of a healthy web site
- We define a healthy web site by two things: accessibility and speed. Either of these factors can determine whether your web site is considered healthy.
- "The problem is, how do I know my web site is healthy for users from all over the world?"
- How do you know your web site is healthy?
An online monitoring service, basically, monitors the accessibility and response time of the client's web site at certain intervals and from certain locations. Once there is something abnormal, the monitoring service sends the client an alarm saying at what time and date, and from which location, your web site was not accessible. Through this kind of alarm and routine check, you can find problems quickly and fix them, so you can avoid visitors leaving.
- An online monitoring service provides more than just accessibility and response time functions. You can also get your rival sites' health status; you can learn whether your ISP provides you with high-quality service; you can even customize monitoring parameters and data reports. All this, and more than you can imagine!
- “Where can I get such a service?” At present only some companies provide such a service, like Keynote and Gomez, but the price is expensive. There are also services from some small companies, like SiteUptime, but its service is really limited even though its price is low. And there are some new service providers, like YouMonitor.Us, which provides a high-performance, free service. You can have a try!
New trend of web site monitoring
Date: 09/16/2007
- Recently, competition between web sites has become more and more severe. After competing on new ideas, providing constant, efficient service has become the next battleground.
- Everybody knows that web site performance is important, but because most people's energy goes into creative design, feature development and online promotion, performance ends up being neglected and becomes a limitation.
- Meanwhile, as the web master of a small web site, I am not willing to sit in front of a screen monitoring the site all the time, and I don't want to hire two employees to monitor it 24*7, because that is too expensive. So monitoring a web site in an economical and efficient way is a real problem.
- After a period of research, I'd like to share my experience.
- Monitoring can be divided into internal monitoring and external monitoring
- Internal monitoring
Internal monitoring means monitoring memory, CPU and disk read/write on the server itself through programs and scripts.
- The method I currently use is to obtain the monitored values through the usual monitoring commands (top, vmstat and free).
- For example, as we know, the free command shows memory usage. Normally the value of free + buffers + cached can be taken as the amount of available memory. We can get this value regularly and compare it with a pre-defined threshold value. Once it is above the threshold value, an email is sent to us through the sendemail command.
- CPU, disk and processes are handled similarly.
- Such monitoring scripts can basically meet our low-level monitoring needs. If needed, you are welcome to send us an email to get the source code (meigenzh@gmail.com).
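The memory check described above, written out as an added example (not the author's script, which is only available by e-mail). It reads the output of `free -k`, computes available memory, and alerts when it falls below a threshold; the `free` samples are constructed, and the threshold and the `mail` command are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: parse `free -k` output, work out
# available memory the way the post describes (free + buffers + cached),
# compare it with a threshold and mail an alert when it drops below.
# The mail command and the threshold are assumptions.

# Constructed sample in the older procps layout the post refers to
# (separate "buffers" and "cached" columns), values in kB.
SAMPLE_FREE_OLD='             total       used       free     buffers     cached
Mem:       2056060    1912488     143572      204588    1187176
-/+ buffers/cache:     520724    1535336
Swap:      1048568          0    1048568'

# Constructed sample in the newer layout, which reports "available" directly.
SAMPLE_FREE_NEW='              total        used        free      shared  buff/cache   available
Mem:        2056060      520724      143572        8192     1391764     1501200
Swap:       1048568           0     1048568'

# available_kb: read `free -k` text on stdin and print available memory in kB.
# Old layout: free + buffers + cached; new layout: the "available" column.
available_kb() {
    awk 'NR == 1 { newfmt = ($NF == "available") }
         $1 == "Mem:" { print (newfmt ? $NF : $4 + $5 + $6) }'
}

# check_memory THRESHOLD_KB: reads `free -k` text on stdin; succeeds when
# available memory is at or above the threshold, fails when it is below.
check_memory() {
    avail=$(available_kb)
    [ -n "$avail" ] && [ "$avail" -ge "$1" ]
}

# alert_if_low THRESHOLD_KB RECIPIENT: run the live check and mail on failure.
# Run it from cron at the interval you want; `mail` is an assumed mail CLI.
alert_if_low() {
    if ! free -k | check_memory "$1"; then
        printf 'Available memory below %s kB on %s\n' "$1" "$(hostname)" \
          | mail -s "Memory alert on $(hostname)" "$2"
    fi
}
```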
- External monitoring
Building on internal monitoring, we can ask whether others could monitor our service without logging on to our server.
- If there were a way to simulate end users' actions and monitor our service externally, then whenever the simulated users are not satisfied, that is, the web site service is abnormal, we could be informed by email, telephone or mobile phone message, and our workload would be reduced.
- If that requirement seems a little too high and you can't build it yourself, that's ok. Why not try your luck on the internet? Here are some services:
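A minimal external probe of the kind described, as an added example that is neither the author's code nor that of any of the services listed below: it fetches a URL the way an end user would, records the HTTP status and total time, and classifies the result as ok, slow or down so that an alert can be raised. The time threshold, the curl options and the `mail` command are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: an external availability and
# response-time probe in the spirit of the post. evaluate_probe holds the
# decision logic so it can be exercised offline; probe_site needs network.

# evaluate_probe STATUS TIME_SECONDS MAX_SECONDS
# Prints "ok", "slow" or "down" and returns 0 only for "ok".
evaluate_probe() {
    status="$1"; elapsed="$2"; max="$3"
    case "$status" in
        2??|3??) ;;                   # reachable: success or redirect
        *) echo down; return 1 ;;     # curl failure (000) or 4xx/5xx
    esac
    # seconds are decimals, and sh's [ ] only compares integers, so use awk
    if awk -v t="$elapsed" -v m="$max" 'BEGIN { exit !(t > m) }'; then
        echo slow; return 1
    fi
    echo ok
}

# probe_site URL MAX_SECONDS: one real probe using curl.
# --max-time bounds the whole request; on failure curl reports status 000.
probe_site() {
    url="$1"; max="$2"
    result=$(curl -s -o /dev/null --max-time "$max" \
             -w '%{http_code} %{time_total}' "$url" 2>/dev/null || true)
    status=${result%% *}; elapsed=${result##* }
    evaluate_probe "${status:-000}" "${elapsed:-0}" "$max"
}

# alert_if_abnormal URL MAX_SECONDS RECIPIENT: mail on anything but "ok".
# Run from cron on a host outside your own network; `mail` is assumed.
alert_if_abnormal() {
    verdict=$(probe_site "$1" "$2") || \
      printf '%s is %s as seen from %s\n' "$1" "$verdict" "$(hostname)" \
        | mail -s "Site alert: $1 $verdict" "$3"
}
```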
- 1. Internet Supervision
- Address: http://internetsupervision.com
Monitor your web site for free. The testing interval is 15 minutes during the first 90 days; after that the interval becomes 24 hours. Its advertisement code must be added to your web site.
- According to its introduction, the monitoring focuses on accessibility, performance and content. They provide five monitoring locations: Washington DC, Detroit, Chicago, Los Angeles and Santiago. The other two are in Gloucester, UK and Sydney.
- For free users, the testing interval is 15 minutes during the first 90 days; after that it becomes 24 hours. Its advertisement must be added to your web site, and you must accept an annual web survey.
- 2. Monitwitter
- Address: http://twitter.com
This is a well-known third-party service built on top of Twitter. Monitwitter means Monitor + Twitter. It provides running information about the user's web sites and mainly focuses on error and load-time monitoring. After registering an account, users can add their own web sites; each user can add more than one. When adding a web site, the user needs to supply their Twitter account information. Error information is sent to you only when an abnormal situation occurs. Load-time monitoring tracks the loading time of the web site; you are informed on every ping, but if that feels too frequent, you can open a separate Twitter account to receive the load-time information.
- 3. YouMonitor.Us free monitoring service (recommended)
- Address: http://youmonitor.us
The service on this site can basically meet our personalized requirements.
On the main page, you can try its external service to monitor one web site without registering.

- Here you get real-time visiting speed statistics from five cities. Among them, three monitoring points are in China: Hangzhou, Shanghai and Beijing.
- Besides the average visiting speed, it also gives a speed comparison chart where you can clearly see the difference between your site and the big sites.
- After testing, we found that the monitoring location for the same site varies, which means there are many monitoring points. YMU itself claims that its monitoring points are located all over the world.
- After registering and logging in, I can specify where the monitoring comes from. For example, if my web site targets US users, I can configure my monitoring location to any state of the USA. Its minimum monitoring interval is 1 minute.
- Free users can use the free service but need to provide one web server as a monitoring point. My present service includes:
•Simulated end users accessing from 10 different locations in China
•5 minute monitoring interval
•Email notice service
•10 mobile phone message notice per month
- I feel 10 mobile phone messages a month are not enough, but it is a free service anyway.
- Now my web site is monitored entirely by YMU. I needn’t check my web site frequently unless there is business analysis to do.