Email with the Subject "Yahoo! Security Warning" is a Scam

Recently, I got this kind of email,it seems like Yahoo! official email and said that you need to confirm your account,password, and other information since Yahoo! will delete unused email account due to congestion. Well, after did some online research I am quite sure it is a scam. First, it asks our password, I guest Yahoo! does not need to ask our password and other info since they already have it. In addition this kind of email usually has many typos such as the Yahoo word lost its "!" mark, which shouldn't happen in official email.

Yahoo! Easter Egg

Did you know that the new Yahoo! homepage has a hidden easter egg? Click the "!" mark on top left of www.yahoo.com and you will find funny sound "yahuuuuuuuuuuhuhu"

Computer for Toddler

Your neighbor told you that her 3 years old daughter has been able to draw a digital picture using computer. Your 5 years old nephew sent you an email said he loves to play online game now. How about your 2 years old son? Can he use mouse? Is he interesting to play funny game in your PC? What the best age for starting toddler to learn about computer? When the world is becoming more linked with information technology it is normal for any parents to assume that children should have computer skills as young as possible.

In contrast, there are plenty of opinions which say that parents should wait at least until child enters kindergarten before allowing them using computer. The main reason for delaying is the danger of information technology for children. Some experts said that introducing children to computer too early can disturb their social skills development.

There will be numerous question and debate about this matter. Certainly, we have known that every child is special. They can have interest to various different subjects even before they are able to talk. Parents shouldn't push their interest to children. Here some tips about how to introduce computer for our kid which I got from some references and discussion:

1.Wait until they are at least 9 months old
Before 9 months, children don't have physical abilities to communicate with computer. They also can't sit in proper and convenient position to use computer. Children younger than 9 months will only consider the computer as common toy and normally they don't have enough attention span to recognize the image on the screen. It is better to let them develop their psychomotor abilities during this age.

2.Let children build their own interest
Once more, waiting is the wisest way. Wait for our child to show that she interested. How she uses the keyboard? What is her response when she watches picture from the screen? If she seems responsive, we can continue for it. If not, it doesn't matter, we can try next time without pushing her.

3.Computer is not a baby sitter
Don’t use the computer as an electronic babysitter. As parents we should be next to our child when she use computer. Teach her and show her interesting pictures and games. Using computer is an opportunity for parents to create share time with children. Talk interactively with her and observe her responses carefully.

4.Limit the Time
Don't let id spend too much time in front of computer. For toddlers 15-30 minutes a day is sufficient to construct their skills. Take her to another activity if there are signs of addiction.

5.Choose proper software
Remember, they are still developing their brain. Don't give too confusing game or software which can be frightening. Experience is the most important part to construct their intelligence. Therefore parents should be smart and careful to select the proper software for kids. Simplicity is more important than feature.

6.Don't give them any target, everything should be fun
Child's world is about playing. There is no need to drill them mastering some skills which aren’t proper for their age. Instead for providing software which needs math and reading skill, parents should give toddler software with simple issue such as recognizing sound, learning shape and colours, and cause-effect subject. Create enjoyable and fun condition for them, remember they can be easily distressed if asked to do something they don't like.

7.Give special attention to internet
When our kids are able to access the internet, it is time for us to be more aware than before. Internet is really a double sided coin, which can give good or bad impact at once. Of course there are many useful websites for our kids such as www.noggin.com and www.uptoten.com. However, on the other side we have known how internet can give such negative impact to our children development.

8.Put the computer under your surveillance
Don't put the computer at the children's room. They learn very fast, even before you teach how to turn on the computer, they will easily do it. To avoid unnecessary trouble or addiction it will be better if you put your computer at living room or other room which easy to watch.

Wish this note will be useful.

Reference:
www.babycenter.com
www.mrdad.com
www.pubs.logicalexpression.com

Eclipse Overview

This article describes the overview of the Eclipse IDE (www.eclipse.org)

Eclipse Platform
The Eclipse Platform is designed and built to meet the following requirements [8]:
- Support the construction of a variety of tools for application development.
- Support an unrestricted set of tool providers, including independent software vendors (ISVs).
- Support tools to manipulate arbitrary content types (e.g., HTML, Java, C, JSP, EJB, XML, and GIF).
- Facilitate seamless integration of tools within and across different content types and tool providers.
- Support both GUI and non-GUI-based application development environments.
- Run on a wide range of operating systems, including Windows and Linux.
- Capitalize on the popularity of the Java programming language for writing tools.

The Eclipse platform's principal role is to provide tool providers with mechanisms to use, and rules to follow, that lead to seamlessly-integrated tools. These mechanisms are exposed via well-defined API interfaces, classes, and methods. The Platform also provides useful building blocks and frameworks that facilitate developing new tools.

Eclipse Functionalities
Basically Eclipse has three main functionalities [9]:
- A Java Development Environment
Eclipse is a superlative Java development environment. The philosophy behind the Java development tools in Eclipse is to make development process as productive as possible by automating mundane and time consuming operations and by providing advanced tools to help the developer.
The Java editor provides syntax highlighting, code completion, code assist and several complementary views to show the structure of the code and the tasks left to complete.

- A Tool Integration Platform
Eclipse is more than just an IDE, it is also a foundation or technology platform for tool integration. Eclipse provides a common way for all members of a team to work together to create, manipulate, and manage sets of resources.
Eclipse accomplishes this by providing architecture and a set of Java frameworks that make writing integrated tools easier. Experienced developer can use Eclipse to build tools and to integrate the myriad of tools which are used for doing the jobs. For example, developer can use the power and extensibility in the Java Development Tools (JDT) to create additional integrated Java tools. This feature is the main reason why author selects Eclipse as platform for this thesis.

- Open Source Community
Eclipse.org is a collection of technical professionals united by a common interest in using and contributing to the production of a base for tool integration and a set of tools integrated on that base or platform. Through collaboration, corporate professionals, researchers, members of academia, and individual developers who build on Eclipse can further the goal of producing interoperable products and offerings.
From the Eclipse website http://www.eclipse.org, it can be observed that “the mission of Eclipse Project is to adapt and evolve the Eclipse technology to meet the needs of the Eclipse tool building community and its users, so that the vision of Eclipse as an industry platform is realized.” The Eclipse Tools project is for those extending the platform or delivering tools based on it.

The Eclipse Look
The Eclipse user interface basically has three main parts:
- Editors
Editors allow developer to create and change resources, and are associated with a specific resource type. The main focus of developer will be working in an editor. The panes surrounding the editor support the active editing.

- View
A view presents a way to navigate through resources or other information in Eclipse. In Eclipse, the developer is allowed to change resources through view. Modifications made in views show up immediately, as opposed to work done in editors, where developer needs to save changes before they appear.
View can be resized, stacked, tiled, and placed on the shortcut bar. Views complement the file opened in the editor. When developers change data in a view, the contents of that file are modified when they save the file.

- Perspective
A perspective in Eclipse defines a set of editors and views arranged in an initial layout for a particular role or task. For example, the debug perspective is designed for the task of debugging source code. The initial layout of the Resource perspective lists folders and files in the Navigator view, and contains an editor area and supporting views such as the Outline and Tasks views. Eclipse can have one or more perspectives open at a time. Perspectives also can be designed with a predefined set of functions available through the menu bar and toolbar that you can perform while in the perspective. Eclipse has the following perspectives.
- Resource
- Java
- Java Browsing
- Java Type Hierarchy
- CVS Repository Exploring
- Debug
- Install/Update
- Plug-in Development

The Eclipse user interface is shown in the next figure

Secure Programming Overview

Secure programming applies security approaches in the programming/coding phase of software development. Secure programming techniques should be applied by programmer during the coding phase in order to increase the security level of the software.
Since the numbers of the vulnerabilities of software are unlimited, it will be difficult to determine the most important factor in secure programming. From several references such as [1] and [2] there are some aspects that can be mentioned here as the important factors to be applied into secure programming for increasing security level of the software.

1. Avoid Buffer Overrun
When the size of an array input is not verified, it is possible to write outside the allocated buffer. If such an action takes place in memory addresses higher than the buffer, it is called a buffer overrun. By entering a hostile input, the attacker could read addresses of the input character in the memory if buffer overrun happens. Consequently, the validation of input string is an important factor in order to avoid buffer overrun. Actually this flaw is not a big issue in Java since Java has input validation tool, called bytecode verifier.

2. Applying Cryptography
According to [2], strong cryptography is a critical piece of information security that can be applied at many levels, from data storage to network communication. People always think that cryptography is important to protect data from attacking. However, people usually are not realizing that the misapplication of cryptography commonly leads to the security problem.

3. Generate Random Numbers Properly
Random numbers is often required in order to provide a key in cryptography. Although random numbers seem as unimportant factor but it could guide to a problem in secure programming. Generate random numbers by using predictable manner will ease attackers to disturb our software. Thus developers need to consider the secure method for generating random numbers.

4. Applying Anti-Tampering
Reverse engineering has been known as a threat to the security of software. Although there are no easy answers for avoiding reverse engineering from a compiled code but developer can still apply anti-tampering methods in order to create obstacles for people who wants to gain the protecting information in their software.

5. Design Error Handling Properly
The most common problem in error handling occurs when the internal error messages provide too detail information such as stack traces which should not be revealed to the user. This simple information can be used by an attacker to disturb our software.

6. Injection Flaws
There are many programs which work by accessing the other programs or operating system features. If developers write a code that access to the operating system and the code does not have any protection, a malicious code could be implanted in the program and there will be possibility that the malicious code will be able to access the operating system also.

Besides the aspects above there are still many aspects for secure programming.
Java, which will be used as the platform of this research, is known as a programming language with large numbers of security features:
1. Java has no pointers, it means that a Java code is not able to directly access arbitrary memory locations in the address space.
2. As mentioned above, Java has bytecode verifier. This feature is very useful for avoiding buffer overflow attacks because this feature checks the length of the input before the execution. If the length is not proper Java will reject the input.
3. Java has fine-grained control over resource access for both applets and applications. For instance, an applet could be prohibited from writing or reading to disk space.
4. Java has a large number of library functions for cryptographic building blocks and SSL and authentication and authorization.

Currently, there are many existing methods and tools to help programmer for increasing the security level of their code. Some of them are:

A. Cryptography in Microsoft .NET platform [3].
The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). One CSP, the Microsoft RSA Base Provider, is included with the MS Windows operating system.
Each CSP provides a different implementation of the Cryptography API layer. Some provide stronger cryptographic algorithms, while others contain hardware components such as smartcards [plastic cards containing microchips that hold security data about the user]. In addition, some CSPs may occasionally communicate with users directly, such as when digital signatures are performed using the user's signature private key.

B. The Java Authentication and Authorization Service (JAAS) [4].
The Java Authentication and Authorization Service (JAAS) is a set of Java APIs that can be used for two purposes:
- For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
- For authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

JAAS authentication is performed in a pluggable fashion. This permits Java applications to remain independent from underlying authentication technologies. New or updated technologies can be plugged in without requiring modifications to the application itself. JAAS authorization extends the existing Java security architecture that uses a security policy to specify what access rights are granted to executing code. That architecture, as introduced in the Java 2 platform, was code-centric. That is, the permissions were granted based on code characteristics: where the code was coming from and whether it was digitally signed and if so by whom. With the integration of JAAS into the Java 2 SDK, the java.security.Policy API handles Principal-based queries, and the default policy implementation supports Principal-based grant entries. Thus, access control can now be based not just on what code is running, but also on who is running it.

C. The IBM Secure Shell Library for Java [5].
The Secure Shell (SSH-2 or simply SSH) is a protocol for secure remote log-in and other secure network services over an insecure network. The protocol consists of three major components:
- The Transport Layer Protocol provides server authentication, confidentiality, and integrity.
- The User Authentication Protocol authenticates the client to the server.
- The Connection Protocol multiplexes the encrypted tunnel into several logical channels.

IBM Secure Shell Library for Java is a lightweight implementation of the IETF SSH-2 protocol. The library currently implements only the basic SSH features such as password log-in and command execution. Advanced features such as tunning and X-forwarding are currently not supported.
A session is started with a handshake in order to determine the security mechanisms to be used (the client and server must, of course, agree on this). The process is as follows:
1. Decide on security parameters.
2. Establish a shared secret in order to protect the communication.
3. Authenticate the previous exchange.
4. Authenticate the client and server.

This process is similar to that of the SSL protocol (for good reason). From a high-level point of view, the main difference between the two is that SSL relies on a PKI and, therefore, on X.509 certificates. The SSH protocol was created with extensibility in mind and consequently supports a wide range of authentication methods, including passwords and X.509 certificates.

References
[1] Howard, M., LeBlanc, D., “Writing Secure Code – Practical Strategies and Techniques for Secure Application Coding in A Networked Word”, Microsoft Press, 2003
[2] Viega, J., Messier, M., “Secure Programming Cookbook – for C and C++”, Sebastopol, CA, O’Reilly & Associates, Inc., 2003.
[3] Microsoft Library http://msdn.microsoft.com/library/?url=/library/en-us/dncapi/html/msdn_cryptapi.asp
[4] Java Authentication and Authorization Service Documentation
http://java.sun.com/products/jaas/overview.html
[5] IBM Secure Shell Library for Java Documentation
http://www.alphaworks.ibm.com/tech/sshlite