Saturday, 12 November 2011

A discussion about Apple Innovation

I was trying to think about new technology that Apple has introduced and nothing came to mind. The following is a written discussion which took place between myself and some friends of mine who work in the computing industry. You may notice I am not exactly Apple's biggest fan and enjoy a good debate, but I always strive to keep them fair and factual.

Obviously all views in this discussion are those of the individual persons and not the companies or organisations they are affiliated with.


Scott Smith (Software Engineer @ Thales Group)

"That's a damn good question... Only thing that really jumps out is in the realm of video codecs. They developed a lot of the underlying technology for most of the formats we're used to seeing today.

This question is much easier to answer if the subject was Microsoft. You'd just have to head on over to Microsoft Research! There's some damn cool stuff there!"


Grant Anderson (Web Dev Lecturer @ Abertay University)

"Microsoft gets a bad rap when you consider Windows is like the only non-Unix OS, they made one of the first mobile OSes and IE isn't based on open source code?"

Scott Smith (Software Engineer @ Thales Group) 

"Another good example of Apple's inventions is the GUIs we are used to today. They invented the concept of menu bars and window buttons. Previous attempts before the Apple Lisa, in terms of GUIs, were screens made out of hyperlinks."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"I'll give you the dropdown menus but the GUI was stolen by both Apple and Windows from Xerox"


Scott Smith (Software Engineer @ Thales Group)

"The concept of the GUI wasn't invented by Xerox either, they were just the first to commercially use it. The first GUI was just hyperlinks and a pointer. I believe it was developed at Stanford."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"Didn't know about Stanford, Scott. I did know Berners-Lee didn't invent hyperlinks but I'd never looked up where they came from."


Simon Kilroy (Programmer @ Digital Goldfish) 

"Have you watched Pirates Of Silicon Valley Grant? It's pretty accurate in terms of the early days of both companies and shows how "innovative" they often both were."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"That rings a bell actually... might need to revisit that one."


Su Zuki (@ Dell) 

"Did you never hear of the PowerPC microprocessor? That said... RISC is what powers the ARM architecture today... based on which 90% of smartphones run today... another example would be the laptop trackpad."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"Apple didn't invent the microprocessor or the laptop trackpad."


Su Zuki (@ Dell)

"It was called the AIM alliance (Apple, IBM and Motorola)? The latest would be the Intel-Apple alliance to invent Thunderbolt..."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"I thought the first microprocessor was the Intel 4004?"


Su Zuki (@ Dell) 

"Sure... the Intel 4004 was the first MP... but RISC was way more powerful and futuristic than Intel at the time...

Apple may not be the most innovative company technology-wise... but it sure upped the stakes... without the Mac... we would still be sitting at Windows ME... and without the iPhone... multi-touch would still be in a lab... waiting for its turn to see the light of day... I would say the execution and time to delivery of Apple, based on its brand image, was second to none..."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"RISC sounds interesting. I would agree Apple have been successful at popularising technology. I'm not sure if we would still be at Windows ME, you have to give the various flavours of Linux their due. Was just reading about the PowerPC... didn't sound groundbreaking unless I missed something?"


Su Zuki (@ Dell)

"The PowerPC was a direct implementation of RISC."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"Wasn't the first system to use RISC by the Control Data Corporation?"


James B R Frame (Sales Manager @ Samsung)

"Steve Jobs' patents:"
http://www.nytimes.com/interactive/2011/08/24/technology/steve-jobs-patents.html


Grant Anderson (Web Dev Lecturer @ Abertay University)

"The patents don't really consist of new technology, just the way it's been assembled."


James B R Frame (Sales Manager @ Samsung)

"I would argue otherwise, as the very word 'invent' means: to devise / put together.
In the same way early man took a stone with a sharp edge and, with grass or a vine, bound it to a stick. Thus, using existing things (technologies), he invented the axe and/or hammer."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"Yes, putting things together to create something new is an invention... however Steve Jobs was not the first to assemble any of the items listed there... he just did it slightly differently."


Scott Smith (Software Engineer @ Thales Group)

"Steve Jobs never assembled anything... he was a businessman, not an engineer lol"


Scott Smith (Software Engineer @ Thales Group) 

"The first mass market laser printer was made by Apple, and it was a beaut! The Apple LaserWriter."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"The only innovative part of the LaserWriter was the PostScript interpreter... made by Adobe."


Mark Daly (Web Developer) 

"PostScript interpreter, I think Adobe stole the idea from Macromedia?"


Scott Smith (Software Engineer @ Thales Group) 

"There's a bit more to it than what Wikipedia says, Mark. Specifically to do with the way that it printed fonts. Basically it knew a handful of common fonts and so printed them more accurately."


Scott Smith (Software Engineer @ Thales Group) 

"To be honest, I can think of more that Apple has invented than Google has. I mean, look at Android, they didn't even make that, they just bought it."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"Really, Scott? I must say I'm a bit of a Google fanboy. They have created some fantastic online applications which they give away for free... an ethos right at the heart of Tim Berners-Lee's intention for the World Wide Web."


Scott Smith (Software Engineer @ Thales Group)

"Really, Grant? I hadn't noticed. You can't exactly say "give away for free" & "ethos" together when talking about Google. They make their money by passing on your online activities to other companies that wish to advertise to you. But anyway... the question is... what have they invented? Because I really can't think of much. Search engines existed, online office tools existed. They bought their mobile OS, email similar to Gmail has existed. Their social networking attempts are pretty awful (yes, Ping was awful too)."


Grant Anderson (Web Dev Lecturer @ Abertay University)

"They use advertising to pay for the mountain of other resources which are free... fair game in my opinion. I agree search engines existed but they did revolutionise the way they work using PageRank. As far as I know Analytics is quite unique, Google Street View was a first, and they created a CAPTCHA program which simultaneously digitises books and makes them available through their book search."


Scott Smith (Software Engineer @ Thales Group) 

"In terms of innovation, the only one I'll give you is Street View, as that was a massive project that really has changed the way we do things. I'm still amazed by it =]"

Tuesday, 21 June 2011

SQLIA


SQL Injection Attacks (SQLIA) are used to access or manipulate the data in a database by exploiting vulnerabilities which allow attackers to insert extra code into an SQL statement, altering its behaviour. This is usually due to the allowance of what is known as 'direct user input', where user-supplied data from a form is fed directly into segments of code and sent to the server without any validation or sanitisation (Razvan, 2009).

There are various SQLIA techniques which can be used by an attacker depending on the desired outcome. The different techniques are usually not used in isolation but rather in differing combinations with one another.

Possibly the most common technique is the tautology, which works by injecting code into a conditional statement so that it always evaluates to true, for example “' OR 1=1 --”. The leading quote closes the first string, and the 'OR' operator bypasses the original condition by allowing the tautology (1=1), which will always return true, to override it. The double dash at the end of the injected code comments out any remaining SQL in the statement. This technique is commonly used to bypass pages requiring authentication in order to extract data (Heydari, et al., 2010).

Vulnerable SQL statement:
SELECT *
FROM users
WHERE username='$username'
AND password='$password';
($username and $password are user submitted)

Altered SQL statement:
SELECT *
FROM users
WHERE username='admin'
AND password='' OR '1'='1';
(Example adapted from Luong 2010, p.11)


The tautology attack example illustrated above would authenticate the attacker under the admin account, provided there is an account with user 'admin', on the basis that although the password is unlikely to be blank, '1'='1' will always return true. Because AND binds more tightly than OR, the condition is evaluated as (username='admin' AND password='') OR '1'='1', so every row in the table matches; the attacker ends up in the admin account when the application treats the first row returned as the logged-in user.

Attacks utilising the UNION SQL operator, known as union-query attacks, give the attacker complete control of a secondary SQL query whose results are combined with the result set of the original. For example, an attacker could input “' UNION SELECT <> --”, which closes the first string and comments out the rest of the first query, then combines the empty results it returns with the results of the second query, written by the attacker (Balasundaram and Ramaraj, 2011).

Another type of attack attempts to execute stored procedures which come as standard with many database packages. These procedures are capable of interacting with the operating system and, once an attacker has discovered the DBMS in use, SQLIAs can be used to execute them. Beyond these are extended stored procedures, such as 'xp_cmdshell', which allows the execution of arbitrary command lines. For example “'exec master..xp_cmdshell 'dir'” will return a directory listing from the system (Balasundaram and Ramaraj, 2011).

A technique used in conjunction with others, in a bid to bypass prevention methods, is obscuring the injected string. By using character encodings such as ASCII, hexadecimal or Unicode, or by breaking up SQL keywords with comment blocks (/**/), scripts designed to search for injection, known as signature-based detection, are less likely to succeed. For example the string “' OR 1=1; --” can be encoded using ASCII to become “' OR 1-1; --”, or UNION can be replaced with UN/**/ION. String concatenation can also be used to join parts of strings into the malicious code using “+”, “||” or the SQL function “CONCAT”. For example 'UNI' + 'ON A' + 'LL' would become 'UNION ALL' but would not be detected by a script searching user input for the string 'UNION ALL' (Luong, 2010).

Databases are not only targeted for the data they hold but the operation of the database can also be a target. A common technique used to deny database services is executing a SHUTDOWN command. This will prevent any systems using the database from functioning correctly until the database is manually restarted by the administrator (Balasundaram and Ramaraj, 2011).

The threats posed by SQL injection are obvious, with an insecure system vulnerable to unauthorised access, manipulation, data loss, corruption etc. According to a report by the information security and forensics company 7Safe (2010), as can be seen in figure 1, SQL injection accounted for 40% of online attacks in 2010 and contributed to a further 20% as part of a combined attack.

Figure 1: Vulnerability leading to data compromise (7Safe 2010, p.18)

In these cases of data compromise monetary loss is a real threat, with payment card information accounting for 85% of data loss in 2010 (7Safe, 2010). In 2009 the credit card processor Heartland Payment Systems, along with four other companies, was the target of an SQL injection attack. This sophisticated operation resulted in the loss of data for 130 million credit and debit cards and the biggest identity theft case ever prosecuted in the US (Goodin, 2009). By mid-2010 Heartland Payment Systems had been forced to pay over $100 million in damages to the credit card companies MasterCard, Visa and American Express (Leyden, 2010).

Defending against SQL injection should be a high priority when designing an online system. Although it is impossible to implement a 100% secure system without removing all user interaction, there are steps that can be followed to minimise vulnerability. Any techniques implemented should be consistently re-evaluated and updated, as it is likely only a matter of time until methods to overcome them are found (Brown and Ragan, 2010).


SQL injection is made possible when user input is incorporated into an SQL statement, so user input should be kept to an absolute minimum and any input that is used should be scrutinised to the fullest extent. The characters permitted in any input should be limited to only those necessary. For example, a name field will not require the hash character, a common SQL comment syntax. Unconventional sequences of common characters should also be checked, for example the double hyphen, another common SQL comment syntax. In most cases the only non-alphanumeric characters that will be required are a single hyphen, a single apostrophe and the '@' sign. A limit can also be set on the types of operators allowed in SQL statements. For example, if a statement is designed only to read data from a database then allowing only the 'SELECT' operator within the query would prevent data manipulation or deletion (Razvan, 2009).
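The tautology bypass shown above and the input restrictions just described, as an added Python/SQLite example that is not from this post or from any of the cited papers: it runs the post's payload against a string-built query and against a parameterised one, and applies an allowlist to a name field. The table contents, column names and permitted character set are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for this example: an in-memory SQLite users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "alice-pw")])
    return conn


def login_vulnerable(conn, username, password):
    # 'Direct user input': the submitted values are spliced into the statement
    # text, exactly like the vulnerable statement shown above.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password):
    # The fix: placeholders. The values travel separately from the statement,
    # so quotes, OR and -- inside them are compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Allowlist for a name / e-mail style field, following the post's advice:
# letters, digits, a single hyphen, a single apostrophe and '@'. The dot is an
# assumption added here so e-mail addresses pass.
USERNAME_RE = re.compile(r"^[A-Za-z0-9@.'-]{1,64}$")


def username_is_acceptable(username):
    # Second check for sequences built from allowed characters that are still
    # SQL syntax: the double-hyphen comment and the /* */ comment block.
    if not USERNAME_RE.match(username):
        return False
    return "--" not in username and "/*" not in username


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # the post's tautology, submitted as the password
    print(login_vulnerable(db, "admin", payload))     # every row matches
    print(login_parameterised(db, "admin", payload))  # no row matches
```

With the string-built query the payload makes the WHERE clause true for every row, which is the precedence point above; the parameterised query simply looks for a user whose password is the literal text of the payload.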

There are some automated tools which can help prevent SQLIA such as the open source MySQL firewall GreenSQL, which works by evaluating SQL commands using a scoring matrix and blocking known administrative commands. Another firewall available is Applicure's dotDefender which works at application level using a set of security rules. A tool for use at development level is available from CodeScan Lab and works by scanning source code and generating a report highlighting vulnerabilities (Luong, 2010).


References:
7Safe. 2010. UK security breach investigations report: An analysis of data compromise cases. [online] Available from: http://7safe.com/breach_report/Breach_report_2010.pdf
Balasundaram, I. and Ramaraj, E. 2011. An approach to detect and prevent SQL injection attacks in database using web service. International Journal of Computer Science and Network Security. 11(1), pp. 197-205. [online] Available from: http://paper.ijcsns.org/07_book/201101/20110130.pdf
Brown, F. and Ragan, R. 2010. INFOSEC world conference 2010: Google and beyond. [online]. Available from: http://www.stachliu.com/slides/googleandbeyond.pdf
Goodin, D. 2009. The Register: TJX suspect indicted in Heartland, Hannaford breaches. [online] Available from: http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/
Heydari, M. Z., Massrum, M. and Tajpour, A. 2010. 2nd International conference on education technology and computer: Comparison of SQL injection detection and prevention techniques. [online] Available from: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5529788
Leyden, J. 2010. The Register: Heartland coughs $41m to settle MasterCard claims. [online] Available from: http://www.theregister.co.uk/2010/05/20/heartland_mastercard_settlement/
Luong, V. 2010. Intrusion detection and prevention system: SQL-Injection attacks. [online] Available from: http://www.cs.sjsu.edu/faculty/stamp/students/luong_varian.pdf
Razvan, R. 2009. Proceedings of the 3rd international conference on communications and information technology: Over the SQL injection hacking method. [online] Available from: http://www.wseas.us/e-library/conferences/2009/vouliagmeni2/CIT/CIT-19.pdf

Monday, 30 May 2011

Google Hacking


Google hacking is a technique for discovering a variety of website vulnerabilities and exploits, including database error messages which are used for footprinting. Complex search queries are constructed and then executed using popular search engines such as Google and Bing (Abdulghani, et al., 2010).

intitle:shop filetype:php "You have an error in your SQL syntax near"
(Example of a constructed query used in Google hacking)

If sensitive data has been crawled and indexed by a search engine then attackers can find it using cleverly constructed search queries built from the built-in search operators, such as the Google search operators shown in figure 1. Using these operators attackers can create very effective filters that return highly focused results. Because services such as Google cache pages, attackers can even remain anonymous while viewing a copy of a prospective target (Lancor and Workman, 2007).


Figure 1: Google search operators

Despite attempts by Google to reduce the risk of Google hacking it remains a significant threat (Brown and Ragan, 2010). Not only can it be used for footprinting databases but also for finding sensitive information, vulnerabilities in open source code and gaining access to security cameras (Abdulghani, et al., 2010; Brown and Ragan, 2010).

Defending against Google hacking should be a high priority when designing an online system. Although it is impossible to implement a 100% secure system without removing all user interaction, there are steps that can be followed to minimise vulnerability. Any techniques implemented should be consistently re-evaluated and updated, as it is likely only a matter of time until methods to overcome them are found (Brown and Ragan, 2010).

The prevention of Google hacking generally falls under three categories: error handling, access restriction and the security of common platforms. The first two are fairly straightforward. Error messages which could potentially be produced by the system should be suppressed by a site-wide policy. Access to non-public files and directories should be restricted and 'robots.txt' files should be configured correctly. Any unnecessary files or directories should also be removed from the server. The security of common platforms refers to the use of a publicly available system such as a CMS and is slightly more complicated to defend, depending on the number of systems used, as the vulnerabilities of each individual system need to be understood. These systems are easier targets for attackers because information about their structure, file names, administrator pages etc. is easily obtained from the vendor (Lancor and Workman, 2007).

Information on carrying out this technique can be found at the Google Hacking Database (GHDB) and should be used to “hack yourself” to check for vulnerabilities (Brown and Ragan, 2010).
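A "hack yourself" check in the spirit of the advice above, as an added Python example that is not from this post or from the GHDB: it scans already-fetched pages of your own site for the error-message signature in the post's sample query (plus a few similar ones) and verifies that a robots.txt rule covers a given path. The sample pages and robots.txt are constructed for this example; the signature list is an assumption.

```python
import re

# Body patterns that the search queries described above would surface once a
# search engine indexed them. The first is the exact phrase from the post's
# example query; the others are common verbose-error and listing signatures.
LEAK_SIGNATURES = {
    "mysql_syntax_error": re.compile(r"You have an error in your SQL syntax", re.I),
    "php_warning": re.compile(r"Warning:.*?on line \d+", re.I | re.S),
    "php_fatal": re.compile(r"Fatal error:.*?on line \d+", re.I | re.S),
    "directory_listing": re.compile(r"<title>Index of /", re.I),
}


def find_leaks(pages):
    """pages: dict of url -> response body, fetched from your own site.
    Returns a sorted list of (url, signature_name) for every match. A hit is
    a page that would answer a Google-hacking query and needs its error
    handling or access control fixed before a crawler reaches it."""
    hits = []
    for url, body in pages.items():
        for name, pattern in LEAK_SIGNATURES.items():
            if pattern.search(body):
                hits.append((url, name))
    return sorted(hits)


def robots_disallows(robots_txt, path):
    """True if robots.txt blocks crawling of `path` for all user agents.
    Simplified on purpose: only the 'User-agent: *' group and prefix-style
    Disallow rules are considered, which is enough to verify the
    'configured correctly' advice above for a given directory."""
    in_global_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_global_group = (value == "*")
        elif field == "disallow" and in_global_group and value:
            if path.startswith(value):
                return True
    return False


# Constructed sample crawl of a fictional shop (not real pages).
SAMPLE_PAGES = {
    "http://shop.example/product.php?id=1": "<html><body>Blue widget, 9.99</body></html>",
    "http://shop.example/product.php?id=1'": (
        "<html><body>You have an error in your SQL syntax near ''' at line 1"
        "</body></html>"),
    "http://shop.example/backup/": "<html><title>Index of /backup</title></html>",
    "http://shop.example/about.php": "<html><body>About us</body></html>",
}

SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n"

if __name__ == "__main__":
    for url, name in find_leaks(SAMPLE_PAGES):
        print(name, url)
    print(robots_disallows(SAMPLE_ROBOTS, "/backup/old.sql"))
```

A Disallow line only asks well-behaved crawlers not to index the path, and robots.txt is itself public, so the directories it names still need server-side access restriction as the post says.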

SearchDiggity, provided by the security consultants Stach & Liu, allows a domain to be automatically searched using both Google and Bing with thousands of constructed queries to test for vulnerabilities (Brown and Ragan, 2010). The company also provides an alert system consisting of a real-time RSS feed of newly indexed pages containing vulnerabilities.

References:
Abdulghani, M. A., Lubis, M., Reh, H. B. and Yaacob, N. I. B. 2010. Proceedings of regional conference on knowledge integration in ICT: A study on implementation and impact of Google hacking to internet security. [online] Available from: http://www.kuis.edu.my/ictconf/proceedings/298_integration2010_proceedings.pdf
Brown, F. and Ragan, R. 2010. INFOSEC world conference 2010: Google and beyond. [online]. Available from: http://www.stachliu.com/slides/googleandbeyond.pdf
Lancor, L. and Workman, R. 2007. Using Google hacking to enhance defense strategies. [online] Available from: http://legacy.lclark.edu/~jmache/sec/google.pdf

Tuesday, 3 May 2011

Notepad++

Some say Dreamweaver is for noobs and Notepad is for men, and I could argue there is some truth in this. As a web developer, using a plain text editor aids the learning of clean coding, sound semantics and CSS property:value pairs. However Dreamweaver isn't without its useful features, like syntax highlighting and built-in FTP.

Notepad++ is like the helpful offspring of Dreamweaver and Notepad. At its core it is a plain text editor but it comes with all kinds of niceties like:

  • Built-in FTP allows you to work in real time on your servers
  • Tabs allow you to easily work on multiple files at once
  • Not only is syntax highlighted but also matching braces and HTML tags
  • The WebEdit plugin and shortcut mapper allow you to easily wrap HTML tags around content
  • An 'Edit with Notepad++' option is added to the context menu to allow fast editing of files
  • Default file type can be set for any new tabs opened
  • It's open source with a good community and lots of interesting plugins that are easily installable.

Give Notepad++ a try and see what you think!

Tuesday, 26 April 2011

CSS Trickery



It can be frustrating making your website work properly in all browsers, especially when you use little CSS tricks. These are some of the tricks I use which usually work in most browsers.

Central Floating Column Website

This is a common layout used for websites and is usually achieved by wrapping the website content in a div with a declared width and automatic margin.

.wrapper{
width:80%;
margin:0 auto;
}

Note: width can be either % or pixels (px). The example uses the margin shorthand: with two values they apply to top/bottom then left/right; with four values the order is top right bottom left.

However this technique is not supported in IE. The text-align property of the html/body tag needs to be set to center; the text-align for the website content can then be set back to left in the wrapper class.

CSS becomes:

html, body{
text-align:center;
}
.wrapper{
text-align:left;
width:80%;
margin:0 auto;
}

Div Height

Some say the height of a div cannot be set as a percentage, others say it can only be achieved by setting the size of a hidden image in the div; both are wrong.

A div's percentage height is relative to its parent, so to set a div's height the height of the parent (e.g. body) must be declared. For example:

html, body{
width:100%;
height:100%;
}

.content{
width:100%;
height:100%;
}

Floats

Floats are often misunderstood. They do not float to the side of the content; the content flows around them. As well as declaring the floated element, the point at which to stop flowing content around it needs to be declared using the 'clear' property. I usually use preset classes for the floats and clear so they can be easily applied.

.fltlft{
float:left;
}
.fltrt{
float:right;
}
.clear{
clear:both;
}

Hover

The CSS pseudo-class ':hover' is usually used on anchor tags for links, however it can be used on almost any tag. For example:

.my_div:hover{
border: 1px solid #000000;
}

However, in order for this to work the DOCTYPE needs to be declared in the HTML file:

<!DOCTYPE HTML>
<html>
<head>
...

Thursday, 7 April 2011

Guide to Components

There are a lot of numbers and letters out there in the computer component world, but hopefully this guide will explain what to look out for.

It refers mainly to modern high-end components for gaming or multimedia design.

Processor

Recommended: AMD, Intel

Cores
There are currently three main core counts: Dual (2), Quad (4) and Hex (6). The more the better.

Speed
Ranging from around 2MHz to 4MHz, the faster the better.

Cache
Modern CPUs have an L3 cache ranging from around 2MB to 8MB, the higher the better.

Socket
CPU and motherboard sockets need to match to fit properly.

Motherboard

Recommended: ASUS, EVGA, Gigabyte, Micro-Star International (MSI), Sapphire, XFX

Chipset (northbridge)
There are two main chipset manufacturers, AMD and Intel. Although they have speeds, it is easier to distinguish chips by their model.

The main AMD models are 890FX, 890GX, 880G & 870 in descending order of 'power'.

The main Intel models are X58, P67(B3) & P55 in descending order of 'power'.
Note: P67(B2) chips have been recalled due to a hardware bug and should be avoided.

Front Side Bus (FSB)
Speed of data transfer between the CPU and the northbridge. The higher the better.

Multi-GPU
The chipset determines what graphics cards (ATI/Nvidia) can be used in a multi-card setup (CrossfireX/SLI). Some X58 and P55 boards can support both SLI and CrossfireX, but any board considered should be checked for what configuration is supported.

Socket
This determines what processors the board supports.

Memory
This determines the type, speed and maximum memory supported.

Expansion (PCI) Slots
These will determine what cards (graphics, audio, WiFi etc.) can be attached. PCIe 2.0 is measured in three speeds, x16, x8 & x4, usually decreasing per slot as more cards are added.

Size
There are many form factors but the two main sizes are ATX (standard) and micro-ATX (mATX).

Graphics Card

Recommended: ASUS, EVGA, Gainward, Gigabyte, HIS, Micro-Star International (MSI), Palit, PNY, Sapphire, XFX, Zotac

Cores
Some expensive high-end cards have two cores but most will have one.

Core Clock
Ranging from around 600MHz to 1000MHz, the faster the better.

Memory
Graphics memory is in GDDR5 format and ranges from around 512MB to 4GB, the higher the better.

Memory Clock
Ranging from around 800MHz to 1500MHz, the faster the better.

Memory Interface
Ranging from around 64-bit to 256-bit, the wider the better.

DirectX Support
Cards should support the latest DirectX version (currently 11).

Resolution
There are many resolutions which differ between cards and outputs (DVI/HDMI), but in general they will likely be between HD720 and WQXGA, the higher the better.


Memory (RAM)

Recommended: Corsair, Crucial, G-Skill, Kingston, OCZ

Size (storage)
Usually ranging from around 1GB to 4GB per module.

Type
The latest memory type is DDR3.

Speed
Ranging from around 1066MHz to 2000MHz, the higher the better.

Latency
Ranging from CL5 to CL9, the lower the better.

Power Supply Unit (PSU)

Recommended: Antec, Be Quiet, Coolermaster, Corsair, Enermax, Kingwin, OCZ, Silverstone, Thermaltake

Power
Ranging from around 300W to 1200W, the higher the better.

Connectors
Modular units only need the required connectors to be attached; non-modular units' connectors cannot be detached.

Connector outputs should match up with the required power inputs on the motherboard and graphics cards.

The following site can be used to get an idea of the power a system will require.

Solid State Drive

Recommended: Corsair, Crucial, Kingston, Seagate, OCZ, Western Digital

Capacity
Ranging from around 8GB to 1TB, the higher the better.

Read/Write
Ranging from around 30MB/s to 740MB/s, the higher the better.

Hard Drive

Recommended: Seagate, Western Digital

Size
Either 2.5" (laptop/SSD) or 3.5" (standard).

Capacity
Ranging from around 30GB to 3TB, the higher the better.

Speed
Either 54,000rpm (laptop), 72,000rpm (standard) or 10,000rpm, the higher the better.

Cache
Ranging from around 8MB to 64MB, the higher the better.

Cooler
A custom water cooling system is the best performing cooling solution; however these are expensive and complicated to install, therefore I have left them out.

Recommended: Coolermaster, Corsair, Noctua, Thermalright, Prolimatech, Zalman

There isn't a quantifiable way to choose a cooler but there are plenty of reviews out there. This is a list of some of the well regarded coolers:
  • Thermalright Ultra 120
  • Prolimatech Megahalems
  • Coolermaster V8
  • Corsair H50 or H70
  • Noctua NH-D14

Case

Recommended: Antec, Coolermaster, Corsair, Lian Li, Silverstone

Again it is hard to quantify what makes a good case and mainly it will be down to personal preference. The case should support the motherboard form factor, have enough room for any graphics cards, and its fans should have dust filters.

There are plenty of reviews online and this is a list of some of the most popular cases:
  • Coolermaster HAF 932
  • Coolermaster Cosmos
  • Antec 1200
  • Silverstone Raven 2

This has taken a lot longer than I first thought so I hope it is of use. I'm sure there are plenty of opinions and recommendations out there so feel free to leave them in the comments.

Monday, 28 March 2011

Font Embedding


Until recently, when undertaking a new website project I would tell clients and designers that their choice of fonts was very restricted. However CSS3 has made embedding fonts practical and some fantastic online services have made it simple, providing free multi-format font files supported in all major browsers. Google Web Fonts allows easy direct linking to its files but has a limited selection of fonts; however, with user-submitted fonts this selection should grow. For now I have been enjoying using Font Squirrel, which has a great selection, and its @font-face kits provide all the files you need plus the code to embed them.