Google Apps Mail – POP/IMAP/iPhone

As mentioned by our colleagues in Core Services, first year students have been given Edge Hill University Google Mail accounts. We’re a couple of months into the semester and the roll-out seems to have gone OK. Students have been able to happily click on the Mail link in GO and be taken directly to their mail. On their main GO Home tab they’ll also have seen the Mail box, which unfortunately wasn’t compatible with Google Mail. This has now been fixed, as you can see here:

[Image: Google Mail panel in GO]

Clicking on the “Google Mail” title will take you to your inbox. But a new thing with Google Mail is that you can now click on individual emails and be taken directly to that message in your inbox.

Please note that the Google Mail box only shows you unread mail. So if you haven’t got any new messages waiting then they won’t appear.

This was all made possible by a new development we’ve recently completed: password syncing to Google Apps. Previously, when you logged into Google Mail you either came through GO or you were redirected through GO to log in. This meant that we were handling authentication and checking your password directly against our systems before handing you off to Google. Now we sync GO passwords with Google, so if you’re not accessing your email through a web browser, Google can check your password against its copy.

Doing this enables you to get your Google Mail in any format you like. You can now follow Google’s instructions on how to set up your client for POP, IMAP and even ActiveSync for Windows Mobile and iPhone!

When following the instructions remember that you are a Google Apps user, and that your username for this is the one shown on the top right when you’re accessing your Edge Hill University Google Mail account.

[Image: Google Mail username shown at the top right]

Before contacting us with any problems ensure you check out Google’s very extensive Google Mail help.

Ste Daniels

R.I.P. GeoCities

[Image: under construction]

GeoCities, the site that hosted my first website – now thankfully lost in the depths of the ether – is no more. Ten years after being bought by Yahoo! for a ridiculous amount of money the internet is a very different place and what people want from a personal webpage is very different.

On behalf of all the people who got their first taste of web “design” by uploading dodgy HTML and animated GIFs, thank you!

JANET CSIRT

Today I was at the JANET CSIRT Conference, held at the International Coffee Organisation facility in London (I booked on before I knew where it was being held… honest!).

The conference covered a variety of security related issues and I’ll cover a brief summary below.

A shared approach to Information Security – Matthew Cook, Loughborough University

The EMMAN Shared Information Security Service (ESISS) can provide a complete portfolio of services to your organisation. These services are designed to reduce the risk of significant information security breaches and reduce the associated costs of prevention, management, remediation and audit activities.

Matthew Cook gave an overview of some of the services offered by a new shared service from EMMAN. Much of it was what you’d expect – consultancy, penetration testing, network health checks and so on but I was surprised by one of their new services.

Currently in development/testing and to launch in the new year, they’ll be offering reputation management to monitor the interwebs and send a weekly report to technical and PR/marketing teams to alert them of any problems with your site.  It will check social networks like Twitter, blogs as well as more technical problems like spam comments on blogs linking to dodgy websites.

There are a number of companies that offer this type of service already and it will be interesting to see how they differentiate themselves.  I’ve not looked at many other services but ESISS’ pricing doesn’t seem outlandish… as long as it’s of benefit!

The issue I have with it is the weekly nature of the email reporting.  A week is a long time in Twitter. Recent examples of #janmoir and #carterruck have exploded in a matter of hours so waiting seven days before detecting and responding to criticisms online isn’t an option.

I do hope ESISS are successful with this service – there are far too many snake oil merchants in the reputation monitoring game and so an organisation without the commercial pressures would be welcome but whether they’re able to keep pace with the fast changing social media landscape – as well as provide their more traditional consultancy services – remains to be seen.

The Value of Security Testing – Rory McCune, NCC Group

A great Security Testing 101 session which really helped bring me up to speed with some of the terminology involved. It showed the different levels of testing that can be undertaken.

The big thing I took away from this session is not to trust third party vendors.  They usually have no interest in security so either test software yourself, or as part of a consortium.  Get security written into contracts to ensure that it’s the vendor’s responsibility to fix any problems.

Traffic monitoring and basic anomaly detection with Netflow – Nick Reynolds, ULCC

Using the NetFlow protocol built into Cisco and some other network kit, Nick showed how they are monitoring traffic at student residences and FE colleges in London. Building on basic MRTG charts they provide more advanced reporting for staff within colleges who may not have the time or skills to undertake regular monitoring.  From there they have built pattern analysis software which can look for unusual traffic patterns passing through routers as a sign of breaches in security or usage policies.  Still a little rough looking but it shows what’s possible using a few open source tools and a little development time.
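To illustrate the kind of basic anomaly detection Nick described, here is a small added example (my own illustration, not ULCC’s software) that aggregates constructed NetFlow-style records per source host and flags two simple patterns: a host moving far more data than the median host, and a host touching an unusual number of distinct destination ports. The record layout and thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port, bytes);
# sample data for this example, not captured from any real network.
FLOWS = [
    ("10.1.0.5", "198.51.100.10", 443, 120_000),
    ("10.1.0.5", "198.51.100.11", 80, 40_000),
    ("10.1.0.6", "198.51.100.10", 443, 95_000),
    # one host touching 25 ports on a single peer with tiny payloads
    *[("10.1.0.7", "198.51.100.12", port, 60) for port in range(20, 45)],
    # one host moving far more data than its neighbours
    ("10.1.0.8", "203.0.113.4", 6881, 9_000_000),
]


def summarise(flows):
    """Aggregate per source host: total bytes sent and distinct destination ports."""
    total_bytes = defaultdict(int)
    dst_ports = defaultdict(set)
    for src, _dst, port, nbytes in flows:
        total_bytes[src] += nbytes
        dst_ports[src].add(port)
    return total_bytes, dst_ports


def flag_anomalies(flows, volume_factor=10, port_threshold=20):
    """Return {src_ip: [reasons]} for hosts whose traffic stands out.

    "volume": bytes sent exceed volume_factor x the median host's total
    "port_spread": distinct destination ports reach port_threshold
    Thresholds are assumed values; tune them against your own baseline.
    """
    total_bytes, dst_ports = summarise(flows)
    baseline = median(total_bytes.values())
    findings = defaultdict(list)
    for src, nbytes in total_bytes.items():
        if nbytes > volume_factor * baseline:
            findings[src].append("volume")
        if len(dst_ports[src]) >= port_threshold:
            findings[src].append("port_spread")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in flag_anomalies(FLOWS).items():
        print(host, ", ".join(reasons))
```

A real deployment would feed this from exported flow records (for example nfdump output) and compare against a rolling baseline rather than a single snapshot.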

SQL Injectors – Simon Baker, SEC-1

How to scare a web manager in 35 minutes…! Using Microsoft SQL Server and ASPX as examples – not tools we develop in directly, but we do have third party SQL Server/IIS systems – Simon demonstrated a few SQL injection attack vectors which seem alarmingly easy. Different attacks accomplish different things but with certain versions of SQL Server it’s even possible to execute commands!

If ever there was an argument for using an ORM to ensure all database interaction is correctly escaped then a session like this will prove it!  Prize goes to this session for best use of an xkcd comic strip in a presentation:
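The protection an ORM gives you is the same one a parameterised query gives you directly. As an added example (my own, not from the talk, using an in-memory SQLite table in place of the SQL Server systems Simon used), the first login check splices user input into the SQL text, so a quote character in the input rewrites the statement; the second passes the values separately, so the input can only ever be data. The table and credentials are invented for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_unsafe(conn, username, password):
    """The pattern the talk warned about: input concatenated into the query text."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement, so
    quotes or keywords in the input cannot change the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(conn, username, password):
    """Return (unsafe_result, safe_result) for the same input, for side-by-side review."""
    return login_unsafe(conn, username, password), login_safe(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    # A password field containing a stray quote changes the unsafe query's
    # meaning but is treated as a plain string by the parameterised one.
    print(compare(db, "alice", "x' OR '1'='1"))  # (True, False)
```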

Web Application Security, OWASP – Dinis Cruz, OWASP

Somehow Dinis managed to get through three presentations each with dozens of slides in his 40 minute slot!  I must admit it was a little bit too much to take in, but the general gist was that OWASP (Open Web Application Security Project) is great and that we should all get involved.  It certainly seems to have a lot to offer.  Their best known project is their Top Ten website vulnerabilities:

  1. Cross Site Scripting
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access

The use of a mature web framework helps avoid many of these problems but it’s probably time for us to do a full audit.

OWASP also offer a huge amount of other material from books to approval processes and tools.  One of their project strands concentrates on Education to get students trained up with the correct skills.  Dinis said something along the lines of:

The majority of IT Security professionals are screwed because they don’t know how to code.

Computing students and developers alike are well placed to get the skills required to create intrinsically secure websites – so-called “security experts” will struggle to match them on the details.

P2P File-Sharing and Copyright Infringement – Morgan Doyle, NetFort Technologies

Final session of the day was an interesting review of some research undertaken at NetFort into use of peer-to-peer file sharing – specifically BitTorrent – in a university environment and how it can be detected, tracked and reported on.  The reasons for wanting to do this were twofold – to be able to account for excessive bandwidth usage and to respond to DMCA notices.

I must stress that I Am Not A Lawyer, but I thought that DMCA was an American law so I’m not sure how it applies to UK file sharers, and that in most cases illegal filesharing was a civil offence. I’m not condoning breaking the law, but I do question whether it’s the job of universities to do the dirty work of rights holders.

Wrap Up

[Image: ICO translation booths]

So on the whole a very interesting day. Not necessarily what I expected but very useful and it’s given me lots to think about. The International Coffee Organization is a great venue – where else can you find translation booths and flags on the wall?! I must admit I was slightly disappointed in the quality of the coffee. It was okay filter coffee but I would have expected something a bit more… gourmet?

Finally, it was interesting to note how little backchannel activity there was on The Twitter. A single post from someone saying they were at the conference with the rest posted by me with a few comments from my followers. What – if anything – does this say about networking or security professionals in Higher Education? ;-)

Hot or Not?

[Image: heatmap]

Inspired by University of Bath’s post about how they deleted the internet, last week we installed some heatmap software to plot where on a page users click. We’ve had it running on a few pages and already some interesting patterns are showing.

We’ll be using these heatmaps to help us determine what’s working on the site and analyse behaviour patterns when migrating the intranet across to GO and in developing new designs for the homepage.

A stick of BarCamp Blackpool rock to the first person to identify which page the above heatmap comes from [excludes members of Web Services].

PHPNW09 Round Up

Last weekend Janeth, Andy and Simon (from Business Systems Solutions) headed over to Manchester Conference Centre for the second Annual PHP North West Conference. Organised by volunteers from the PHPNW user group it has a great community feel to it yet has a great reputation.

A few thoughts about some of the sessions I attended…

The Uncertainty Principle – Kevlin Henney

Nice start to the conference and a well presented talk.  Main thing I picked up was that when presented with a choice you may not have to make a decision immediately.

Passing the Joel Test in the PHP world – Lorna Mitchell

Lorna Mitchell’s talk looked at how relevant the Joel Test is to PHP development.  We have some way to go before we pass completely and it’s something I’ll be looking at over the next few weeks.

Tools and Talent – Rowan Merewood

Plusnet’s Rowan Merewood gave a really good presentation about how they go about developing and deploying new tools.  I was a little preoccupied finishing my own talk so I’ll be interested to take another look at the video.

Making your life easier: Xdebug – Derick Rethans

I’ve been aware of Xdebug for a long time, and I may have even tried it out but this talk showed some of the nice ways it can be used.  Probably worth us having another look at deploying it on our development server.

Building an Anti-CMS – Michael Nolan

That’ll be me!  Think it went okay – a few suggestions for improvements on joind.in but it could have gone much worse!  You can see a slidecast of the talk on another post.

Integrating Zend Framework and symfony – Stefan Koopmanschap

Skoop’s talk covered how Zend and Symfony can be used together.  We actually already do this – our search engine is powered by Zend Lucene – but there’s probably more components we can use, and some of the new Symfony components look like they have potential.

Everything you wanted to know about UTF-8 – Juliette Reinders Folmer

Maybe a little too detailed for 10am on a Sunday morning, but interesting to see how difficult this problem is to solve.

Intro to OOP with PHP – Rick Ogden

Pretty basic introduction to OOP but we often forget that not everyone learns this stuff so it was good to see.

PHP 5.3 – Hot or Not? – Sara Golemon

If PHP 4’s unwillingness to die is anything to go by then 5.3 may take a while to adopt widely. There’s some nice features though and if they’re required for a future version of symfony then it’s well worth us starting to make use of them.

jQuery – Michael Heap

We use jQuery pretty extensively as part of GO and our corporate website so I understood most of the code demonstrated but it was nice to see how to create plugins.

That’s all for my quick round up of PHP North West 2009.  Overall a very good event.  Thanks must go to Jeremy, his team at Solution Perspective Media and Lorna Mitchell, without whom the conference wouldn’t happen.

Building an Anti-CMS

At last weekend’s PHP North West Conference I delivered a talk titled Building an Anti-CMS (and how it’s changed our web team).  Feedback has generally been pretty positive so I thought I’d open it up to a bit of constructive criticism from inside the sector (because every web team reads our blog, right?!).

Video from the talk itself is due out within the next month but I re-recorded some audio to turn it into a slidecast to make it a bit more useful:

I’ve given a number of talks before at Edge Hill, at BarCamps and at IWMW but for PHPNW I’ve tried to further develop my style of presentation. Over the last 6 weeks I’ve watched quite a few “Lessig style” talks – making use of lots of short sentences and pictures and not being afraid to have nothing on the screen.

It leads to a massive slidedeck – 86 slides for 13 minutes – and there’s far less room to ad lib but it gets away from some of the things that annoy me about regular death by powerpoint. I’ll let you make up your own mind whether it’s worked!

The end of Argleton is nigh!

I mentioned Argleton a year ago, Mister Roy has walked there and even the Ormskirk Advertiser has covered the issue but soon its days may be numbered!

Google has announced a new feature to allow users to report problems and suggest changes to maps. It’s currently only available in the US but you can see how it will work on this video:

I’ll be slightly sorry to see Argleton go but I’ll be glad to have my childhood home back!

Via Webmonkey.