MB362 - Electronic and Mobile Commerce - Kitty's Learning Journal

Tuesday, April 05, 2005

My final post this semester

This will be my final post in this blog (for this semester at least). The exam is coming. Anyway, I have learned a lot by forcing myself to read up and search for different articles on Electronic and Mobile Commerce to build this blog.

Our final presentation did not go well, although we tried our best. We didn't finish the whole presentation within 15 minutes. What a pity!

Anyway, I like this course, where I made my first business plan. I do want to try it out. It was a learning-through-experience process, not memorizing like other subjects. (Still worried about the exam.)

I would like to thank Professor Gilbert and my groupmates. You taught and helped me a lot. I will miss you all!

Monday, March 21, 2005

Article 12 - Electronic Wallets - Past, Present, and Future

This whitepaper outlines the history of the wallet concept, the role of wallets in society and the need for electronic wallets as we enter the information age. It also provides insight into the future capabilities of electronic wallets and the role they will play in e-commerce.

What can we expect from our electronic wallets?

  • Price comparison shopping
  • Bill payment
  • Personal information access including medical, insurance, investment reporting…
  • Virtual personal organizer storing calendar, contact, tasks…
  • Wireless purchasing at physical locations
  • Device to device person to person payments
  • Online shopping from mobile devices such as mobile phones and PDAs

More information @ http://www.gpayments.com/pdfs/GPayments_eWallet_Whitepaper.pdf

Learning Journal - week 12

E-commerce is a kind of business. The final aim of a business is to create value for our customers. In doing this, we have to know who and where the customer is and, more importantly, what they need.

And finally, how to make them pay more conveniently.
• The basic functions of online payment systems
• The use of payment cards in electronic commerce
• The history and future of electronic cash
• How electronic wallets work
• The use of stored-value cards in electronic commerce

Monday, March 14, 2005

Learning Journal - week 11

This session mainly talked about the security issue of computers and the Internet.
• Online security issues
• Security for client computers
• Security for the communication channels between computers
• Security for server computers
• Organizations that promote computer, network, and Internet security

Security problems have been a harassment since the day we started using PCs and the Internet. Viruses, hackers, terrorists... It seems they cannot be avoided as long as you can't stay away from your computer. Most of us have had the experience of being invaded by viruses. I have, twice already. It got me into a lot of trouble: the computer couldn't be used, a lot of work couldn't be done, I couldn't watch movies...

Hackers behave like water, taking the path of least resistance. Today this path leads over SSL, past the firewall, where nothing exists between them, the website, and the information it holds. This is how a web hacker views the world. Using a browser and a few simple tricks, hackers can penetrate a website, access a credit card database or sensitive member information, and make off with the goods unseen.

As the enterprise network perimeter has become more secure, intruders have progressed up the software stack to focus on the website itself. A report published by Gartner states that 75% of cyber attacks occur at the application layer. Even more alarming, over 90% of the websites we test have a medium- to high-level security issue.

These types of web attacks have familiar names like SQL Injection and Cross-Site Scripting. When securing our networks, we are conditioned to think in terms of firewalls, SSL, Intrusion Detection, and Anti-Virus. While these solutions certainly improve enterprise security, their impact on protecting the website is marginal. Contrary to popular belief, deploying a state-of-the-art firewall will not prevent a hacker from penetrating a gaping hole straight through to the website. To improve the security of our websites, we must dispel these and other widely held misconceptions surrounding web application security.

1) "A website that uses SSL is secure".
2) "A firewall protects the website, so it is safe from hackers".
3) "A network vulnerability scanner reported no security issues within the website, so it's secure".
4) "A web application vulnerability scanner reported no security issues within the website, so it's secure".
5) "Security assessments are performed on the website every year, so it's secure".

Secure Sockets Layer (SSL)
SSL does NOT make a website secure. The tiny SSL lock symbol located at the bottom of a web browser indicates that the information sent to and from a website is encrypted, and nothing more. SSL has no ability to protect the information stored on the website once it arrives. Many websites using strong 128-bit SSL have been hacked just the same as those that do not. The use of SSL has zero impact on the difficulty of breaking into a website and pillaging its data.

It's important to understand what role the lock symbol plays in the security landscape. Secure Sockets Layer (SSL) is an encryption protocol that enables a website to prove to a user that it is what it claims to be, and not an impostor eavesdropping on the conversation. SSL also ensures that if someone intercepts the conversation between the user and the website, the exchange cannot be read. SSL has absolutely nothing to do with how secure a website is or the manner in which a user's private information is safeguarded. When private data is stored on the website, the risk is at the server, not in the communications link.

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." - Gene Spafford.

Firewalls
Firewalls allow web traffic to pass through to a website, but lack the ability to protect the site itself from malicious activity. A web application is software that turns a website into an online bank, e-commerce store, message board, etc. These web applications remain vulnerable to attack regardless of any firewall currently in place.

In the traditional network security mindset, the idea has been to "Let the good guys in and keep the bad guys out." This is done through the use of firewall ACLs (Access Control Lists). Securely configured ACLs will deny everything from passing into a network except an allowed set of activity such as web traffic and email. Perform a port scan against any website and you will see port 80 open (for HTTP traffic) and often port 443 (for SSL traffic). Generally speaking, all other traffic is blocked by the firewall. No one from the Internet really needs to share your credit union's printer, do they?

After an ACL has allowed a visitor beyond the firewall and through to the website, all security protections provided become meaningless. The firewall has protected the printer, escorted email where it belongs and let the whole world into the website. The firewall's job is done. There is a new web security problem. How do you let the whole world in and make sure they play nice?

Network Vulnerability Scanners
Starting in the early 1990s with a tool called SATAN, system administrators and security professionals have used vulnerability scanners to point out network security issues. After fixing all the reported security issues, the site should be secure enough to be placed on the Internet. However, these vulnerability scanners neglect the security of the web applications running on the web server, which usually remain full of holes.

Network vulnerability scanners function by transmitting specially crafted traffic to target servers and collecting responses. The responses are analyzed and compared to thousands of "well-known" security vulnerability signatures (AKA checks). When a match is made between a check and a host response, a security issue is reported. Up-to-date scanners achieve over 99% vulnerability coverage on the average network, but sparsely target the web application layer.

Network vulnerability scanners miss the web application layer because there are no well-known security issues present in a customized website. Few organizations use the same software for their web applications. Therefore no existing weaknesses could be preprogrammed into the scanner ahead of time. It is important to understand that while the average web application in use today is woefully insecure, a network vulnerability scanner is incapable of identifying flaws other than those within its signature database. An off-the-shelf scanner will likely give a website a thumbs up, while five minutes later a web security expert would find a way to directly query the backend database and sensitive data.

Web Application Vulnerability Scanners
Even the best web application vulnerability scanners are only capable of identifying half of the security issues that could reside within a website. Security experts must find the rest. Web application vulnerability scanners are programmed to focus on the particulars of the web application environment. Scanning remotely, web application vulnerability scanners discover security issues within web applications without the aid of preexisting vulnerability signatures, source code or binaries. The reported results of a scan may include weaknesses with terms such as Cross-Site Scripting and SQL injection. However, today's web application vulnerability scanning technology is not as mature as its network-scanner cousins. Even a slight deviation from website programming standards can cause scanners to report thousands of false positives or, even worse, miss numerous vulnerabilities.

In the web application security world, scanners achieve only 50% vulnerability coverage and suffer from a larger false positive rate. Further, a scanner will never find a certain set of vulnerability classes since they require complex logical analysis currently reserved to human intelligence. A good example is the checkout process of an e-commerce website. A web application scanner might be able to access the first step of the process automatically, but is incapable of testing the rest of the flow for potential weaknesses. It is impossible for a scanner to determine if a price change made at step #2 will be mistakenly allowed by the website.

Security Assessments
The high rate of change in normal website code causes rapid decay in the accuracy of last week's security report, never mind last year's report. While it is responsible (and often times required) to have yearly security assessments performed on a website, the common web application life span requires more frequent security reviews. As each new revision of a web application is developed and pushed out to the public, the potential for new security issues increases. Every change to the website has the potential to introduce new security vulnerabilities, therefore security assessments need to be performed on an ongoing basis.

Whether a website is in the process of being developed or currently serving members, there are many security issues that need to be considered. Hopefully this information has dispelled some myths surrounding web application security and shed new light on the value of available security solutions. Here are some recommendations to help improve web application security:

Business Managers: Web application security assessments should be performed several times a year as web applications are updated. Every new line of code is potentially a new security issue.

Security Professionals: Use web application vulnerability scanners in combination with manual tests. The pairing ensures completeness throughout a large site and allows the operator to focus more attention on pinpointing logical issues with the application.

Application Developers: Never trust client-side input. This is the #1 cause of security vulnerabilities. Hundreds of millions of people you don't know have access to your software. Don't use what you don't expect to receive.
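The checkout flaw described in the scanner section (a price changed at step #2 being accepted) and the "never trust client-side input" rule above, as an added Python example that is not code from the original article: the catalog, SKUs, prices, request dicts and the checkout_* functions are all constructed for illustration.

```python
# Added example (not from the original post): a multi-step checkout where the
# step #2 form submits the cart. The "before" handler trusts the price the
# browser sent, which is the logic flaw the text says a scanner cannot detect;
# the "after" handler prices every line from server-side data only.
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("199.00"),
}


class CheckoutError(ValueError):
    """Raised when a checkout request fails server-side validation."""


def checkout_trusting_client(form):
    """Vulnerable: totals whatever price the browser submitted at step #2."""
    total = Decimal("0")
    for line in form["items"]:
        # Bug: price comes from the client, so an edited form lowers the total.
        total += Decimal(line["price"]) * int(line["qty"])
    return total


def checkout_server_priced(form):
    """Hardened: look up prices server-side, validate quantity, ignore client price.

    Returns (total, tampered_skus). A client price that disagrees with the
    catalog never changes the total, but is reported so it can be logged.
    """
    total = Decimal("0")
    tampered = []
    for line in form["items"]:
        sku = line.get("sku")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        try:
            qty = int(line.get("qty", 0))
        except (TypeError, ValueError):
            raise CheckoutError("quantity is not an integer")
        if not 1 <= qty <= 100:
            raise CheckoutError(f"quantity {qty} out of range")
        claimed = line.get("price")
        if claimed is not None:
            try:
                if Decimal(str(claimed)) != CATALOG[sku]:
                    tampered.append(sku)
            except InvalidOperation:
                tampered.append(sku)
        total += CATALOG[sku] * qty
    return total, tampered


if __name__ == "__main__":
    # Constructed step #2 submission with the price edited in the browser.
    form = {"items": [{"sku": "SKU-200", "qty": "1", "price": "1.00"}]}
    print(checkout_trusting_client(form))   # 1.00: the edited price is accepted
    print(checkout_server_priced(form))     # (Decimal('199.00'), ['SKU-200'])
```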

Monday, March 07, 2005

Article 10 - UK games industry 'needs support'

The video games industry in the UK is looking healthy but could do with more government support, according to a report by analysts Screen Digest.

More software and games are being sold overseas than are imported, a good sign for the economy, said the report.

I am just wondering where these games are exported to. China should be a big market. From another point of view, as a Chinese, I am really worried. Firstly, it is true that many local game companies in China are not strong enough compared to some foreign ones, so the market share is not domestic. Secondly, games can sometimes be a hazard to teenagers. I know friends in China who sank into online games and just can't get out. They forget to eat, sleep, study... Games can be a big market, it's true. But are they really good for us?

The Screen Digest report also highlighted the growing trend of buying games from places other than physical shops, such as online.

"Mobile and online have become significant markets in their own right and we expect all forms of networked games exploitation to account for 20% of the total Western world market by 2008," said Ben Keen, Screen Digest analyst.

View full article @ http://news.bbc.co.uk/2/hi/technology/4355913.stm

Monday, February 28, 2005

Article 9 - So what's the point of 3G?

Are you really clear about this question: what is the point of 3G? I don't know. Finding the answer is a bit more tricky, as the phone companies are discovering.

All the UK's mobile operators have launched 3G services and in 2005 they will start working hard to persuade existing customers to trade up and make efforts to poach new patrons from rivals.
But although the operators think that their customers are ready for 3G it is far from clear that their networks are as well prepared.

The big difference between 3G and existing phones lies in the network.
Third-generation networks are inherently more complicated because of the amount and sorts of data that people will want.

1. The vastly greater carrying capacity of 3G networks means that voice calls get much cheaper. (This is a big problem for phone firms, which currently get most of their money from people talking to each other.)

2. To compensate, operators running 3G networks have to get people using, and paying for, data services such as video clips, music tracks, games, weather reports etc.

Learning Journal - week 9

This is the first class after recess.

The development of some electronic devices/mobile terminals were introduced:
• Pagers and cell phones
• MP3 players
• Personal digital assistants
• Tablet PCs
• Laptops
• Synchronization of mobile devices

Mr Gilbert brought some old and heavy mobile phones and PDAs for us to see. Compared with what we are using today, they are hard to use.

Monday, February 21, 2005

Article 7 - Bloggers Unite! And Start Making Some Money

This article tells us about a new way of doing e-business, that is, through blogs. Can you imagine? Your blog can help you make money. Of course, you have to make it popular; otherwise people won't pay for it.

The reality of blogonomics is tough. It's not a get-rich-quick thing, nor is that why most bloggers are into it. Gaffin concedes he's not making much money off the ads -- a few bucks for every 1,000 times they're viewed on his site. But, he says, "If you become successful and become really popular, sure, you can make some serious money."

See full article @ http://www.ecommercetimes.com/story/41333.html

Learning Journal - week 7

In this class, we learnt about:
• Web server basics
• Software for Web servers
• Internet utility programs
• Web server hardware

The rapidly growing number of people in China who can use the Internet is really amazing today. But there is a problem: the Chinese government is trying to keep tighter and tighter control over those web users. It is true that you can't get access to many websites in China because the Chinese authorities control access to information on the web.

"People everywhere want to be able to use the internet for political communication, for getting news and information"
Christopher Cox, US Congressman

The way the company does it is not new. It allows a user inside China to access the internet, not through a system controlled by the government, but through a proxy server.
"The basic method of these technologies is to find a helpful computer in the United States or Canada or Europe that is willing to act as an intermediary for requests," said Ben Edelman, a fellow at Harvard Law School's Berkman Center for Internet and Society.

Detailed information @ http://news.bbc.co.uk/1/hi/technology/3548035.stm

Monday, February 07, 2005

Learning Journal - week 10

Next week we have to submit the proof-of-concept. We are quite confident in our concept. As stated in article 10, "Mobile and online have become significant markets in their own right and we expect all forms of networked games exploitation to account for 20% of the total Western world market by 2008". Our idea is actually based on an interesting mobile and online game. The only thing is that we are not sure whether we can present it clearly. And constructing the website will be time-consuming. Anyway, we have to do it.

Article 5 - Mobile boss Snook moves into health care

Hans Snook once predicted we would receive calls via earrings.

"I don't do anything unless it is fun. I have to believe in it, it has to be good for people. And it has to be profitable "
- Hans Snook, chairman of Carphone Warehouse

1985: Joined Hutchison Telecommunications in Hong Kong and rose to become chief of Hutchison UK
1994: Founded Orange
2001: Left Orange after France Telecom bought it
2002: Became chairman of Carphone Warehouse, and of Orange Thailand
2003: Moved into the health business

More detailed @ http://news.bbc.co.uk/2/hi/business/4328431.stm

Learning Journal - week 5

3G System Capabilities
(Before studying MB362, I had never heard of 3G and didn't know what it was about. But Mr Gilbert assumed we all knew that. I was really confused. So I had to search the Internet to get a general idea.)

Capability to support circuit and packet data at high bit rates:

  • 144 kilobits/second or higher in high mobility (vehicular) traffic
  • 384 kilobits/second for pedestrian traffic
  • 2 Megabits/second or higher for indoor traffic

Interoperability and roaming

Common billing/user profiles:

  • Sharing of usage/rate information between service providers
  • Standardized call detail recording
  • Standardized user profiles
  • Capability to determine geographic position of mobiles and report it to both the network and the mobile terminal

Support of multimedia services/capabilities:

  • Fixed and variable rate bit traffic
  • Bandwidth on demand
  • Asymmetric data rates in the forward and reverse links
  • Multimedia mail store and forward
  • Broadband access up to 2 Megabits/second

More detailed information @ http://www.fcc.gov/3G/#sec2