The authors are not responsible for the content of any external sites linked to from webdesignbook.org
All material on this site is ©2006–2007 MacAvon Media Productions and may not be reproduced without permission.
The Web Design Book Blog
Security Through Obscurity
A while ago I drew your attention to the way in which hackers are targeting the setup scripts of well-known Open Source applications. In particular, phpmyadmin is a popular target.
You might think that you could frustrate such attacks by changing the name of the directory in which the application is installed away from the default, which normally includes the application’s name and so makes the target visible to intruders. Here is a recent list of URLs causing 404 errors on our server:
/MyAdmin/: 2 Time(s)
/MyAdmin/scripts/setup.php: 2 Time(s)
/PMA/scripts/setup.php: 6 Time(s)
/PMA2005/scripts/setup.php: 6 Time(s)
/admin/mysql/scripts/setup.php: 6 Time(s)
/admin/phpmyadmin/scripts/setup.php: 6 Time(s)
/admin/pma/scripts/setup.php: 6 Time(s)
/admin/scripts/setup.php: 6 Time(s)
/db/scripts/setup.php: 6 Time(s)
/dbadmin/scripts/setup.php: 6 Time(s)
/myAdmin/: 2 Time(s)
/myAdmin//scripts/setup.php: 2 Time(s)
/myAdmin/scripts/setup.php: 2 Time(s)
/myadmin/: 2 Time(s)
/myadmin/scripts/setup.php: 8 Time(s)
/mysql-admin/scripts/setup.php: 6 Time(s)
/mysql/: 2 Time(s)
/mysql/scripts/setup.php: 8 Time(s)
/mysqladmin/: 2 Time(s)
/mysqladmin/scripts/setup.php: 8 Time(s)
/mysqlmanager/scripts/setup.php: 6 Time(s)
/nosuichfile.php: 5 Time(s)
/noxdir/nosuichfile.php: 6 Time(s)
/p/m/a/scripts/setup.php: 6 Time(s)
/pHpMy/scripts/setup.php: 6 Time(s)
/pHpMyAdMiN/scripts/setup.php: 6 Time(s)
/php-my-admin/scripts/setup.php: 6 Time(s)
/php-myadmin/scripts/setup.php: 6 Time(s)
/phpAdmin/: 2 Time(s)
/phpAdmin/scripts/setup.php: 2 Time(s)
/phpMyA/scripts/setup.php: 6 Time(s)
/phpMyAdmi/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.10.0/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.10/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.4/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.5/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.6/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.7/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.8/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.11.9/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.2.3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.2.6/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.0/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.4/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.5/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.6/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.7/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.8/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.3.9/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.0/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.4/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.5/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.6/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.7/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.8/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.4.9/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.0/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.4/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.5-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.5-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.5-rc2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.5/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.6-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.6-rc2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.6/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.7-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.7/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.8/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.5.9/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-alpha/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-alpha2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-beta1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-beta2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-pl2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-pl3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-rc2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0-rc3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.0/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.1-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.1-pl2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.1-pl3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.1-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.1-rc2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.2-beta1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.2-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.2-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.3-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.3-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.4-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.4-pl2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.4-pl3/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.4-pl4/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.4-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.4/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.5/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.6/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.6.7/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.6.8/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.6.9/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.7.0-beta1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.7.0-pl1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.7.0-pl2/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.7.0-rc1/scripts/setup.php: 6 Time(s)
/phpMyAdmin-2.7.0/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.2/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.3/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.4/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.5/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.6/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.7/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.8/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.7.9/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0-beta1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0-rc1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0-rc2/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0.1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0.2/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0.3/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0.4/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.0/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.1-rc1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.2/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.3/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.4/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.5/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.6/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.7/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.8/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.8.9/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.9.1/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2.9.2/scripts/setup.php: 5 Time(s)
/phpMyAdmin-2/scripts/setup.php: 5 Time(s)
/phpMyAdmin-3/scripts/setup.php: 5 Time(s)
/phpMyAdmin-4/scripts/setup.php: 5 Time(s)
/phpMyAdmin/: 2 Time(s)
/phpMyAdmin/scripts/setup.php: 9 Time(s)
/phpMyAdmin1/scripts/setup.php: 5 Time(s)
/phpMyAdmin2/: 2 Time(s)
/phpMyAdmin2/scripts/setup.php: 7 Time(s)
/phpMyAds/scripts/setup.php: 5 Time(s)
/phpadmin/: 2 Time(s)
/phpadmin/scripts/setup.php: 4 Time(s)
/phpm/scripts/setup.php: 5 Time(s)
/phpmanager/scripts/setup.php: 5 Time(s)
/phpmy-admin/scripts/setup.php: 5 Time(s)
/phpmy/scripts/setup.php: 5 Time(s)
/phpmyad-sys/scripts/setup.php: 5 Time(s)
/phpmyad/scripts/setup.php: 5 Time(s)
/phpmyadmin/: 2 Time(s)
/phpmyadmin/scripts/setup.php: 9 Time(s)
/phpmyadmin2/: 2 Time(s)
/phpmyadmin2/scripts/setup.php: 7 Time(s)
/pma/: 2 Time(s)
/pma/scripts/setup.php: 7 Time(s)
/pma2005/scripts/setup.php: 5 Time(s)
/scripts/setup.php: 5 Time(s)
/sqladmin/scripts/setup.php: 5 Time(s)
/sqlmanager/scripts/setup.php: 5 Time(s)
/sqlweb/scripts/setup.php: 5 Time(s)
/vhcs2/tools/pma/scripts/setup.php: 5 Time(s)
/web/phpMyAdmin/scripts/setup.php: 5 Time(s)
/webadmin/scripts/setup.php: 5 Time(s)
/webdb/scripts/setup.php: 5 Time(s)
/websql/scripts/setup.php: 5 Time(s)
(In case you’re wondering, phpmyadmin is not installed anywhere on our server.)
Pretty much any obvious alternative name you might choose has been tried, not to mention nosuichfile (sic). So if you want to hide your phpmyadmin installation by using an obscure directory name, you really need to choose something that has no obvious connection with phpmyadmin, PHP, SQL, mySQL, databases or administration. Even if you install phpmyadmin into a directory called jamsandwich, though, you are not really making the installation more secure. Eventually, intruders will find a way of scanning directories looking for known patterns of files and sub-directories within them.
Your safest option is not to install phpmyadmin at all. Use the command line, or Rails migrations or their equivalent, if you can. If you need to administer the database through a Web interface, make sure you keep the installation up to date so that known security holes are plugged, and choose strong passwords or use certificates to verify logins. By all means obscure the directory name, but don’t call it jamsandwich. They might know that one now.
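The 404 report above is the residue of exactly the kind of scan the post describes: one client walking a list of likely directory names and asking each for scripts/setup.php. As an added example (not code from the original post or from the phpMyAdmin project), the following Python script reads access-log lines in the common Apache "combined" format, groups setup.php requests by client address, flags any client that has tried several distinct directory names and only collected 404s, and, more importantly for the administrator, reports any such request that did not get a 404, since that would mean a setup script is actually reachable on the server. The log lines, the documentation-range addresses, the threshold of three distinct names and the function names are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format (assumed here): client, ident, user,
# [timestamp], "METHOD PATH PROTOCOL", status, bytes, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic; addresses are documentation ranges).
# 203.0.113.7 walks a name list like the one in the post's 404 report,
# 198.51.100.4 collects a single stray 404, and 192.0.2.9 receives a 200 from a
# setup script under a hypothetical directory, which is the case that matters.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2010:10:15:01 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2010:10:15:01 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2010:10:15:02 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2010:10:15:02 +0100] "GET /myAdmin//scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2010:10:15:03 +0100] "GET /phpMyAdmin-2.11.1/scripts/setup.php?x=1 HTTP/1.1" 404 219 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2010:10:15:03 +0100] "GET /nosuichfile.php HTTP/1.1" 404 219 "-" "Mozilla/4.0"
198.51.100.4 - - [28/Jul/2010:10:20:11 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Jul/2010:10:20:12 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Jul/2010:11:02:45 +0100] "GET /dbtools/scripts/setup.php HTTP/1.1" 200 3310 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path (query string removed) and
    integer status, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def is_setup_probe(path):
    """True for any request that ends in scripts/setup.php, whatever the
    directory in front of it and whatever the letter case (the report above
    shows pHpMyAdMiN and a doubled slash, so compare loosely)."""
    return path.lower().endswith("/scripts/setup.php")


def names_tried(paths):
    """First path component of each probed URL: the directory names the
    client guessed for the installation."""
    return sorted({p.strip("/").split("/")[0] for p in paths})


def analyse(lines, min_distinct=3):
    """Group setup.php requests by client.  A client with at least
    min_distinct distinct 404'd paths is reported as a scanner; any setup.php
    request that did NOT return 404 is reported separately as 'reachable'."""
    probes = defaultdict(set)   # ip -> distinct paths that 404'd
    reachable = []              # (ip, path, status) for non-404 answers
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_setup_probe(rec["path"]):
            continue
        if rec["status"] == 404:
            probes[rec["ip"]].add(rec["path"])
        else:
            reachable.append((rec["ip"], rec["path"], rec["status"]))
    scanners = {ip: sorted(paths) for ip, paths in probes.items()
                if len(paths) >= min_distinct}
    return {"scanners": scanners, "reachable": reachable}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for ip, paths in report["scanners"].items():
        print(f"{ip}: {len(paths)} distinct setup.php probes, "
              f"names tried: {', '.join(names_tried(paths))}")
    for ip, path, status in report["reachable"]:
        print(f"ATTENTION: {path} answered {status} to {ip}; "
              f"a setup script is reachable on this server")
```

Run against a real log (for example by replacing SAMPLE_LOG with the contents of the access log) the "scanners" part only confirms what the post already says, that the probing is routine. The "reachable" part is the check worth scheduling: if a setup.php request under any directory ever gets anything other than a 404, the setup script has not been removed or locked down, and the directory name alone is doing no protective work.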
— Nigel Chapman · 28 July 2010
MacAvon Media Services for Lecturers
We are pleased to announce the launch of our Services for Lecturers at the MacAvon Download Store.
If you are a lecturer or instructor using, or considering using, one of our books in teaching a course at a university or other institution of higher education, you can request a free Lecturer’s Account, giving you access to the services for lecturers. At present, there are two services.
Lecturers can obtain free PDF copies of Web Design, Digital Media Tools and Digital Multimedia for evaluation or private use. This is an alternative to our publisher’s normal evaluation copy service. We hope our new service will be especially useful for lecturers in countries where it takes a long time for printed books to be delivered. (If you prefer your evaluation copies on paper, you can still request them using the form on each book’s support site in the normal way, or from Wiley’s own Web site.)
With a Lecturer’s Account at MacAvon Media you can also create what we are calling Course Bundles. A course bundle is a collection of one or more PDF documents selected personally by a college lecturer or instructor to recommend to students on their own course for purchase at a specially discounted price. Course bundles may include any number of chapters or other available documents, and may be a mixture of chapters from different books. When you create a course bundle you are provided with a unique URL (which ideally you should embed in your course support page), so that your students can go directly to the correct page to purchase the bundle you have created. Discounts are always applied to course bundles, depending on the number of documents included in the bundle.
We know that many courses using our books only need to refer to some chapters. Course Bundles allow students to buy only the chapters required for their course instead of paying for the whole book. As PDF documents, the chapters in a bundle can be read on a variety of devices, including mobile ones, and they relieve students of the physical burden of carrying around some fairly heavy books. For students in countries where purchase of books published overseas may be difficult or take a long time, PDF course bundles provide instant delivery of their course material. They also provide protection from the risk of malware associated with using bit torrents and from potential defrauding by the increasing number of sites which claim to offer PDF downloads of popular textbooks but require users to provide credit card details and pay a subscription or other fee. When students buy from MacAvon Media they are buying direct from the authors. If they purchase course bundles they have the added security of knowing that their lecturer has personally selected and approved the material they are buying.
Course bundles can include chapters from all three of our printed books. They are the only way in which chapters from Digital Multimedia can be bought in PDF form. Over the coming months we will be creating new material that will be available exclusively in PDF from the MacAvon Download Store. All such material will be available for inclusion in course bundles.
We must emphasize that Lecturers’ Accounts are only available to bona fide lecturers or instructors at recognized institutions, and we ask anyone requesting a Lecturer’s Account to provide some means of verifying their identity and status (either a current college Web page confirming their contact details and position, or a photo or scan of their college ID card). Regrettably, we must reserve the right to refuse requests if we are not satisfied that they are genuine.
We hope that many lecturers will find these services valuable. If you are a lecturer, we encourage you to find out more and request an account. (There is no charge of any kind, and we do not ask for any financial details.) If you are a student, and would like to be able to buy course bundles, please tell the lecturer on your course about our Services for Lecturers.
— Nigel and Jenny Chapman · 5 July 2010
Web Applications and Mobile Apps
I don’t know whether Web Design students are asked to write essays, but if they are I shouldn’t be surprised to see titles cropping up this year along the lines of “Does the spectacular rise of mobile phone ‘apps’ indicate the coming end of the Web?”
Cameron Moll wrote a short piece on this subject recently. My interest in the matter is similar to his. If there is to be a second edition of Web Design: A Complete Introduction, I had been expecting to add a chapter on the Mobile Web, since it seemed that the Web would acquire even greater importance following the growth in the use of mobile devices. Right now, this doesn’t seem to be what’s happening.
Considering the options for a possible mobile application may clarify what’s going on.
For a while I’ve been idly thinking about creating a flashcard type of application, based on the data that drives the interactive glossary on this site and the other support sites for our books. We are not fans of rote learning, but we are aware that many of the readers of our books are not native English speakers, and that those readers may appreciate this sort of assistance with learning the specialized vocabulary.
The application could be simple, just displaying a glossary term, giving the student a chance to define it, then disclosing the stored definition to see whether they had got it right. Their progress would be recorded, so they could see which terms they needed to revise. Possibly, a tagging and classification scheme could be added, so attention could be confined to certain areas. It would probably also be a good idea to have an annotation facility, so for example, a student could provide alternative definitions in their own language or translations for each term.
Consider two options for implementing a system like this.
Such an application could easily be implemented on a server, using Rails or some equivalent framework. The data is already available in a relational database. We know how to implement users’ accounts so letting each student maintain their own records and notes would be simple. A bit of CSS and JavaScript could provide a nice interface. If this were done, the site could be accessed from anywhere, without being tied to a single computer, and with a bit of care it could be made usable on any device, whether a conventional computer running OS X, Windows or Linux, an iPhone OS device, or some other mobile device using Android or Windows Phone.
In contrast, making an iPhone (or iPod Touch) application would entail writing an Objective-C program, calling Cocoa Touch APIs for manipulating the interface and data. I have to confess that, despite more years’ programming experience than I care to count, I find the prospect of doing that thoroughly intimidating. I know that experienced iPhone developers tell us that Objective-C is wonderful and that anybody who prefers something a little higher-level, a bit more up-to-date and less like a clumsy graft of Smalltalk onto C – Ruby, for instance – has no right to call himself a real programmer, but I have to disagree. But even if I’m wrong, and Apple’s development tools are so great that creating an iPhone app is really a pleasant exercise in programming, at the end of it, I’d have an application that would only run on an iPhone or iPod Touch. It’s generally agreed that a non-trivial amount of redesign would be needed even for the iPad. For Android, I’d have to start again, this time using Java.
So why are developers frantically writing Objective-C for a single platform when they could be using more agreeable languages and frameworks to create web apps that would be accessible on anything?
The answer most often given is that apps provide a better user experience. (This is the prime concern of Cameron Moll’s piece I referred to earlier.) With a lot of ingenuity, you can provide users with a rich interface on a website by way of CSS and JavaScript, as SproutCore demonstrates, for instance. However, you can’t provide them with the native user experience they are used to. On a desktop platform, for example, you can’t take over the menu bar – it’s already taken by the browser. So this means that you can’t easily implement the fundamental interface mechanism of selecting something then choosing an operation to perform on it from a menu on the menu bar. On mobile devices, whose limited screen space has led to the development of new interface conventions, the situation is worse. You may be able to implement something that resembles the conventional interface using clever scripting (SproutCore Touch claims to do this, although the demo was displaying everything back to front in an entertaining fashion last time I looked) but then you will have sacrificed your platform-independence because what seems natural on an iPhone won’t seem natural on a MacBook.
There has been so much emphasis on the user experience of mobile devices, especially Apple’s, that this single factor may be seen as compelling. There are some other advantages to coding native apps instead of using the Web, though.
First, there is the lack of responsibility for the user’s data. With a Web app of the sort outlined earlier, the database on your server is the sole repository for everybody’s records and notes. The sad story of Magnolia should never be forgotten in this context. A single mistake leading to the loss of some users’ data will sink an application forever. At the very least then, you will have to include a secure backup strategy when you launch a Web application. Indeed, security in general will become a major concern: you don’t want the site to be hacked either. If you write an app, each user’s data will stay on their own device and its security will be their responsibility.
Second, rather obviously, they will be able to use the application when they are not connected to the Internet. There are new Web standards being developed that allow Web applications to be used in offline mode, but these are not universally implemented, so in offering a Web application you are demanding that your users be online. This may not always be possible or, depending on the tariff policies in their country, it may entail costs that they do not find acceptable.
Third, and perhaps most enticingly for the developer, when you write native apps you don’t need to worry about browser incompatibilities. You are writing for one platform with precisely known and documented capabilities. Either it works or it doesn’t. For Web applications, the more you strive for a rich interface by using CSS3 features and scripting APIs that go beyond the DOM standards, the more you will run into the limitations of common browsers. (At least now it is acceptable not to support Internet Explorer 6, but IE7 can still cause plenty of headaches.) Unless you are prepared to invest a lot of effort in coping with incompatibilities you will stick to the established standards, which means that your interface will be fairly basic. This shouldn’t matter as long as it works, but users have higher expectations, precisely because of native apps.
And it should go without saying that the native app will run faster.
If these reasons don’t add up to a case for apps, perhaps consideration of money will be more convincing. If you write an iPhone app, you can submit it to the App Store and if it is approved it will go on sale there, at the price you specify. Apple will only take 30%. If your app is good and you can get people to notice it, they will pay. You probably won’t get rich, but you may feel that you are getting repaid for your development work.
But what of a Web application? This too requires work, which you have a reasonable right to expect to get paid for. It also has associated hosting costs – if you give a Web application away for nothing, you aren’t just forgoing profit, you will lose money. The glib answer to the question of how to recoup it is by advertising. I would never consider this option, as I abhor advertising, but even if this were not so, you can only make money off adverts if you are able to get paid for every page view, and this is only possible if you have a popular site. If you expect to make money from Google AdWords’ pay-per-click model, you will probably be disappointed.
The only other option is to charge a subscription for access to your Web application. This is a perfectly reasonable thing to do, but whereas people are willing to pay to download an app, they seem to be much more reluctant to pay even the cost of a cup of coffee for a year’s access to a website. The tradition of free access to the Web is too well established at present, as newspapers are learning. Perhaps also, the missing feeling of possession that comes from having all your data elsewhere contributes here. If you download an app, you feel you have got something and it’s yours. If you subscribe to a site, you feel you are paying for something transitory and won’t have anything to show for it at the end.
None of this answers the hypothetical exam question posed at the beginning, but it should help show you why there’s a question to be answered. If you are ever confronted with the question, you might also ask yourself why the question isn’t usually asked in the context of desktop computing, only mobile devices.
— Nigel Chapman · 29 April 2010