Exercise 12 - Modelling with UML or MVC?

Examine the Use Case(s) in Figure 9.2 and explain the MVC architecture of the online bookstore (the model, the view, and controllers) needed to Lookup Books and Add to Shopping Cart.

MVC architecture is a widely used approach to decouple an applications logic into separate objects. The parts of an MVC architecture include the model, view, and controller classes which have been discussed extensively in other workshops. For the online bookstore there will be a number of objects needed to complete the use case(s) "Lookup Books" and "Add to Shopping Cart" which are below:

Models
Orders
Books
Customers

Views
Search
Search_Results
Shopping_Cart
Book_Details
Customer
Order

Controllers
Books_Controller
ShoppingCart_Controller
Customer_Controller
Search_Controller

Exercise 11: TP monitors and transaction protocols

1. Give a description in your own words of the ACID properties of a transaction
The ACID model is one of the oldest and most important concepts of data theory. It sets forward 4 goals that every database management system must strive to achieve: Atomicity, Consistency, Isolation, and Durability. Any database that fails to meet any of these 4 goals should not be considered reliable.

Transactions are sequences of operations or smaller sub tasks to be executed all together successfully or else the entire transaction is void.

Atomicity: requires that all operation of a transaction be completed; if not, the transaction is completed aborted. If a transaction has 4 steps, all 4 steps must be successfully completed; otherwise, the entire transaction is aborted. So in other words, a transaction is treated as a single, indivisible, logical unit of work.

Consistency: indicates the permanence of consistent state. If for some reason a transaction is executed that violates data consistency rules, the entire transaction must be rolled back and the data restored to a state of consistent with those data rules. An example of this is within databases that a string is trying to write to a integer field in the database. This is not sticking to the rules of the database and is therefore breaking the state of the data, only an integer value can be stored in this field which would then take this to the next consistent state.

Isolation: means that the data used during the execution of a transaction cannot be used by a second transaction until the first one is completed. This property is particularly useful in multiuser database environments because several users can access and update the database at the same time.

Durability: ensures that any transaction committed successfully will not be lost, undone, even in the event of a system failure. A good example of this is say you make a payment on a banking website and you receive the receipt however this is never passed through to the database because of a server failure during the time of the transaction. This would be the ACID "D" rule.

2. Describe a TP monitor environment. How can a TP monitor stop an operating system being overwhelmed?

A TP or Transaction Processing Monitor is a control program that manages the transfer of data between multiple local and remote machines and the programs that serve them.

In a client/server environment how a TP monitor might be used to stop an operating system from being overwhelmed is to be placed between multiple machines and balance the load between these machines so that the operating systems are never overwhelmed with too much work.

Exercise 10 - Concurrency and Threading demonstration in Python

1. Find definitions for eight terms and concepts used in threaded programming:
Thread Synchronisation: Thread synchronisation keeps threads in order and working together coherently so as to accomplish a certain set of tasks which regards to acting and shielding against multithreading issues such as corrupted data, file locks, and deadlocks.

Locks: A lock is a sychronisation mechanism for enforcing limits on access to a resource in an environment where many threads or processes are executing (Wikipedia, 2010). An example is a thread accessing a file to write to. First the thread must obtain a lock before it can begin writing, once it has finished writing it can release the lock to another thread. This stops concurrent issues from occuring such as two threads trying to write to the same file at the same time.

Deadlock: A deadlock is a situation whereby two competing processes or threads are waiting for the other to finish and thus are stuck in a situation whereby they will be waiting forever.

Semaphores: A semaphore is a protected variable (or abstract data type) and constitutes the classic method for restricting access to shared resources in a multi-processing environment (Economic Expert, n.d.). Semaphore will generally takes one of two forms: binary or counting. A binary semaphore is a simple true/false flag that controls access to a single resource, and a counting semaphore is a counter for a set of available resources (Wikipedia, 2010).

Mutex (mutual exclusion): Mutex which is short for mutual exclusion object. In programming, a mutex is a program object that allows multiple program threads to share the same resource (i.e. file access) but not simultaneously. It is used for concurrent programming when accessing common resources simultaneously (Wikipedia, 2010).

Thread: In our topic guide is states that "a thread is a flow of control through the process". A process can have many threads which can be initiated by an event the process to do something concurrently. Threads are really just pieces of code or logic you want to run concurrently to accomplish something for the process.

Event: Wikipedia (2010) states that a event in computing is an action that is usually initiated outside the scope of a program and that is handled by a piece of code inside the program. Typically events are handled synchronous with the program flow, that is, the program has one or more dedicated places where events are handled. Typical sources of events include the user who presses the keyboard or hardware devices such as a timer.

So an example of this might be a user in the application clicks a button "Submit". An event of onclick is fired within the program flow to execute the "Submit" function within the code.

Waitable Timer: A waitable timer object is a sychronisation object whose state is set to signaled when the specified due time arrives. There are two types of waitable timers that can be created: manual-reset and sychronisation which both can be used as a periodic timer (Microsoft, 2010)

2. A simple demonstration of the threading module in Python (threaddemo.py) tat uses both a lock and semaphore to control concurrency is by Ted Herman at the University of Iowa. The code and the sample output below are worth a look. Report your findings.

The threaddemo.py script which was provided gives us a chance to see how threading can be utilised. The script itself declares at first the total number of tasks that can be run at 10. But there is a limitation semaphore of 3 tasks than can only be run concurrently. There is also the use of a mutex object whereby only 1 of the 3 tasks can only update a certain running variable at a time, and if not waits for the other operation to finish.

Exercise 9 - Electronic payments and security

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce

As the internet expands and grows, the use of e-commerce applications for purchasing goods and services will also increase. Security is a major concern that must be addressed before real adoption of using the internet for shopping, and purchasing goods. SET or Secure Electronic Transactions is an open protocol which was jointly developed by Visa and MasterCard, in conjunction with many leading computer vendors such as IBM in 1996. The SET open standard is used for protecting the privacy, and ensuring the authenticity of electronic transactions over the internet (Reilly, n.d.). However, SET was never really adopted at any substantial level, because of a number of reasons which included:

• Clients needed to install a digital wallet or e-wallet
• Cost and complexity for banks and merchants to offer cupport of this standard vs the relatively low cost of existing SSL based alternatives
• Distribution logistics of certificates to clients.
  

SET has several parts / layers of security:

• digital wallets / e-wallets
• digital certificates
• digital signatures
• symmetric encrytion (DES) Data Encryption Standard
• asymmetric, or public key encryption - RSA 128 bit Encryption

Lets run through how SET actually works, from a detailed description from ISACA.org

1. The cardholder goes to a merchant's web site and selects the items he or she wants to purchase. The cardholder then clicks on the checkout button or its equivalent.

2. This triggers wallet software to be invoked on the cardholder's PC. The software presents several credit cards which the cardholder possesses, and one is chosen. The wallet software also receives the digital certificates of two entities: the merchant and the acquiring bank (also called a payment gateway). These two certificates are validated by traversing the hierarchy of trust, through messages sent on the Internet to all the entities on the trust chain.

3. The wallet software then generates a message containing two parts: the order information and the payment information. The order information contains information confirming the order, whereas the payment information contains the card number and the amount. The payment information is encrypted using a random symmetric key, which, in turn, is encrypted with the payment gateway's public key, so that only the payment gateway can decrypt it. In other words, the merchant will never know the details of the card number of its customer. This data is sent automatically to the merchant's web site.

4. The merchant's computer will first validate the cardholder's digital certificate. Then it will send the payment information to the payment gateway (which is the acquiring bank's computer).

5. The payment gateway will verify the digital certificates of both the merchant and the card holder and decrypt the message to access the card number and the amount.

6. Then the payment gateway will interface with the legacy systems of the acquiring bank to send the transaction to the card brand, which will then send it to the issuing bank for authorization.

7. This authorization response is then encrypted in the usual fashion and sent to the merchant, who, in turn, will validate the message and store the response. Then the merchant will arrange to ship the goods.

A more detailed article about SET can be found on ISACA.org by Ganesh Ramakrishnan
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=21545&TEMPLATE=/ContentManagement/ContentDisplay.cfm

The most well known public key encryption system is RSA. RSA stands for Rivest, Shamir and Adleman who first publically described it (Wikipedia, 2010). RSA is widely used in electronic commerce protocols and is the first algorithm to be known suitable for signing as well as encryption (Wikipedia, 2010)

RSA uses a key length of 3072 bits which is the equivalent to 128 bit symmetric key. According to Wikipedia, this key size should sufficient till around 2030 before it isn't as resistant to cracking the key.

SET uses RSA however the majority of bulk encryption is accomplished in DES, and RSA is mainly used for signatures and public-key encryption of data encryption keys and bankcard numbers (RSA, 2010)

More information can be found in regards to DES and RSA on Cryptography World Cryptography Guide (http://www.cryptographyworld.com/algo.htm)


2. What can you find out about network and host-based intrusion detection systems?
First we must define what is an intrusion detection system. An IDS is a device (or application) that monitors network and/or system activities for malicious or suspicious activity, and alerts the systems administrator accordingly. There are two main types of IDS's which are network and host based. (Wikipedia, 2010)

Network IDS, are placed in certain points of a network such as the entry and exit points of the DMZ so that it can monitor incoming and outgoing traffic on a network and to look for suspicious activity.
NIDS usually employ a sophisticated algorithm that examines each and every packet in realtime to determine if it meets any of the criteria for "malicious" or "suspicious" activity. If it finds out that the packet or sequence of packets meets certain criteria an alert is raised and sent to the system administrator.

Host Based IDS acts similar manner as NIDS, but is only located on the individual host, and can only monitor that host. Usual items that can be monitor include failed login attempts to the machine, network traffic coming in and out of the machine, monitor administrator tasks on the machine.

All intrusion detection systems use one of 2 detection techniques: either statistical anomaly based, or signature based (Wikipedia, 2010).

Statistical anomaly based IDS - A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered

Signature-based IDS - Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats


3. What is phishing?
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication (Wikipedia, 2010). Phishing is typically carried out by email or instant messaging. Phishing is an example of social engineering techniques used to fool users, and exploit the poor usability of web security technologies.

Many banks the world over and australia have been subject to this and their customers. Here is an article detailing what scammers do when phishing.

http://www.zdnet.com.au/latest-phishing-scam-most-devious-ever-139116416.htm?omnRef=http%3A%2F%2Fwww.google.com.au%2Fsearch%3Fq%3Dphishing%2Bwestpac%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-GB%3Aofficial%26client%3Dfirefox-a


4. What is SET and how does it compare to SSL as a platform for secure electronic transactions? Is SET in common use?

As already mentioned in question 1, SET or Secure Electronic Transactions is an open protocol which was jointly developed by Visa and MasterCard, in conjunction with many leading computer vendors such as IBM in 1996. The SET open standard is used for protecting the privacy, and ensuring the authenticity of electronic transactions over the internet, through the use of digital wallets, certificates and signatures, and use of DES and RSA 128bit encryption.

SSL or Secure Sockets Layer is a protocol that provides security for communications over the Internet. The protocol itself sits in the OSI model between the network and application layers. It is a transparent protocol meaning it is invisble to the client but can be used by any TCP based application.

Both these protocols are used to encrypt and protect information being sent across the internet. However SSL is more adopted and common practice for companies to use as it is relatively easy to setup and its far less complex and cost effective than SET. SET is more secure than SSL as it has additional safeguards added to ensure data is fully secure.

SET is not really in common use due to the complexity and costs involved, but however with the rise of financial crimes and the lower security of SSL. SET could become a factor in the near future due to its additional safeguards making financial transactions more secure.


5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
Cookies are text files stored locally on a user machine by the web browser when sent from a web server. They consist of one or more name-value pairs containing information which may be encrypted

i.e. NAME = "David Mckay", LOCATION = "SYDNEY"

There are 2 basic types of cookies: persistent and nonpersistent. Persistent cookies are stored locally on a clients machine so that it can be used across different sessions. Nonpersistent cookies are not stored locally and can be only used in the same session and never again.

Cookies are usually used for storing authentication, session tracking, site preferences, cart contents etc for the website visited so that when a user comes back to the website this can be automatically loaded.

Security is not necessarily improved with the use of cookies as these can be manipulated and changed threatening authentication. So the use of storing usernames and passwords should be avoided.

Cookies do not act maliciously on a computer system, they are not viruses and cannot access you hard drive. However, cookies can pose a security risk in terms of a user's privacy and anonymity on the internet (Wikipedia, 2010).


6. What makes a firewall a good security investment? Access the internet, find two or three firewall vendors. Do they provide hardware, software or both?
A firewall is a part of a computer system or network that is designed to block unauthorised access while permitting authorised communications. This device allows greater control and monitors all inbound and outbound traffic on a network.

Why a firewall is a good security investment is that it stops unwanted intrusions from coming into your network. Its makes logical sense similar to you not wanting strangers just walking through the front door of your house.

Firewalls are very much common practice in nearly all organisations as this protects very sensitive and confidential equipment and data from being accessed externally.

Some of the vendors which provide firewall include CISCO, and Norton. These 2 vendors are quite different in that CISCO provides hardware based firewalls, where as norton is a software based company provides security products that include software based firewalls.


7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
According to Nielson (n.d.) "trust is hard to build - and easy to lose", this holds very true when it comes to e-commerce sites. In order to build trust of an e-commerce site there are a few Nielson mentions that can be done in order to build rapport and a sense of trust between the consumer and the site.

1. Make sure security is up to date with the latest technologies. Use of SSL or SET
2. Respect their privacy on the internet by not trying to make your customers give you sensitive information when they really dont have too.
3. Have reputable brands and companies mentioned on the site
4. Have a good refund and returns policy
5. Have a professional looking and friendly website
6. Have contact information and information about the company on the site
7. Display testimonals on the site


8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
PGP or Pretty Good Privacy is a computer program that provides cryptography privacy and authentication. PGP is often used for signing, encrypting and decrypting email to increase the security of email communications.

PGP uses a serial combination of hashing, compression, symmetric cryptography and assymmetric cryptography.


The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
Some of the ones banks are putting in place are 2nd factor authentication methods such as RSA token key or via SMS tokens sent when logging into a banking website or undertaking a transaction on the website.

Ruby vs Java

Check out this SlideShare Presentation:

Ruby vs Java

View more presentations from Belighted.

References

Lenz, R. (2007) "Learn Ruby On Rails: The Ultimate Beginner's Tutorial" http://www.sitepoint.com/article/learn-ruby-on-rails/2/

Sun Microsystems (2008) "MySQL Documentation" http://dev.mysql.com/doc/index.html

Kim, A.J. (2000). Community Building on the Web: Secret Strategies for Successful Online Communities. London: Addison Wesley

Eustace, K. (2009). ITC 594 - E-systems Infrastructure Development Study Guide. Wagga Wagga: Charles Sturt University.

Andreas Kuhrwahl, W. W., Thomas Jachmann. Chapter 4. RESTful web applications Retrieved 23/03/2010, 2010, from http://jsf-spring.sourceforge.net/reference/ch04.html

Wikipedia (2010). Ajax Programming Retrieved 01/04/2010, 2010, from http://en.wikipedia.org/wiki/Ajax_(programming)

Wikipedia (2010). Representational State Transfer Retrieved 23/03/2010, 2010, from http://en.wikipedia.org/wiki/Representational_State_Transfer

Wikipedia (2010). Peer-to-peer architecture retrieved 27th March 2010, from http://en.wikipedia.org/wiki/Peer-to-peer

Wikipedia (2010). Wireless Mesh Networks Retrieved 15th March 2010, from http://en.wikipedia.org/wiki/Wireless_mesh_network

Wikipedia (2010). Black box retrieved 15th March 2010, from http://en.wikipedia.org/wiki/Black_box

Wikipedia (2010). Black box retrieved 15th March 2010, from http://en.wikipedia.org/wiki/White_box_%28software_engineering

Wikipedia (2010). Price Comparison Service Retrieved 17 Mar 2010, 2010, from http://en.wikipedia.org/wiki/Price_comparison_service

Wikipedia (2010). Online Community Retrieved 17 Mar 2010, 2010, from http://en.wikipedia.org/wiki/Online_community

Wikipedia (2010). Key Size. Retrieved 22nd May 2010, from http://en.wikipedia.org/wiki/Key_size

Wikipedia (2010). Intrusion Detection System. Retrieved 22nd May 2010, from http://en.wikipedia.org/wiki/Intrusion_detection_system

Wikipedia (2010). Phishing. Retrieved 22nd May 2010, from http://en.wikipedia.org/wiki/Phishing

Wikipedia (2010). HTTP Cookie. Retrieved 22nd May 2010, from http://en.wikipedia.org/wiki/HTTP_cookie

Wikipedia (2010). Lock. Retrieved 22nd May 2010, from http://en.wikipedia.org/wiki/Lock_%28computer_science%29

Wikipedia (2010). Semaphore. Retrieved 23rd May 2010, from http://en.wikipedia.org/wiki/Semaphore_%28programming%29

Wikipedia (2010). Mutex. Retrieved 23rd May 2010, from http://en.wikipedia.org/wiki/Mutual_exclusion

Wikipedia (2010). Location-based service. Retrieved 23rd May 2010, from http://en.wikipedia.org/wiki/Location-based_service

Wikipedia (2010). Web service. Retrieved 27th May 2010, from http://en.wikipedia.org/wiki/Web_service

Spiritus-Temporis.com (2005). Web service. Retrieved 27th May 2010, from http://www.spiritus-temporis.com/web-service/advantages-of-web-services.html

Microsoft (2010). Waitable Timer Objects. Retrieved 23rd May 2010, from http://msdn.microsoft.com/en-us/library/ms687012%28VS.85%29.aspx

Economic Expert (n.d.). Semaphore (programming). Retrieved 23rd May 2010, from http://www.economicexpert.com/a/Semaphore:programming.htm

Reilly, David (n.d.). Secure Electronic Transactions: An Overview. Retrieved 22/05/2010, from http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.html

Ramakrishnan, Ganesh (n.d.) Secure Electronic Transaction (SET) Protocol. ISACA.org. Retrieved 22/05/2010, from http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=21545&TEMPLATE=/ContentManagement/ContentDisplay.cfm

RSA (2010). RSA Laboratories. What is SET?. Retrieved 22/05/2010 from http://www.rsa.com/rsalabs/node.asp?id=2287

Nielson, Jakob (n.d.). How to build trust on your eCommerce website. Retrieved on 22nd March 2010 from http://www.technologymatters.com.au/articles/building_trust.htm

Griss, Martin (2001). Software Agents as Next Generation Software Components. Retrieved on 23rd March 2010 from http://martin.griss.com/pubs/cbse-agents.pdf

El-Masri, A. & Suleiman, B. (2005). The Second International Conference on Innovations in Information Technology (IIT’05): A Framework for Providing Mobile Web Services. Retrieved 27th May 2010 from the IT Innovations website http://www.it-innovations.ae/iit005/proceedings/articles/D_1_IIT05_Elmasri-1.pdf

Elevator Pitch 1

Remember the old quote "Rome was not built in a day", this holds very true in regards to the development of this ePortfolio site, and also the knowledge gained from this subject. These too were not built in a day but gained over many.

It is becoming increasingly clearer that the world-wide web is transforming the business world quite dramatically and fast. More content is moving online, businesses are increasingly using more web technologies to integrate key systems, so as to gain that ever so important strategic advantage over their competitors. This masters subject ITC594 aims to provide insight into the development and implementation of e-Systems; the frameworks and tools utilised in creating these systems; and the core architectures surrounding these systems.

Throughout the duration of this programme of work, I have built a good foundation of knowledge in regards to e-Systems infrastructures; background and overview of e-commerce and distributed applications; frameworks on which e-Systems are built on; understanding of the latest in technologies affecting businesses who want to provide e-Systems, the tools and technologies involved which help enable businesses to integrate and communicate, and lastly how these systems are developed using an intuitive web application design framework "Ruby On Rails".

To be ahead of the competition, you must be fast and agile when it comes to the development of e-Systems. This is why frameworks like "Ruby on Rails" which have been detailed and discussed as part of this programme of work are helping developers design and implement web applications faster and more efficiently through the use of common design patterns such as MVC; design paradigms like 'Convention over configuration' which essentially means that the developer only has to take care of the unconventional aspects of the application, as the rest is taken care of by the framework.

I look forward to even further enhancing my knowledge in this particular growth area with the other workshops and exercises, and to further build and grow my knowledge on my 'ePortfolio', very similar to how Rome was built overtime.