Archive for the 'technology' Category

Mar

21

Safari, IE8 and Firefox zero-day vulnerability

Posted by admin under internet, technology, web2.0 - No Comments

On March 18 (U.S. time), the third Pwn2Own hacking competition, run by TippingPoint, got under way. On the first day, contestants had to break into fully patched mainstream browsers (IE8, Firefox, Chrome, Safari) and, under severe restrictions, smartphones (BlackBerry, Android, iPhone, Nokia/Symbian, Windows Mobile). Over the three-day competition, the Zero Day Initiative awards the discoverer of a browser vulnerability 5,000 U.S. dollars plus the computer used, and the discoverer of a smartphone vulnerability 10,000 U.S. dollars plus a one-year right to use the phone that was broken.

On the first day of Pwn2Own the smartphones withstood the test, while the mainstream browsers were not so lucky: the two winners, Charlie Miller and Nils, broke Safari (twice), IE8 and Firefox.

Charlie Miller, one of last year’s winners, once again broke through Mac OS X’s Safari browser in just two minutes during the first day’s browser attacks.

Another participant, Nils, successfully broke through the security protection of IE8 on Windows 7, including Microsoft’s latest protection technologies, DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). This again raised widespread public concern about the security of IE8. Nils won the latest Sony Vaio notebook and 5,000 U.S. dollars in prize money.

But those first two surprises were only the beginning. Not long after, Nils got the Pwn2Own crowd excited again: using a Safari vulnerability, he quickly beat Apple’s Safari browser too and collected another 5,000 U.S. dollars and the white Apple computer. Having broken through two mainstream browsers, Nils then turned to Firefox, which also fell. On the second day of Pwn2Own, Nils will take on Google Chrome and may well end up as the author of 0days against all four of the latest mainstream browsers.

Mar

11

Optimize Image with Smush.it

Posted by admin under internet, technology, web2.0 - No Comments

A good-quality image with an optimized size will not only save your bandwidth but also speed up your site’s loading time. Smush.it is very useful when you want to optimize the images for your web site without reducing their quality. The service allows you to upload image files directly from your machine or from given URLs. You can also install the Smush.it Firefox extension.

Mar

5

Drupal SEO

Posted by admin under internet, seo, technology - No Comments

The following is a list of steps for a Drupal site to optimize it for SEO.

1. Enable clean URLs: Enabling clean URLs gets rid of the ?q= in every URL. This only works on Apache web servers. This can be done on the Site Administration > Site Configuration > Clean URLs page.
2. Fix .htaccess: Drupal has some canonicalization issues, where it creates two links per node, one that ends with a slash and one that doesn’t. This will gracefully redirect duplicate URLs. Add the following lines to the .htaccess file:
# get rid of trailing slashes (only for our own host, so the redirect never reflects an arbitrary Host header)
RewriteCond %{HTTP_HOST} ^(www\.)?mywebsite\.com$ [NC]
RewriteRule ^(.+)/$ http://%{HTTP_HOST}/$1 [R=301,L]
3. Modify robots.txt: Modify this file to prevent the spiders from going after the non-friendly URLs. Add the following to the robots.txt file:
Disallow: /node/
4. Install SEO Modules: These include the pathauto, globalredirect, robotstxt, xmlsitemap, metatags, and pagetitle modules. These modules are described below.
5. Modify the Template: Use the header tag appropriately, as a page title. Use only one header tag per page. Put the site name in a div tag, not a header tag. This formats the HTML in a way that facilitates how a spider might index the site.
6. Send RSS Feed Through Feedburner: Then have Feedburner ping Google blog search. This should help get more references to the site.

The following is a list of modules for Drupal that help with SEO.

* Global Redirect: Drupal creates duplicate URLs for content (www.mysite.com/node and www.mysite.com/node/). Duplicate URLs naturally dilute the rankings/indexing of pages. Also, search engines are hostile to this technique. This module creates a 301 redirect to eliminate duplicate URLs. This module is optional if the changes to the .htaccess file are made manually.
* Metatags (aka Node Words): Creates meta tags for descriptions and keywords for the node.
* Page Title: By default, Drupal makes the page title identical to the node title. This module allows customization of the page title for the node.
* Path Auto: This module creates a human-friendly, semantic URL for the node.
* Robotstxt: This module manages the contents of the robots.txt file to filter out the content properly (remove the node/1 URLs). This module is optional if the changes to the robots.txt file are made manually.
* XML Site Map: This module generates and maintains a sitemap of the site for the search engines to use. The usefulness of XML site maps is in question. Some people argue that this is not helpful for SEO. All it does is help the search engines index pages, it does nothing to help page ranking. However, before a page can even begin to be page ranked it must be indexed. If this module facilitates page indexing then it is useful for getting the ball rolling on page ranking.


Mar

3

Add Watermark to your photos or images

Posted by admin under internet, technology, web2.0 - No Comments

If you want to add a watermark to your photos when you’re blogging from an internet cafe or a machine that doesn’t have Photoshop or other photo software, Picmarkr is the best choice for you. Picmarkr is an online tool that allows you to add a text or image watermark with just a few clicks. You can choose photos from your computer as well as from your Flickr, Facebook and Picasa accounts.

After your photos are uploaded, you can insert your custom watermark text or image and choose the position and text style that you want to display.

Finally, it gives you download links for the images with the watermark you set in Picmarkr.

Feb

23

33 New Design Blogs with Great Content & Resources

Posted by admin under internet, resource, technology - No Comments

Everyone loves finding new sites with great content, so I’ve made it a little easier. Here is a collection of new websites and blogs with quality content. I’ve chosen these blogs based on the quality of their posts & resources and not the design. At the bottom there is all of the RSS feeds, so you can keep yourself updated with all of the sites featured.

1. Design Shard


From what I can see, this site only went live on July 25th, and it’s already had some popular content. I suggest you check out the 300+ Free Hi-Res Grunge Textures, as it’s my favourite at the moment.

2. My Ink Blog

My Ink Blog | New Design Blogs

A very well organized and well focused blog with some brilliant tutorials, links, resources and articles. So far there have been a lot of great posts, and I don’t see any signs of this changing. I was really impressed with the tutorial on Designing with Swirls & Flourishes, a really top-notch tutorial.

3. PSD Fan

PSD Fan | New Design Blogs

Quickly becoming one of my favourite tutorial sites. The site offers not only tutorials, but resources, which are both of very high quality. Looking at the amount of content it’s hard to remember that it’s only 2 months old. My top pick: Design a Unique Grungy Website Layout, a tutorial on a whole new level of great!

4. Kreativeuse

Kreativeuse | New Design Blogs

This site is probably the most useful in terms of keeping up to date. It’s sort of beginning to replace my RSS feeds; I now always check this site first as it’s always got regularly updated web/graphic design news. Launched on the 5th of July, it’s quickly become one of my favourite places to browse, and our Icon set was their first ever post. Highly recommended!

5. ShareBrain

Sharebrain | New Design Blogs

Another regularly updated blog, which is brilliant! Especially when you consider how good the content is, I particularly enjoy their interviews. The ones with Jon Phillips & Steven Snell were my favourites. Keep your eye on this blog for sure.

6. Design Blurb

Design Blurb | New Design Blogs

This site was recommended to me by Andrew Houle and after browsing through the content I was impressed. And they even have their own collection of “New Design Blogs,” which was a bit of a bummer as I thought I was onto something which I hadn’t seen before. Anyway, great blog & content, check it out.

7. HongKiat

HongKiat | New Design Blogs

Now I know for a fact this one is not new, but it’s new to me, so I felt it deserved a feature. It is a brilliant site bringing you the best Tech Design & Blogging related content which I’m very new to. The thing I like most on this site is the wide range of content topics, there’s always something new and different. I really love their 50+ Nice Clean CSS Tab-Based Navigation Scripts – Be sure to have a look.

8. Graphic Design Blog

Graphic Design Blog | New Design Blogs

There’s a good number of posts on this blog, and I like each and every one of them. I’m looking forward to seeing more!

9. Observin

Observin | New Design Blogs

I couldn’t include this one for the design alone (as much as I wanted to); fortunately the blog posts & resources that I’ve seen so far made me want to include it for another reason, the content. To see what I mean just have a gander at the free Old News Theme. I predict great things for this blog; it’s one of my favourites at the moment.

10. Digital Artists Toolbox

Digital Artist Toolbox | New Design Blogs

I stumbled upon this website through the brilliant 41 Amazing Tilt-shift miniature faking photographs post and I’ve been checking back ever since. A wide range of content topics, from resources and freebies, to interviews and amazing collections. One to watch for sure.

11. DesignO’Blog

Design’o’Blog | New Design Blogs

Niki runs a blog which again has a wide variety of content, although it is focused around design and the internet. I love blogs like this; she clearly has a great eye for interesting stuff and a good sense of humour, and also offers some very useful content. Great blog to follow.

12. Brush King

Brush King | New Design Blogs

I’ve always gone for Quality over anything else, which is why I’m really liking Brush King. The collection of Photoshop brushes they’ve got at the moment are truly impressive, it’s clearly being run by someone who can spot quality brushes. My top pick, Flowers First.

13. Script & Style

Script & Style | New Design Blogs

This new website, put together by Chris Coyier, aims to bring you the best user-submitted community news. So far so good; I’ve read a lot of interesting stuff which I found via the site. So be sure to give it a good old rummage through.

14. Dev Snippets

Dev Snippets | New Design Blogs

I love it when sites like this come along, I’m not really huge on web development, but I realise how useful these are and I like to browse demos of things like this to find things that would be useful for future projects. They’re also running a great contest too.

15. Pattern Tap

Pattern Tap | New Design Blogs

Pattern Tap is a great idea: it’s a new site which allows you to find specific collections of certain web elements. I think it makes finding inspiration that little bit more effective, as usually it’s certain elements that I get stuck for inspiration on, rather than the overall concept.

16. We Are not Freelancers

We Are not Freelancers | New Design Blogs

These guys have got a really nice blog up and running, and it’s showing no signs of slowing down. The design (although this post is not about the design) is just absolutely amazing; I love every aspect of it. The posts that I’ve read have been very well written and informative, so all in all a welcome addition to my RSS reader.

17. Design Feedr

Design Feedr | New Design Blogs

Design Feedr is a blog which aims to showcase collections of top quality inspiration and resources. They have a great eye for what looks good and similar tastes to my own. One of my favourite posts of theirs is the Masters of Digital Paintings collection which I really love!

18. Inspiration Up

Inspiration Up | New Design Blogs

There’s that word again; Quality. I really like this site because they seem to think a little more than certain CSS galleries about their entries, so overall I’d say there is a better quality of sites on display.

19. The Dieline

The DieLine | New Design Blogs

Here is another site which I know is not new at all, but I’ve only recently been introduced to the amazing collection of packaging design inspirations that they offer. If you have not yet come across this site, prepare to be amazed.

20. Color Burned

Color Burned | New Design Blogs

A talented designer sharing various sources of inspiration and freebies. It’s always reassuring to receive resources off a guy who you know, knows what he is talking about. I really love the guy’s work just as much as the posts he shares, so a great experience all round.

21. Booooooom

Booooooom | New Design Blogs

Probably not the easiest domain name to remember in the world, but thankfully the posts and quality of the work is a lot more memorable, the post on Ian Francis‘ work for example is amazing! The site is based around art, design, photography & culture etc. This is a great site to spend some time exploring.

22. Apps Mania

Apps Mania | New Design Blogs

The basic concept of the site is a gallery of web applications, with a small amount of information, ratings and tags, making it a great place to browse if you’re on the lookout for, or need some inspiration for, a cool new web app.

23. Doodlage

Doodleage | New Design Blogs

I can’t remember how I came across this site, but it’s been in my favourites for a few weeks and I’m really impressed with the postings. It’s quite a fun little site, sharing lots of doodles/sketches/drawings, and is a great source of inspiration.

24. Vi.sualize

Vi.sualize | New Design Blogs

Social Bookmarking for images. It’s that easy. A simple great idea.

25. Coded Preview

Coded Preview

For a better way of presenting your design mock-ups you can use Coded Preview; it allows you to modify settings such as a background image, alignment margins etc. To give you an idea of how this can help, take a look at this example: Single Image compared to Image on Coded Preview. I think it’s a great idea, probably the best place you could upload your designs for presenting mock-ups.

26. High Resolution Textures

High Resolution Textures | New Design Blogs

Textures, a vital ingredient in so many forms of design. Textures are becoming more and more popular in web design, so that makes this an ideal website for you to add to your RSS reader. There really are some great textures on display here, and regular updates mean you’ll never be short of textures.

27. Lines and Colours

Lines and Colours | New Design Blogs

Another art and design blog. This one again has been around for a long time, since 2005 in fact. But it’s another of those which is fairly new to me, and I’m hoping will be new to a lot of you guys. A wide range of art is covered and, as with all of these blogs I’m posting, the quality of the content is spot on.

28. Beeex

Beeex | Strictly Free Resources for Designers | New Design Blogs

I’ve not strictly been following this site, but it keeps popping up here and there and each time I visit I am impressed, so it’s long overdue but I’ve added it to my RSS reader now. I particularly love their Ultimate Collection of Free Textures on the Web.

29. Skout

Skout | New Design Blogs

A user submitted list of design/web related resources. A wide range of categories, resources and inspirations. One of those sites where you can lose a good couple of hours and not realise.

30. Usability Post

Usability | New Design Blogs

So far the posts on this site have impressed me. The blog talks about aspects of interface design, which means not only the way things look but how they work and how they function. I’m looking forward to reading more here.

31. Knowtebook

Knowtebook | New Design Blogs

Knowtebook brings you the best news about design, ideas, web trends, technology & more. The usefulness of each post cannot be questioned; I find each and every post very useful, which is why it had to make the list. This web-based business collaboration tools post is a great example of that.

32. Designm.ag

Designm.ag | New Design Blogs

This latest project by Steven Snell is already off to a great start. A very community-focused design blog with community feeds, links, a gallery and of course some amazing posts, this blog really does look set to grow bigger and bigger, and with posts like this: Favorite Design-Related Sites of 21 Designers, it’s not hard to see why.

33. Fudge Graphics

Fudge Graphics | New Design Blogs

Since April 2008 Fudge Graphics has been making some amazing posts, and I’ve been completely oblivious. It’s strange how sites like this go on with such great content without me realising. This is just another one of those sites that I love; there is a good mix of links, resources, inspiration, featured artists, that sort of thing. Good times!

Get the RSS Feeds

If you are using an RSS reader you can easily subscribe to all of the above RSS feeds (where possible) by downloading the .xml file. All you need to do is then import it into your reader. I use netvibes as my reader.

Download RSS Feeds XML file

Feb

18

TinyChat

Posted by admin under internet, technology - No Comments

TinyChat allows you to create a private chat room with a single click and tell your friends to visit a link from TinyChat (example: tinychat.com/kevin) to chat with you.

Feb

12

World’s First Waterproof MP3 Player

Posted by admin under internet, technology - No Comments

With the NU Dolphin TOUCH, guaranteed waterproof to the international IPX7 certification level, you can share all the fun of all kinds of outdoor activities, such as swimming, surfing, snorkeling, spa, mountaineering, fishing, jogging and biking. The Dolphin TOUCH, the world’s first waterproof curved-touch-pad MP3 player, comes with 4GB of embedded NAND flash memory (960 songs of MP3/WMA) and a built-in FM tuner.

The Dolphin TOUCH from NU measures 66.4×21×21 mm with a built-in 180mAh/3.7V rechargeable battery. Standard accessories include waterproof earphones, USB cable, clip, fastening bands, armband, cleaning cloth, high-end stereo earphones and a user manual disc.

Unfortunately, because it was only announced a few days ago, there is no detailed pricing yet.

Feb

10

How To Setup Your Own Software Development Company

Posted by admin under internet, resource, technology - No Comments

By Matt Raible

This post was originally titled “FTE vs. Contract in this Economy”, but it didn’t seem to capture the essence of this entry. I wanted to write about why I think contracting is better in this down economy, but I also wanted to write about how you might go about setting up your own company. Starting a company is relatively easy from a legal standpoint, and hopefully I can provide some resources that’ll make it even easier.

First of all, I believe that contracting is better in this economy for a very simple reason:

When you’re a contractor, you’re prepared to be let go.

There’s really nothing like being laid off. It sucks. It often shocks you and makes you depressed. The good part is you usually get a good afternoon’s worth of drinking out of it, but that’s about it. Severance is cool, but let’s face it – you’d much rather be employed.

As a contractor, you’re always looking for your next gig. You’re prepared for the worst. You’re more motivated to learn marketable skills. You’re constantly thinking about how you can market yourself better. Writing (blogging, articles, books) is an excellent way to do this and I believe it’s rare that FTE are as motivated to do these kinds of things.

Being a contractor forces you to better yourself so you’re more marketable.

People’s biggest fear of contracting is that they’ll have a hard time finding their next gig. In my career, I’ve rarely had an issue with this. There are always contracts available, it’s just a matter of how much you’re going to get paid. Yes, I’ve had to suck-it-up and make $55/hour instead of $125/hour, but that was back in 2003 and $55/hour is still more than I would have made as a FTE.

The other thing that makes me believe contracting is better in this economy is I believe companies are hiring more short-term contractors than employees. I don’t know if this is because they consider employees liabilities and contractors expenses, but something about it seems to make the books look better.

So you’ve decided to take my advice and try your hand at contracting. Should you setup your own Corporation or LLC?

Starting a Company
Yes, you should absolutely start your own company. As a Software Developer, chances are you’re going to make enough to put you in the highest tax bracket. If you’re a Sole Proprietor (no company), you will pay something like 35% of your income to taxes and you can be sued for everything you own by your clients.

Should you create an LLC or Corporation? I started Raible Designs in May 1998. I started out as an LLC and later converted to an S Corp. For the first few years, I made $30-$55/hour and this seemed to work pretty well. I believe this was similar to having a Sole Proprietorship (because I was the only employee), except that I was protected from lawsuits.

In 2001, I got my first high-paying gig at $90/hour and my Accountant suggested I change to an S Corp to save 10K+ on self-employment tax. I’m certainly not an expert on the different types of business entities, but this path seemed to work well for me. It was $50 to convert from an LLC to an S Corp. I’m not sure if you can go from an S Corp to an LLC. The beauty of an S Corp is the corporation typically gets taxed at 15%, so you can run a lot of things through your business and pay less taxes. Date nights can be business meetings, vacations can be Shareholders Meetings, seasons tickets can be client entertainment and you can write off your car and fuel costs.

There’s lots of good resources on the web that describe the different business entity options. My favorite is A List Apart’s This Web Business IV: Business Entity Options. Another good resource is How to form an LLC.

The hardest part of starting a new business is coming up with a good name. My advice is to make sure the domain name is available and pick something you like. I chose Raible Designs because I designed web sites at the time. Raible is a pretty unique name, so that’s worked well having it as part of my business name. Googlability is important – don’t choose a generic name that will make you difficult to find. Potential clients should be able to google your business name and find you easily.

Once you’ve picked a name, the business establishment part is pretty easy. In Colorado, you can File a Document with the Secretary of State. Their site also allows you to reserve a name if you’re not quite ready to make the leap.

You’ll also need to get a Federal Employer Identification Number (FEIN) from the IRS. The IRS has a good Starting a Business article and also allows you to Apply for an Employer Identification Number (EIN) Online.

Once you’ve got all the documents setup, you’ll want to create a bank account for your business. I’m currently using Wells Fargo and really like how software-friendly they are. Their online banking is clean and easy to use. They also support QuickBooks for the Mac. They have Payroll Services to allow you to pay your quarterly taxes online as well as setup direct deposit, but I’m not using them.

For payroll, I use PayCycle and have nothing but good things to say about them. I have the Small Business Package at $42.99 per month. This package allows me to pay myself and employees + up to 5 sub-contractors with direct deposit. It also allows me to pay both Federal and State quarterly taxes online. Of course, you can also get an Accountant to do this for you.

Having a good Accountant and Financial Advisor (for your retirement plan) will likely be an essential part of your business. LinkedIn’s Service Providers is a good way to find recommended professionals in your area. For example, click here to search for Accountants and then click the change location link in the top right corner to specify your zip code.

Finally, you’ll need insurance. The Hartford has a good Small Business package that costs around $500/year. Its liability limits have worked for all of my clients and I’m covered if my laptop ever gets stolen. For Health Insurance, I recommend using eHealthInsurance.com to find a good provider for you. I don’t get sick or hurt much, so I typically get a disaster prevention plan with a $5K deductible. For dental insurance, brush your teeth. Vision insurance typically sucks, so I wouldn’t buy it. Yes, our health care system in the US needs work and I believe if everyone had a small business, it might get more affordable a lot quicker.

Over the next few days, I’ll post some additional advice I’ve received on retirement plans, deducting a home office, drawing up contracts and how to come up with a good rate. If you’re an Independent Software Developer and have any additional advice, I’d love to hear it.

Feb

5

Ajax: The State of the Art with Dion and Ben

Posted by admin under ajax, internet, resource, technology, web2.0 - No Comments

This morning, I attended Dion and Ben’s talk titled Ajax: The State of the Art. Below are my notes from the event.

Ajax started out as a bunch of hacks. It showed that we could take our web interfaces and do a lot more with them. A hack isn’t necessarily a bad thing. Often, they turn into something much more elegant over time. The new browsers have many amazing capabilities that we haven’t taken advantage of yet. We’ve seen discussions on Ajax go from how to do XHR to frameworks and how rich and mature they are. Dojo is great for Enterprise Development (packing system, namespaces). jQuery is well-suited for lightweight developers (PHP). Prototype is fantastic for people who do a lot of JavaScript development and take it very seriously.

Today’s Ajax landscape is mature, really rich, and really exciting. Today, Dion and Ben are going to talk about technologies they’re really excited about for the future.

Canvas
The building blocks of the web are text, boxes and images. With canvas, it really makes a lot more things possible. You can do bitmap rendering and image manipulation. They’re showing a slide with Doom and Mario Kart running. Canvas 3D does true 3D rendering. Firefox and Opera have done prototypes of this. Can you do canvas-type things today in a browser? Yes, if you use Flash or Curl. Dion and Ben are excited about canvas over plugins for the following reasons:

  • No start-up delay
  • Available on mobile devices today
  • Rendering fidelity with browser (especially important for typography)
  • No bridges necessary (no marshalling/unmarshalling)
  • Not a plug-in

The <canvas> tag originally came from Apple’s Dashboard. Dashboard’s programming model was in HTML and JavaScript. Dashboard is using WebKit under the covers. Today, canvas support exists in every major browser except for IE. The good news is there are Flash and Silverlight bridges to add support to IE. There’s also an ActiveX component that wraps the Firefox implementation and allows it to run in IE.

SVG
Dion and Ben aren’t that excited about SVG because it’s such a huge spec. We’ve been struggling with the HTML standard for the last 10 years and the thought of another huge spec for the next 10 years isn’t that appealing.

Fast JavaScript
Almost all major browsers have a Fast JavaScript implementation. Chrome has V8, Safari has SquirrelFish Extreme, Firefox has TraceMonkey and Opera has Carakan. This is exciting because of industry trends and how companies are trying to reduce computation cycles in data centers. The more computing that can be put on the client, the better. IE doesn’t have anything, but Dion and Ben believe they are working on something.

Web Workers
Interface latency is awful for applications. Jakob Nielsen once said:

0.1 second is about the limit for having the user feel that the system is reacting instantaneously. 1.0 second is about the limit for the user’s flow of thought to stay uninterrupted, even though the user will notice the delay.

Anything that takes longer than a tenth of a second should be pushed to a background thread. Unfortunately, there are no threads in the web. Maybe we can add threads to JavaScript? Brendan Eich has said that “Threads suck” and there’s very little chance for threads getting into JavaScript. Gears brought Worker Pools and this is going into HTML 5 as Web Workers. You could also use Java applets to do this. With the latest Java Plugin, many of applets’ long-standing issues have been solved.

Desktop Integration
The ability to build desktop apps as web apps is very exciting. There’s a few technologies that demonstrate this: Fluid, Mozilla Prism, Adobe AIR, Appcelerator Titanium and Gears. The Palm Pre demonstrates the logical extension of this. The Palm Pre uses the web stack as its developer SDK. It’s very cool that web developers don’t have to learn anything new to become a Palm developer. Desktop integration is exciting especially if we can access desktop applications like email and address book.

The Ajax frameworks that are out there have done a lot to make web development simpler. However, there’s still a lot of pain with CSS and cross-browser issues. What if you took canvas and combined it with a sophisticated grid-based layout in JavaScript?

There are a lot of platforms out there: Microsoft Silverlight, Adobe Flash, Apple Cocoa and Sun’s JavaFX. The web often isn’t considered a platform. Dion and Ben believe there should be an Open Web Platform. The problem right now is there is no central location to find out how to get stuff done. You have to search and find resources from many different locations. Mozilla is putting its resources into creating an Open Web Platform. This site will consist of 4 different areas:

  • Home
  • Documentation (for different frameworks, browsers, quirks)
  • Dashboard (state of the open web)
  • Roadmap (what’s going on)

This is not just Mozilla, it’s very much a community effort. This is something that Ben and Dion have been working on. But there’s something else they’ve been working on too. They’ve been talking about all these cool things, but what about an interesting application to test all these technologies?

Bespin
As they looked at code editors, most of them provide awful user experiences. Bespin is the Editor of Your Dreams and contains the following features:

  • Accessible from anywhere – any device in any location
  • Simple to use, like Textmate (not heavyweight like Eclipse) – an editor, not an IDE
  • Wicked Fast – performance, performance, performance
  • Rock-solid real-time collaboration, like SubEthaEdit – it just works
  • Integrated command-line, like vi – Fun like Quicksilver, social like Ubiquity
  • “Self-hosted” environment, like Emacs – For extreme extensibility, but with JavaScript!

Dion and Ben showed a screenshot of Bespin and now they’re doing a demo. The core editor has what you’d expect, with syntax highlighting and line numbers. Canvas doesn’t have text selection by default, so they had to write it from scratch. The command line allows you to get help, run core commands and also subscribe to commands that others write. You can change your keybindings to emacs or vi as well as many other settings. Much of Bespin is event-driven, so you can easily plug in new behavior for different events.

For viewing files, they couldn’t bring themselves to use a tree. Instead, they developed a file-browsing interface that looks very much like Apple’s Finder. Personally, I like Finder, but wish it had Windows Explorer’s path bar that allows you to simply type in the path without mouse clicks. Back to the command line. They’ve done a lot to make things more discoverable so users can easily find the power of the editor.

Bespin could be used to engage developers more with open source projects. Checking out projects, modifying code and creating patches can be a real pain. Bespin could be used to interface with open source projects in the cloud. You could login, modify code and easily patch/build with the click of a button. One other thing they want to do is to have the server do code-analysis as you’re developing.

Is it OK to love a software tool? You must love your software tools. What we do as Software Developers is one of the most difficult jobs on the planet. Programmers, like poets, start with a blank slate and create something from nothing. If you don’t love your tools, you’ll start resenting what you do. If you don’t love your tools, it shows in your work. – Dave Thomas at RubyConf08

Thunderhead
A GUI Toolkit written with canvas and JavaScript. Allows you to do layouts with very little thought. It’s a lab experiment that’s in progress, stay tuned for more information.

All users care about is the user interface. Dion and Ben believe there’s a key to creating compelling user experiences: it all has to do with managing expectations. It’s not that different from how you manage relationships in your life. Expectations for movies and games have changed drastically over the years. What used to be the web (animated gifs and awful web pages) has also changed drastically (video of Apple’s online store). What was cool with MapQuest was changed drastically by Google Maps. What we have today isn’t the end of the game – expectations will continue to change. However, users have different expectations for software.

Alan Cooper has done some interesting work in this area. The software designer needs to focus in on a user’s goals. There are basic things you can apply to all users, for instance “sex sells”. An example of this is Delicious Library. This application allows you to keep track of things in your home such as books, movies, music and games. They made $500K in 3 months and made $54K the first day, with no advertising.

The quality of any software is determined by the interaction. If the interaction isn’t good, it will poison the entire experience. Donald Norman has a good quote: “Attractive things work better”. In society, this is often called “Dress for Success”.

The Open Web is here to stay because it has:

  • An Easy Programming Model
  • Easy Remoting
  • Extensive Customization Vectors (e.g. GreaseMonkey)
  • Easy Deployment
  • Great Widgets
  • Great Visual Effects
  • Great Mobile Story
  • Desktop Integration
  • State-of-the-Art Plug-ins

Bespin is a tech preview that they hope to release next week. Thunderhead will be released at the same time.

Conclusion
This was a great talk and easily the most inspiring of the conference. Dion and Ben always do a great job and the sexiness of their presentation made it all the more appealing.

Feb

3

Microsoft fortifies IE8 against new XSS exploits

Posted by admin under internet, living, technology - No Comments

Engineers in Microsoft’s Internet Explorer group continue to refine a new security feature designed to block malicious scripts that can be injected into trusted websites to steal email and account credentials. Judging from the magnitude of the problem, their task may never be completed.

Among the multitude of revisions introduced in last week’s release of Internet Explorer 8 were tweaks intended to make the browser’s cross-site scripting (XSS) filter better withstand tricks for concealing malicious characters in web addresses. Some of the world’s foremost web application security experts helped, an indication of the difficulty of containing the threat.

One fix enables input to be treated as a stream of individual bytes rather than characters, a change that prevents attackers from evading the filter using Chinese characters in web addresses. Because of the way certain characters, including “<”, are rendered in Chinese, bad guys were able to sneak them into malicious URLs that weren’t detected by beta versions of the Microsoft browser.

A similar technique that uses a PHP function known as “stripslashes,” which removes backslashes from strings, had also been used to bypass the IE XSS filter. The protection now generates additional signatures that offer alternate interpretations of the input.
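As an added illustration of why a filter needs alternate interpretations of the same input (this is not Microsoft’s code and not part of the original article): a toy signature heuristic in Python that inspects a query parameter raw, URL-decoded, and after a PHP-style stripslashes() pass. The signature regexes and the sample parameter values are constructed for this example.

```python
import re
import urllib.parse

# Hypothetical, simplified signature set; IE8's real regular expressions
# are not on the page and are not reproduced here.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"<\s*(form|isindex)\b", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
]


def php_stripslashes(s: str) -> str:
    """Mimic PHP stripslashes(): drop each backslash, keeping the character
    it escaped (a doubled backslash becomes a single one)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def interpretations(raw: str):
    """Views of one parameter value that a backend might end up acting on."""
    decoded = urllib.parse.unquote_plus(raw)
    yield "raw", raw
    yield "url-decoded", decoded
    yield "url-decoded+stripslashes", php_stripslashes(decoded)


def single_view_filter(raw: str) -> bool:
    """Naive heuristic: match signatures against the URL-decoded text only."""
    decoded = urllib.parse.unquote_plus(raw)
    return any(sig.search(decoded) for sig in SIGNATURES)


def multi_view_filter(raw: str):
    """Also check alternate interpretations; return the name of the first
    view that triggered a signature, or None if none did."""
    for name, view in interpretations(raw):
        if any(sig.search(view) for sig in SIGNATURES):
            return name
    return None
```

On a constructed value such as `%3Cscr%5Cipt%3E`, the single-view filter sees `<scr\ipt>` and stays silent, while the multi-view filter flags it under the stripslashes interpretation.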

Other fixes involve scenarios that use extremely long UTF-8 sequences or injections of FORM and ISINDEX elements. Nulls in HTTP responses and Object tags using the CODETYPE attribute have also received attention.

Over the past few years, XSS vulnerabilities have emerged as an Achilles’ heel for some of the biggest and most sensitive websites. In December, researchers found several XSS flaws on the site of American Express that potentially could have allowed attackers to steal users’ authentication cookies. Other sites that have been bitten by the bugs include Google Mail, Yahoo, MySpace, and Facebook.

XSS attacks allow attackers to inject hostile code into a targeted domain by taking advantage of a common practice among web developers who allow one website to link to images and scripts hosted on a second site. When Microsoft’s XSS filter encounters code that’s hosted on a different site, a heuristics engine inspects the URL and POST data and uses regular expressions to identify possible XSS vulnerabilities.

This is an extremely tall order for any browser. The ability of one site to link to code hosted on another site is a key architectural design at the heart of today’s website, so filtering carries the risk of breaking many websites if not executed carefully. And the list of techniques for evading such filters is long and only getting longer.

Several top-flight researchers helped Microsoft pinpoint the weaknesses. They include Yosuke Hasegawa, 80sec, Ronald van den Heetkamp, Amit Klein, and Gareth Heyes.

Microsoft’s goal seems to be to protect users against the most dangerous XSS threats without degrading the performance of legitimate websites. Contrast that with the NoScript extension for the competing Firefox browser, which does a great job of blocking many XSS attacks but also has the potential to confuse many less-sophisticated users.

The constantly expanding number of ways for bad guys to evade the Microsoft filter means its design is likely to remain an iterative, ongoing process with plenty of additional tweaks to come.