If you're new here, you may want to subscribe to my RSS feed. So that you can read the latest updates about Web2.0 tools, Making Money Online, Tips in SEO, Ajax and many more. Thanks for visiting ProgramimiCOM!

A mailing list is the lifeblood of your online business. The old adage “the money is in the list” cannot be true enough — if you had a targeted list of prospects to contact each time you have a new product, you will be able to save a lot of effort by marketing it to your existing list of targeted prospects.

You can actually build up a targeted list of prospects that are interested in your products by offering a relevant download on your website. For example, let’s take a look at a very good example — apple.com. When you download the free iTunes and Quicktime software from their site, they will ask you to fill in an optional name and email form so that they can send you offers on songs that you can purchase via — guess where — iTunes!

In reality, you do not need to offer such a “heavyweight” download such as a full-feature software like iTunes.  You can attract prospects equally well with some quality freebies such as a simple report, a free wallpaper, and so on. The important thing is that your download offers enough value for the prospect to be willing to give away his/her own email address to get it.

However, slapping together a simple download and putting a link on your website won’t be enough to attract qualified prospects. You will have to do some homework in order for your lead-generating mechanism to work well for you.

First of all, you must place your download form prominently on your website. Preferably, dedicate a page to it and link to that page from every other page of your website. That way, there is no way your visitors cannot find the download page, and when they do, you’ll get some of them converted into your prospects!

Also, you have to put a little effort into promoting your download. Explain and elaborate on the values of the download, and why your visitors should download it. You might think why would anyone want to pass on a freebie, but most of your visitors would be too lazy to take the effort to download it because most of their downloads just sit on the harddisk collecting virtual dust. It is hence important to show your visitors why they should download your freebie.

• 0 Comments

For anything to work well, care must be taken to make firm, workable plans to execute it and the same goes for website designs. With a well thought out website design, you will be able to create a site that generates multiple streams of revenue for you. In fact, may websites turn into online wasteland because they are not well planned and do not get a single visitor. Gradually, the webmaster will not be motivated to update it anymore and it turns into wasted cyberspace.

The crucial point of planning your site is optimizing it for revenue if you want to gain any income from the site. Divide your site into major blocks, ordered by themes, and start building new pages and subsections in those blocks. For example, you might have a “food” section, an “accomodation” section and an “entertainment” section for a tourism site. You can then write and publish relevant articles in the respective sections to attract a stream of traffic that comes looking for further information.

When you have a broader, better-defined scope of themes for your website, you can sell space on your pages to people interested in advertising on your page. You can also earn from programs like Google’s Adsense and Yahoo! Search Marketing if people surf to those themed pages and click on the ads. For this very reason, the advertisement blocks on your pages need to be relevant to the content, so a themed page fits that criteria perfectly.

As Internet becomes more widespread, advertising on the Internet will bear more results than on magazines or offline media. Hence, start tapping in on this lucrative stream of profit right away!

• 0 Comments

What Is So Important About An Invalid Click and How Will It Affect Me?

More than anything, an invalid click is a big no-no and it will get your account terminated faster than anything else.  Having said that, an invalid click is when a publisher clicks on their own ads to add to their earning potential .  It’s also when a publisher asks others to click on their ads just to raise their revenue.  It also raises the advertiser’s costs and Google won’t tolerate this.  Google Adsense has state of the art technology and they know what’s going on.

Invalid clicks also happen when someone uses robots to click on ads or automated software.  It is any deceptive practice used to click on ads.

Invalid clicks are also unnecessary as there are plenty of money-making opportunities with valid clicks.  With an optimized website, useful content, and attractive ads, there’s no reason for anybody to even entertain the idea of using invalid clicks.

Having Control Over Your Adsense Account

You the publisher, have complete control over the advertisement that runs on your site.  You can choose to run only image ads, only text ads, or a combination of both.  Google recommends that you choose a combination of both to maximize your earning potential, but the decision is yours.

When making your ad decision, you also have the freedom to choose which type of ads run across your entire account (image or text) or you can narrow that decision to what type of ad might run on a particular page.

As of right now, you are not able to differentiate your image ad click rate from your text ad click rate.  You can of course, differentiate your click rate from one site as opposed to another site.  Say, for example, you run only image ads on one site and only text ads on another site.  By setting up channels to track both sites, you can see which site has the better click rate.  Of course, you have to take into consideration there would be more factors than whether you were running text or image ads.  The content, the placement of the ads in general, even the color could make a difference.

Refer to the Google Adsense Support Site for specific instructions on how to enable or disable image ads.  Remember, it’s all up to you!

• 0 Comments

Installing Apache on Windows, why? Because let’s face it Windows is easy, and well Apache sure beats using IIS. This tutorial is meant for the person who would like to set up there own little web server. It’s not meant for the IT Person running a fortune 500 company. But hey if you want go ahead.

Instalation:

First thing you need is to download the webserver. Now for windows
users your gonna want to go download the .exe . The apache website is www.apache.org Your gonna wanna head to the apache
binaries sections for Win32 I believe it is at http://www.apache.org/dist/httpd/binaries/win32/
There you will be able to download a version of apache.

Now before you download it you gonna want to make a folder. This folder is
where your gonna server your root directory. Now if you don’t want to do
this it’s ok. You can use the default path if you want. Put usually this helps
in setting up other things like php, and MySQL. Most people do is they create
a folder in the C:\ directory called WWW or somthin. You can name it whatever you want.

Ok so have downloaded the Apache Web Server. Your ready to go with the setup.
No the version I have downloaded was apache_2.0.36-win32-x86-no_ssl.msi This
was a newer version and supposedly supposed to be more secure. The first screen you get when your in the setup is The welcome screen we don’t care much about that
but owell so hit next. The next screen is the terms and service. And yes
your going to agree to the terms duh. The next screen is some documentation.
I never really read it but if you want go ahead and do it. Once your done
hit next again. Know we see a screen that says enter a network domain. Erase what is ever in there and type localhost. Now the next box says
Servername, erace what is ever in the box and put in localhost.
The next is Administrators e-mail address. Go ahead and fill that in.
But make sure to change it. Now there are 2 little radio buttons.
Pick the one that best suites your needs. Now that we got that all
filled out. Hit Next and you’ll go to a screen that asks you which
type of install you want to do. Then hit next.

If you wanted to server out of your one special folder. Change the
file location of were your gonna install apache. Or just leave it at the default path. Click install and it should be on
it’s way. Once it’s done installing hit the finish button.

The test:
First were gonna check to see if Apache installed correctly.
This is how we do it. Open up Internet Explorer and type in ” http://localhost” . If everything went smooth then you should
be seeing a message that looks like this” Seeing this instead of the website you expected?” Yippee!!!
Apache is working. See now wasnt’ that really simple. Ok now were gonna
do some fun stuff.

Alright now that we got or test done lets move on to changing some of this
stuff that apache did on default. In Internet Explorer if you installed
on the deafult path. Make your way to C:\Program Files\Apache Group\Apache2
This is your Main Apache Directory were you can find everything. If you want
take a short break and run around. There are some cool things there. Don’t
worry if you don’t understand what’s in these files just yet.

Break Time:
Go take a leak, get some pepsi and somthin to eat. If you got smokes light
them up in your new found glory.

Alright so now you’ve got apache installed and your about to start dishing out
your web pages that you took so much time on to build. Head to the folder called
htdocs, this is your main folder. There should be a whole bunch of pages What i do
is i select them all and move them to another folder. The htdocs folder is the best
folder in the world. It’s gonna be one of the places you spend most of your time
dishing out content for the world. Ok so get rid of all that stuff that is in your
htdocs folder. And move all your great content inside replacing it. Alright so now
once we moved all are content inside the htdocs folder and we tested it to make
sure it was there. http://localhost remember. Now let’s get out of there. Go to
Apache’s main directory. Now just to be aware of what is going on and get a good
example of how Apache Functions head off to a folder called “conf” This is the
configuration files Apache Uses. If you ever wanted to install php and other
server side scripting languages this is where you would do it. Now you get 2 copys
Use 1 as a backup and never edit it at all. Go ahead and open the folder and open
“httpd.conf” Read it very carefully cause in this tutorial were not gonna read
about it. I just want you to know it’s there. Anytime you edit the httpd.conf file
you must re-start apache in order for it to work. Another good tip for you new people
to apache is you may notice the log files. Yes there great and make sure to make backups
of the logs they will come in handy. As security precautions. I also recommend getting
a firewall set up. There are lots of great security features that apache has but this
is a tutorial to installing apache.

Alright so now you’ve got your webpages up. But the only way people will be able to view
your pages is my typing in your ip address. This is a bumper. Lets look at some free
re-directories. www.n2v.net, This is a cool one. You sign up put your ip adress of your
new webserver in and whalla your done. Type in www. .n2v.net and it goes to your server
and brings up your super nice webpages. Now if you go to google and search for free
domain names or re-directors you should come up with alot. Many People already know
about the www.dot.tk one of the coolest things in the world. Free .tk very simple
That’s all you need. It works perfect for my webserver and I’ve got around 3,000 hits
so it’s working good. If you don’t wanna do it you don’t have to. But it just
makes it simple.

Alright that comes to the conclusion of installing Apache Win32 for WINDOWS users.
Very easy. One last thing Please Read more of the Apache
Documentation either on there website or in your Apache2
directory. If you liked reading this tutorial on how to setup Apache check my
website for others at www.bonfire.tk . Yes there will be follow ups. I’ll be
writing another apache tutorail soon so you can set up PHP. The most awesome
scripting language ever built. And also another on how to secure Apache and yes
ALL FOR WINDOWS!! .

• 0 Comments

Masking or anonymizing a Web server involves removing identifying details that intruders could use to detect your OS and Web Port80 Software has developed an IIS server module called ServerMask to combat the majority of issues explored here for the Windows Web Server.

The Server Header Tells All
Most Web servers politely identify themselves and the OS to anyone who asks. Using a network query tool like Sam Spade or this Header Check, you can discern the HTTP Server header. Just request a Web site’s home page and examine the resulting HTTP headers or “banners” sent back by the server. Among them, you will likely find something like this:

Server: Microsoft-IIS/5.0

There is not much mystery here. Apache’s default settings make it no less identifiable:

Server: Apache/2.0.41-dev (UNIX)

You can remove or obscure this HTTP Server header in a variety of ways, depending on your platform. Apache 2.x users who have the mod_headers module loaded can use a simple directive in their httpd.conf file, as follows:
Header set Server “New Server Name Goes Here”

Unfortunately, mod_headers cannot alter the Server header in prior versions of Apache, so 1.3.x users will have to resort to editing the defines in httpd.h and recompiling Apache to get the same result. IIS users can install IISLockDown and use the configuration option in URLScan’s INI file for removing or replacing the header. Be careful with URLScan if you are using Cold Fusion application server — the way the current version replaces the Server header wreaks havoc with CFM pages. In fact, removing the header is the way to go when using URLScan, since if you try replacing the header it moves to the bottom of the header order — which pretty much gives away that you are running URLScan on IIS.

Unsightly File Extensions
Displaying file extensions like .asp or .aspx in a site is a clear indication that you are running a Microsoft server and, in general, hiding file extensions is a good practice to mask the technology generating dynamic pages. You can change your application mappings (.asp becomes .htm or .foo, etc.), but such one-to-one mapping can make mixing server-side technologies painful and does nothing to alleviate headaches during site migrations. Doing without file extensions altogether is an even better idea, not only for security but also for ease-of-migration and content negotiation. Apache people will want to take a look at mod_negotiation. Watch out, though, for the Content-Location header in the server’s response, which can give away the file extension that is not shown in the URL. You might have to suppress this header separately using mod_headers. In a similar vein, Port80 offers a tool called PageXchanger that allows file extension hiding in IIS.

Half-Baked Cookies
The ASP session ID cookie, used by the Session object to maintain client state, is another dead giveaway:

Set-Cookie: ASPSESSIONIDQGQGGWFC=MGMLNKMDENPEOPIJHPOPEPPB;

You can disable ASP Session State so that this cookie is not placed, but you lose the convenience of using the Session object to maintain client state. You could also create an ISAPI filter to change the names of any session ID cookie. On the other hand, ASP sessions are resource intensive, and turning them off improves the performance and scalability of your ASP application, while also helping to anonymize your server.

Send These to the Recycle Bin
WebDAV: Another way of identifying Microsoft servers is their implementation (from Windows 2000 and IIS 5.0 on) of WebDAV — the HTTP Extensions for Distributed Authoring and Versioning. WebDAV itself is not unique to Microsoft or IIS; it is a proposed standard (RFC 2518) with an IETF Working Group. Microsoft’s WebDAV support, however, adds a lot of information to the headers sent back by the server, especially when an HTTP OPTIONS request is made. If you are not using WebDAV (to support Outlook Web Access or Web Folders, etc.), you can disable it entirely by editing the registry or by using IISLockDown and URLScan.

Public Header: Certain Web servers betray their identity by displaying the Public header in HTTP responses. Few popular Web Servers send this header in response to OPTIONS requests (while almost all respond with the similar Allow header). The presence of Public is a good indication you are connected to either an IIS box or Netscape Enterprise 3.6. The Public header can be removed with a custom ISAPI filter (IIS) or NSAPI plug-in (Netscape).

Integrated Windows Authentication: IIS users should not rely on “Integrated Windows Authentication” — especially not as a way of hiding anything on the server. This method betrays the very secret it would keep, since a script or visual hacker can identify the Windows box by means of the WWW-Authenticate headers sent by the server. When a file or directory is protected by NT Challenge-Response authentication, one of the authentication headers contains the string “NTLM” (NT LAN Manager) — a Microsoft-specific form of HTTP authentication.

Get Your Headers Straight
The number and sequence of your HTTP headers and the presence or absence of certain platform-specific headers provide handy ways for more sophisticated hackers to fingerprint your Web server. A relatively unexplored area of server profiling, this will become a more common exploit as administrators start to implement countermeasures against obvious HTTP vulnerabilities like the Server header. For IIS users, a custom ISAPI filter can alter the Microsoft-specific header order or sequence to emulate, say, a default Apache installation. Apache users can accomplish any header order emulation they wish by experimenting with the location and order of Header directives in mod_headers.

Whose Default is That?
Default messages, pages and scripts of all kinds often contain clues to server identity, and these should be removed or modified accordingly. Software behind the Web server often bubbles error messages back through the HTTP request/response cycle, and customized HTTP errors can mask application server, database server, Web server and OS identity. For IIS, CustomError makes it easy for developers to deploy custom 404 and other HTTP error pages. This article shows how to implement custom HTTP errors in Apache. Avoid this on a development server, since, when done properly, it prevents database and server-side scripting errors from being seen — making it tough for developers to debug their applications! Remove or hide any Web or application server administration pages, scripts or documentation installed under your server’s Web root, and make sure to replace those default home pages.

• 1 Comment

I will be speaking about ModSecurity at ApacheCon Europe in Amsterdam later this year. I hear ApacheCon Europe 2007 (also in Amsterdam) was great so I am looking forward to participating this year. Interestingly, for some reason or another, this will be the first time ModSecurity will be “officially” presented to the Apache crowd, in spite of the fact we’ve been going at it for years. As always, the best part is meeting the people you’ve been communicating with for years.

“Intrusion detection is a well-known network security technique — it introduces monitoring and correlation devices to networks, enabling administrators to monitor events and detect attacks and anomalies in real-time. Web intrusion detection does the same but it works on the HTTP level, making it suitable to deal with security issues in web applications. This session will start with an overview of web intrusion detection and web application firewalls, discussing where they belong in the overall protection strategy. The second part of the talk will discuss ModSecurity and its capabilities. ModSecurity is an open source web application firewall that can be deployed either embedded (in the Apache HTTP server) or as a network gateway (as part of a reverse proxy deployment). Now in its fifth year of development, ModSecurity is mature, robust and flexible. Due to its popularity and wide usage it is now positioned as a de-facto standard in the web intrusion detection space.”

• 0 Comments

A very interesting research paper titled “Apache Prefork MPM Vulnerabilities” was released a few days ago, as you can see in the corresponding Bugtraq post. The paper describes, in detail, the dangers of allowing third-parties to run code under the same account as the Apache web server. This normally happens when dynamic content is produced using Apache modules (e.g. PHP) or when CGI scripts are configured to run without suEXEC. This topic itself is not new. You will find several articles on runtime process infection following this Google search link. I warn about this problem throughout my book and especially in Chapter 6, which is dedicated to those situations when more than one party is using the one Apache installation. However, it is one thing to know that something is possible and another to demonstrate, step by step, how it is done. Another interesting finding resulting from this paper is that it is possible to send a SIGUSR1 signal, as root, to any process on the system instead of just to Apache children processes. This is an issue that will have to be fixed in one of the future versions of Apache.

This problem with running code as the same identity as the web server is well understood (and has been for years) among the advanced Apache users. The solution is to always execute CGI scripts through suEXEC and to never allow third parties access to any of the modules. The real problem is that, as with any other product, there are few people who understand Apache inside out (and they can protect themselves) but there also those who are using the technology but do not have the luxury of learning everything there is about it (and there are many legitimate reasons for that).

The solution is obvious. Apache must be safe out of the box! We should dispense with the idea of running things in the same process. Process isolation facilities (either suEXEC or something else) should be installed and running by default on all installations. We can and should make provisions for those who know what they are doing to shoot themselves in the foot, of course. But the only reason to attempt to run things in the same process is performance and I suspect, in this day and age, virtually all users will be happy with the performance of their web server doing things in a secure manner.

• 0 Comments

Last week I spent some time stress-testing Apache 2.2.3 configured to work as a reverse proxy. I discovered (actually, re-discovered would be more accurate) two issues worth sharing.

1. Memory consumption of an Apache process will steadily increase as the number of processed requests rises. This is very easy to see if you send thousands of requests per second, with each request going to the same process. This has to be either a memory leak or a memory fragmentation issue. To deal with this you need to recycle processes before they become too large (and cause the operating system to start swapping). The MaxRequestsPerChild directive is meant to help with this. By setting its value to something other than zero (which means “unlimited”) you are telling Apache to shut down every process that goes over the limit. No problems there. Except that it’s where the second problem comes in.

2. The MaxRequestsPerChild directive does not work as the name suggests. Apache does not count requests - it counts *connections*. This creates a problem if you have persistent connections enabled in your configuration - you don’t know how many requests will come over a connection. It is probably safe to assume the number will not be large in most cases but you won’t know if someone will try to abuse this problem and force a large number of requests over a single connection (e.g. by using a specially programmed script). To be on the safe side you need to divide your ideal MaxRequestsPerChild value with the MaxKeepAliveRequests value. This will prevent the Apache processes from growing too large. But there’s a side effect - Apache will now recycle its worker processes more often. As your final step you need to make sure there are enough idle processes around (using MinSpareServers) to jump in as soon as an active process goes down. Yo need to have a few of these processes because there is a performance penalty associated with the creation of a new process and because Apache creates new processes at a rate of one every second.

• 0 Comments

My book was translated to Japanese and published by O’Reilly Japan! This is, apparently, old news, as they did it back in 2005, but I only found out about it from the three-montly royalties statement I received in April.

While we are on the subject of writing, I am starting to get the itch again. There are two or three topics I would like to explore further. Topics such as web application firewalls and ModSecurity, web application security, and application security patterns. On the other hand, I have a few compelling reasons against writing another book:

• It takes a lot of time (time better spent building Thinking Stone into a stronger business).

• It’s lonesome (but this can be dealth with by finding someone to co-author the book with me.
• My hands and arms haven’t fully recovered from the first book. (This one is the most compelling reason of all - I barely managed to finish Apache Security in the first place. If you are using keyboard extensively make sure to read about RSI and always keep Workrave active.)

• 0 Comments

It’s been exactly one year since my book, Apache Security, was published. I was very glad to learn Amazon.com are now enabling book authors to talk to their audience. It is unfortunate this feature did not exist at the time - I would have loved the opportunity to point those looking at this page to the book’s web site - http://www.apachesecurity.net.

I have always believed publication is just a first step in the life of a book (a long step in my case, as I spent eight months writing), and that the best stuff comes only after a book has been in use for a year or two. Let’s face it, we (the authors) don’t know nearly as much as our collective readership does. Therefore I invite you, the reader, to send me your feedback and make the second edition of Apache Security much better!

• 0 Comments