http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life The web for me is a hobby where standards and best practices are daily bread. Security is a concern that everybody must be aware of its details for IT in general, and the web in particular, to be a safer place. My life, on the other hand, is that of a regular Lebanese citizen where politics and social issues are discussed on a daily basis. I hope you enjoy reading my blog and make sure to drop me a comment about any topic you find interesting. I just got off the phone with Alfa Call Center regarding a weird charge that occurred on my detailed bill where I found many roaming charges for the number +9613488888 each being charged at $0.299. The charge occurred within the period of my my last trip to Tunis. The weird thing about it is not only that I don't know what this number is, but also that the invoice is for the period 27-March till 27-April while the charges in question are for the period of 21-23 March. After spending 34 minutes with the Alfa Customer Service representative on the phone, below is the conclusion for how your Alfa Invoice displays charges as well as the detailed explanation about this issue. Whenever you travel outside Lebanon and use the SMS Romaing service, 2 charges apply: The first charge is related to the Alfa SMS service for the number that you are sending the SMS to. Currently, if the number is in Lebanon, the charge will be $0.09. If the number is outside Lebanon, the charge will be $0.18. The second charge is for the Roaming Service charged by the network that you are roaming through. This cost is variable from one country to another. For Tunis, the cost is currently at $0.299 per SMS. On your invoice, you will find one of two cases: If the charge occurs within one line, you will see it as type R (for Roaming) and the cost will be the cost of SMS + the cost of Roaming. If the charge is split into two entries, you will see it as one charge of type S (for SMS) and another charge of type R (for Roaming). For example, if you send an SMS from Tunis to Lebanon through roaming, the charge can appear either on one line as $0.389 or on two lines where the first line displays the cost of SMS as $0.09 and the second line displays the cost of roaming in Tunis ($0.299). If you send another SMS from Tunis to a country different than Lebanon, then the charge will appear either on one line as  $0.479 or on two lines where the first line displays the cost of SMS as $0.18 and the second line displays the cost of roaming in Tunis ($0.299). Another thing that should be noted as well is the fact that all roaming charges from external networks (Tunis in this case) are not charged in real time and can take up to 4-5 days for the charge to arrive to Alfa. If you travel around the end of your billing cycle, the SMS charge can occur on one invoice while the roaming charge will occur on the next bill. This last fact is what resulted in large number of charges of $0.299 being listed for the number +9613488888 which turned out to be the SMS Center number of Alfa. My trip to Tunis took place on March 21-23. Thus, the SMS charges appeared on my March bill. The Roaming charges, however, were not charged back due to the delay explained above and, thus, my April bill was charged with these numbers. If you ever face this situation with Alfa, now you can know the details without having to spend half an hour with them analyzing the charges over the phone. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/116_alfa_statement_roaming_charges.html Sat, 01 May 2010 09:08:45 +0000 The way Google Analytics works is very different from the way log file based statistics work. Log file based statistics follows a very clear process. It opens the log file at the server side, parses its contents and generates results based on that content. Google Analytics, on the other hand, uses JavaScript technology to create a cookie within the user browser and uses that cookie (and JavaScript) to track the user's behavior on the website. Although both tools provide VISITS statistics, Google Analytics tends to be more accurate due to the fact that cookies allow for differentiating between two users on the same virtual network while IP-based differentiation (the technique used by Log File Based Statistics) fails to work. There are many differences (when it comes to accuracy) between the two tools. The first tool, Log File Based Statistics, is intended for accuracy in number of hits, pages, bandwidth consumption, server load, etc. The second tool, Google Analytics, is intended for user behavior tracking, number of visitors, entry pages, exit pages, landing pages, etc. The above general description is very crucial for website administrators to understand where each tool is more effective and to also highlight the fact that using one tool does not eliminate the need to the other. Both tools are still needed to achieve all results properly (and effectively). If your concern is only statistical (hits, pages, consumption, etc.), Log File Based tools are the key. If your concern is marketing-oriented (i.e. visitors, behaviors, etc.), then Google Analytics is king. Why Are Numbers of Google Analytics Lower Than Those of Normal Log File Based Statistics? The following list is not an exhaustive one but is intended to list the many cases where numbers will look different: 1- JavaScript and Cookies: Google Analytics relies on JavaScript and Cookies. As such, all user agents that do not support these two will not be counted. An example of user agents that do not support these two are: PDAs, a large sector of hand-held devices, a large portion of mobile phones with default settings, referrals (websites that refer to portions of your website like an image, video, etc.), computers with hardened security settings on their PC, search engine bots, etc. 2- Cache Engines: Some cache engines serve pages to visitors from their internal cache engine without referring back to the original website. In this case, the cache engine will send what is known as a HEAD request to the server to check whether the page has been modified or not since last time it was fetched. The HEAD request is counted within LOG FILE BASED STATISTICS but is not counted within Google Analytics since some cache engines only request updates to main information files (like PHP) but not for each page entry (like JavaScript files or CSS files) 3- Visits Calculation Algorithm: the to tools are very different in terms of identifying a visit. Log file based statistics attaches a certain IP address within a certain amount of activity time to a certain visit. In other words, if an IP address is active within the log file (fetching content) for 20 minutes and then inactive for 30 minutes, and then active again; Log File Based Statistics might consider this activity as 2 distinct visits from the same IP address. Google Analytics, on the other hand, uses the cookie to track the visit and, thus, can be more relaxed in terms of the time for the visit to timeout. Some echoes are that Google Analytics might consider any activity within the next 3 hours as valid for the same current visit. Thus, don't expect the number of visits to be any similar at all. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/115_google_analytics_vs_log_file_based_statistics.html Mon, 19 Apr 2010 10:46:43 +0000 Today, I received an email from Mr. Ziad Baroud, the Minister of Internal Affairs, asking me to check my listing on the DGPS website. While the majority would like the fact that Mr. Baroud is using a one-to-one communication method to reach as much Lebanese citizens as possible, I did not like the fact that Mr. Baroud is encouraging spammers to send out such emails. Lebanon is already a spammed country. Tens of companies send out SPAM / JUNK emails every day. We all nag and complain from such emails and spend 20-30% of our email time identifying and deleting SPAM / JUNK emails before starting to actually reading legitimate emails. It would have been nice if Mr. Baroud had: Avoided spamming me by sending me an email that I did not ask to receive (this is what SPAMming is after all) Used a more modern e-Marketing tool to spread out the word. A banner on a few websites (Facebook, Google, Yahoo!, MSN, Tayyar, Yellow Pages of Lebanon, etc.) could have done the same effect if not better since it wouldn't be dropped into the JUNK folder like what happened with this message. Of course the banner would have cost him a little bit more but I don't believe that budget is a problem in this case. Used this case as an exercise to help him identify Lebanese SPAMMING companies and warn them to stop providing this service. Used this article as an alert to start pushing an Anti-SPAM rule / law into the Lebanese system. I would love to see a minister / parliament member / president / anybody in the Lebanese government starting to handle rules and regulations related to Technology. Digital signatures and Anti-SPAM rules are just the beginning. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/114_ziad_baroud_spamming.html Tue, 02 Mar 2010 06:32:57 +0000  This guy is marvelous! Watch and try the trick. You will like it... http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/113_a_couple_of_amazing_tricks.html Tue, 23 Feb 2010 20:19:02 +0000 The new Sensys radar (shown in the photo) is a clever radar for speeding drivers. This radar does not flash and, most importantly, does not need to measure your speed at the moment where you pass near it. In other words, if you speed between two cameras and slow when you reach the radar, it will uncover your trick. Most of us, speedy drivers, go over speed between any two radars and slow down when the radar is within range. This radar is a bit more clever in this sense. It will record your speed and time (after identifying your plate number) when you pass by the first radar and  will record your speed ad time when you pass by a second radar. This information is transmitted, through mobile connectivity, to a central system that will analyse your speed based on the given speeds, the distance between the two radars and the time taken to travel between them. If the time taken is shorter than the maximum allowed, the radar will report your car as a speeding one and, thus, you will get the ticket. The ticket has been recently installed in many locations in Doha and I am pretty sure it is either being used where you are or will be shortly deployed. Therefore, it is time for us all to start admitting that technology is finally being used where it is supposed to be used. Drive safely and take care and beware! http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/112_a_new_speed_radar_that_you_cannot_fool.html Mon, 22 Feb 2010 19:10:36 +0000 If you receive an email related to the suspension of your Standard Chartered account with a link to www.standardchartered.ae in it asking you to login in order to update your account settings, don't click on it. Beware of it. This is a phishing email leading to a phishing website and has been reported as such. Just don't click the link in that email. The website it takes you to is: http://sinhwatech.com/V1/Standardbankae.html I checked it again right now and Google is reporting it as a phishing website but it is good to note it here just in case you didn't have the Google bar installed. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/107_standard_chartered_email_amp_website_phishing.html Sun, 21 Feb 2010 00:39:33 +0000 Recently, I am noticing many individual walking around with huge lighters in hands and (barely) in pockets. Huge lighters (similar to the one shown in the picutre) are being considered as pretty cool these days by many. While I agree that such a thing is somehow cool, we must be aware of the many risks associated with this type of lighters especially when using them in crowded places (like restaurants) or when temperature is high (like the summer). It is a well known fact that a small lighter (almost 1/8 the size of the huge lighter) can cause sever damage to the ears if it explodes. Small lighters usually explode under high temperatures only. If a small lighter falls down from a table, for example, it rarely explodes and, as such, you are usually safe carrying it into crowded places as long as you keep it away from direct contact with fire. The huge lighter, however, does not share these same characteristics. The lighter that I bought as tall as a half-liter water bottle (check picture). While experimenting, it exploded from a height of 2 meters as soon as it touched the floor on its base. Another lighter exploded after 1 second from touching the fire. Don't try experimenting unless you are extremely careful. An exploding huge lighter is very dangerous. Tens of small pieces fly around randomly and can cause harm and cause sever damage to the eyes and other body parts. This leads us to conclude the following simple points: Huge lighters can explode easily if they fall down from low heights (1-2 meters) Huge lighters can explode after 1-2 seconds from being exposed to direct fire contact (unlike small lighters that can bare around 5 seconds) Huge lighters cause sever damage to humans when they explode especially to ears (the explosion sound is very harmful) and to the eyes (from the small flying pieces) Huge lighters should not be allowed in public places (for public safety) It would be better if you simply avoid buying them especially if you have kids around at your place I hope this helps us all learn about the harm that may be caused by this type of lighters so that we can enjoy the forthcoming summ http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/106_huge_lighters_security_alert.html Sat, 20 Feb 2010 12:01:39 +0000 Today, I spent some time updating my blog with few stuff that should have been here a long time ago. AddThis is now active for you to share / bookmark articles A print button is finally there with an empty layout suitable for printing ReCaptcha is now implemented instead of the old AuthImage plugin Related articles are now displayed when you view an article Emails are required now when posting comments (so that I can reply to you at least) A mobile version is now available. To use it, simply go to www.victorsawma.com/mobile/ http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/105_few_blog_updates_to_share.html Sun, 14 Feb 2010 22:05:20 +0000 In December 2009, NetDesignPlus officially opened its newest branch in Shuwaikh, Kuwait. With this opening, we will be able to better serve our Kuwait clients by being closer and in direct contact with them regarding our online services including web development, design, hosting and consultancy. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/103_netdesignplus_in_kuwait.html Fri, 05 Feb 2010 18:53:44 +0000 Yesterday, I booked my first ticket online with Malev Hungarian Airlines. My trip is from Beirut to Gotenburg on July 2010. The total fare to be charged "as per the website" was 567 USD for the roundtrip. The confirmation email (and yes I still have it and is attached below) confirms that the total charges should 567 USD. Yet, my credit card was charged 609 USD. Being pretty familiar with Credit Card charges, I decided that this should be some sort of conversion between USD / Euro while processing the payment through their payment gateway. Thus, I gently sent them an email asking them to refund the difference. Today, I received a reply back from them asking me to contact client service on a Hungarian phone number. I did. The woman on the other side simply checked, confirmed the price (567 USD) and said that everything is OK lol I told her that the card was charged 609 USD. She was surprised first but, then, she remembered (surprisingly she did) that there is something that they call a "Service Fee" that is worth 30 Euros for the Lebanon region and that changes from region to region. What a joke! She couldn't even confirm that the service fee is 30 Euros. She said that it should be around 30 Euros but there is no way for her to know the exact figure. The worse part is that she is admitting that they have hidden fees. The worst part is that she cannot now what the exact fee should be. No comment from me on this. I know that this will be my last time to book with them online unless some magic occurs and someone points how something so unprofessional can happen with an airline reservation system.   http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/102_hidden_fees_with_malev_hungarian_airlines_online_booking_system.html Thu, 04 Feb 2010 15:18:11 +0000 Today, I guided a workshop about high-availability database solutions at NDU. The workshop went for 6 straight hours (from 9:30 till 15:30) and was attended by more than 50 students from various universities in Lebanon. The workshop was organized by the NDU IEEE branch in collaboration with the Computer Science Club. I started the workshop with a general overview of availability issues in Database solutions. Then, I moved to a more detailed description of Database Replication and Database Clustering before moving forward to the hands-on implementation that included the following: How-to install / configure MySQL Cluster on Centos How-to configure a database for asynchronous data replication How-to configure a Cluster for real-time synchronous data mirroring How-to configure load-balancing using the "balance" tool and Linux VFS (overview) The unique thing behind this workshop was the ability to achieve a working solution that includes a Cluster Manager, 2 Cluster Nodes, 2 Cluster API nodes and a load-balancer while using only 3 server machines. The solution architecture was simple and included the following machines:  192.168.0.1: this machine acted as the load balancer and the cluster manager. All requests to database operations in applications have to go through this machine which will, in turn, forward them to either 192.168.0.2 or 192.168.0.3. A slightly different solution will be to use Linux VFS to share a load-balanced IP address (e.g. 192.168.0.10) on 192.168.0.2 and 192.168.0.3. In this case, application database operations will have to go to the shared IP address (192.168.0.10) 192.168.0.2: this machine acted as a cluster node and a MySQL API node. 192.168.0.3: this machine acted as a cluster node and a MySQL API node. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/101_ieee_high_availability_database_workshop.html Sun, 13 Dec 2009 08:41:04 +0000 This year's halloween gathering was exceptional with the large number of babies present lol Enjoy the pictures ;)   [Visit this halloween's album] http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/100_halloween_2009.html Sat, 05 Dec 2009 08:10:14 +0000 The creator of this picture won a million dollar in Van cogh' talents competition which took place in Italy. Please take a closer look at the picture. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/98_one-million_dolar_picture.html Mon, 16 Nov 2009 07:13:58 +0000 What will Google Wave's primary power be in? Will it be Social Networking and thus competing with Facebook or will it be Cloud Computing and thus computing with Microsoft Live and Yahoo? Just a note for anyone reading this and willing to give his / her opinion. To get more information about Google's Wave, visit the URL below: https://wave.google.com/wave http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/97_google_wave_social_networking_or_cloud_computing.html Wed, 30 Sep 2009 19:59:50 +0000 Did you lose access to your Hotmail / MSN / Live account and cannot reset your password using normal techniques (like Secret Question / Answer or Alternate Email)? If yes, here is the link that allows you to "try" to recover your account by contacting Microsoft directly. https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs Click on the link above and fill in as much information as possible. Make sure you use an email address that you have access to. The more information you provide (contacts in your address book, folders, email activity, etc.) the more convincing your request will be for the staff member who will be reviewing your request. Normally, if convinced, Microsoft will simply reset your account password and send it over to the email address that you provide. Pay attention not to get confused between the stolen account email address and the email address that you want to receive the recovered password on. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/96_how_to_recover_your_hotmail__msn__live_passport_account.html Fri, 25 Sep 2009 07:13:37 +0000 A beautiful report from CNN about the best party city on earth. No wonder they chose Beirut. Watch the Report (Real Player required) http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/95_beirut_cnns_best_party_city.html Thu, 03 Sep 2009 06:32:18 +0000 I was having an interesting discussion yesterday about web programming languages with a friend of mine during which we tackled various programming languages (PHP, Java, VB and C#) and their competitive nature for web programming. I found it very useful to place a summary (yet a detailed one) about this topic due to the interestingly arguable nature of this topic... PHP:Past, Current and Future I will start with PHP simply because it is still my favourite web scripting language. Back in 1998, when I first tackled PHP, many programmers that I knew used to make fun out of it (same way they used to make fun out of Search Engine Optimization back then as well ;) starting from its recursive name (PHP stands for PHP Hypertext Processor) reaching the naive (yet powerful) nature of the language back then. I always had my bet that one day PHP will have to evolve into an application development language (like Java or C# nowadays). Luckily now, I can safely say that is almost here with the presence of the ZendServer, PHP 5, Zend Framework and PHP-GTK. A good business solution nowadays can easily outbeat other applications in terms of performance, stability and speed of production simply by using the tools listed just above. Although these tools are not yet well-know at the commercial levels, they are being introduced (as far as I know) at many academic levels and will make it (in the very near future) to the commercial setting. As far as the community is involved, I can safely say that PHP did a huge progress over the past two years. Back in 2003-2004, many programmers (and I was almost going to be one of them) moved into JSP with the J2EE being so powerful back then giving up while waiting for a mature and stable PHP framework to support them. Being stubborn, I insisted back then on sticking to PHP and worked for almost 4 months (full-time) back then to produce my first set of PHP modules to be used for Rapid Application Development (RAD) within websites. Lately, I ported my modules into CakePHP and Zend Framework whose combined power is ultimate for high-traffic websites that can serve hundreds of thousands of requests / hour peaking at thousands of concurrent requests with as low as 10% of CPU usage and 1 GB of RAM. A very simple, yet convincing example of this are two websites that I developed: www.yellowpages.com.lb and www.al-sharq.com. For commercial confidentiality purposes, I cannot reveal numbers in here. Yet, you can visit these websites to get a glance about the dazzling power behind PHP performance when combined with Linux, MySQL, APC and the Zend Framework.   Java: The Enterprise Programming Language I just love Java! I love its powerful architecture, community and powerful solutions. Yet, one main feature lacks Java to make it into the daily websites that people visit: low resource footprint. Java is well known for its huge resource utilization at the server level. A normal website developed in JSP will require at least 2 GB of RAM to properly cache JSP files. Performance, on the other hand, cannot be surpassed by any other web programming languate that I know about (make sure to add your comment if you know about one). The only thing is that you cannot have 50 websites sharing the same server unless you have at least 8 GB of RAM dedicated for the JSP container.   Visual Basic: Bye Bye! VB is dying. Believe it or not, this language will not make it to the 2015 year. If you don't dump it now, Microsoft will in the few coming years (if not months) to give way for C#. Although it will still be used at the OS level, I don't see any reason why programmers will still be using it (unless they are like some of my friends who insist on using VB simply because they know VB and are too lazy to learn another language :)   C#: The Microsoft Bet! Let us talk some facts here. Microsoft learned a lot from VB and learned a lot from J++ and learned a lot from the various applications / servers / services that were offered back in the recent past. As a result, Microsoft has put all of the experience gained into releasing an object-oriented language that is powerful (like Java), easy to learn (like VB) and with a low footprint (supposedly low) like PHP. I am not claiming in any way that I am a C# expert in here (believe I am not one) but I recently benchmarked a web application developed using C# for one of my clients during a security audit and I was surprised by the various security features that were introduced at the security level (especially exceptions) and at the performance level (the server handled 1024 concurrent requests / second for almost 2 minutes before it crashed). I must mention here that this benchmark is completely related to the way the application was written but it helped me gain a little more experience with how C# handles run-time errors and introduced me to the performance tweaks that IIS can help with if programmers get to know them. This lead me to conclude that Microsoft will be pushing forward with C# for the years to come with the hope to get back the old days of VB programming and move forward from there.   Conclusion Let me make this conclusion short. If you want the details behind it, read the article again. If you are new to programming and are interested in Website development, learn PHP. This is the key to go. If you just love Microsoft, learn C#. If you want to make it into Enterprise programming, learn Java. Better yet, why not learn them all?       http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/94_the_future_of_web_programming.html Wed, 02 Sep 2009 20:02:01 +0000 Two of my students, namely Elie Khoury and Wissam Salameh, implemented a virtual Ecosystem implementation that simulates life in an aquatic system including Sharks, Fish and Plants. The implementation is so beautiful that it allows any application user to test the proper settings required for an aquatic to avoid extinction or to simply simulate the life in such a medium for research purposes. The final report can be downloaded by clicking on the following link. http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/93_ecosystem_virtual_implementation.html Sat, 04 Jul 2009 07:13:59 +0000 Written By Regina Brett, 90 years old, of The Plain Dealer,  Cleveland , Ohio "To celebrate growing older, I once wrote the 45 lessons life taught me. It is the most requested column I've ever written. My odometer rolled over to 90 in August, so here is the column once more." Life isn't fair, but it's still good. When in doubt, just take the next small step. Life is too short to waste time hating anyone. Your job won't take care of you when you are sick. Your friends and parents will. Stay in touch. Pay off your credit cards every month. You don't have to win every argument.  Agree to disagree. Cry with someone. It's more healing than crying alone. It's It's ok to get angry with God. He can take it. Save for retirement starting with your first paycheck. When it comes to chocolate, resistance is futile. Make peace with your past so it won't screw up the present. It's OK to let your children see you cry. Don't compare your life to others. You have no idea what their journey is all about. If a relationship has to be a secret, you shouldn't be in it. Everything can change in the blink of an eye. But don't worry; God never blinks. Take a deep breath. It calms the mind. Get rid of anything that isn't useful, beautiful or joyful. Whatever doesn't kill you really, does make you stronger. It's never too late to have a happy childhood.  But the second one is up to you and no one else. When it comes to going after what you love in life, don't take NO for an answer. Burn the candles, use the nice sheets, and wear the fancy lingerie. Don't save it for a special occasion. Today is special. Over prepare, and then go with the flow. Be eccentric now. Don't wait for old age to wear purple. The most important sex organ is the brain. No one is in charge of your happiness but you. Frame every so-called disaster with these words 'In five years, will this matter?' Always choose life. Forgive everyone everything. What other people think of you is none of your business. Time heals almost everything. Give time, time. However good or bad a situation is, it will change. Don't take yourself so seriously. No one else does. Believe in miracles. God loves you because of who God is, not because of anything you did or didn't do. Don't audit life. Show up and make the most of it now Growing old beats the alternative -- dying young. Your children get only one childhood. All that truly matters in the end is that you loved. Get outside every day. Miracles are waiting everywhere. If we all threw our problems in a pile and saw everyone else's, we'd grab ours back. Envy is a waste of time. You already have all you need. The best is yet to come. No matter how you feel, get up, dress up and show up. Yield. Life isn't tied with a bow, but it's still a gift. Friends are the family that we choose for ourselves   http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/92_the_45_lessons_of_life.html Wed, 17 Jun 2009 06:40:13 +0000 Today, Mark and Lilo welcomed their new GORGEOUS baby: Lynn :) I just love you guys and you both know that! Alla y3ayyesha w terba bdalelkon ;) The first photos are here (the nurse didn't let me take more :( )   http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/91_lynns_birth.html Sun, 15 Feb 2009 09:58:14 +0000