Slashdot is reporting that a hole in Gmail could potentially allow nasty people to view your entire Gmail contact list remotely. This type of vulnerability is commonly called Cross-Site Scripting or XSS.

All you have to do is have Gmail open, and browse to a website with some malicious JavaScript. The loophole in Google’s code means that this website can siphon off all your contact information.

This attack appears not to be very widespread at the moment, and I have no doubt that Google will be fixing it very quickly – especially now that it’s made the headlines.

This seems a perfect opportunity to explain XSS – some of the ways it can happen and how much of a problem it poses.

XSS is a problem that every web application has to take very very seriously. It exploits JavaScript – a very useful technology, but also very powerful. If you remember, JavaScript powers all the Ajax stuff we’re seeing nowadays and provides a lot of extra functionality beyond just static pages of text and HTML forms.

One of the ways in which this can happen is that a malicious person will place some nasty JavaScript on their target site. Our malicious person can now run pretty much what they want on every visitor’s browser that visits the hijacked page. For example, they could steal people’s session information and save it to their server, which might let them break in to the affected accounts and use them for malicious purposes.

But that’s just one way in which XSS can happen and one possible outcome. The Wikipedia page on XSS has some real-life examples (there’s a bit of jargon to navigate here):

• Netcraft announced on June 16, 2006 that a security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft via their own anti-phishing toolbar. Soon after, Paypal reported that a “change in some of the code” on the Paypal website had removed the vulnerability.
• On October 13, 2005 Samy exploited a security flaw in MySpace resulting in over one million friend requests being made to its creators profile. Qualifying as a type 2 vulnerability, it used multiple XMLHttpRequests to propagate itself.

If you ever wondered why you are blocked from using JavaScript on sites like MySpace, and other sites where you can put HTML – this is why. You would have free reign to do all sorts of things, including XSS. Sure, it might just be a couple of irritating pop-alert boxes

XSS is a real problem – the good news is that if web developers are paranoid and take great care in building their applications safely, these holes are less likely to emerge.

The bad news is that there’s not very much the average user can do to avoid these problems. Aside from blocking JavaScript everywhere, or being selective about where it runs, which is a bit too clunky for most people, you just have to follow standard security practices and be prepared for these things to emerge.

It’s called Goggles, and it’s essentially a Flash-powered ‘flight simulator’ where you can fly over real images of the world and explore Google Maps with a little bit more finesse.

(Linux users – it requires Flash 8, which isn’t on Linux, but I found a workaround if you want to try this and other Flash 8 stuff out).

It’s an impressive demonstration of what the Google Maps API can do and it’s certainly an interesting project. A lot of sites and web services have made use of the Google Maps API; for example, Frappr uses it for all the maps, but this is the most inventive and most complex use of the API I have seen yet.

Google opened the API up so that site developers could do this sort of thing with Google’s data and a lot of Web 2.0 services also have (slightly less impressive) APIs, for example, Youtube has one so that you can include some of their video services on your site.

So what exactly is an API? Find out after the jump.

API stands for application programming interface, and it has historically been used to describe the sets of developer’s tools in operating systems that make it easier for them to build applications for that operating system. From Wikipedia:

An application programming interface (API) is the interface that a computer system, library or application provides in order to allow requests for services to be made of it by other computer programs, and/or to allow data to be exchanged between them.

So in the context of web APIs, it’s an online application hosted by someone that allows other web applications to exchange data with it. For Google Maps, that means Goggles (as an example) can query the Maps API for images of a particular location in the world, and Maps responds by sending the appropriate images. From that, Goggles creates the flying experience and as you move around, it anticipates when you’ll want a new piece of terrain and makes another request to get those images.

This is a bit simplified, but the main concept is mostly there. In fact, conceptually it is quite simple. Something (the client we’ll call it) asks for something and something else (the server) responds with an answer.

The use of APIs such as Google Maps is what is driving some of the new web technologies we’re starting to see now. Smaller companies and services inevitably don’t have the time or money to implement solutions of the complexity of Google Maps, for example, but by the APIs being open, everyone can benefit. Google gets their name on a few extra sites, the sites get cool functionality without building it themselves and the users get a better experience.

Everyone’s happy.

First things first, this is another post in the Explainer series. So, if you know what Linux and free/open source software are and/or don’t need refreshing, then you can just skip straight over this post.

If you don’t know what Linux is, or have only vaguely heard of it, this post is designed to give you a brief introduction into what Linux is, what the ideas behind it are, and how to give it a try (without wiping over anything on your computer).

The Ideas

Linux is a completely different way of doing things. Whereas usually you pay for software and are allowed to just use it, free and open source software (such as Linux, I’ll call it FOSS from now on) is different. The idea of FOSS is that everyone is allowed to use the software for whatever they want, and everyone has the right to take that software and improve it (provided they let everyone else do the same). Just because it’s ‘free’, though, doesn’t mean that you can’t sell it (more on this in Common Myths later). You might already be familiar with this idea if you’re using Firefox. Linux (and all the stuff that goes with it) make up an entire operating system made up of the free stuff. That means no Windows bits whatsoever, and it gives you 100% freedom.

The freedom that FOSS gives you means that for one particular task, there might be two or three programs made by the free software community that do that one task. Why? What’s the point? Well, some people prefer to work differently than others. Where one person wants a feature-packed program, another might prefer something a bit lighter and quicker, for example.

Distributions

This is how Linux works. There isn’t one version of Linux which is Linux. Linux is available in different flavours, called distributions (commonly also called ‘distros’). There are loads of these around, and there seem to be more popping up all over the place.

The most popular distros at the time of writing are Ubuntu, SUSE, Fedora and Mandriva (source: distrowatch.com). The idea here is the same – some distros are aimed at the new user, some at more experienced users etc. In my opinion the easiest one to pick up and use is Ubuntu (which might explain its popularity). Personally, though, I use a combination of Fedora, SUSE and CentOS (on different computers).

History

So how did this all come about? Well, the idea of creating a free operating system was first properly realised by Richard Stallman. He founded the GNU Project in 1983, which was aimed to create a totally free operating system.

By the early 1990s, GNU had a lot of the tools ready to build the complete operating system, but what they were missing was the heart of the system, a piece of software called the kernel. At the same time, Finnish student Linus Torvalds wrote an open source kernel, which was named Linux. People put the GNU tools and the Linux kernel together to make the Linux system we think of today.

There’s a lot of controversy that it should be called GNU/Linux instead of just Linux to acknowledge the contribution of the GNU Project’s tools which do make up a lot of the operating system. Personally, I find it quicker and easier to just call it ‘Linux’, considering that’s the dominating name anyway. In my opinion, the amount of controversy caused by the name is ridiculous and has been blown out of proportion, so I’m not going to dwell on it.

Unix

You might have heard the term Unix before and might be wondering how it’s related to Linux. Well, Unix (you might also hear the term POSIX) isn’t an operating system in itself, it’s a kind of operating system specification. Well, that is a simplified explanation but stick with it for now. There are loads of systems based on the Unix specification, free and non-free, including Linux.

Unix-based systems are often seen as being very stable. The idea of Unix has been around since the 1960s, and has been tried and tested for a very long time. In contrast, the Windows NT base (which powers Windows 2000/XP/Server 2003/Vista) has only really been used since 1993. I’m not trying to say Windows is unstable here, but you can see that 40 years standing the test of time compared to 13 means that Unix-based systems are likely to have undergone a lot more testing, which hopefully makes them stable.

This is why Linux systems tend to get used a lot more as servers (for example, Ubuntu Linux powers this website). Servers need to be running all the time, so they can’t afford to be unstable.

Desktop

Linux isn’t just for servers, though. Linux is now a perfectly capable desktop operating system for doing things like web browsing, email and office suite tasks (and of course software and web development).

As ever, there is more than one choice of software on the desktop. There are quite a few desktop environments (complete sets of desktop programs), but the most popular are Gnome and KDE. Gnome at the moment is the top desktop environment in terms of popularity, and it’s quite easy for the new user and power user alike. If you like tweaking options (like I do), KDE might be for you (like it is for me). There are of course alternatives, but I’ll stick with these two for simplicity.

Both have their merits and disadvantages, so you’ll probably want to try them both out and see which one you prefer. Ubuntu defaults to Gnome, and you can try the KDE version of Ubuntu, Kubuntu if you want to check out KDE.

Advantages and disadvantages

Linux is good for a lot of things, but it can’t do absolutely everything.

Advantages:

• Free and open source
• Virtually no viruses/malware for Linux
• Stable
• Loads of great FOSS programs are included, ready to run
• Security with built-in firewall and of course no virus protection needed
• Can try it without deleting anything on your computer

Disadvantages:

• Windows software generally doesn’t run on it (only a few things if you install special software)
• It sometimes can be a pain to set certain things up
• Not very good for gamers (the games generally don’t run)
• Sometimes get older versions of proprietary software (like Flash Player)
• You might not be used to the way Linux works

Having said that, Linux is well worth a try, even if you decide it’s not for you (which for some people it isn’t). And since it’s free and risk-free, why not?

Common myths

“Linux is communistic/promotes communism”

I disagree, because although Linux is free, the free is talking about freedom. You are perfectly allowed to sell Linux (provided that you let everybody else as well). Companies like Red Hat and Novell make a lot of money out of selling Linux systems to businesses (and individuals as well, if you want boxed copies and printed manuals). Also, Richard Stallman explicitly says on the GNU site that making money from free software projects is OK.

“Linux is insecure because people can see the code and find and exploit bugs”

The fact that everyone can see the code also means that the developers (and ordinary people) can spot the bugs and fix them quickly. Being open source means that bugfixes and patches can be released really quickly, because there are loads of people ready to build and test the patches.

“Linux is only for geeks/is hard to use”

I don’t agree. Linux is used by geeks, but the popularity of friendly distributions like Ubuntu mean that it’s really easy for normal people to use Linux too. There might be a learning curve, but so was there when you first learnt to use a computer.

“I can’t read or write Microsoft Office documents with Linux”

It’s true that Microsoft Office per se can’t run on Linux (not without some special software and the patience to get it to work), but OpenOffice.org is a full office suite included with most distros which has pretty damn good compatibility with most Office documents.

“Application X (insert favourite application) doesn’t run on Linux”

Granted, most Windows applications won’t run on Linux without emulators and scary stuff. But there’s a fairly good chance there’s an open source alternative. Just Google “open source” plus the type of application you want and see what results you get.

“Linux only runs on PCs/is only 32-bit”

Not true either. Linux can run on loads of systems, not just bog-standard PCs, including 64-bit AMD and Intel processors, PowerPC-based Macs, Intel Macs, and obscure machines like SPARC machines, Alpha computers… even iPods (in a cut-down form, of course).
There’s loads more myths I’m sure, but I’ve hopefully cleared up a few here.

So how do I give Linux a try?

Now this is easy. You don’t have to pay anything (less the cost of a blank CD) and you can give Linux a whirl without touching your hard drive. Most distributions offer ‘Live CDs’ that run straight from disc (some distros are dedicated Live CDs). They allow you to boot straight from the CD into a fully-configured Linux distro, and get started right away! Most also offer the option to install using the same CD, if you later decide to take the plunge and install to your hard drive. One thing to bear in mind, however, is that anything you save will get deleted when you finish running the Live CD (best to save anything you want to keep to a USB stick).

To download a Live CD, just go to your distro of choice’s website and look for the Live CD. In the case of Ubuntu (which I’d recommend to newbies), the Desktop CD is a Live CD which you can also install to hard drive. Live CDs are usually one CD’s worth of data, so they’re about 600-700 MB of download. You’ll end up with a .iso file which contains a copy of the whole CD ready to burn.

Once you’ve downloaded the .iso file, you should be able to burn it to disc using your CD burning software (look for the Burn ISO Image to Disc option). If you don’t have suitable software, I can recommend the free tool ISO Recorder (for Windows XP) which will burn it for you.

Now put the burnt disc in your drive and restart your computer. In most cases, you should boot into your new Linux operating system. If it doesn’t work, you need to enable CD booting in your BIOS, but that’s out of the scope of this tutorial. By the way, to get back to your previous setup, restart and quickly remove the disc. Have fun!

While this is quite a big post, it’s only a very quick introduction. If you run into any problems, check out Google Search specifically for Linux and there are some good Linux forums out there which will help you. Good luck and I hope you at least enjoy the experience of something totally different.

A great example of the use of Ajax, compared to traditional techniques would be Gmail and Hotmail. Gmail makes great use of Ajax, meaning that if someone sends you an email while you are looking at your inbox, it appears in your inbox without you refreshing the page. Or if you archive a message, it disappears from your inbox without refreshing. This allows you to work much faster, because you don’t have to wait after every action, as you did in earlier webmail services, like Hotmail. In Hotmail, every time you change a view you have to refresh the page. The next version of Hotmail (currently in beta version) is Windows Live Mail, and that uses lots of Ajax to create an experience as much like a conventional program such as Outlook as possible. Ajax is important because it is one of the major fuels of Web 2.0. Without Ajax, no-one would use services like Writely, because it would be so inefficient, and the experience so inferior to using a program such as Microsoft Word.

For further specific information about how Ajax works, see Wikipedia. For examples of Ajax websites, just read Techcrunch, or have a look at this use of Ajax to power a remote desktop.