Whatis.com Solutions Directory

In the Apple OS X operating system, the dock is a user-modifiable row of function or application icons that appear on the computer desktop so that the user can find and select any of them quickly. The user can reposition the dock and also elect to have each function or application icon magnify as the user rolls the mouse over it.

The OS X dock is generally comparable to the taskbar in a Windows operating system. The dock should not be confused with a docking station... More...

Seeking a cost-effective way to cut its reliance on tape backups at its remote offices, real estate firm Investors Real... More...

Vendors and distributors push technology leasing as a way to battle tightening credit lines and dried up cash flow. But... More...

Paco, your book -- "Web Security Testing Cookbook" -- is about techniques for finding Web security flaws. Why is it important to have a plan and approach Web security testing in a systematic and methodical way?

QA and testing teams are being asked to do more with less, and that "more" often includes increased attention to specialized concerns like security. To meet these tough expectations, you have to have a good plan and a good set of tried-and-true methods to build your security test cases right.
What Web security vulnerabilities are the most predictable -- the ones you know you're going to find regardless of how secure the application supposedly is?

It's always the usual suspects: cross-site scripting (XSS) and SQL injection. I do security assessments throughout the financial sector (retail banking, financial services) as well as routine retail and commercial services. It seems like everybody is susceptible to these two attacks, and testers just don't have the time, tools, and expertise to test for them.
Just how important are manual analysis techniques when testing Web applications such as those you outline in Chapter 9 -- Seeking Design Flaws? If you use good tools, do you really need to look at the application the old-fashioned way?

We'll never eliminate the human element. One of my colleagues just finished assessing a major retail bank's site and Recipe 9-5 in the book found something major. At this bank, initial passwords were the same as user IDs. Knowing that, an attacker could try popular user IDs or user IDs that were generated using the site's standard formula and begin taking over accounts that had not been initialized by their rightful owner. No tool has the smarts to intuitively figure out that this is a bad idea, even though humans smack their foreheads as soon as they see it.
During your Web security testing, what is the craziest thing you've seen Web developers do to "lock down" an application using security by obscurity?

The craziest thing I've seen, of course, is nothing. Lots of people deny the problem and do nothing. I've seen people try to make long lists of all the SQL verbs and keywords (e.g. SELECT, UPDATE, WHERE, DROP TABLE). It never works. The worst was in response to a human resources (HR) system that allowed job seekers to submit HTML resumes over the Internet. I pointed out that the HTML could contain lots of malicious JavaScript that would run in the HR director's Web browser. Their solution was to only accept file names ending in .txt or .pdf. If, however, your .txt file was actually HTML with JavaScript, Internet Explorer happily interpreted it as a Web page, executing the malicious JavaScript. They were satisfied.
There's a big focus on Web application source code these days. Just how important is static source code analysis in the overall Web security equation?

Source code analysis is a vital complement to what we're describing in our book. Our techniques are outside-in techniques, and they find symptoms of problems. Ultimately, the problem is in the code, and it has to be found and fixed there. Source code analysis tools are the inside-out half of that equation.
For people entering the field of information security, specifically Web application testing, what are the advantages of using freeware and open source tools that you use in your book?

Free tools can be worthwhile even if they fill a narrow, vital niche. Expensive tools need to be broadly applicable to justify their return on investment. Source code lets you keep using a tool even if its authors abandon it. Many of us test legacy software with historical batteries of tests. Source code for our tools helps us keep old tools around to test our legacy software.
Is it your experience that these free Web security testing tools are every bit as good as their commercial alternatives?

Major commercial scanning tools represent thousands of man-hours of test case development and test automation that you can't build from scratch with free tools. Those tools are unwieldy, though, when your developers fix a specific vulnerability, and you need to build a test case for that one fix. To build individual security test cases, use our techniques. To assess an entire application from top to bottom, use a commercial tool.
You have an entire chapter dedicated to testing Ajax security. Can you recommend any must-have tools for uncovering Ajax flaws or is manual analysis the most dependable way to find client-side weaknesses?

The must-have tools are Firefox with the Firebug and TamperData add-ons and a good proxy like WebScarab, Paros, or Burp. As source code analyzers get better at JavaScript, they'll start to add to our security picture. The complex interplay between server-side code that generates a DOM (Document Object Model) on the fly and client-side code that asynchronously operates on DOM later limits the security defects that can be found automatically.

Paco Hope is a technical manager at Cigital. His areas of expertise include software security, security testing, and online casino gaming. He specializes in analyzing the security of software, software systems, and software development processes.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. He's still trying to pin down exactly how the certifications and degrees he has earned have benefited his career, but he knows deep down that they have. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blogkbeaver@principlelogic.com.

Paco Hope, co-author of the "Web Security Testing Cookbook," talks about the importance of having a security testing plan and what tools and techniques are necessary. More...

Why do Web servers represent such a compelling target for hackers?

It's been interesting [to see] how the bad guys are changing their tactics over time. Traditional network security has gotten better. If you go back a decade where bad guys were attacking different protocols and ports that were available from the Internet. Thankfully, now it's pretty much standard for every organization to have a network-based firewall. So a lot of those doors were being closed off. Now a days the door that is almost always left open is the Web. Pretty much every organization let's [traffic] through port 80 and port 443. The bad guys and the penetration testers … know that those ports are always open.
Is it really just about the firewall? Should the firewall and SSL be the only means of protection?

No. A network firewall helps to block some of the other ports if you are running some other services and you don't want people getting to them. SSL does of course have a place. It helps really to do encryption and that's the main reason people use it. The only thing that it helps protect against is if I'm going to send my credit card information to Amazon or another website, I'm going to send it via SSL because if there is somebody in between that computer and that website and they're sniffing traffic, I don't want them to see my information so they can steal it. But SSL is not adequate for protecting against today's Web attacks because what happens if I'm the attacker. I can go through an SSL tunnel. SSL is not going to stop me from going through your website. If you're going to protect your Web servers and look for these types of attacks you have to be able to look inside encrypted traffic. That's another reason why Web app firewalls are becoming more popular because that's another feature they can provide.
We seem to be seeing more reports of groups getting together to try to get developers to think about security. Do you think it is working?

I see some evidence that there's starting to be some momentum. I would agree that more developers need to be trained in secure coding. A lot of the bugs that we see in the field that are being exploited are injection types of flaws. It's general input validation that is lacking when you're taking some input from a client and you don't do any kind of balance checking to make sure it's the right size, format and character sets. If you're not doing that, that's why things like SQL injection attacks work. Those types of things are not being taught. Getting universities to change their curriculum is not very easy. The number one problem that I've seen in businesses, organizations and development is the lack of contractual language specifically [addressing security requirements]. What's missing is not only functional requirements, but also security requirements. How do you handle errors? Do you fail securely? How are you doing authentication? Those need to be spelled out. Also when you are giving deliverables to your customer, if it's not up to snuff from a security perspective, the paying customer doesn't have to pay money to fix it.
SearchSecurity radio: You are affiliated with the Web Application Consortium and you are doing some threat classification work for them. Tell us about that.

We're working on version two right now. One compare and contrast is the open Web Application Security Project (OWASP). We're kind of sister organizations with the same goals. We want to educate the community on Web application security problems and we offer different papers and research. OWASP has a top ten list of vulnerabilities. It's very useful and it's gotten a lot of publicity mainly because a top ten is much more consumable. With our threat classification, we wanted to expand upon that. What we're finding is that so many people were gravitating to the top ten list that they would focus on those but they need to realize there are other vulnerabilities out there. So we're expanding out and trying to list a bunch of the vulnerabilities and the attacks that can exploit those. We break it down to some different areas: authorization, authentication issues, injection flaws, error messages, and logic issues as well, but mainly we're also updating in the next version to include XML vulnerabilities because those are becoming more prevalent with the technology that's out there.
Two years ago you told Stephen Northcutt in an interview that virtual patching is going to become more popular because it speeds the mitigation of Web application vulnerabilities. Do you still feel that way?

Yes. When you identify a Web application defect or flaw, how quickly can you fix it? The idea of virtual patching is to say you have some sort of a toolset, device or appliance, external to the Web application, where you can go in and essentially create a rule set or policy that describes the vulnerability or the attack. If somebody remotely tries to exploit that vulnerability the policy will stop it. Nine times out of 10 writing a virtual patch is done on a Web application firewall. That's mainly because a Web application firewall is going to have enough flexibility and accuracy to describe that vulnerability and when somebody's trying to exploit it. From an external hacker's perspective, that vulnerability is virtually patched. They try and exploit it and it doesn't work. They have no idea if it was patched in the code for real. The point is they cannot exploit it. Virtual patches shrink the time-to-patch window.
Web application security expert Ryan Barnett would like to see every company use a Web application firewall. But Barnett, director of security at Web application firewall vendor Breach Security Inc., knows that companies need to use more than just firewalls and SSL encryption to defend against external attacks. Barnett, a SANS Institute faculty member and member of the Web Application Security Consortium, also serves as the team lead for the Center for Internet Security Apache Benchmark Project. In this interview, he explains why Web servers represent such a fertile ground for hackers, whether developers will begin to create more secure coding and the benefits of a technique called virtual patching, which tricks hackers into thinking a Web application has been patched. More...

Here's the archive of posts to WhatIs.com's Our Latest Discovery. To see our most recent discoveries, visit this page.

You can subscribe to the RSS feed for our latest discovery here.

At RouterGod.com, celebrities like Don King, Darva Conger, Alicia Silverstone, Paul Hogan, and Anne Nicole Smith, each in their own special way, explain some technical aspect of networking or something like a Cisco router. Is this just a joke? No! You will actually learn something! For example, start with boxing promoter Don King's explanation of "IP Extended Access Lists." (The site was recommended to us by Arabella in our "Web Sites You Recommend" discussion forum.) Reviewed on August 13, 2002. Previous Discoveries The Immediately Useful

ReferenceDesk.org provides links to all kinds of experts. Got a question for an astronaut? Need to talk to a nurse? You can find an expert for almost any subject you can think of. We've consulted Ask Mr. Excel, Ask an IT Professional, and Ask the Computer Experts with good success. Reviewed December 3, 2001; last visited on August 12, 2002

With one click, you can view all your favorite Web sites on one scrollable page by using Quickbrowse (http://www.quickbrowse.com), a metabrowser developed by reporter Marc Fest. How does Quickbrowse work? You enter the URLs you would like to view, press submit and in a few seconds the pages come back to you on one scrollable master page. You can set up as many master pages as you'd like and save them as bookmarks or have them e-mailed to you each day. Quickbrowse is free. Reviewed on December 7, 2000; last visited on August 12, 2002.

Such a simple idea. An expert for everything with just a mouse click or two. And just call it ALLEXPERTS.COM (http://www.allexperts.com). Incredibly, someone out there is just waiting for your question about where to go camping, how to wash your dog, or where to rent a bicyle in Beijing. If fact, we asked the last question ourselves this past week (because we plan to travel there) and got an extremely helpful answer back within 24 hours from a woman who had lived in Beijing for two years. ALLEXPERTS is also remarkable for being utterly without graphic images, well-organized, and obviously optimized for people who are in a hurry. Each of their 3,100 volunteer experts describes the expertise he or she offers and you choose which person to send your question to. You're also invited to become a volunteer expert yourself. We were impressed with the range of subjects covered: medical, love, sports, performing in plays, repairing appliances...there is almost no subject that is not covered. We haven't tested the site yet for nitty computer or Internet questions (for these, also see Experts Exchange (http://www.experts-exchange.com), but we plan to soon. Is the Web really is an enormous expanding mind that is building a supermind for the future? It's possible. Meanwhile, here is a site that can help you figure out how to wash your dog. Reviewed on March 14, 1999; last visited on August 12, 2002.

Experts Exchange (http://www.experts-exchange.com) looks to us like another idea teetering on the brink of greatness. What it lacks in visual appeal it easily surpasses in concept and results, based on the one time we used it. The idea is this: After you've exhausted all the Web sites offering free advice about JavaScript, modems, OS/2, printers, or whatever it is, you just wish you could get connected to a real person that knows. Experts Exchange has a system for getting you connected. Initially, it's free, but even if you have to pay, you may well decide this site is worth it. We're not going to explain here exactly how it works, but we will say it's organized so that you can find an expert, exchange notes with the expert, and express whether you are satisfied with the results. It solved a critical problem for whatis.com recently, and we plan to try it again in the future. If you try it, we'd like to know how it works out for you. Reviewed on January 3, 1999; last visited on August 12, 2002.

When we recently came across The Librarians' Index to the Internet, we explored it and then made it one of the top five entries in our bookmark list. It's as though a thousand members of a fanatic but somehow sensible-minded religious order, each assigned to a subject speciality, spent days and nights roaming the Internet and then picked out only the most useful or appealing sites, described them, and indicated other subjects they were related to. The devotees who have created this masterwork of usefulness are librarians at the California State Libraries, centered in Berkeley. The home page offers a Yahoo-like hierarchical directory, but unlike Yahoo and similar directories, the Librarians' Guide quickly gets you to preselected sites that someone thinks is valuable and useful. We think you will need to explore this guide to understand how good it is. The URL is http://sunsite.berkeley.edu/InternetIndex/. We've added this site to our "library resources" page (locate it after selecting "Handy" on our menu). Reviewed on September 27, 1998; last visited on August 12, 2002.

Suppose you're reading a Web page and a word comes along that you don't understand. Why not be able to just put your mouse over the word and say "What? " - and have a definition magically appear! We like this idea, and a company named Atomica (http://www.atomica.com/solutions_personal.html) has almost done it. Instead of saying "What?", you simply point at the word, hold the Alt key, and left-click your mouse. In a popup window, Atomica (formerly GuruNet) provides a standard dictionary definition and, in some cases, a specialized definition. Atomica downloads and installs very quickly (on Windows systems only). It's also very unobtrusive, just there when you think to use it. Review updated on August 12, 2002.

One of our favorite places to check out what's new on the Web is CyberNavigator, the home page used by the newsroom of the New York Times for Web research. (http://www.nytimes.com/library/tech/reference/cynavi.html) CyberNavigator was developed by Rich Meislin, the Editor in Chief of New York Times Digital. Rich saw the need for editors and reporters to have a jumping off point for their Web research, so he put together a very handy page with over 200 links to reference sites and search engines. What we like best about CyberNavigator, however, is the ever-changing list of quirky sites that Rich has included just because he thought they were fun. You never know what you're going to discover! The site is free, although the first time you visit, you'll be asked to register. Reviewed on November 25, 2000; last visited on August 12, 2002.

NewsAhead.com. As the title suggests, NewsAhead seeks to spot stories for which a news organization must make advance arrangements to cover. No, it does not rely on psychic predictions. It simply keeps an excellent calendar of upcoming events. Although the yearly calendar used by most newsdesks is only available by subscription, the monthly calendar is free on line. The London times calls it "addictive reading". We agree, and that's why we're giving it this month's Editor's Choice Award. Reviewed on September 20, 2001; last visited on August 12, 2002.

Philosophy The Internet Encyclopedia of Philosophy at The Timeline of Western Philosophy (www.utm.edu/research/iep/westtime.htm) gives us a glimpse of another of the individual heroic efforts that the World Wide Web seems to engender. Here, James Fieser, a philosophy professor at the University of Tennessee at Martin, has assembled his own notes and some public domain excerpts about mostly Western philosophy and arranged them by timeline, by philosopher, and by idea. You can do a quick search and you can also explore the site. We were pleased to find a nice discussion of Solipsism and the Problem of Other Minds. You can use this to stir things up at the dinner table. Reviewed on or about July, 1999; last visited on August 12, 2002. The Unclassifiable Sodaconstructor defies easy description but it is a site containing a Tinker-Toy sort of construction that you can play with, changing it into different forms, making it float, turning it inside out and upside down, changing it into a caterpillar or a strange creature out of some still-undreamed of two-dimensional land of the future (well, we told you it defied easy description). It's actually all right to be caught looking at sodaconstructor at work because your boss will become fascinated by it, too. Entire companies will get no work done on the day that one of their workers discovers sodaconstructor, which is the creation of a talented group in the UK called "soda" and whose Web site displays several other interesting projects as well. Reviewed on May 2, 2000; last visited on August 12, 2002.

Roadside America (www.roadsideamerica.com) will be recorded as our first amazing discovery. It sounds like a travel site and it is, in a way. A very strange way. It's devoted to the unusual objects and people that occupy odd corners of America, such as the Nut Lady, the Merman, the house made of beer cans, the house that looks like a shoe, all kinds of statues of Paul Bunyan, a 600-pound postage stamp ball, and telepathic raccoons. Pictures, maps, and highway directions are provided. The authors (there is a book version) are having quite a bit of fun here, making sure that "No one who builds a palace out of mud is ever completely forgotten." Users are encouraged to report new sitings of the "out-of-the-way." Reviewed on or about June, 1999; last visited on August 12, 2002.

Someplace was needed on the Web to keep all the scraps, bits-and-pieces, flotsams and jetsams of funny stories, jokes, nostrums, legends and myths, curiosities, trivia questions, and other verbal amusements. Fortunately, the well-named NetScrap (www.netscrap.com) site was invented to meet this need and you may be several hours poorer by the time you leave it. The originators began by culling from Usenet newsgroups and other sources and now depend on user submissions. They are currently 900 submissions behind. The scraps are organized by category and you can also search. The categories suggest the beginning of a new scraps-oriented view of the human knowledge base. Reviewed on June 7, 1998; last visited on August 12, 2002.

You might expect that there would be a North American Tiddlywinks Association (http://www.tiddlywinks.org) and there is. At their Web site, you can learn more about a game that, if you're familiar with it, you may have tended to think was a bit simple. Before visiting this site, you may not have known that real tiddlywinkers are actually called winkers and that there are tournaments and a world ranking of players. Squopping and boondocking are common practices among winkers and a considerable glossary is needed to keep track of the language. Originally called Tiddledy-Winks by its inventor, Joseph Assheton Fincher, the game was a craze in England in the 1890s and spread to America. Revived in the 1950s at Cambridge, college teams competed and world tournaments were held. Today, HTML coders, Perl programmers, and really anyone can seek distraction from the information age by visiting this quiet corner of the Web to learn the official Tiddlywinks rules. The site includes tournament schedules and a complete history of all patents and copyrights. This site can also outfit you for the sport for less than $10. Reviewed on December 5, 1998; last visited on August 12, 2002.

Vot Der Dumboozle?, billed as "The Popular Culture Excavation Site," is devoted to, if not reviving, at least preserving in one tiny corner of the Web, some worthy, if not always well-known, contributors to popular culture, mainly of yesteryear. The site name is derived from The Katzenjammer Kids, a cartoon of the 1930 to 1960 period, and Jim Lowe, the creator of this noble and worthy site, has unearthed the history of the cartoon and some colorful and high-quality images that capture its charm. Reviewed on or about March, 1999; last visited on August 12, 2002. Creating Web Sites When is the last time you went blogging? Blogging, a general word used to describe any activity that relates to aWeblog, is the latest Internet craze in personal expression. Biz Stone's article, The Blogging Revolution explains the origins of blogging and provides a tour of popular blogs. (Feel free to sing along to Brad Graham's Twelve Days of Blogging as you tour!) We also like the blog Tasty Bits from the Technology Front, where we learned about Quicktopic.com, a popular place to post blogs. Warning: Blogging (creating, posting, reading, responding) can be highly addictive.Reviewed February 20, 2001; last visited on August 12, 2002.

................................................................................................................................................................................................................................Do you have a personal Web site that you d like to jazz up? You might want to add a floating photo cube for those new baby pictures or make the water appear to ripple in your favorite beach shot. If you know basic HTML, you can work with javascripts and applets by visiting Website Abstraction for a quick tutorial on how to insert some simple code to "wow" your visitors. For the more advanced Webmaster, who might be interested in writing their own scripts or learning more about browser compatibility, we recommend Doc Javascript, whose easy-to-follow instructions make coding fun! Reviewed on January 18, 2001; last visited on August 12, 2002.

This is not a new discovery, but rather a newly appraised site that we think Web site builders should know about. Dr. Jakob Nielsen, sometimes described as "the guru of Web site usability" and formerly a senior engineer at Sun Microsystems, has been studying how people use computers for several decades. His books, columns, and his own Web site distill his findings and offer some provocative thoughts about the future of human-computer interaction. When we first discovered Nielsen, his strong, blanket recommendation not to ever use frames suggested a tendency to overgeneralize and we wondered whether it was possible in these dynamic times for anyone to really be a "usability expert." But we've decided Nielsen has some very important things to say about Web design, and we recommend reading at least one or two of his papers. For example, try Usability as Barrier to Entry and Is Navigation Useful? His site is called useit.com. Reviewed on January 17, 2000; last visited on August 12, 2002.

Project Cool (www.projectcool.com), now part of a site called devX, tells you where to go if you want to use cascading style sheets, dynamic HTML, JavaScript, and other new technologies in your own Web pages. The initially cool design is no longer quite so cool, but the content seems to be there. Reviewed on or about September, 1998; last visited on August 12, 2002.

If you're building a Web site or if you build Web sites for a living, it's good to know a number of places where you can find help with a JavaScript question. You can do that at A List Apart (there is a search box), but you can do more than that; you can gain some perspective on different Web site design approaches and exchange ideas as well. A List Apart is one of those sites that doubles as a newsletter. If you subscribe, the site comes to you once a week with its latest article without your having to remember to visit the site. The newsletter also includes discussion exchanges where you can post and get replies to questions. Newsletters are archived and searchable at the Web site. A notable feature is the list of the Top Twenty most popular articles they've published. We find their own site design to be refreshing and easy to use. Reviewed on August 8, 1999; last visited on August 12, 2002.

WARNING; THIS IS ABOUT PROGRAMMING!...but it will only take 10 minutes. Sooner or later, if you build a Web site, you'll run into the word Perl, a programming language that some people quickly use to put together small practical programs that solve a big problem and no big deal. If they do it so quickly, can it be that difficult? Perl (we understand from several experts) can be simple or very sophisticated. Barry Floyd, the creator of Take 10 Minutes to Learn Perl, demonstrates that even people with no previous acquaintance can learn a lot about Perl in just 10 minutes. His tutorial is extremely simple and straightforward. Show a simple, self-describing example of code, then talk about it briefly. Then show another example, and so forth, until your 10 minutes are up. What's neat is that you sort of "get a grip on it " rather quickly. Then you can bookmark the site (or remember the page you're reading right now) and come back to it if and when you really need it. Possibly that's why we decided to make it this week's latest discovery. But we also like it as a demonstration of how something complicated can be divided up into simpler parts that give you the self-confidence to keep going. The URL is http://www.geocities.com/SiliconValley/7331/ten_perl.html. Reviewed on September 13, 1998; last visited on August 12, 2002.

If you're building or already maintain an online publishing sort of Web site, you'll want to know about ClickZ, a one-stop place for all things having to do with Web advertising and "doing business on the Web." In our opinion, ClickZ is what a niche portalought to be: well-organized, full of content that you can find quickly without being buried by buttons (not that there aren't buttons here, but ClickZ has managed to put them out of your way), deep in content so you don't feel it necessary to visit any further sites, full of intelligent writing and perceptive ideas, and visually appealing. At ClickZ, you can learn in depth about banner advertising, how to do a research survey for your site, and where to find "ad reps" to sell ads for your site or banner exchanges that enable you to swap promotional ads with other sites. Reviewed on December 13, 1998; last visited on August 12, 2002. Sites to Look At and Wonder At MkzdK (www.envirolink.org/mkzdk/) is another rediscovery, a beautiful site that always looks different when we go back. Originally, the site had text and was somewhat more mysterious (what was it about, anyway?). Today, it still has a number of beautiful images that bear looking at. Reviewed on or about June, 1998; last visited on August 12, 2002.

A small company named Plumb Design has invented something called Thinkmap that will certainly make you think. Are there tools that will help you visualize the relationship between concepts and real objects in a new way? Thinkmap suggests that there may be. Plumb Design's pilot project was a Visual Thesaurus that you really should take a look at. Reviewed on May 24, 1999; last visited on August 12, 2002. News and Topical Ideas Technology Review is a Massachusetts Institute of Technology Web magazine that promotes the understanding of emerging technology and its impact on the world. Technology Review is a century-old publication designed to help its readers keep up with the way new technologies gets out of the lab and into the marketplace. It's a great place to learn about the latest developments in technology, biotechnology and nanotechnology. Reviewed on March 16, 2001; last visited on August 12, 2002.

The Science & Technology News Network is a good place to visit when you want to read more about something you've seen in science and technology news headlines. Established as a means to deliver in-depth feature coverage to television newsrooms whose science and technology budgets were cut, Science and Technology News Network (STN2) has gone on to become one of the leading online science and technology magazines, receiving numerous awards including a Best of the Web award from Popular Science. We especially liked an article called "The God Particle" which taught us that scientists are involved in a multi-billion dollar race trying to prove a theory that there is a particle responsible for the mass of all matter. Reviewed on January 26, 2001; last visited on August 12, 2002.

Tasty Bits from the Technology Front is both a Web site (www.tbtf.com) and a weekly e-mail newsletter that distills the latest information technology news in a refreshing way. The author, Keith Dawson, a former software project manager, programmer, and writer/observer with a deft wit, apparently spends most of his time reading all the other newsletters (which he identifies) and "pithisizing" them into something informative, fun to read, and full of referential links. A useful feature is that previous articles on a subject are archived in "threads," handily accessed from the margins. Spend some time at the Web site and you'll find more than a few surprises. Reviewed on or about June, 1998; last visited on August 12, 2002. The Internet Itself An Atlas of Cyberspaces (www.cybergeography.org/atlas/atlas.html) is a collection of some of the best efforts so far to envision what the entire Internet or parts of it look like. Martin Dodge at the University College London has gathered regional, national, and international networks, ISP maps, and visualizations of information structures and put them in a single place. This site is a gift to all people fascinated by maps. You'll be surprised to see how many ways there are to map a Web site. Reviewed on or about June, 1998; last visited on August 12, 2002.

Where is World Wide Web technology headed? The best place to start is at the real home of the Web, the World Wide Web Consortium (or, for short, the W3C) at http://www.w3.org. Here you can be in touch with the future: the people and working groups that are building the next set of recommendations for Web browsers, for the Hypertext Markup Language (HTML), the Extensible Markup Language (XML), Cascading Style Sheets (CSS), the Hypertext Transfer Protocol (HTTP), and other new standards and recommendations that, whether we notice it or not, will affect us all. Tim Berners-Lee, who invented the Web protocol, is the director of the W3C, which is financed by DARPA and the European Commission. The site itself has a business-like design as if to say "Work going on here." If you want to know whether Amaya, DOM, HTTP-NG, and Jigsaw are going to affect your personal future, start here. Reviewed on February 28, 1999; last visited on August 12, 2002.

At StatMarket, get up-to-date statistics on what percentage of the world's Web users are using Internet Explorer, Netscape, or some other browser. You can also find out the as-of-yesterday top search engine usage, what the least busy hour on the Web was, what size screen resolution users have their displays set at, and how many are still using some older level of an operating system and/or browser. For Web site builders or owners, this can be useful information. StatMarket is based on data compiled from the over 74,000 Web sites that have registered with HitBOX.com, another site to know about. In addition to being glad StatMarket has provided this service, we were impressed with their user interface. They also provide banners you can put on your own site that provide continual updating. Combine StatMarket with visits to Headcount.com and Nua to make your next presentation utterly credible. Reviewed on May 15, 1999.

We spend a lot of time trying to understand how networks work. One of the most useful sources we've discovered is Cisco's Web page on Internetworking Basics. As the biggest company in routersand other networking equipment, Cisco would seem to be in a position to tell us what it's all about and on this and other parts of their large Web site, they do - with simple but exceedingly helpful illustrations, too. This particular page covers the ideas in OSIvery well and we know we'll be returning to it often. Tip: If you're stuck trying to understand something about networking, go to Cisco's Web site and use their search facility. You'll often find a clear explanation. Reviewed on October 25, 1998; updated on August 12, 2002.

David Bennahum's newletter, Meme (www.memex.org), comes out only a few times a year and it doesn't take long to read. You may find after reading the latest issue that you want to read all the other issues, dating back several years. One issue deals with the Dark Avenger, Bennahum's story about one of the most evil virus creators known to the civilized world and still somewhat of a mystery. He has also interviewed some of the grand old people of the Internet, such as Douglas Engelbart, inventor of the mouse, the late Jon Postel, who helped invent the Internet, and Mark Pesce, the creator of VRML(the virtual reality language). Bennahum has written for Wired and other publications and he is able to find and tell a story that offers some promise of telling us what this is all about or at least of raising some really interesting questions. Reviewed on or about Juen, 1999; last visited on August 12, 2002.

From Dublin, NUA (www.nua.ie), Internet consultants for the future, casts a sweeping eye. They conduct or boil together surveys and project how many people are now using the Internet (over 580 million, as they estimated in May 2002), broken down by major world regions. The NUA survey page is at www.nua.ie/surveys/how_many_online/index.html. This is simply a teaser for the real information, however. From the NUA home page, you can read a well-written digest of Internet and Web developments in general, by business or social sector, or by geographic region. It's very convenient to have all this in one place. NUA recently developed the Web site for the Thomas Publishing Company's American Export Register. Reviewed on June 14, 1998; updated on November 24, 1998; last updated on August 12, 2002.

One of our users recently told us about HotSheet (www.hotsheet.com). It's one long Web page consisting entirely of Web sites organized by subject category. One click and you're at HotSheet and another click and you're somewhere else. The list is long enough to be useful but still quite manageable. We liked the site choices. It's the most useful "fast directory of Web sites" we've seen. Reviewed on or about November, 1999; last visited on August 12, 2002. Computers There are useful books about how your computer works, but not very many Web sites. The best site we know of is called The PC Guide. The PC Guide is well-organized and clearly written. You can get to what you need quickly and the level of detail is satisfying without being exhaustive. You won't find processor pin configuration interfaces or jumper settings for specific processors and motherboards and you won't find many illustrations, but you will find a very long explanation of every part of a computer that you're familiar with and a few you may not be. Each topic is related to other topics and hypertext links are frequent so that you feel as though you're travelling through a body of knowledge. Created and maintained by Charles Kozierok, this site is exactly what many of us have been looking for. There is a CD-ROM version for individuals, schools, or corporations. The site is a bit spare on graphic design, perhaps because all the energy went into the site's organization and clarity. Reviewed on November 22, 1998; last visited on August 12, 2002.

TechFest.com is one of the least handsome (and also least pretentious) sites on the Web, but we were impressed by its usefulness for people who are constantly looking for networking standards and white papers, and for people looking for the best sites about computers and how they work. That's all it is. Just a collection of useful links about Networking and Computers. There is also a message board and a search capability but we'll stick with the links. It's just called TechFest.com and the emphasis is on the "Tech." Reviewed on July 9, 2000; last visited on August 12, 2002.

Lockergnome is an e-mail newsletter by Chris Pirillo from Des Moines, Iowa, who has managed to capture the attention of several hundred thousand subscribers with his animated, literate, yet down-to-earth descriptions of Windows freewareand all the Web sites that his readers send in. What seems to make this newsletter work is that its member community submits some valuable leads, Pirillo selects and describes them well, and the author's style makes the affair personal and real. The daily newsletter is in HTML with graphics. A weekly digest is also sent out. The Web site archives everything in case you don't want to subscribe. However, do subscribe, even if you have to unsubscribe to something else. Subscribers are known as Lockergnomies and somewhere on the Web site, you can find out why it's called "Lockergnome." Suggested by Steve Spence and reviewed on July 18, 1999; last visited on August 12, 2002.

There are two reasons we call your attention to PC Mechanic. First, there is some useful information you may need if you plan to install your own home networkand want to go a step further and set up Web and FTPserversof your own at home. Secondly, this site is one of the first on the Web to deliver some of its content as an e-book that you can pay to download and print. We paid $7.50 (we charged it to our credit card) for the longer version of Build Your Own Home Network and Server in Portable Document Format (PDF) form. Illustrated, it seemed almost worth it, although we think in time that this sort of short guide should cost a lot less. If you have content on your Web site that you think people would actually pay to download, visit PC Mechanic to see just how it's done. Reviewed on February 26, 2000; last visited on August 12, 2002.Learning Things (or Looking Things Up) A Web site called "Science, Optics, and You" offers a page called Powers of 10. Each picture on the Web page is an image of something that is 10 times bigger (or smaller) than the one preceding it or the one following it. You can start at the Milky Way and quickly move through space towards the Earth in successive orders of magnitude until you find yourself looking at the DNA structure for a leaf on a tree. Reviewed on June 21, 2002; last visited on August 13, 2002.

The Computer Information Center is a directory of information technology sites. In addition to resources located in their Technical Topics Centers, which cover 80 different areas of IT technology, there are annotated links to IT support, product reviews, white papers, and tech dictionaries and encyclopedias - including whatis.com. We especi