10 Key Security Questions to Help Determine the Most Secure Platform


1. How well does it protect sensitive data?
Mainframe computers provide for complete protection of all data from unauthorized reading and writing. If you want a measurable standard of how good the security of a given computer is, you probably want to know how it scores on the Common Criteria, a set of standards supported by the International Standards Organization (ISO). They specify seven levels of security from Evaluation Assurance Level (EAL)-1 up to EAL-7. A computer system is granted an EAL certification only after rigorous independent testing. Levels EAL-1 to EAL-4 apply to commercial installations. Levels EAL-5 and higher are much more formal and are granted only after certification by the National Security Agency (NSA).
Mainframe computers with z/OS system software have been certified at EAL-4+. Mainframes with VM system software have been certified at EAL-3+. With Linux system software, mainframes have been certified at EAL-4+.
Mainframe computers are usually kept behind locked doors in a secure data center. This physical security provides a “secure zone,” and within that zone, the mainframe security software permits only authorized users to access data. Outside the security of the data center, access to data is restricted by means of encryption. Whether the data is sent over a network or shipped on a tape cartridge, encryption can prevent unauthorized data access. You’ve probably read of companies whose computer tapes containing sensitive data were stolen off delivery trucks. In cases where the data on the tapes had been encrypted, the loss was minimal.
Mainframe computer security provides several additional access control functions not commonly found on other types of computers. These include verification of tape access by means of tape labels, access control over printouts before they’re printed, and automated obliteration of data when disk data sets are erased.
Because of its large size and standardized processes, the mainframe can be said to offer more functions and more comprehensive protection of computerized data than most computing platforms.
Windows computers have received a Common Criteria rating of EAL-4+, the same as mainframes with the z/OS operating system. Unix computer ratings vary with the brand of Unix, but mainframes with Linux also have been rated EAL-4+.
Mainframes can provide more security functions than Windows or Unix, such as the tape and printout protection previously described, because of their greater processing power. Unlike mainframes, Windows and Unix systems aren’t always housed in locked data centers with strong physical security.
For any computer system you’re considering, ask how it ranks on the Common Criteria, which provides a consistent, independent evaluation of a given computer’s security. Also, ensure that your staff encrypts all sensitive data leaving your data center.

10 Reasons to Switch to Linux


1. It Doesn't Crash

Linux has been time-proven to be a reliable operating system. Although the desktop is not a new place for Linux, most Linux-based systems have been used as servers and embedded systems. High-visibility Web sites such as Google use Linux-based systems, but you also can find Linux inside the TiVo set-top box in many living rooms.
Linux has proved to be so reliable and secure that it is commonly found in dedicated firewall and router systems used by high-profile companies to secure their networks. For more than ten years, it has not been uncommon for Linux systems to run for months or years without needing a single reboot.

2. Viruses Are Few and Far Between

Although it is possible to create a virus to target Linux systems, the design of the system itself makes it very difficult to become infected. A single user could cause local damage to his or her files by running a virus on his or her system; however, this would be an isolated instance rather than something that could spread out of control.
In addition, virtually all Linux vendors offer free on-line security updates. The general philosophy of the Linux community has been to address possible security issues before they become a problem rather than hoping the susceptibility will go unnoticed.

3. Virtually Hardware-Independent

Linux was designed and written to be easily portable to different hardware. For the desktop user, this means that Linux has been and likely always will be the first operating system to take advantage of advances in hardware technology such as AMD's 64-bit processor chips.

4. Freedom of Choice

Linux offers freedom of choice as far as which manufacturer you purchase the software from as well as which application programs you wish to use. Being able to pick the manufacturer means you have a real choice as far as the type of support you receive. Being open-source software, new manufacturers can enter the market to address customer needs.
Choice of application programs means that you can select the tools that best address your needs. For example, three popular word processors are available. All three are free and interoperate with Microsoft Word, but each offers unique advantages and disadvantages. The same is true of Web browsers.

5. Standards

Linux itself and many common applications follow open standards. This means an update on one system will not make other systems obsolete.

6. Applications, Applications, Applications

Each Linux distribution comes with hundreds and possibly thousands of application programs included. This alone can save you thousands of dollars for each desktop system you configure. Although this is a very small subset, consider that the OpenOffice.org office suite is included as well as the GIMP, a program similar to (and many people say more capable than) Adobe Photoshop; Scribus, a document layout program similar to Quark Xpress; Evolution, an e-mail system equivalent to Microsoft's Outlook Express; and hundreds more.
For the more technically inclined, development tools, such as compilers for the C, C++, Ada, Fortran, Pascal and other languages, are included as well as Perl, PHP and Python interpreters. Editors and versioning tools also are included in this category.
Whether you are looking for Instant Messaging clients, backup tools or Web site development packages, they likely are all included within your base Linux distribution.

7. Interoperability

More and more computers are being connected to networks. No system would be complete if it did not include tools to allow it to interoperate with computers running other operating systems. Once again, Linux is very strong in this area.
Linux includes Samba, software that allows Linux to act as a client on a Microsoft Windows-based network. In fact, Samba includes server facilities such that you could run a Linux system as the server for a group of Linux and Windows-based client systems.
In addition, Linux includes software to network with Apple networks and Novell's Netware. NFS, the networking technology developed on UNIX systems, also is included.

8. It's a Community Relationship, Not a Customer Relationship

Other operating systems are the products of single vendors. Linux, on the other hand, is openly developed, and this technology is shared among vendors. This means you become part of a community rather than a customer of a single manufacturer. Also, the supplier community easily can adjust to the needs of various user communities rather than spouting a "one size fits all" philosophy.
This means you can select a Linux vendor that appears to best address your needs and feel confident that you could switch vendors at a later time without losing your investment, both in terms of costs and learning.

9. It's Not How Big Your Processor Is...

Because of a combination of the internal design of Linux and development contributions from a diverse community, Linux tends to be more frugal in the use of computer resources. This may manifest itself in a single desktop system running faster with Linux than with another operating system, but the advantages go far beyond that. It is possible, for example, to configure a single Linux system to act as a terminal server and then use outdated hardware as what are called thin clients.
This server/thin client configuration makes it possible for older, less powerful hardware to share the resources of a single powerful system, thus extending the life of older machines.

10. Linux Is Configurable

Linux is a true multi-user operating system. Each user can have his or her own individual configuration all on one computer. This includes the look of the desktop, what icons are displayed, what programs are started automatically when the user logs in and even what language the desktop is in.

Top Ten Errors Java Programmers Make


Whether you program regularly in Java, and know it like the back of your hand, or whether you're new to the language or a casual programmer, you'll make mistakes. It's natural, it's human, and guess what? You'll more than likely make the same mistakes that others do, over and over again. Here's my top ten list of errors that we all seem to make at one time or another, how to spot them, and how to fix them.

10. Accessing non-static member variables from static methods (such as main)

Many programmers, particularly when first introduced to Java, have problems with accessing member variables from their main method. The method signature for main is marked static - meaning that we don't need to create an instance of the class to invoke the main method. For example, a Java Virtual Machine (JVM) could call the class MyApplication like this:
MyApplication.main ( command_line_args );
This means, however, that there isn't an instance of MyApplication - it doesn't have any member variables to access! Take for example the following application, which will generate a compiler error message.
public class StaticDemo
{
    public String my_member_variable = "somedata";

    public static void main (String args[])
    {
        // Access a non-static member from static method: there is no
        // instance of StaticDemo here, so this does not compile
        System.out.println ("This generates a compiler error" +
                my_member_variable );
    }
}
If you want to access its member variables from a static method (like main), you must create an instance of the object. Here's a simple example of how to correctly write code to access non-static member variables, by first creating an instance of the object.
public class NonStaticDemo
{
    public String my_member_variable = "somedata";

    public static void main (String args[])
    {
        NonStaticDemo demo = new NonStaticDemo();

        // Access member variable through the instance
        System.out.println ("This WON'T generate an error" +
                demo.my_member_variable );
    }
}

9. Mistyping the name of a method when overriding

Overriding allows programmers to replace a method's implementation with new code. Overriding is a handy feature, and most OO programmers make heavy use of it. If you use the AWT 1.1 event handling model, you'll often override listener implementations to provide custom functionality. One easy trap to fall into with overriding is to mistype the method name. If you mistype the name, you're no longer overriding a method - you're creating an entirely new method, but with the same parameter and return type.
import java.awt.event.WindowAdapter;
import java.awt.event.WindowEvent;

public class MyWindowListener extends WindowAdapter {
    // Mistyped: the WindowAdapter method is windowClosed, so this is a
    // brand-new method that the AWT never calls, and the compiler can't tell
    public void WindowClose(WindowEvent e) {
        // Exit when user closes window
        System.exit(0);
    }
}
Compilers won't pick up on this one, and the problem can be quite frustrating to detect. In the past, I've looked at a method, believed that it was being called, and taken ages to spot the problem. The symptom of this error will be that your code isn't being called, or you think the method has skipped over its code. The only way to ever be certain is to add a println statement, to record a message in a log file, or to use a good trace debugger (like Visual J++ or Borland JBuilder) and step through line by line. If your method still isn't being called, then it's likely you've mistyped the name.

8. Comparison assignment ( = rather than == )

This is an easy error to make. If you've used other languages before, such as Pascal, you'll realize just how poor a choice this was by the language's designers. In Pascal, for example, we use the := operator for assignment, and leave = for comparison. This looks like a throwback to C/C++, from which Java draws its roots.
Fortunately, even if you don't spot this one by looking at code on the screen, your compiler will. Most commonly, it will report an error message like this: "Can't convert xxx to boolean", where xxx is a Java type that you're assigning instead of comparing.

7. Comparing two objects ( == instead of .equals)

When we use the == operator, we are actually comparing two object references, to see if they point to the same object. We cannot compare, for example, two strings for equality, using the == operator. We must instead use the .equals method, which is a method inherited by all classes from java.lang.Object.
Here's the correct way to compare two strings.
String abc = "abc";
String def = "def";

// Bad way: == compares references, not contents
if ( (abc + def) == "abcdef" )
{
    ......
}

// Good way: equals compares contents
if ( (abc + def).equals("abcdef") )
{
    .....
}

6. Confusion over passing by value, and passing by reference

This can be a frustrating problem to diagnose, because when you look at the code, you might be sure that it's passing by reference, but find that it's actually being passed by value. Java uses both, so you need to understand when you're passing by value, and when you're passing by reference.
When you pass a primitive data type, such as a char, int, float, or double, to a function then you are passing by value. That means that a copy of the value is made, and passed to the function. If the function chooses to modify that value, it will be modifying the copy only. Once the function finishes, and control is returned to the calling function, the "real" variable will be untouched, and no changes will have been saved. If you need to modify a primitive data type, make it a return value for a function, or wrap it inside an object.
When you pass a Java object, such as an array, a vector, or a string, to a function then you are passing by reference. Yes - a String is actually an object, not a primitive data type. So that means that if you pass an object to a function, you are passing a reference to it, not a duplicate. Any changes you make to the object's member variables will be permanent - which can be either good or bad, depending on whether this was what you intended.
On a side note, since String contains no methods to modify its contents, you might as well be passing by value.
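The cases described above, side by side, as an added example that is not code from the original article: a primitive parameter, an array parameter that is written through, an array parameter that is merely reassigned, an immutable String, and a primitive wrapped in a small mutable object. The class and method names are my own.

```java
// Added example: what a callee can and cannot change about its caller's
// variables in Java. Names (ParameterPassingDemo, IntBox, ...) are invented.
public class ParameterPassingDemo {

    // A primitive parameter is a copy: the caller's variable is untouched.
    static void tryToDouble(int n) {
        n = n * 2;
    }

    // An array parameter refers to the caller's array: writing through the
    // reference changes the caller's data.
    static void zeroFirstElement(int[] values) {
        values[0] = 0;
    }

    // Reassigning the parameter only rebinds the callee's local reference;
    // the caller still holds the original array.
    static void tryToReplace(int[] values) {
        values = new int[] {9, 9, 9};
    }

    // A String has no methods that change its contents, so the only way to
    // "modify" it is to return a new String and have the caller use it.
    static String shout(String s) {
        return s.toUpperCase();
    }

    // Wrapping a primitive in a mutable object lets the callee change it.
    static class IntBox {
        int value;
        IntBox(int value) { this.value = value; }
    }

    static void doubleInBox(IntBox box) {
        box.value = box.value * 2;
    }

    public static void main(String[] args) {
        int n = 21;
        tryToDouble(n);
        System.out.println("after tryToDouble, n is still " + n);

        int[] values = {7, 8, 9};
        zeroFirstElement(values);
        System.out.println("after zeroFirstElement, values[0] is " + values[0]);

        tryToReplace(values);
        System.out.println("after tryToReplace, values[0] is " + values[0]
                + " (the caller's array was not replaced)");

        String s = "quiet";
        shout(s);
        System.out.println("shout() with return value ignored: " + s);
        s = shout(s);
        System.out.println("shout() with return value used: " + s);

        IntBox box = new IntBox(21);
        doubleInBox(box);
        System.out.println("after doubleInBox, box.value is " + box.value);
    }
}
```

Compile and run it with javac/java and compare each printed line with the comment above the method that produced it; tryToReplace is the case that trips people up most often, because the callee does receive a reference, yet assigning a new array to that parameter has no effect on the caller.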

5. Writing blank exception handlers

I know it's very tempting to write blank exception handlers, and to just ignore errors. But if you run into problems, and haven't written any error messages, it becomes almost impossible to find out the cause of the error. Even the simplest exception handler can be of benefit. For example, put a try { .. } catch (Exception e) block around your code, to catch ANY type of exception, and print out the message. You don't need to write a custom handler for every exception (though this is still good programming practice). Don't ever leave it blank, or you won't know what's happening.
For example:
public static void main(String args[])
{
    try {
        // Your code goes here..
    }
    catch (Exception e)
    {
        // At minimum, record what went wrong rather than swallowing it
        System.out.println ("Err - " + e );
    }
}

4. Forgetting that Java is zero-indexed

If you've come from a C/C++ background, you may not find this quite as much a problem as those who have used other languages. In Java, arrays are zero-indexed, meaning that the first element's index is actually 0. Confused? Let's look at a quick example.
// Create an array of three strings
String[] strArray = new String[3];

// First element's index is actually 0
strArray[0] = "First string";

// Second element's index is actually 1
strArray[1] = "Second string";

// Final element's index is actually 2
strArray[2] = "Third and final string";
In this example, we have an array of three strings, but to access elements of the array we actually subtract one. Now, if we were to try and access strArray[3], we'd be accessing the fourth element. This will cause an ArrayIndexOutOfBoundsException to be thrown - the most obvious sign of forgetting the zero-indexing rule.
Other areas where zero-indexing can get you into trouble is with strings. Suppose you wanted to get a character at a particular offset within a string. Using the String.charAt(int) function you can look this information up - but under Java, the String class is also zero-indexed. That means that the first character is at offset 0, and the second at offset 1. You can run into some very frustrating problems unless you are aware of this - particularly if you write applications with heavy string processing. You can be working on the wrong character, and also throw exceptions at run-time. Just like the ArrayIndexOutOfBoundsException, there is a string equivalent. Accessing beyond the bounds of a String will cause a StringIndexOutOfBoundsException to be thrown, as demonstrated by this example.
public class StrDemo
{
    public static void main (String args[])
    {
        String abc = "abc";

        System.out.println ("Char at offset 0 : " + abc.charAt(0) );
        System.out.println ("Char at offset 1 : " + abc.charAt(1) );
        System.out.println ("Char at offset 2 : " + abc.charAt(2) );

        // This line throws a StringIndexOutOfBoundsException:
        // the last valid offset of a 3-character string is 2
        System.out.println ("Char at offset 3 : " + abc.charAt(3) );
    }
}
Note too, that zero-indexing doesn't just apply to arrays, or to Strings. Other parts of Java are also indexed, but not always consistently. The java.util.Date, and java.util.Calendar classes start their months with 0, but days start normally with 1. This problem is demonstrated by the following application.
import java.util.Date;
import java.util.Calendar;

public class ZeroIndexedDate
{
    public static void main (String args[])
    {
        // Get today's date
        Date today = new Date();

        // Print return value of getMonth (deprecated, but still zero-based:
        // January is 0)
        System.out.println ("Date.getMonth() returns : " +
                today.getMonth());

        // Get today's date using a Calendar
        Calendar rightNow = Calendar.getInstance();

        // Print return value of get ( Calendar.MONTH ), also zero-based
        System.out.println ("Calendar.get (month) returns : " +
                rightNow.get ( Calendar.MONTH ));
    }
}
Zero-indexing is only a problem if you don't realize that it's occurring. If you think you're running into a problem, always consult your API documentation.
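As an added example (not from the original article), here is the defensive side of the three cases above: a String lookup that checks the offset against [0, length) instead of letting StringIndexOutOfBoundsException surface, a loop that stops at the last valid index, and a date formatter that compensates for the zero-based Calendar.MONTH. The class and method names are invented for the example.

```java
import java.util.Calendar;

// Added example: explicit bounds handling for zero-indexed Strings and the
// zero-based Calendar month. Names (BoundsDemo, charAtOrDefault, ...) are mine.
public class BoundsDemo {

    // Returns the character at offset, or fallback when offset is outside
    // [0, s.length()). The check is explicit so the caller never has to
    // catch StringIndexOutOfBoundsException.
    static char charAtOrDefault(String s, int offset, char fallback) {
        if (s == null || offset < 0 || offset >= s.length()) {
            return fallback;
        }
        return s.charAt(offset);
    }

    // The last valid index is length - 1, so the loop starts there and
    // stops at 0 inclusive.
    static String reverse(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = s.length() - 1; i >= 0; i--) {
            out.append(s.charAt(i));
        }
        return out.toString();
    }

    // Calendar.MONTH is zero-based (January == 0), while DAY_OF_MONTH and
    // YEAR are not; only the month needs the +1 for human-readable output.
    static String isoDate(Calendar c) {
        return String.format("%04d-%02d-%02d",
                c.get(Calendar.YEAR),
                c.get(Calendar.MONTH) + 1,
                c.get(Calendar.DAY_OF_MONTH));
    }

    public static void main(String[] args) {
        String abc = "abc";
        // Offsets 0..2 are valid for a 3-character string; 3 is not
        System.out.println("offset 2 -> " + charAtOrDefault(abc, 2, '?'));
        System.out.println("offset 3 -> " + charAtOrDefault(abc, 3, '?'));
        System.out.println("offset -1 -> " + charAtOrDefault(abc, -1, '?'));
        System.out.println("reversed -> " + reverse(abc));

        // Constructed date: 15 January; note the month constant, not 1
        Calendar c = Calendar.getInstance();
        c.set(2004, Calendar.JANUARY, 15);
        System.out.println("raw Calendar.MONTH = " + c.get(Calendar.MONTH)
                + ", formatted = " + isoDate(c));
    }
}
```

Using the Calendar.JANUARY constant rather than a literal month number in Calendar.set is the habit that avoids the off-by-one in the first place; the +1 in isoDate is only needed where the value is shown to a person.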

3. Preventing concurrent access to shared variables by threads

When writing multi-threaded applications, many programmers (myself included) often cut corners, and leave their applications and applets vulnerable to thread conflicts. When two or more threads access the same data concurrently, there exists the possibility (and Murphy's law holding, the probability) that two threads will access or modify the same data at the same time. Don't be fooled into thinking that such problems won't occur on single-processor machines. While accessing some data (performing a read), your thread may be suspended, and another thread scheduled. It writes its data, which is then overwritten when the first thread makes its changes.
Such problems are not just limited to multi-threaded applications or applets. If you write Java APIs, or JavaBeans, then your code may not be thread-safe. Even if you never write a single application that uses threads, people that use your code WILL. For the sanity of others, if not yourself, you should always take precautions to prevent concurrent access to shared data.
How can this problem be solved? The simplest method is to make your variables private (but you do that already, right?) and to use synchronized accessor methods. Accessor methods allow access to private member variables, but in a controlled manner. Take the following accessor methods, which provide a safe way to change the value of a counter.
public class MyCounter
{
    private int count = 0; // count starts at zero

    public synchronized void setCount(int amount)
    {
        count = amount;
    }

    public synchronized int getCount()
    {
        return count;
    }
}
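The lost-update interleaving described above is easiest to believe once you have watched it happen. The following is an added example, not code from the original article: it runs the same increment loop on several threads against an unsynchronized counter, a synchronized one in the style of MyCounter, and a java.util.concurrent.atomic.AtomicInteger. It uses lambdas and method references, so it assumes Java 8 or later; the class names and the thread/iteration counts are my own choices.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Added example: a read-modify-write race on a shared counter, and two ways
// to close it. Names (CounterRace, hammer, ...) are invented for the example.
public class CounterRace {
    static final int THREADS = 4;
    static final int INCREMENTS_PER_THREAD = 100_000;

    // No synchronization: count++ is a read, an add and a write. Two threads
    // can read the same value, each add one, and one increment is lost.
    static class UnsafeCounter {
        private int count = 0;
        public void increment() { count++; }
        public int getCount() { return count; }
    }

    // synchronized makes increment() and getCount() mutually exclusive on the
    // object's monitor, so the read-modify-write can no longer interleave.
    static class SafeCounter {
        private int count = 0;
        public synchronized void increment() { count++; }
        public synchronized int getCount() { return count; }
    }

    // Runs task INCREMENTS_PER_THREAD times on each of THREADS threads and
    // waits for all of them to finish.
    static void hammer(Runnable task) throws InterruptedException {
        Thread[] workers = new Thread[THREADS];
        for (int i = 0; i < THREADS; i++) {
            workers[i] = new Thread(() -> {
                for (int j = 0; j < INCREMENTS_PER_THREAD; j++) {
                    task.run();
                }
            });
            workers[i].start();
        }
        for (Thread w : workers) {
            w.join();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        int expected = THREADS * INCREMENTS_PER_THREAD;

        UnsafeCounter unsafe = new UnsafeCounter();
        hammer(unsafe::increment);
        System.out.println("unsynchronized: " + unsafe.getCount()
                + " (expected " + expected + ")");

        SafeCounter safe = new SafeCounter();
        hammer(safe::increment);
        System.out.println("synchronized:   " + safe.getCount()
                + " (expected " + expected + ")");

        // Lock-free alternative from java.util.concurrent: the increment is a
        // single atomic compare-and-swap rather than three separate steps.
        AtomicInteger atomic = new AtomicInteger();
        hammer(atomic::incrementAndGet);
        System.out.println("AtomicInteger:  " + atomic.get()
                + " (expected " + expected + ")");
    }
}
```

The unsynchronized total is usually short of the expected value, by an amount that changes from run to run and with the number of cores; the other two always match. Note that synchronizing only getCount() would not help: every method that touches count has to take the same lock, which is why MyCounter marks both accessors synchronized.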

2. Capitalization errors

This is one of the most frequent errors that we all make. It's so simple to do, and sometimes one can look at an uncapitalized variable or method and still not spot the problem. I myself have often been puzzled by these errors, because I recognize that the method or variable does exist, but don't spot the lack of capitalization.
While there's no silver bullet for detecting this error, you can easily train yourself to make fewer of them. There's a very simple trick you can learn:
  • all methods and member variables in the Java API begin with lowercase letters
  • all methods and member variables use capitalization where a new word begins, e.g. getDoubleValue()
If you use this pattern for all of your member variables and classes, and then make a conscious effort to get it right, you can gradually reduce the number of mistakes you'll make. It may take a while, but it can save some serious head scratching in the future.

(drum roll)

And the number one error that Java programmers make !!!!!


1. Null pointers!

Null pointers are one of the most common errors that Java programmers make. Compilers can't check this one for you - it will only surface at runtime, and if you don't discover it, your users certainly will.
When an attempt to access an object is made, and the reference to that object is null, a NullPointerException will be thrown. The cause of null pointers can be varied, but generally it means that either you haven't initialized an object, or you haven't checked the return value of a function.
Many functions return null to indicate an error condition - but unless you check your return values, you'll never know what's happening. Since the cause is an error condition, normal testing may not pick it up - which means that your users will end up discovering the problem for you. If the API function indicates that null may be returned, be sure to check this before using the object reference!
Another cause is where your initialization has been sloppy, or where it is conditional. For example, examine the following code, and see if you can spot the problem.
public class NullDemo
{
    public static void main(String args[])
    {
        // Accept up to 3 parameters; any slot not filled from args stays null
        String[] list = new String[3];

        int index = 0;

        while ( (index < args.length) && ( index < 3 ) )
        {
            list[index] = args[index];
            index++;
        }

        // Check all the parameters
        for (int i = 0; i < list.length; i++)
        {
            // Throws NullPointerException when list[i] was never filled in
            if (list[i].equals("-help"))
            {
                // .........
            }
            else if (list[i].equals("-cp"))
            {
                // .........
            }
            // else .....
        }
    }
}
This code (while a contrived example), shows a common mistake. Under some circumstances, where the user enters three or more parameters, the code will run fine. If no parameters are entered, you'll get a NullPointerException at runtime. Sometimes your variables (the array of strings) will be initialized, and other times they won't. One easy solution is to check BEFORE you attempt to access a variable in an array that it is not equal to null.
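Two ways of applying that advice to the parameter-checking loop above, as an added example that is not code from the original article: size the array to what was actually supplied, or keep the fixed-size array and guard each element before calling a method on it. The faulty version is kept alongside so the three can be run against the same inputs. Class and method names are invented.

```java
import java.util.Arrays;

// Added example: the null-element bug from the article beside two fixes.
// Names (ArgsDemo, hasHelpFlag*, MAX_ARGS) are mine, not the article's.
public class ArgsDemo {
    static final int MAX_ARGS = 3;

    // Same pattern as the article: a fixed-size array whose unfilled slots
    // stay null, then an unguarded equals() call on every slot.
    static boolean hasHelpFlagUnsafe(String[] args) {
        String[] list = new String[MAX_ARGS];
        for (int i = 0; i < args.length && i < MAX_ARGS; i++) {
            list[i] = args[i];
        }
        for (int i = 0; i < list.length; i++) {
            if (list[i].equals("-help")) {   // NullPointerException if list[i] is null
                return true;
            }
        }
        return false;
    }

    // Fix 1: only keep as many elements as were actually provided, so there
    // are no null slots to begin with.
    static boolean hasHelpFlagSized(String[] args) {
        String[] list = Arrays.copyOf(args, Math.min(args.length, MAX_ARGS));
        for (String arg : list) {
            if ("-help".equals(arg)) {       // literal-first equals is null-safe too
                return true;
            }
        }
        return false;
    }

    // Fix 2: keep the fixed-size array but check each element for null
    // before using it, as the article suggests.
    static boolean hasHelpFlagGuarded(String[] args) {
        String[] list = new String[MAX_ARGS];
        for (int i = 0; i < args.length && i < MAX_ARGS; i++) {
            list[i] = args[i];
        }
        for (String arg : list) {
            if (arg != null && arg.equals("-help")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs: no parameters at all, and two parameters
        String[] none = new String[0];
        String[] some = {"-cp", "-help"};

        System.out.println("sized,   no args:   " + hasHelpFlagSized(none));
        System.out.println("sized,   with args: " + hasHelpFlagSized(some));
        System.out.println("guarded, no args:   " + hasHelpFlagGuarded(none));
        System.out.println("guarded, with args: " + hasHelpFlagGuarded(some));

        // The unguarded version only survives when all three slots are filled
        try {
            System.out.println("unsafe,  no args:   " + hasHelpFlagUnsafe(none));
        } catch (NullPointerException e) {
            System.out.println("unsafe,  no args:   threw " + e);
        }
    }
}
```

Writing the comparison as "-help".equals(arg) is a common idiom precisely because it cannot throw when arg is null; the explicit arg != null check in the guarded version makes the same intent visible to a reader who is not familiar with the idiom.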

Summary

These errors represent but some of the many that we all make. Though it is impossible to completely eliminate errors from the coding process, with care and practice you can avoid repeating the same ones. Rest assured, however, that all Java programmers encounter the same sorts of problems. It's comforting to know, that while you work late into the night tracking down an error, someone, somewhere, sometime, will make the same mistake!