Defend Against Attacks
Add a couple more techniques to your arsenal of ways to safeguard your password-protected apps from dictionary attacks.
Letters to Visual Studio Magazine are welcome. Letters must include your name, address, and daytime phone number to be considered for publication. Letters might be edited for form, fit, and style. Please send them to Letters to the Editor, c/o Visual Studio Magazine, 2600 El Camino Real, Suite 300, San Mateo, CA 94403; fax them to 650-570-6307; or e-mail them to firstname.lastname@example.org.
Defend Against Attacks
I have an effective technique against dictionary attacks that James McCaffrey didn't discuss in his article, "Prevent Dictionary Attacks" [December 2003]. If the login fails, I delay the reply for a few seconds using a sleep thread. It's easy to implement and has no accessibility issues. The attacker can see that the effective response rate to the attack is low and will find easier game. I also log the IP and count retries. The sleep period can be proportional to the number of invalid retries from that IP. Consecutive invalid logins get slower and slower but do not lock out the account. This prevents a denial-of-service attack that an account lockout method causes. You can use this method in combination with all of James' other suggestions.
Cooper Out of Touch?
I recently read Alan Cooper's The Software Architect column, "The Last Gasp" [November 2003], and I have to admit I think he missed something fundamental in his logic. Normally I've been in complete agreement with Alan over the years and have enjoyed reading his various books, columns, and white papers.
I believe he's playing games with semantics, not reality. Software, and the necessary enabling technologies which are required to run the software on, are indeed manufactured goods. Yes, in a pure sense, software is an abstract collection of state potentials, but in order for it to be usable, it needs to be placed on some form of media or transferred over another form. In our world, things break out into two major marketable commodities: either goods or services. Software is a good, not a service. The software can provide a service, but it is a good intrinsically. The act of creating it is a manufacturing process. It uses raw materials by the tons. The factories are now office buildings stuffed full of people, computers, cubes, phones, infrastructure, and so on. They might also be a home office, but they still exist and consume resources, and you can get a tax credit from the IRS for all of it.
The manufacturing costs are indeed variable, as are raw-material costs. They fluctuate with the economy and change based on geographic location and skill levels, just like with any other manufacturing process. Variable costs are alive and well in the software industry, and if you ever ran a departmental or enterprise budget for a development team, you would know that. Since that was your basic premise as to what makes this a "new" economy, your entire article was patently false and out of touch with reality. However, I will continue to read what you writethese mental aberrations of yours are fortunately few and far between.
Thanks for your comments. You say, "In our world, things break out into two major marketable commodities: either goods or services." My point is that this assertion is no longer true. I believe that things break out into three major commodities: goods, services, and software. A.C.
I found Alan Cooper's article to be an island of clarity in a sea of info-glut jargon. He writes a straightforward sentence with ancient Greek economy. I have often used his articles to attempt to get the managers within my company to change course when heading for the shoalsusually to no avail. But Alan's concepts of architect, blueprint, and supervisor provided a metaphor so easy to understand that it cheered the developers and got "damagement's" attention.
As a postscript, the small shop I'm with is in the process of outsourcing to India.
Gary Hottinger, Louisville, Ky.