February 21, 2008, 12:07 pm

Here is a CSS recipe to display any ordered or unordered list in multiple columns.


<style>
.fourColumns > li {
min-width: 25%;
float: left;
}
/* This will clear the floating in standards-compliant browsers... might not work in IE */
.fourColumns:after {
display: block;
content: ''; /* empty generated box; CSS strings do not decode HTML entities such as &nbsp; */
clear: both;
}
</style>
<ol class="fourColumns">
<li>An item </li>
<li>Another item </li>
<li>A different item</li>
<li>Item four </li>
<li>etc </li>
<li>An itme </li>
<li>An item </li>
<li>Another item </li>
<li>A different item</li>
<li>Item four </li>
<li>etc </li>
<li>An itme </li>
<li>An item </li>
<li>Another item </li>
<li>A different item</li>
<li>Item four </li>
<li>etc </li>
<li>An itme </li>
</ol>

That all becomes

  1. An item
  2. An item
  3. Another item
  4. A different item
  5. Item four
  6. etc
  7. An itme
  8. An item
  9. An item
  10. An item
  11. Another item
  12. A different item
  13. Item four
  14. etc
  15. An itme
  16. An item
  17. An item
  18. An item
  19. Another item
  20. A different item
  21. Item four
  22. etc
  23. An itme
  24. An item
  25. An item
  26. An item
  27. Another item
  28. A different item
  29. Item four
  30. etc
  31. An itme
  32. An item
February 12, 2008, 12:44 pm

Today, February 12, is Darwin Day.

Darwin Day is an international celebration of science and humanity held on or around February 12, the day on which Charles Darwin was born in 1809. Specifically, it celebrates the discoveries and life of Charles Darwin, the man who first described biological evolution via natural selection with scientific rigor. More generally, Darwin Day expresses gratitude for the enormous benefits that scientific knowledge, acquired through human curiosity and ingenuity, has contributed to the advancement of humanity.

See also the Darwin Day entry on Wikipedia.

January 12, 2008, 2:01 pm

Word on the street is that Ezproxy, the remote access solution for libraries, is to be acquired by OCLC. I predict a change in the licensing and potential litigation for users in the future. More to the point, this should be seen as a call for an open-source equivalent.

For years ezproxy has been an outstanding solution for providing library patrons with remote access to licensed web resources. It has been dirt cheap with excellent support. Yet, at the same time, the documentation is poor and the configuration bizarre. I know; I administered a large, complicated ezproxy for a library consortium for many years.

With all strengths and weaknesses combined, ezproxy was head-and-shoulders above any competitor. Ezproxy’s well-earned popularity meant that there was really no advantage for anyone to create an open-source equivalent. However, now that it is to be acquired by a large library vendor, we can expect many reasons to emerge. The quality of support will likely change over time. The licensing is likely to become complex.

I believe that either a Java application or an Apache module, with a management tool for building, managing, and distributing the rule sets for specific web resources, is in order. Apache would be interesting as it already has an API for doing authentication/authorization and could be integrated with federated identity through emerging projects that would be separate (that is to say, ezproxy wouldn’t need to support these... Apache will). This is also true of Java in some sense, as many Java application servers have identity management components that would help with this. But they are not open-source (generally speaking... some specific ones are).

November 18, 2007, 1:54 pm

This awesome short film on YouTube came to my attention because it is tagged with the word “librarian” (I’ve got an RSS feed that shows all “library” videos on YouTube). Apparently, the whole thing was created in less than 48 hours: the whole thing. It was an entry in the UNLV 48 Hour Film Festival. Wow! I think everyone with an interest in film-making should go out and make a video answering the question: “If you travelled back in time and got stuck, what would you do?”

November 16, 2007, 1:11 pm

On Monday, November 19, 2007, David Litchfield will be releasing the Database Exposure Survey for 2007 on his databasesecurity.com website. According to CIO.com, Litchfield estimates that there are roughly 500,000 database servers on the Internet that are openly accessible (with no firewall protection).

I believe many sysadmins overlook database security, believing that “no one knows it’s there, so how could it be attacked?” It’s a foolish notion. I think other admins believe that database servers are not vulnerable to attack in the same way that other services are. We hear about worms and trojans targeting desktop users, IM clients, and web applications, but less often we hear about buffer overflows in server applications. However, vulnerabilities in RDBMS services do occur, and often enough to make you worry. Remote code execution is a potential problem for any service that you can connect to directly.

Even if your database server is patched up, you have to worry about accounts on the database server. Do all your database user accounts have passwords? I have seen poor password selection on database accounts far too often. It makes my skin crawl, actually. It’s hard to explain to programmers sometimes why password choice is important, or sometimes even why passwords are necessary at all.

Many people believe that database servers are “behind the scenes” and inaccessible from the Internet. Litchfield’s survey demonstrates how often that assumption is wrong.

Defense-in-depth applies to database security as much as any other network service:

  • You need a firewall configured to deny access to your database server except to the few people that really need to connect.
  • Every account on your database should have a non-empty password and it should be a strong password.
  • Accounts should have limited access to databases. Read-only access should be your default. No account should have access to all your databases unless necessary.
  • You should monitor database access. Do you have logs showing which users logged in and when and from where?
  • When put together, “limiting account access” and “monitoring” mean you should be able to tell who accessed which database from what application. Each web application should use a different account to access your databases (at the very minimum).
  • Finally, you should have a process for auditing data integrity. Would you be able to tell if data in a database had been inserted or if data was invalid or inconsistent?
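
The account-related items in the checklist above can be turned into a repeatable check. The following is an added example, not code from the original post: it audits an account inventory for empty passwords, unrestricted source addresses, access to every database, write privileges, and logins shared between applications. The inventory format, the `Account` fields and the sample accounts are assumptions constructed for illustration.

```python
# Added example: audit a database account inventory against the checklist above.
# The inventory format and every account in it are constructed for illustration;
# in practice these fields would be exported from your RDBMS's own catalog.
from dataclasses import dataclass, field

READ_ONLY = {"SELECT"}  # privileges treated as read-only (the recommended default)

@dataclass
class Account:
    name: str
    has_password: bool
    allowed_from: str   # source address allowed to connect; "*" means anywhere
    grants: dict        # database name ("*" = all databases) -> set of privileges
    used_by: list = field(default_factory=list)  # applications using this login

def audit(accounts):
    """Return {account name: [findings]} for accounts that break the checklist."""
    report = {}
    for acct in accounts:
        findings = []
        if not acct.has_password:
            findings.append("empty password")
        if acct.allowed_from == "*":
            findings.append("can connect from any address")
        if "*" in acct.grants:
            findings.append("has access to every database")
        # Anything beyond read-only is not forbidden, but must be justified.
        writable = sorted(db for db, privs in acct.grants.items() if privs - READ_ONLY)
        if writable:
            findings.append("write access (confirm needed): " + ", ".join(writable))
        if len(acct.used_by) > 1:
            findings.append("shared by: " + ", ".join(sorted(acct.used_by)))
        if findings:
            report[acct.name] = findings
    return report

SAMPLE = [  # constructed sample data
    Account("catalog_ro", True, "10.0.0.5", {"catalog": {"SELECT"}}, ["catalog-web"]),
    Account("webapp", False, "*", {"*": {"SELECT", "INSERT", "UPDATE", "DELETE"}},
            ["catalog-web", "circulation"]),
    Account("circ_rw", True, "10.0.0.6", {"circulation": {"SELECT", "UPDATE"}},
            ["circulation"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name + ": " + "; ".join(findings))
```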