This Document Contains Chapters 8 to 10

Chapter 8 Web Server Hardware and Software

Review Questions

1. What is platform neutrality?
Answer: Platform neutrality is the ability of a network to connect devices that use different operating systems.

2. What is a static Web page?
Answer: A static Web page is an unchanging Web page composed of a set of files stored on a Web server.

3. What is dynamic Web page content?
Answer: A dynamic page is a Web page whose content is created by software in response to user requests. Dynamic pages allow a Web server to provide customized pages in response to specific queries from site visitors. These customized pages are called dynamic content.

4. Name and briefly define the different types of server computers that might be used in an online business.
Answer: The server connected to the Internet and running Web server software is the Web server. The server computer that handles incoming and outgoing e-mail is usually called an e-mail server, and the software that manages e-mail activity on that server is frequently called e-mail server software. The server computer on which database management software runs is often called a database server. The computer on which a company runs its accounting and inventory management software is sometimes called a transaction server.

5. List the main tasks performed by a Web server computer.
Answer: A Web server computer runs software called Web server software. Web server software receives requests from many different Web clients and responds by sending files back to those Web client computers. Each Web client computer’s Web client software renders those files into a Web page. Thus, the purpose of a Web server is to respond to requests for Web pages from Web clients.

6. What is the function of a request message in a two-tier client-server architecture?
Answer: The basic Web client/server model is a two-tier model because it has only one client and one server. All communication takes place on the Internet between the client and the server. Of course, other computers are involved in forwarding packets of information across the Internet, but the messages are created and read only by the client and the server computers in a two-tier client/server architecture. The message that a Web client sends to request a file or files from a Web server is called a request message.

7. What is included in a response header line?
Answer: The response header line indicates the HTTP version used by the server, the status of the response (whether the server found the file that the client wanted), and an explanation of the status information.

8. What is the relationship between UNIX and Linux?
Answer: Linux is a UNIX-based operating system.

9. What is open source software?
Answer: Open-source software is software that is developed by a community of programmers who make the software available for download and use at no cost.

10. Name one specific concern that business organizations have about e-mail attachments.
Answer: E-mail attachments can be or can contain viruses. Using virus protection software and dealing with e-mailed security threats is a cost that comes with e-mail use.

11. Briefly explain the difference between client-level and server-level spam filtering.
Answer: All content-filtering solutions require software that identifies content elements in an incoming e-mail message that indicate the message is (or is not) spam. The software that performs the filtering task can be placed on individual users’ computers (called client-level filtering) or on mail server computers (called server-level filtering). Server-level filtering can be implemented on an ISP’s mail server, an individual company’s mail server, or both. Also, many individuals who have ISP and/or company mail servers that filter their e-mail also install client-level filters on their computers.

12. What problem is created by false positives in white list spam filters?
Answer: A white list spam filter examines From addresses and compares them to a list of known good sender addresses (for example, the addresses in an individual’s address book). A white list filter is usually applied at the individual user level, although it is possible to do the filtering at the organization level if the e-mail administrator has access to all individuals’ address books. The main drawback to this approach is that it filters out any incoming messages sent by unknown parties, not just spam. Because the number of false positives (messages that are rejected but should not have been) can be very high for white list filters, the rejected e-mails are always placed into a review mailbox instead of being deleted.

13. Briefly explain how a challenge-response system works to reduce spam.
Answer: The challenge-response technique uses a white list as the basis for a confirmation procedure. It compares all incoming messages to a white list. If the message is from a sender who is not on the white list, an automated e-mail response is sent to the sender. This message (the challenge) asks the sender to reply to the e-mail (the response). The reply must contain a response to a challenge presented in the e-mail.

14. What is Bayesian revision?
Answer: Bayesian revision is a statistical technique in which additional knowledge is used to revise earlier estimates of probabilities.

15. What is teergrubing?
Answer: Teergrubing is an anti-spamming approach in which the receiving computer launches a return attack against the spammer, sending e-mail messages back to the computer that originated the suspected spam.

16. Briefly describe the information that can be provided by a route-tracing program.
Answer: Route-tracing programs send data packets to every computer on the path (across the Internet) between one computer and another computer and clock the packets’ round-trip times. This provides an indication of the time it takes a message to travel from one computer to another and back, ensures that the remote computer is online, and pinpoints any data traffic congestion. Route-tracing programs also calculate and display the number of hops between computers and the time it takes to traverse the entire one-way path between machines.

17. Provide one example of the type of information that might be included in a Web log file.
Answer: Web servers can capture visitor information, including data about who is visiting a Web site (the visitor’s URL), how long the visitor’s Web browser viewed the site, the date and time of each visit, and which pages the visitor viewed. This data is placed into a Web log file.

18. What is an orphan file on a Web server?
Answer: An orphan file is a file on the Web server that is not linked to any Web page.

19. What is remote server administration?
Answer: Remote server administration is the control of a Web site by an administrator from any Internet-connected computer.

20. In a Web server, what is throughput?
Answer: Throughput is the number of HTTP requests that a particular hardware and software combination can process in a unit of time.

21. What is a load-balancing switch?
Answer: A load-balancing switch is a piece of network hardware that monitors the workloads of servers attached to it and assigns incoming Web traffic to the server that has the most available capacity at that instant in time.

22. What is cloud computing?
Answer: Cloud computing is a service that allows multiple organizations to share a network of server computers and the software that runs on those computers. This strategy gives businesses access to a large array of computers, with the related storage and backup facilities, at a lower cost than they could purchase the same amount of computer power themselves.

23. What is a content delivery network?
Answer: Content delivery networks (CDNs) are companies that provide a service in which they store large file contents on multiple servers located throughout the Internet.

24. What is latency?
Answer: Latency is the delay in transmission caused by the inability of the network to handle the full traffic load momentarily.

Exercises

1. In about 200 words, describe the technologies Web servers use to tailor customized Web pages that respond to users’ requests. In your answer, include a comparison of client-side and server-side approaches and outline the advantages of each.
Answer: The most common software tools used to create dynamic Web pages include Microsoft’s ASP.NET (often included in a program written in a standard language such as C#, C++, or Visual Basic), Apache Software Foundation’s Hypertext Preprocessor (PHP), or Adobe’s ColdFusion. Although JavaScript is used extensively for client-side scripting, it can also be used for server-side scripting. The Java programming language is another tool used to create server-side scripts. AJAX (asynchronous JavaScript and XML) is a newer framework used to create interactive Web sites that look like applications running in a Web browser. Most dynamic Web pages must reload in their entirety if any page content changes. AJAX lets programmers create Web pages that will update asynchronously by exchanging small amounts of data with the server while the rest of the Web page continues to be displayed in the browser. Because the entire Web page does not reload with every change, the user experiences faster responses. Ruby on Rails, Python, and Scala are also newer Web development frameworks that are used to accomplish the same objectives as AJAX.

2. In about 100 words, describe how an n-tier architecture might be used by an online business. Include in your answer an outline of the functions that would likely be performed by computers configured in this way.
Answer: Architectures that have more than three tiers are often called n-tier architectures. N-tier systems can track customer purchases stored in shopping carts, look up sales tax rates, keep track of customer preferences, update in-stock inventory databases, and keep the product catalog current.

3. Using your favorite search engine, find at least two companies that provide technical support for users of the Apache Web Server software. Learn what services they provide and, if possible, what they charge. Review their Web sites to learn more about the companies and summarize your findings in a report of about 200 words.
Answer: Responses will vary.
Pantek (www.pantek.com)
Support:
• Expert Technical Support 24/7
• System Administration
• Incident Response
• Software Updates
• Professional Services
• Migrations and Integration
Apache Config & Use:
• SSL certificates and configurations
• PHP configuration and upgrades
• .htaccess, mod_rewrite & related
• Configure particular features
• Performance tuning & optimization
Apache Security Examples:
• Apache and module upgrades
• PCI scanning and remediation
• DoS attack detection/remediation
• Fix BEAST, Poodle, Heartbleed, etc.
• mod_proxy, Nginx, Squid, etc.
• mod_security, mod_geoip, etc.
OpenLogic Support (http://www.roguewave.com/capabilities/open-source-support)
Support:
• Gold Support provides 24/7 coverage with guaranteed service level agreements to keep enterprise production applications up and running
• Silver Support provides expert support on the configuration, integration, and use of open source software as well as recommendations for open source packages based on use case

4. In about 200 words, distinguish between white-list and black-list spam filters, then outline the advantages and disadvantages of each.
Answer: The most common basic content-filtering techniques are black lists and white lists. A black list spam filter looks for From addresses in incoming messages that are known to be spammers. The software can delete the message or put it into a separate mailbox for review. A black list spam filter can be implemented at the individual, organization, or ISP level. Several organizations, such as the Spam and Open Relay Blocking System, collect black lists and make them available to ISPs and company e-mail administrators. Other groups, such as the Spamhaus Project, track known spammers and publish lists of the mail servers they use. Some of these are free services; others charge a fee. The biggest drawback to the black list approach is that spammers frequently change their e-mail servers, which means that a black list must be continually updated to be effective. This updating requires that many organizations cooperate and communicate information about known spammers. A white list spam filter examines From addresses and compares them to a list of known good sender addresses (for example, the addresses in an individual’s address book). A white list filter is usually applied at the individual user level, although it is possible to do the filtering at the organization level if the e-mail administrator has access to all individuals’ address books (some companies mandate such access for security purposes). The main drawback to this approach is that it filters out any incoming messages sent by unknown parties, not just spam. Because the number of false positives (messages that are rejected but should not have been) can be very high for white list filters, the rejected e-mails are always placed into a review mailbox instead of being deleted.

5. In about 100 words, explain why laws designed to limit spam can be ineffective against many perpetrators.
Answer: Legal solutions to the spam problem have achieved only limited success in reducing spam because it is expensive for governments to prosecute spammers. To become cost effective, prosecutors must be able to identify spammers easily (to reduce the cost of bringing an action against them) and must have a greater likelihood of winning the cases they file (or must see a greater social benefit to winning). The best way to make spammers easier to find has been to make technical changes in the e-mail transport mechanism in the Internet’s infrastructure.

6. The CAN-SPAM law prohibits a business from including misleading information in an e-mail header if the message is related to a transaction. In about 100 words, explain why the drafters of the law considered this to be a serious issue.
Answer: E-mail headers and routing information, including the originating domain name and e-mail address, must be accurate and must identify the person who sent the e-mail. Altering the header information can make the e-mail look like it came from somewhere other than where it did. This can fool people into assuming a spam e-mail is legitimately coming from a known sender and in some cases trick people into giving out personal information. The use of deceptive e-mail headers is considered fraudulent and is viewed as a criminal offense.

7. Use W3C Link Checker or Elsop LinkScan Quick Check to check the links on any Web site of your choice. Print a few pages of the report and be prepared to turn them in to your instructor. Be patient. These programs can take some time to complete their work—especially on a Web page that has a large number of links.
Answer: Responses will vary. Partial result for www.theguardian.com:

8. In about 100 words, describe the key characteristics of a blade server and outline reasons that an online business might prefer to use blade servers for Web server applications.
Answer: Although some Web server computers are housed in freestanding cases, most are installed in equipment racks. These racks are usually about 6 feet tall and 19 inches wide. They can each hold from five to ten midrange server computers. An increasingly popular server configuration involves putting small server computers on a single computer board and then installing many of those boards into a rack-mounted frame. These servers-on-a-card are called blade servers, and some manufacturers now make them so small that more than 300 of them can be installed in a single 6-foot rack.

9. Large computing installations (such as server farms) can have significant impacts on the environment. In about 100 words, summarize these impacts and recommend measures that can be taken to reduce them.
Answer: The use of large collections of computers, especially powerful computers such as Web servers, requires significant amounts of electrical power to operate. Although much of this electrical power is used to operate the servers themselves, a substantial portion of it is used to cool the rooms in which the servers reside. Large computers generate tremendous amounts of heat.

10. In about 100 words, outline the benefits and costs of using a decentralized instead of a centralized server architecture for an online business operation.
Answer: Each approach (centralized and decentralized) has benefits and drawbacks. The decentralized architecture spreads risk over a large number of servers. If one server becomes inoperable, the site can continue to operate without much degradation in capability. The smaller servers used in the decentralized architecture are less expensive than the large servers used in the centralized approach. That is, the total cost of 100 small servers is usually less than the cost of one large server with the same capacity as the 100 small servers. However, the decentralized architecture does require additional hardware to connect the servers to each other. Most large decentralized sites use load-balancing systems, which cost additional money, to assign the workload efficiently.

Cases

Case 1: City of Asheville
1. Answers will vary. Students should detail their recommendations for using or not using a cloud computing service. In general, the use of cloud computing services to operate the City of Asheville mobile app server will be beneficial as the server will remain operational in the event of a disaster. On the downside, security and disaster recovery no longer lie within the control of the city. The cloud computing service contractor now becomes responsible for the protection of the data it hosts. If there is an issue with the cloud computing company, the server may not be accessible.
2. Answers will vary. Students should review hybrid cloud options and make appropriate recommendations for how the City of Asheville can implement this. They also may mention various pros and cons to this approach. Pros could include cost savings, increased security, and easier disaster recovery, while cons might include the ongoing cost for the cloud service and the need to design the existing network around the cloud service.

Case 2: Random Walk Shoes
1. Answers will vary.
Minimum Web server capacity - 2305.9 MB:
• Database management software – 500 MB
• Database of Web page information (including the images) – 1 TB
• Shopping cart software – 300 MB
• Site visitors (per month) – 18.4 MB
• Peak traffic load – 2.3 MB
• Cushion – 20%
2. Answers will vary. Some students may recommend Linux, an open-source operating system that is fast, efficient, and easy to install. It is also more stable and more secure than Windows.
3. Answers will vary. Amy might want to consider using content delivery networks since her customers will be viewing videos on her site. This will reduce the latency that her customers might otherwise experience when viewing the videos.

Chapter 9 Electronic Commerce Software

Review Questions

1. What are the main functions of a commerce service provider?
Answer: Commerce service providers (CSPs) are firms that often offer Web server management and rent application software (such as databases, shopping carts, and content management programs) to businesses.

2. How does Web server co-location differ from a shared Web server?
Answer: A shared Web server is a server that hosts multiple Web sites simultaneously. The service provider owns the server hardware and leases it to the client. The service provider maintains the Web server hardware and software, and provides the connection to the Internet through its routers and other network hardware. In a co-location service, the service provider rents a physical space to the client to install its own server hardware. The client installs its own software and maintains the server. The service provider is responsible only for providing a reliable power supply and a connection to the Internet.

3. Why might an online retailer choose to use a dynamic catalog rather than a static catalog?
Answer: A dynamic catalog can feature multiple photos of each item, detailed descriptions, and a search tool that allows customers to search for an item and determine its availability. Small online stores (those that sell fewer than 100 items) can sometimes get by with a very simple static catalog that is just a simple list of products or categories, and the organization of items on the Web site might not be particularly important. Such sites can provide a photo of each item that is a link to more information about the product. Most online sellers, however, want to incorporate into their sites the navigation aids and better product organization tools that are a part of dynamic catalogs. Good sites give buyers alternative ways to find products. Besides offering a well-organized catalog, large sites with many products can provide a search engine that allows customers to enter descriptive search terms, such as “men’s shirts,” so they can quickly find the Web page containing what they want to purchase.
4. Why is the stateless nature of the Internet a problem for shopping cart software?
Answer: Since the Internet does not retain information from one transmission or session to another, shopping cart software must store information about specific shoppers and their purchases. One way that shopping cart software does this is to create cookies; other implementations assign each shopper a temporary identifying number.

5. How might a dynamic pricing management program increase sales?
Answer: In an online business, dynamic pricing management software can adjust pricing in real time based on customer category, past purchase volume (in units or dollars), order size, or any other variable the seller chooses.

6. Outline the function of a fulfillment integration provider.
Answer: Many online sellers use third-party fulfillment services to deliver their products. Fulfillment integration software can connect a seller’s shopping cart directly to the fulfillment service provider’s computers so that shipping can be triggered by the shopping cart software automatically when the sale transaction is completed.

7. What is a product recommendation trigger?
Answer: Product recommendation triggers are software tools that respond to a customer’s product selection with suggestions for related products or refills for products that have consumable elements (such as blades for a razor). These triggers can also be set to remind a customer after a specified amount of time has passed since that customer purchased a consumable product.

8. What is shopping cart abandonment?
Answer: Shopping cart abandonment refers to when customers add items to their shopping carts and then terminate their session before completing the purchase.

9. Name the main functions of shopping cart software.
Answer: A shopping cart keeps track of the items the customer has selected and allows customers to view the contents of their carts, add new items, or remove items. To order an item, the customer simply clicks a button or link near the item’s description that indicates “add to cart” or similar language. All of the details about the item, including its price, product number, and other identifying information, are stored automatically in the cart. A good shopping cart allows the customer to view the cart’s contents and remove the unwanted items at any time during the session. When the customer is ready to conclude the shopping session, the click of a button executes the purchase transaction.

10. Why is the calculation of sales taxes a complex matter?
Answer: Businesses that establish nexus with a state must file sales tax returns and remit the sales tax they collect from their customers. If a business ships goods to customers in other states, it is not required to collect sales tax from those customers unless the business has established nexus with the customer’s state. Keeping track of whom to collect sales tax from, and calculating the tax when rates vary and change frequently, can prove difficult.

11. List the steps that must occur to process an online retail sales transaction.
Answer: Transaction processing occurs when the shopper proceeds to the virtual checkout counter by clicking a checkout button. Then the electronic commerce software performs any necessary calculations, such as volume discounts, sales tax, and shipping costs. At checkout, the customer’s Web browser software and the seller’s Web server software both switch into a secure state of communication.

12. Why would database management software be an important component of an online business Web site’s technology?
Answer: Online stores that sell many different products use databases to store product information, including size, color, type, and price details. Usually the Web site would pull the product information directly from the database for display on the site.

13. What is middleware?
Answer: Middleware is software that takes information about sales and inventory shipments from the electronic commerce software and transmits it to accounting and inventory management software in a form that these systems can read.

14. What is business logic?
Answer: Business logic is the set of rules of a particular business. An example of a business rule is the following: When a customer logs in, check the password entered against the password file in the database.

15. Why is application integration an important part of running an online business?
Answer: Application integration is important because, in many organizations, the business logic is distributed among many different applications that are used in different parts of the organization. Application integration is used to link these applications so the organization’s business logic can be interconnected.

16. Which business functions are integrated in a typical ERP system?
Answer: Enterprise resource planning (ERP) software packages are business systems that integrate all facets of a business, including accounting, logistics, manufacturing, marketing, planning, project management, and treasury functions.

17. What is the difference between software as a service (SaaS) and Web services?
Answer: The practice of offering software use online is called software as a service (SaaS). A Web service is a set of software and technologies that allow computers to use the Web to interact with each other directly, without human operators directing the specific interactions. A SaaS product provides a complete software package through a Web browser and generally includes interaction with human beings. Web services are designed to automate narrow, specific functions in the background and generally do not include interaction with human beings.

18. Briefly describe one example of a Web service that might be a useful part of an online business Web site.
Answer: Answers will vary. Some examples might include:
• J.P. Morgan Chase & Co. uses Web services in its investment information portal to pull information, such as general economic forecasts, financial analyses of specific companies, industry forecasts, and financial markets results, into online reports available to customers on the company’s portal site.
• Nationwide Building Society uses Web services to communicate automatically with mortgage application service companies. These service companies obtain information from consumers who want mortgages and then forward the information in a prescribed XML format to Nationwide, where its Web services software reformats the submission and enters it into Nationwide’s enterprise computer system. When Nationwide makes its lending decision, the Web service sends the decision back to the mortgage application service company’s computer.
• CUNA Mutual Group sells services to credit unions throughout the United States. Many of these services, such as check clearing, do not change much over time, so CUNA performs them running programs on old computer systems that they have been using for many years. Instead of reprogramming everything to be accessible on the Web, CUNA created a Web services layer that takes information from the old computer systems and generates Web pages that its customers can use to obtain those services.
• The MSN Money site buys stock quotes and other information from Morningstar, Inc., which delivers them, computer-to-computer, using Web services. If you view an MSN Money stock quote page, you can see the acknowledgement for those stock quotes (along with those of other Web services providers that contributed to the page) near the bottom of the Web page under the heading “Data Providers.”

19. What are the key differences between a basic commerce service provider (CSP) and a mall-style CSP?
Answer: Mall-style CSPs provide small businesses with a basic Web site, online store design tools, storefront templates, and an easy-to-use interface. These service providers charge a low monthly fee and may also charge one-time setup fees (similar to basic CSPs); however, others also charge a percentage of or fixed amount for each customer transaction.

20. What is the key function of a content management system as used in an online business?
Answer: The increased use of social media and networking as part of online business operations has made content management even more important as all kinds of Web sites now put content online. Content management systems help them organize, control, and move this information to and from their Web sites.

21. Name four types of information that might be useful inputs to a customer relationship management (CRM) system.
Answer: Four types of information that might be useful inputs could include data from customer touchpoints such as Web site interaction and phone calls; data from salespersons; data from transaction records; and data purchased from external sources such as call reports.

22. In about 100 words, summarize the advantages and disadvantages of using a mall-style commerce service provider such as eBay Stores or Amazon.com’s Pro Merchant program instead of operating a stand-alone electronic commerce site.
Answer: Mall-style CSPs provide small businesses with a basic Web site, online store design tools, storefront templates, and an easy-to-use interface. These service providers charge a low monthly fee and may also charge one-time setup fees (similar to basic CSPs); however, others also charge a percentage of or fixed amount for each customer transaction. Mall-style CSPs provide shopping cart software or the ability to use another vendor’s shopping cart software. They also provide payment-processing services so the online store can accept credit cards.

23. In one or two paragraphs, explain the functions of supply chain management software.
Answer: Supply chain management (SCM) software helps companies to coordinate planning and operations with their partners in the industry supply chains of which they are members. SCM software performs two general types of functions: planning and execution. Most companies that sell SCM software offer products that include both components, but the functions are quite different. SCM planning software helps companies develop coordinated demand forecasts using information from each participant in the supply chain. SCM execution software helps with tasks such as warehouse and transportation management.

24. Write a paragraph in which you explain the purpose of cloud computing.
Answer: Cloud computing allows companies to gain the benefits of software without having to install computing hardware and maintain it. As the software changes, users do not need to upgrade or reconfigure their servers. The vendor manages the entire software installation at its sites. The software user pays a subscription fee, which can be as low as a few hundred dollars per user per year.

Exercises

1. In one or two paragraphs, outline the differences between shared and dedicated hosting.
Answer: Shared hosting means that the client’s Web site is on a server that hosts other Web sites simultaneously. With dedicated hosting, the service provider makes a Web server available to the client, but the client does not share the server with other clients of the service provider. In both shared hosting and dedicated hosting, the service provider owns the server hardware and leases it to the client. The service provider maintains the Web server hardware and software, and provides the connection to the Internet through its routers and other network hardware.

2. In about 100 words, outline the key elements that should be a part of any electronic commerce software package.
Answer: Responses will vary, but should note that all electronic commerce software must provide the following elements:
• A catalog display
• Shopping cart capabilities
• Transaction processing
Larger and more complex electronic commerce sites need software that adds other features and capabilities to the basic set of commerce tools. These additional software components can include:
• Middleware that integrates the electronic commerce system with existing company information systems that handle inventory control, order processing, and accounting
• Enterprise application integration
• Web services
• Integration with enterprise resource planning (ERP) software
• Supply chain management (SCM) software
• Customer relationship management (CRM) software
• Content management software
• Knowledge management software

3. Giving online customers alternative paths that lead to products in which they might be interested is important. In about 100 words, explain how static and dynamic catalogs could either facilitate or inhibit customers as they try to find a particular product on a company’s Web site.
Answer: A dynamic catalog can feature multiple photos of each item, detailed descriptions, and a search tool that allows customers to search for an item and determine its availability. Small online stores (those that sell fewer than 100 items) can sometimes get by with a simple list of products or categories and the organization of items on the Web site might not be particularly important. Such sites can provide a photo of each item that is a link to more information about the product. Thus, a static catalog is sufficient for their needs. Most online sellers, however, want to incorporate into their sites the navigation aids and better product organization tools that are a part of dynamic catalogs. Good sites give buyers alternative ways to find products.
Besides offering a well-organized catalog, large sites with many products can provide a search engine that allows customers to enter descriptive search terms, such as “men’s shirts,” so they can quickly find the Web page containing what they want to purchase.

4. In about 200 words, explain why shopping cart abandonment could be a problem for an online retailer and describe at least two measures that can be taken to reduce its occurrence.
Answer: Shopping cart abandonment could be a problem because it indicates that something is keeping customers from following through with their transaction. This something could be any number of things. A customer may not feel comfortable entering personal information on the site, he may not completely trust the site, he may be turned off when costs aren’t made clear up front, particularly shipping costs, etc. Measures that can be taken might include redesigning the checkout form to help establish trust, making the transition between the shopping cart and the store seamless, or even offering multiple forms of payment. Abandoned shopping cart management software that enables the shopping cart to retain a record of what customers have added to their shopping carts when their session is terminated for some reason could also be used.

5. In two or three paragraphs, explain the difference between page-based application and component-based application systems. In your answer, be sure to outline which is preferable in an online business system design and explain why.
Answer: Application servers are usually grouped into two types: page-based and component-based systems. Page-based application systems return pages generated by scripts that include the rules for presenting data on the Web page with the business logic. Scripting tools used in page-based application systems include Adobe ColdFusion, Java Server Pages (JSP), Microsoft Active Server Pages (ASP), and Hypertext Preprocessor (PHP).
Because page-based systems combine presentation and business logic, they are hard to revise and update. To avoid this problem, an increasing number of businesses use a component-based application system that separates the presentation logic from the business logic. Each component of logic is created and maintained separately, which makes updating and changing elements of the system much easier. Because of this, component-based systems are preferable in an online business system design. The most common component-based systems used on the Web are Enterprise JavaBeans (EJBs), Microsoft COM, and the Object Management Group’s Common Object Request Broker Architecture (CORBA).

6. In a paragraph or two, describe the goals of enterprise application integration and explain why XML is often used in such efforts.
Answer: In many organizations, the business logic is distributed among many different applications that are used in different parts of the organization. In recent years, many IT departments have devoted significant resources to the creation of links among these scattered applications so that the organization’s business logic can be interconnected. The creation and management of these links is called application integration or enterprise application integration. The integration is accomplished by programs that transfer information from one application to another. For example, a program might transfer information from order entry systems in several different divisions to a single accounts receivable and sales system that integrates all enterprise-wide sales activity. In many cases, the data formats in the various programs are different and the transfer programs must edit and reformat the data before transferring it. Many systems use XML data feeds to move data from one application to another in these implementations.

7. In about 100 words, describe the idea behind software as a service (SaaS).
In your answer, include at least three examples of electronic commerce software packages or components that are offered as an SaaS.
Answer: Often, smaller businesses cannot afford to buy a full software implementation, so they find a company that offers a subscription to the software they might need. Instead of installing and customizing the software, businesses use a Web browser to access the software on the vendor’s site. This practice of offering software use online is called software as a service (SaaS). Some examples include NetSuite and FinancialForce, which offer subscriptions to ERP software, and Salesforce.com, which offers CRM software.

8. In about 200 words, outline the difference between the Simple Object Access Protocol (SOAP) and the Representational State Transfer (REST) principle as they are used in the creation of Web services. In your answer, discuss the advantages and disadvantages of each.
Answer: Simple Object Access Protocol (SOAP) is a message-passing protocol that defines how to send marked-up data from one software application to another across a network. Representational State Transfer (REST) is a principle that describes the way the Web uses networking architecture to identify and locate Web pages and the elements (graphics) that make up those Web pages. Some Web services designers who found SOAP to be overly complex for their applications turned to the REST idea and used it to structure their work. Web services that are built on the REST model are said to use RESTful design and are sometimes called RESTful applications. A RESTful application transfers structured information from one Web location to another. This structured information is most often an XML- or XHTML-tagged data set. The Web service is made available at a specific address (much as a Web page is made available at its URL) and can be accessed by any other computer that has a Web browser function. More than half of all Web services today are RESTful applications.

9.
Electronic commerce software must summarize sales and shipments. In about 100 words, explain how software for a small online store might accomplish this task and contrast it with how software for a large enterprise might do so.
Answer: Although a basic online store’s electronic commerce software can generate reports that summarize sales and inventory shipped, most midsize and larger companies use an accounting software package to record sales and inventory movements. To integrate effectively with accounting software, the electronic commerce software must communicate with that accounting software, which typically runs on other computers in the seller’s network. When an item is sold online, the electronic commerce software must communicate that fact to both the sales and inventory management modules in the accounting software.

10. In two or three paragraphs, outline the differences between knowledge management software and content management software. Include a description of at least one application of each that might be useful in an online business.
Answer: Knowledge management (KM) software is software that helps companies collect and organize information, share the information among users, enhance the ability of users to collaborate, and preserve the knowledge gained for future use. KM software helps companies do four main things: collect and organize knowledge, share the knowledge among users, enhance the ability of users to collaborate, and preserve the knowledge gained through the use of information so that future users can benefit from the learning of current users. The major software vendors have KM software offerings, including IBM and Microsoft SharePoint.
Content management software helps companies control the large amounts of text, graphics, and media files that have become crucial to doing business. Most content management software includes tools that help companies manage information that was once stored in paper reports, schedules, analyses, and memos.
The leading providers of content management software include IBM and Oracle, which provide the software as components in other enterprise software packages, and several smaller companies that provide stand-alone content management software.

11. In two or three paragraphs, explain how database software could be an important part of a customer relationship management system as used in an online business.
Answer: In its most basic form, CRM uses information about customers to sell them more (or more profitable) goods or services. This data needs to be collected and stored, and a database is a good solution. The implementation of a CRM system requires an integration of multiple data sources that have been cleaned and aggregated with an analytic engine that can make sense of the data using models that are continually revised to generate strategies for customized pricing, marketing campaigns, Web site special offers, and even catalog mailings that are synchronized with the online marketing effort.

Cases

C1. Moss Bros.
1. Answers will vary but some strategies might include: customized pricing strategies, marketing campaign strategies, and on-Web-site special offers.
2. Responses will vary. A simple diagram might look similar to the following:
3. Moss Bros. could use social media pages for specific events to promote their formal wear. For example, they might advertise on a social event’s Facebook page or Twitter feed.

C2. Annette’s Crafts
1. Answers will vary. Students could research CSPs such as Gate.com, ProHosting.com, 1&1 Internet, or Yahoo! (as shown below).
Yahoo! Small Business: Web hosting ($5.99 per month – no setup fees):
• Free domain
• Support – 24 hr phone and e-mail
• Site pages – unlimited
• E-mail addresses – 1000
• Disk space – unlimited
• Data transfer – unlimited
2. Mall-style CSPs provide small businesses with a basic Web site, online store design tools, storefront templates, and an easy-to-use interface.
These service providers charge a low monthly fee and may also charge one-time setup fees (similar to basic CSPs); however, others also charge a percentage of or fixed amount for each customer transaction. Mall-style CSPs provide shopping cart software or the ability to use another vendor’s shopping cart software. They also provide payment-processing services so the online store can accept credit cards.

Chapter 10 Electronic Commerce Security

Review Questions

1. Briefly explain the difference between physical and logical security.
Answer: Physical security includes tangible protection devices, such as alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings. Protection of assets using nonphysical means is called logical security.

2. What is a countermeasure?
Answer: A countermeasure is a procedure that recognizes, reduces, or eliminates a threat. The extent and expense of countermeasures can vary, depending on the importance of the asset at risk.

3. What is a white hat hacker?
Answer: A white hat hacker is a hacker who uses his skills for positive purposes.

4. Briefly explain what secrecy, integrity, and necessity are in the context of computer security.
Answer: Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data source. Integrity refers to preventing unauthorized data modification. Necessity refers to preventing data delays or denials (removal).

5. What is a man-in-the-middle exploit?
Answer: A man-in-the-middle exploit is a message integrity violation in which the contents of the e-mail are changed in a way that negates the message’s original meaning.

6. What is a security policy?
Answer: A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not.
A security policy should address physical security, network security, access authorizations, virus protection, and disaster recovery and should be a living document that is regularly reviewed and updated.

7. Provide one example of an integrity violation.
Answer: An integrity violation occurs, for example, when an e-mail message is intercepted and its contents are changed before it is forwarded to its original destination. That is, the integrity of the message has been violated. In this particular exploit, which is called a man-in-the-middle exploit, the contents of the e-mail are often altered in a way that changes the message’s original meaning.

8. What is a session cookie?
Answer: A session cookie is a cookie that exists only until you shut down your browser.

9. What is a third-party cookie?
Answer: A third-party cookie is a cookie that originates on a Web site other than the site being visited. These third-party Web sites usually provide advertising or other content that appears on the Web site being viewed. The third-party Web site providing the advertising is often interested in tracking responses to their ads by visitors who have already seen the ads on other sites.

10. What is a Web bug?
Answer: A Web bug (also called a Web beacon) is a tiny graphic that a third-party Web site places on another site’s Web page. When a site visitor loads the Web page, the Web bug is delivered by the third-party site, which can then place a cookie on the visitor’s computer. A Web bug’s only purpose is to provide a way for a third-party Web site (the identity of which is unknown to the visitor) to place cookies from that third-party site on the visitor’s computer.

11. What is active content?
Answer: Active content consists of programs that are embedded transparently in Web pages and that cause action to occur. These programs run when a client device loads the Web page. Active content programs can display moving graphics, download and play audio, or implement Web-based spreadsheet programs.
Active content can also place items into a shopping cart and compute a total invoice amount, including sales tax, handling, and shipping costs. Active content moves some processing work from the server to the client device.

12. What is a scripting language?
Answer: A scripting language is a programming language that provides scripts, or commands, that are executed. JavaScript and VBScript are both scripting languages; they provide scripts, or commands, that are executed on the client.

13. What is a zombie?
Answer: A zombie is a Trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers. The computers running the zombie are also sometimes called zombies.

14. What is a macro virus?
Answer: A macro virus is a type of virus that is coded as a small program, called a macro, and is embedded in a file formatted for use in a program, such as Microsoft Word or Excel, that can run the macro.

15. How is a multi-vector worm or virus a more severe threat than other worms or viruses?
Answer: A multi-vector virus is a more severe threat because it is a virus that can enter a computer system in several different ways (vectors).

16. Why is an SSL-EV digital certificate superior to an ordinary digital certificate?
Answer: To issue an SSL-EV certificate, a certification authority must confirm the legal existence of the organization by verifying the organization’s registered legal name, registration number, registered address, and physical business address. The CA must also verify the organization’s right to use the domain name and that the organization has authorized the request for an SSL-EV certificate.

17. What is ransomware?
Answer: Ransomware is a Trojan that encrypts files on the victim computer and demands a payment for the key to unlock them.

18. What is signed code?
Answer: The digital certificate is an example of signed code. Signed code serves the same function as a photo on a driver’s license or passport.
It provides proof that the holder is the person or organization identified by the certificate. A certificate supplies a level of assurance that the software is genuine and was created by a specific company, but does not imply anything about either the usefulness or quality of the downloaded program. The idea behind certificates is that if the user trusts the software developer, signed software can be trusted because, as proven by the certificate, it came from that trusted developer.

19. What is steganography?
Answer: The term steganography describes the process of hiding information (a command, for example) within another piece of information. This information can be used for malicious purposes. Frequently, computer files contain redundant or insignificant information that can be replaced with other information. This other information resides in the background and is undetectable by anyone without the correct decoding software. Steganography provides a way of hiding an encrypted file within another file so that a casual observer cannot detect that there is anything of importance in the container file.

20. What is a biometric security device?
Answer: A biometric security device is one that uses an element of a person’s biological makeup to perform the identification. These devices include writing pads that detect the form and pressure of a person writing a signature, eye scanners that read the pattern of blood vessels in a person’s retina or the color levels in a person’s iris, and scanners that read the palm of a person’s hand (rather than just one fingerprint) or that read the pattern of veins on the back of a person’s hand.

21. What is a backdoor?
Answer: A backdoor is an element of a program (or a separate program) that allows users to run the program without going through the normal authentication procedure for access to the program.
Programmers often build backdoors into programs while they are building and testing them to save the time it would take to enter a login and password every time they open the program.

22. Who are most likely to be victimized by a phishing expedition?
Answer: The most common victims of phishing expeditions are users of online banking and payment system (such as PayPal) Web sites.

23. Briefly describe what occurs in a denial-of-service attack.
Answer: The purpose of a necessity threat, which usually occurs as a delay attack, denial attack, or denial-of-service (DoS) attack, is to disrupt normal computer processing, or deny processing entirely. For example, slowing down the response time of any Web site could drive customers to competitors’ sites and discourage them from ever returning. The Internet Worm attack of 1998, which disabled thousands of computer systems that were connected to the Internet, was the first recorded example of a DoS attack.

24. What is a hash algorithm and when might it be used?
Answer: A hash algorithm is a security utility that mathematically combines every character in a message to create a fixed-length number (usually 128 bits in length) that is a condensation, or fingerprint, of the original message. It is a fingerprint for the message because it is almost certain to be unique for each message. Hash coding can indicate whether a message has been altered in transit because its original hash value and the hash value computed by the receiver will not match after a message is altered.

25. What is a message digest?
Answer: A message digest is a number that results from the application of an encryption algorithm to plain text information.

26. What is a dictionary attack?
Answer: A dictionary attack is one in which a program cycles through an electronic dictionary, trying every word and common name as a password.

27. How does a packet-filter firewall work?
Answer: Packet-filter firewalls examine all data flowing back and forth between the trusted network (within the firewall) and the Internet. Packet filtering examines the source and destination addresses and ports of incoming packets and denies or permits entrance to the packets based on a preprogrammed set of rules.

28. What is computer forensics?
Answer: The field of computer forensics is responsible for the collection, preservation, and analysis of computer-related evidence. Ethical hackers are often hired by companies to test their computer security safeguards. They are also hired by law enforcement agencies investigating crimes and by law firms undertaking investigations on behalf of their clients.

Exercises

1. Refer to Figure 10-1. In two paragraphs, identify and briefly describe two threats that you would place in Quadrant III and explain why you would classify them as Quadrant III threats.
Answer: Examples of threats will vary but should be ones that are deemed low risk and unlikely to occur. If they should occur, they are usually best ignored because the cost impact is low.

2. Best Cutting Boards (BCB) makes and sells handcrafted wood cutting boards online. BCB offers about 100 different products for sale on its Web site, which sees about 9000 visitors per month. The average transaction amount is $112 and it makes an average of 150 sales per day. BCB accepts four different credit cards and PayPal and has more than 100,000 registered customers in its database, which is stored along with all transaction data on its own Web server at the company’s offices in Des Moines, Iowa. In about 300 words, outline a draft security policy for the company’s Web server. Be sure to consider any threats that exist because the company stores customer credit card numbers, the customer database, and transaction information on the same computer. You can use the Web Links for this exercise to find samples of security policies and detailed guidelines for creating them.
Answer: Responses will vary, but students should consider the use of:
• Database encryption systems
• Intrusion detection systems
• Database activity monitors, audit, and database vulnerability scanners

3. In about 100 words, explain the difference between session cookies and persistent cookies. In your answer, be sure to include how each type of cookie is used.
Answer: There are two ways of categorizing cookies: by time duration and by source. The two kinds of time-duration cookie categories include session cookies, which exist until the Web client ends the connection (or “session”), and persistent cookies, which remain on the client computer indefinitely. Electronic commerce sites use both kinds of cookies. For example, a session cookie might contain information about a particular shopping visit and a persistent cookie might contain login information that can help the Web site recognize visitors when they return to the site on subsequent visits. Each time a browser moves to a different part of a merchant’s Web site, the merchant’s Web server asks the visitor’s computer to send back any cookies that the Web server stored previously on the visitor’s computer.

4. Write a paragraph in which you explain the concept of a sandbox and describe how it can be used to reduce security risks in client computers.
Answer: Java adds functionality to business applications and can handle transactions and a wide variety of actions on a client computer. This relieves an otherwise busy server-side program from handling thousands of transactions simultaneously. Once downloaded, however, embedded Java code can run on a client’s computer and cause damage, run a Trojan horse, or turn the computer into a zombie. To counter this threat, the Java sandbox security model was developed. The Java sandbox confines Java applet actions to a set of rules defined by the security model. These rules apply to all untrusted Java applets.
Untrusted Java applets are those that have not been established as secure. When Java applets are run within the constraints of the sandbox, they do not have full access to the client computer.

5. In a paragraph or two, explain what a botnet is and how it could cause more damage than a single Trojan horse attack.
Answer: When a Trojan horse (or other type of virus) has taken over a large number of computers (and thus made them into zombies), the person who planted the virus can take control of all the computers and form a botnet (short for robotic network) that can act as an attacking unit, sending spam or launching denial-of-service attacks against specific Web sites.

6. In about 100 words, explain what assurances a certification authority (CA) provides to a business that purchases one of its digital certificates. In your answer, describe what general procedures a CA typically follows before issuing a digital certificate.
Answer: Digital certificates are issued to organizations or individuals by a certification authority (CA). A CA requires entities applying for digital certificates to supply appropriate proof of identity. Once the CA is satisfied, it issues a certificate. Then, the CA signs the certificate, and its stamp of approval is affixed in the form of a public encryption key. The public encryption key “unlocks” the certificate for anyone who receives the certificate attached to the publisher’s code. Digital certificates cannot be forged easily. In effect, the CA guarantees that the individual or organization that presents the certificate is who or what it claims to be.

7. Write a paragraph in which you explain how remote wipe software can increase security for the user of a mobile device.
Answer: Almost all mobile devices include software that allows the owner to initiate a remote wipe if the device is stolen.
A remote wipe clears all of the personal data stored on the device, including e-mails, text messages, contact lists, photos, videos, and any type of document file. If a mobile device does not include remote wipe software, it can be added as an app.

8. In a paragraph or two, describe the purpose and use of a sniffer program.
Answer: Software applications called sniffer programs provide the means to record information that passes through a computer or router that is handling Internet traffic. Using a sniffer program is analogous to tapping a telephone line and recording a conversation. Sniffer programs can read e-mail messages and unencrypted Web client–server message traffic, such as user logins, passwords, and credit card numbers.

9. In about 100 words, describe the function of an anonymous Web service and explain why an individual or company might want to use such a service.
Answer: Web users continually reveal information about themselves when they use the Web. This information includes IP addresses and the type of browser being used. Such data exposure is a secrecy breach. Several companies and organizations offer anonymous Web services that hide personal information from sites visited. These services provide a measure of secrecy to Web surfers who use them by replacing the user’s IP address with the IP address of the anonymous Web service on the front end of any URLs that the user visits. When the Web site logs the site visitor’s IP address, it logs the IP address of the anonymous Web service rather than that of the visitor, which preserves the visitor’s privacy.

10. In about 200 words, explain the differences between private-key encryption and public-key encryption. In your answer, include examples of when and why each might be used.
Answer: Private-key encryption encodes a message with an algorithm that uses a single numeric key, such as 456839420783, to encode and decode data.
Because the same key is used, both the message sender and the message receiver must know the key. Encoding and decoding messages using symmetric encryption is very fast and efficient. However, the key must be guarded. If the key is made public, then all messages sent previously using that key become vulnerable, and the keys must be changed. In highly secure environments such as banking or the military, private-key encryption is commonly used.
Public-key encryption encodes messages by using two mathematically related numeric keys. One key of the pair, called a public key, is freely distributed to anyone interested in communicating securely with the holder of both keys. The public key is used to encrypt messages using one of several different encryption algorithms. The second key, called a private key, is kept by the key owner. The owner uses the private key to decrypt all messages received. Digital signatures are created with public-key encryption.

11. Using your favorite search engine or the resources of your library, identify firewall issues that might arise for a company that uses cloud computing in its online sales system. In about 100 words, summarize your findings in terms of the perimeter expansion problem.
Answer: Responses will vary. As more organizations rely on cloud computing for crucial production systems, the need for security in cloud environments is increasing. The development of firewalls that work with cloud computing is advancing rapidly but has lagged behind the need for these products. Instead of establishing security policies for each server, these firewalls must enforce a single set of policies across all of the servers in the cloud. One problem with cloud environments is that the servers and databases in the cloud are started up and wound down as needed. Thus, the type of identifiable servers that most firewall products are designed to protect does not exist in the same form in cloud server environments.

Cases

C1. Adobe Analytics
1.
The students may find Adobe’s privacy statement here: http://www.adobe.com/privacy/policy.html with a discussion on cookies here: http://www.adobe.com/privacy/cookies.html. Students should discuss how easy it was to find these sites and whether they think the sites clearly present the privacy options. They should also discuss whether they feel the company adequately protects the privacy of the computers they place cookies on.
2. Responses will vary but the students should discuss privacy concerns and whether they think Adobe is being deceitful using domains that aren’t easily identifiable as Adobe.
3. Responses will vary but the students should discuss the ethical issues that arise from having cookies placed by a company other than the one the user is knowingly visiting.

C2. Materials Equipment
1. Answers should include the following information:
• A digital certificate or digital ID is an attachment to an e-mail message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be. In addition, the digital certificate contains a means to send an encrypted message (encoded so others cannot read it) to the entity that sent the original Web page or e-mail message.
• Encryption is the coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible.
2. Answers will vary. Students may suggest the company use encrypted e-mail to protect its e-mail messages against secrecy violations. Secrecy countermeasures protect outgoing messages.
3. Answers will vary. Students should note that a digital certificate is a signed message or code. Signed code or messages serve the same function as a photo on a driver’s license or passport. They provide proof that the holder is the person identified by the certificate. That is, a digital ID verifies a Web site to a shopper and, optionally, identifies a shopper to a Web site.

Solution Manual for Electronic Commerce, Gary P. Schneider, 9781305867819
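The following is an added worked example for Chapter 10 review questions 24 and 25 (hash algorithms and message digests) and the man-in-the-middle exploit of questions 5 and 7; it is not code from the solution manual or the textbook. It uses Python's standard hashlib and hmac modules, and the order text and shared key are constructed sample values. It also goes one step past the answer to question 24: a plain digest detects accidental alteration, but an interceptor who rewrites the message can recompute the digest too, so a keyed digest (HMAC) is shown alongside it.

```python
"""Added example for Chapter 10 review questions 24 and 25 (hash algorithms and
message digests) and the man-in-the-middle exploit of questions 5 and 7.  Not
code from the textbook.  The order text and the shared key are constructed
sample values; the digest functions come from Python's standard hashlib/hmac."""
import hashlib
import hmac


def message_digest(message: bytes, algorithm: str = "sha256") -> str:
    """Combine every byte of the message into a fixed-length fingerprint (hex)."""
    return hashlib.new(algorithm, message).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output length in bits.  MD5 produces the 128-bit digests the answer to
    question 24 mentions; SHA-256 produces 256 bits."""
    return hashlib.new(algorithm).digest_size * 8


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests.  Changing a few words of the input
    flips roughly half of the output bits, which is why the digest works as a
    fingerprint rather than a checksum that small edits could slip past."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def altered_in_transit(received: bytes, sent_digest: str,
                       algorithm: str = "sha256") -> bool:
    """Receiver-side check from question 24: recompute the digest of what
    arrived and compare it with the digest the sender computed."""
    return not hmac.compare_digest(message_digest(received, algorithm), sent_digest)


def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: a digest that also depends on a shared secret key.  An
    interceptor who rewrites the message can recompute a plain digest, but
    cannot produce a matching keyed digest without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authentic(key: bytes, received: bytes, received_tag: str) -> bool:
    """True only if the message came from a holder of the shared key and has
    not been changed since the tag was computed."""
    return hmac.compare_digest(keyed_digest(key, received), received_tag)


# Constructed sample data (not from the textbook).
ORDER = b"Ship 150 cutting boards to 123 Main St, Des Moines, IA"
TAMPERED = b"Ship 150 cutting boards to 9 Other Rd, Elsewhere, NV"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def demo() -> dict:
    """Walk through the honest delivery, the detected alteration, and the case a
    plain digest cannot catch: the interceptor replaces the digest as well."""
    sent_digest = message_digest(ORDER)
    return {
        "digest_hex_chars": len(sent_digest),
        "bits_changed_by_edit": differing_bits(sent_digest, message_digest(TAMPERED)),
        "honest_delivery_flagged": altered_in_transit(ORDER, sent_digest),
        "tampered_delivery_flagged": altered_in_transit(TAMPERED, sent_digest),
        # man in the middle rewrites the text AND attaches a fresh plain digest
        "tampered_with_new_digest_flagged":
            altered_in_transit(TAMPERED, message_digest(TAMPERED)),
        # with a keyed digest the same substitution is rejected
        "tampered_with_forged_keyed_digest_accepted":
            authentic(SHARED_KEY, TAMPERED, keyed_digest(b"guess", TAMPERED)),
        "honest_keyed_digest_accepted":
            authentic(SHARED_KEY, ORDER, keyed_digest(SHARED_KEY, ORDER)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```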
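The following is an added worked example for Chapter 10 review question 27 (packet-filter firewalls), not code from the solution manual or the textbook. It is a stateless filter that, as the answer describes, looks only at source and destination addresses, protocol and destination port and applies a preprogrammed rule list. The addresses and rules are constructed for illustration (a Web server that also hosts its database, as in exercise 2); the shadowed-rule check goes beyond the answer to show why rule order matters.

```python
"""Added example for Chapter 10 review question 27 (packet-filter firewalls).
Not code from the textbook: a small, stateless packet filter that looks only
at source/destination addresses, protocol and destination port, like the ones
the answer describes.  All addresses and rules below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = ANY               # CIDR network the source address must fall in
    dst: str = ANY               # CIDR network the destination must fall in
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Evaluate rules top to bottom; the first match decides.  A packet that
    matches no rule is dropped (implicit default deny) and reported with None."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they would match.  A shadowed deny is a common
    misconfiguration: the protection it was meant to provide is silently lost."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed perimeter rule set: trusted network behind the firewall, with a
# Web server that (like BCB in exercise 2) also runs its database (TCP 3306).
TRUSTED_NET = "192.168.10.0/24"
WEB_SERVER = "192.168.10.20/32"
GOOD_RULES = [
    Rule("permit", dst=WEB_SERVER, proto="tcp", dport=80),    # 0: HTTP from anywhere
    Rule("permit", dst=WEB_SERVER, proto="tcp", dport=443),   # 1: HTTPS from anywhere
    Rule("deny", dst=TRUSTED_NET, proto="tcp", dport=3306),   # 2: database never from outside
    Rule("permit", src=TRUSTED_NET),                          # 3: outbound from inside
]

# Same intent, wrong order: the broad permit in position 0 hides the deny.
BAD_RULES = [
    Rule("permit", dst=TRUSTED_NET),
    Rule("deny", dst=TRUSTED_NET, proto="tcp", dport=3306),
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.168.10.20", "tcp", 443),   # customer browsing
        Packet("203.0.113.7", "192.168.10.20", "tcp", 3306),  # outside host probing the DB
        Packet("192.168.10.5", "198.51.100.9", "tcp", 443),   # staff browsing out
        Packet("203.0.113.7", "192.168.10.21", "udp", 53),    # nothing matches: default deny
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(GOOD_RULES, pkt))
    print("shadowed rules in BAD_RULES:", shadowed_rules(BAD_RULES))
```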
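The following is an added worked example for Chapter 10 review questions 8 and 9 and exercise 3, not code from the solution manual or the textbook. It classifies the cookies set during one page load along the two axes the answers give: time duration (session versus persistent) and source (first-party versus third-party, including a Web bug from an advertiser). The page URL, response URLs and Set-Cookie headers are constructed samples, and the registrable-domain helper is a simplification that does not consult the Public Suffix List.

```python
"""Added example for Chapter 10 review questions 8 and 9 and exercise 3:
classify the cookies a page visit sets as session or persistent (by time
duration) and as first- or third-party (by source).  Not code from the
textbook; the URLs and Set-Cookie headers below are constructed samples."""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Site identity used for the first/third-party decision.  Simplification:
    the last two labels of the host name; a real audit tool would consult the
    Public Suffix List so that names like 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_set_cookie(page_url: str, response_url: str,
                        set_cookie: str) -> List[Dict[str, object]]:
    """Describe each cookie in one Set-Cookie header received while rendering
    page_url.  response_url is the URL of the response that carried the header
    (the page itself, a script, an image, or a third-party Web bug)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    page_site = registrable_domain(urlsplit(page_url).hostname)
    setter_site = registrable_domain(urlsplit(response_url).hostname)
    results = []
    for name, morsel in jar.items():
        # Exercise 3: a cookie with neither Expires nor Max-Age lives only until
        # the browser is closed; either attribute makes it persistent.
        lifetime = "persistent" if (morsel["expires"] or morsel["max-age"]) else "session"
        # Question 9: a cookie set by a site other than the one being visited.
        party = "first-party" if setter_site == page_site else "third-party"
        results.append({
            "name": name,
            "lifetime": lifetime,
            "party": party,
            "secure": bool(morsel["secure"]),      # sent only over HTTPS
            "httponly": bool(morsel["httponly"]),  # not readable by active content
        })
    return results


def tracking_cookies(page_url: str,
                     responses: List[Tuple[str, str]]) -> List[str]:
    """Names of persistent third-party cookies: the combination that lets an
    advertiser recognise the same visitor across sites and return visits."""
    found = []
    for response_url, header in responses:
        for cookie in classify_set_cookie(page_url, response_url, header):
            if cookie["party"] == "third-party" and cookie["lifetime"] == "persistent":
                found.append(cookie["name"])
    return found


# Constructed page load: the store's own responses plus one advertiser's Web bug.
PAGE = "https://www.example-store.test/cart"
RESPONSES = [
    (PAGE, "cartid=8f2a; Path=/; Secure; HttpOnly"),
    (PAGE, "login=u7; Max-Age=2592000; Path=/; Secure; HttpOnly"),
    ("https://cdn.example-store.test/app.js", "ab=1; Path=/"),
    ("https://ads.example-tracker.test/pixel.gif",
     "uid=Z9; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Domain=.example-tracker.test; Path=/"),
]

if __name__ == "__main__":
    for url, header in RESPONSES:
        for cookie in classify_set_cookie(PAGE, url, header):
            print(cookie)
    print("tracking cookies:", tracking_cookies(PAGE, RESPONSES))
```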