You are missing the point entirely, all the things you mentioned are optional and in addition to the functionality of a single piece of paper. If you can't handle the distraction, opt out of it.
Personally, I wouldn't have made it through uni without these distractions during class and without having all the lectures posted on-line for when I didn't feel like attending -- which was most of the time...pretty much all of the time actually.
People learn at their own pace so why not let them do just that -- and it works best for the university too.
I still paid tuition and I imagine I saved them some money by not using their facilities/resources that much; and because I had a lot of free time I came out of uni with both a degree and a nice OSS project -- which have been much more helpful in finding employment than my degrees.
Because all it would take to break through the auth (or whatever the SSL certs were used for) would be to mess with the system clock -- could be hard, could be easy, doesn't matter, it'd be one more liability.
...with forward dates breaking my tests.
I've had mock SSL certs and HTTP cookie jars that both expired and made it seem like the system was failing all over the place during unit/integration/general testing.
So just watch out in general because this can swing either way...
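Both directions of the clock problem raised in the two comments above, as an added example (not code from either commenter): a TLS client's validity check and a cookie jar's expiry check both trust whatever `now` they are handed, so moving the system clock back revives an expired credential, while a fixture frozen at an absolute date rots as the calendar moves on. It uses only the Python standard library; the certificate dict mimics the shape of `ssl.SSLSocket.getpeercert()` but its values, the cookie and the domain `test.example` are constructed.

```python
"""Time-bounded credentials and the system clock (added example)."""
import ssl
import time
from http.cookiejar import Cookie

# Constructed: a getpeercert()-style dict for a mock certificate whose
# validity window is one fixed calendar year.
MOCK_CERT = {
    "subject": ((("commonName", "test.example"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}


def cert_valid_at(cert, now):
    """True if `now` (POSIX seconds) lies inside the certificate's window.

    This is the same decision a TLS client makes against its local clock:
    it trusts `now`, so a wrong clock gives a wrong answer.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now < not_after


def rewound_clock(cert, slack=3600):
    """The clock value someone who controls the system time would pick:
    a little before notAfter, so an expired certificate validates again."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) - slack


def make_cookie(name, value, expires):
    """Build an http.cookiejar.Cookie with an absolute expiry (POSIX seconds).

    Constructed fixture; domain/path are hypothetical.
    """
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain="test.example", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=True, expires=expires, discard=False,
        comment=None, comment_url=None, rest={},
    )


def cookie_valid_at(cookie, now):
    """Expiry check exactly as CookieJar does it, but with an explicit clock."""
    return not cookie.is_expired(now)


def fixture_report(now):
    """Compare a fixture minted relative to `now` with one frozen at a date.

    Returns (relative_ok, frozen_ok): the frozen one is the test that starts
    failing 'all over the place' once real time passes its expiry.
    """
    relative = make_cookie("session", "abc", expires=int(now) + 3600)
    frozen = make_cookie("session", "abc",
                         expires=ssl.cert_time_to_seconds(MOCK_CERT["notAfter"]))
    return cookie_valid_at(relative, now), cookie_valid_at(frozen, now)


if __name__ == "__main__":
    real_now = time.time()
    # Direction one: the mock cert is long expired under the real clock...
    print("cert valid at real clock:", cert_valid_at(MOCK_CERT, real_now))
    # ...but passes again under a rewound clock, without touching the cert.
    print("cert valid at rewound clock:", cert_valid_at(MOCK_CERT, rewound_clock(MOCK_CERT)))
    # Direction two: relative fixture keeps working, frozen fixture has rotted.
    print("fixtures (relative, frozen):", fixture_report(real_now))
```

The practitioner's takeaway is the `now` parameter: production code should take time from a trusted source and reject windows that are absurdly wide, and test code should inject the clock rather than call `time.time()` so fixtures are generated relative to it instead of pinned to a date that will eventually pass.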
Well, yes and no. As a leader/owner of an F/OSS project myself, a reviewed and tested legal framework, along with some operation guidelines, would be immensely helpful in "business" situations or any time monetary issues are at hand.
That's probably what they meant with "to provide consistent direction across many projects", not some plan to force everyone to rank and file under their command.
And since no-one is born with universal knowledge of every imaginable field then that sort of thing would benefit medium (or even largish) sized minds by saving them from a boatload of research and brain-melting legalese.
...or does it look like the US and the UK are like 2 mirrors opposite to each other bouncing stupidity back and forth?
I'm genuinely not trying to be offensive, I spent most of my adult life in the UK and plan to move to the US eventually for business reasons but how frustrating is this? That's like saying that you can't reserve a table for a night out with the guys because the group is not diverse enough.
No seriously, what's the difference?
You reserve a space to facilitate an exchange of ideas between like minded people -- Ruby devs for the conf and buddies for the night out.
Or is it because the conf has sponsors and someone's afraid that someone else will use their endorsing of a seemingly non-diverse conf line-up to bad mouth them?
In which case everyone goes into ultra-ass-covering mode...and that isn't that comforting of a stance either.
I don't really have a point to make, mostly venting and hoping that someone will post a comment to convincingly demonstrate that the situation isn't that bad...somehow.
Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?
Try running eEye Retina against a Red Hat box. At least half of the findings are because Retina is simply checking version numbers and doesn't understand that Red Hat backports fixes. There are also a bunch of false positive findings for Microsoft products, where for example it doesn't differentiate between XP 32-bit and 64-bit (64-bit settings should follow the 2003 guidelines).
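The backport false positive described above, as an added example (not code from the commenter or from any scanner): a banner-style check compares the installed upstream version against the version in which upstream fixed a bug, so a package that carries the fix under the old version number with a bumped release tag gets flagged. The second function consults vendor errata before flagging. Package names, versions, the advisory ID `ADV-0001` and both lookup tables are constructed for illustration; a real decision needs the distribution's own errata feed.

```python
"""Version-banner check vs. backport-aware check (added example)."""
import re


def _tokens(s):
    # RPM-style segment comparison: split into runs of digits and letters.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_cmp(a, b):
    """Compare two version or release strings; returns -1, 0 or 1.

    Numeric segments compare numerically, alphabetic ones lexically, and a
    numeric segment outranks an alphabetic one at the same position.
    """
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def parse_nvr(nvr):
    """'openssl-1.0.1e-34.el7' -> ('openssl', '1.0.1e', '34.el7')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


# Constructed: the only thing a version-banner scanner knows,
# advisory -> (package, first upstream version without the bug).
UPSTREAM_FIXED = {
    "ADV-0001": ("openssl", "1.0.1g"),
}

# Constructed vendor errata: advisory -> (package, base version, minimum
# release of that same base version that carries the backported fix).
VENDOR_BACKPORTS = {
    "ADV-0001": ("openssl", "1.0.1e", "16.el7"),
}


def naive_findings(installed_nvr):
    """Banner check: installed version < upstream fixed version -> flag."""
    name, ver, _rel = parse_nvr(installed_nvr)
    return sorted(adv for adv, (pkg, fixed) in UPSTREAM_FIXED.items()
                  if pkg == name and rpm_cmp(ver, fixed) < 0)


def backport_aware_findings(installed_nvr):
    """Same check, but drop findings the vendor has already fixed in-place."""
    name, ver, rel = parse_nvr(installed_nvr)
    out = []
    for adv in naive_findings(installed_nvr):
        pkg, base_ver, fixed_rel = VENDOR_BACKPORTS.get(adv, (None, None, None))
        if (pkg == name and rpm_cmp(ver, base_ver) == 0
                and rpm_cmp(rel, fixed_rel) >= 0):
            continue  # fix shipped under the old version number
        out.append(adv)
    return out


if __name__ == "__main__":
    for nvr in ("openssl-1.0.1e-34.el7", "openssl-1.0.1e-3.el7", "openssl-1.0.1g-1.el7"):
        print(nvr, "naive:", naive_findings(nvr), "aware:", backport_aware_findings(nvr))
```

The same shape of error explains the Windows case in the comment: a check keyed on the product name alone, without the architecture, applies the wrong baseline. Whenever a finding is "version X is below Y", verify it against the vendor's changelog or errata before reporting it.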
Ah OK, I feel the need to point out that webappsec scanners and this sort of service fingerprinter are, operationally, completely different systems. Their designs may be similarly modular and web scanners may include some tests that rely on fingerprinting known vulnerable web apps or backdoor shells but the ones like mine and WhiteHat's Sentinel are focused more on fuzzing/injecting inputs.
Paradoxically, this is harder to get right but on the other hand the responses you get can give you enough data to make a more confident decision.
So 50% FPs in these systems is abysmal since the best of us are actually striving for 0% -- which in reality is an impossible standard considering the heterogeneous nature of the web but you're in it to make something as best as it can be, hopefully.
Thus, you may see some FPs or abnormal results but they'll probably be limited to a bug in a single test, so if there's a bug in the XSS check you'll see a lot of XSS FPs but the rest of the results will be unaffected. Or, it can be broader than that, like a flawed implementation of an analysis technique, so subsequent tests that rely on that technique might report FPs -- like if your timing-attack implementation is not resilient or intelligent enough to account for a dead/overloaded server (and stuff like that) you might get back FPs that report that OS command injection or PHP code injection was detected by a module/test that relies on timing attacks.
By necessity, things are quite compartmentalized in order to be maintainable and that has the nice side-effect of failures also being compartmentalized.
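The timing-attack failure mode from the comment above, as an added example (not code from the commenter or from any scanner): a check that flags an injection because a single response took longer than the injected delay fires on any overloaded host, so every module built on it (OS command injection, code injection) inherits the false positive. The second check measures a baseline with a harmless control input, demands the delay on every sample, and interleaves control requests so a server that is simply slow does not pass. The target is a constructed simulator that returns response times; the payload string and the thresholds are hypothetical.

```python
"""Timing-based injection check: naive vs. baseline-aware (added example)."""
import random
import statistics

DELAY = 5.0  # seconds the injected sleep payload adds if it executes


class SimServer:
    """Constructed stand-in for a target: returns a response time per request."""

    def __init__(self, base_latency, jitter, vulnerable, seed=0):
        self.base, self.jitter, self.vulnerable = base_latency, jitter, vulnerable
        self.rng = random.Random(seed)

    def request(self, payload):
        t = self.base + self.rng.uniform(0, self.jitter)
        if self.vulnerable and "sleep" in payload:
            t += DELAY
        return t


def naive_timing_check(server, payload, threshold=DELAY):
    """One request; flag if it took at least as long as the injected delay.

    A dead or overloaded host trips this with no injection at all.
    """
    return server.request(payload) >= threshold


def robust_timing_check(server, payload, samples=5, fraction=0.8):
    """Baseline-aware version.

    1. Measure the server with a harmless control input.
    2. Derive a ceiling that tolerates the observed jitter.
    3. Require every injected request to exceed ceiling + most of DELAY,
       and require a control request after each one to stay below it,
       otherwise the slowness belongs to the server, not the payload.
    """
    control = "1"  # harmless input, hypothetical
    base = [server.request(control) for _ in range(samples)]
    ceiling = max(base) + statistics.pstdev(base)
    bar = ceiling + DELAY * fraction
    for _ in range(samples):
        if server.request(payload) < bar:
            return False          # delay did not materialise
        if server.request(control) >= bar:
            return False          # control is slow too: overloaded server
    return True


if __name__ == "__main__":
    payload = "1; sleep 5"  # hypothetical OS command injection probe
    cases = {
        "healthy, vulnerable": SimServer(0.2, 0.1, vulnerable=True),
        "healthy, not vulnerable": SimServer(0.2, 0.1, vulnerable=False),
        "overloaded, not vulnerable": SimServer(6.0, 3.0, vulnerable=False),
    }
    for label, srv in cases.items():
        print(f"{label:28s} naive={naive_timing_check(srv, payload)} "
              f"robust={robust_timing_check(srv, payload)}")
```

The overloaded server is the case that matters: the naive check reports an injection, the baseline-aware one does not, and because the decision lives in one shared helper the fix lands once for every module that depends on it. The price is request volume, a genuinely slow and vulnerable host may be missed (a false negative), which is the trade-off the comment's "striving for 0%" refers to.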
Automated tools are here to pick the low hanging fruit;
You should always validate their findings manually;
You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.
Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?
As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.
Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.
Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles in order to just be able to finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either so just use some common sense and balance your expectations.
Not quite, if I recall correctly, it wasn't behaving as a racer, it just did a GPS-navigated lap of the track -- a human took it for a spin, it recorded the lines and then just replayed them. And it was a regular model (maybe even diesel), not a performance (M-something) one.
There wasn't anything remotely related to the title, no video, no telemetry not even laptimes. And "measly seconds"? Full seconds under racing conditions are not "measly". I was really disappointed, the title sounded really promising...
Maybe in the good'ol days, but unless my memory fails me, they crumbled a few years ago under international pressure in order to assist in investigating tax evaders.
PS. The "good'ol days" part was added for comedic effect, I'm actually Greek and have been paying taxes since I got my first semi-real job at 17.
The deal is simple, emotional detachment/hyper-rationality provides an objective view of things. An objective view allows you to see what's really going on instead of what most people perceive to be going on. And yeah these are psychopathic traits although they can be developed by non-natural-born psychopaths as well, with the right conditioning.
Also, psychopath != sociopath, so please do quit bitching (not you specifically, although I keep seeing this assumption pop up a lot around here). Just because someone doesn't care about your silly ass problems doesn't mean he's evil, or even marginally mischievous.
That sounds like a bad idea, that strays a lot from networking.
Not to mention the fact that if someone has memory management/layout related knowledge he'll already know about buffer-overflows, ROP and other related security matters and will most likely also have a decent amount of programming experience (unless they meant a "looked at a memory layout diagram once" level knowledge).
I'm curious now...I may sign up just to see how they'll weave these different topics together in their material.
My thoughts exactly...Also, why would knowledge of these areas be a prerequisite for a networking class to begin with?
I'm not being snide, I'd actually like an answer if possible.
Give him his own office, a supply of fast food, sodas, coffee and energy drinks and let him work on the weird stuff that would defeat the others.
Why did everything get so touchy-feely all of a sudden? Why can't a guy just work in peace without having to tip-toe around the feelings of all the precious little snowflakes?
Now, if he goes out of his way to piss people off and promote general chaos and destruction then kick his ass out, otherwise suck it up.
Going the extra mile and notifying the users would have undoubtedly made a good impression but this situation resembles someone grepping a website for QOTDs and then complaining that his regexp no longer works because the site's HTML code changed or the quotes were removed altogether. Bottom line is, tough luck. When something is not supported then it's not supported, how much clearer can you get?
That's true...I wouldn't want to work with a guy my dad's age wearing a miniskirt, or any other age for that matter.
This would work if the files weren't encrypted.
Damn it! *breaking* /facepalm
Not to bait you but you didn't actually debunk his post, are there any Win users here that use multiple monitors to give us a comparison?
Everybody knows you don't go full retard...
I didn't get even a tiny bit of wood on the ball, thanks man.
Why is parent modded at -1? Seriously, just look around and play with them wtf?
The EXT4 file-system can experience data loss if the file-system is remounted (or the system rebooted) too often.
We're talking about Linux users here...move along.
...as of 3mins ago and will keep supporting them in hopes of seeing more headlines like these, pure comedy. Thank you PETA.
The size of your need for attention is disturbing.
PS. I'm not a Python fan, I actually dislike it.