Diversity is just a form of security through obscurity. Which we all know is bad, as it is anathema to the Open Source philosophy.
Diversity means using multiple implementations so they are not all compromised. This is not obscurity. For example, let's say a cracker exploits a security flaw in a version of Linux to gain access to your network. If you have a heterogeneous network, then he will not crack your OpenBSD boxes. This is not obscurity. Obscurity would be trying to make it hard to find those Linux boxes.
Diversity is one of the foundations of the Open Source philosophy. OSS is all about choice, and without a diverse selection of software, we have no choice. For a concrete example, look at web browsers. How many free/OSS web browsers are there now? Try telling me this diversity goes against the grain of OSS.
I was under the impression (probably because of one of those feverish Discovery marathons I tend to engage in when I get tired of coding) that the nice folks who guard US installations that contain either nuclear weapons or nuclear materials are allowed under federal mandate to shoot to kill. In fact that's what the warning messages posted along the fences of those facilities read - "lethal force authorized" or some such.
True. When defending nuclear, chemical or biological weapons, deadly force is authorized. Shoot first, ask questions later. I do not know if this is true for security that is contracted out, but I do know for a fact that for military personnel (such as myself) it is true. And just in case you think that the U.S. government does not have chemical or biological weapons, think again. We have tons more than Saddam. Maybe the U.N. will come knocking on the White House door to inspect and disarm next?
NASA is already mostly privatized. Most of the work is done by contractors and by contracted aerospace corps. NASA primarily acts as a coordinator. I suspect that'll continue.
This is true. Contractors build the launch vehicles such as the shuttles, rockets for unmanned missions, probes such as the Voyager, etc. And I am sure they also sweep the floors and scrub the toilets. I do not think NASA engineers do that. But what I am referring to is talk about contracting out everything, and making NASA a private organization with Federal oversight similar to the IRS or postal service.
The wing does not have 'titanium shielding'.
Perhaps it is an oversimplification. It really is an alloy. Either way, the leading edge of the wings do not have tiles, they have a titanium alloy similar to the paint on the SR-71 Blackbird. The same is true for the nose of the orbiter. If debris were to fall during ascent, given the orbiter's curved flight path, it would strike either the leading (titanium) edge or the underside of the wing.
Yes... The report earlier this morning on NPR mentioned that a tile had dislodged on launch, and struck a wing. There was supposedly no serious damage at the time.
A piece of insulating foam broke off the external fuel tank and hit the left wing of the shuttle during liftoff. The chances of this causing problems are highly unlikely, given the titanium shielding along the leading edge of the wing and the super-strong construction of the airframe's wings.
But maybe it did cause a problem. Obviously something did. We will find out in due time.
You can not parachute from 200,000 feet. You have to free fall for a loong time. The escape facility is really for when you can't land the thing, and is only really usable from about 20,000 feet or less. Even then, jumping from such a height requires special skills. Usually jumps take place from less than ten thousand.
The highest parachute jump is from around 100,000 feet, and it required a special pressurized suit with air supply. Jumping from 200,000 feet would be suicide.
I remember hearing that the whole crew cabin could eject and parachute to safety, but now that I think about it this was a conceptual design that never made it into the real space shuttles. If the shuttle could do this I think the crews of Challenger and Columbia would have survived.
Three now. Four including the original Enterprise. I wonder if they'll retrofit her now, to replace Columbia?
Unlikely. The Enterprise was never meant to go into space and is only for training inside the atmosphere. Retrofitting it would probably be more work and money than building a whole new shuttle. Enterprise is also very old, and it is likely that Columbia's age played an indirect part in this accident. If I were an astronaut, I would not want to fly on a retrofitted Enterprise.
How about the whole ISS project anyway? Is this going to toast that for good, too?
I expect rocky times ahead for the ISS. The United States is the primary financial backer and provides basically all of the manned missions. Without our support, the ISS is toast. I expect not only NASA to investigate and put things on hold, but also Congress. They are the ones that appropriate funding to NASA. Expect a lot of Congressional debate about our space program in the near future. I would not be surprised if this accelerates plans to privatize NASA, an idea that our government has been kicking around for a while. We already contract out a lot of work at NASA.
I wouldn't try relying on POST to hide GET vulnerabilities.
I do not do this. I want to test corrupt POST data like I can with GET. I don't want to obscure input.
The original idea behind POST was to input data to a page but in a way that cannot be bookmarked and to have the page be volatile. Conversely, GET's purpose was to have a (relatively) static page, for example, results from a query. POST was for input, GET for output, roughly. I try to adhere to this methodology, since it does work even if in modern times a large number of web sites blur the lines and overtly don't care about the rules.
Don't hear too much about anyone using these 'sploits, and they've been around forever. Anyone out there running a PHP site been whacked around this way?
I run two sites with PHP and to test security, I use a few common sense computer science techniques:
Bad GET data: I tried manipulating variables via the URL line. POST data is a bit tougher, as I need a UA that can manipulate it and don't know of one.
Register Globals: since I don't have control over the physical server, I cannot turn this option off. However, I always use the full names, i.e. $_GET['data'] instead of $data. This helps with namespace collisions, for example, having POST and COOKIE variables with the same name. I used gvim's search feature since it highlights matches, and manually checked each variable to ensure it adheres to this standard. Whenever I use a global variable, I make sure I set it myself first just in case.
Taint checking: this is one Perl feature I sorely miss in PHP. I do a lot of manual grunt work to "emulate" it though. I thoroughly validate each variable the user can directly or indirectly manipulate. Usually I use the contents of a user variable to set a separate internal variable, flagging error conditions such as data that cannot be entered on a form. Who knows, maybe this will prevent buffer overrun errors in MySQL too.
Code Review: I remember reading a while ago about the unmatched security of OpenBSD, and that it was because of aggressive code reviews and tightly controlled release schedules. While my web sites don't mean a damn compared to OpenBSD, I still take after the OpenBSD team and review my code on a regular basis. I cannot tell you how many times I have caught bugs and errors that I did not see just the day before. You cannot find bugs if you do not look for them!
Security is not something that you can rely on other people to do for you: you will be let down. No matter how secure the tools are, you need to check things yourself.
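One way to do the explicit $_GET access and emulated taint checking the post above describes, as an added example that is not code from the original comment; the page parameters (page, sort, q) and the $is_admin flag are assumptions, and extract() stands in for register_globals so the weak case can be run with that setting off:

```php
<?php
// Added example, not code from the original post. It emulates Perl-style taint
// checking the way the comment describes: every request value is read explicitly
// from $_GET (never via register_globals), validated, and copied into a separate
// internal variable that the script initialised itself; anything the form could
// not have produced is flagged as an error rather than "cleaned up".
// The page parameters (page, sort, q) and the $is_admin flag are assumptions.

// Weak pattern the comment guards against: with register_globals on, a variable the
// script never set, such as $is_admin, can be seeded from the query string.
// extract() plays the role of register_globals here so this runs with the setting off.
function weak_is_admin(array $request): bool
{
    extract($request);                           // ?is_admin=1 silently creates $is_admin
    return isset($is_admin) && (bool)$is_admin;  // the request decides, not the script
}

// Hardened pattern: set every internal variable first, then overwrite it only with
// a value that passed validation. Returns the internal variables plus the rejected fields.
function validate_request(array $get): array
{
    $page = 1; $sort = 'name'; $q = ''; $is_admin = false; $errors = [];

    // page: a string of digits with value >= 1 (is_string also rejects ?page[]=1)
    if (isset($get['page'])) {
        if (is_string($get['page']) && ctype_digit($get['page']) && (int)$get['page'] >= 1) {
            $page = (int)$get['page'];
        } else {
            $errors[] = 'page';
        }
    }

    // sort: only the values the form offers, so the result can be spliced into ORDER BY
    if (isset($get['sort'])) {
        if (in_array($get['sort'], ['name', 'date'], true)) {
            $sort = $get['sort'];
        } else {
            $errors[] = 'sort';
        }
    }

    // q: free text, but bounded in length and character set
    if (isset($get['q'])) {
        if (is_string($get['q']) && strlen($get['q']) <= 64 && !preg_match('/[^\w .-]/', $get['q'])) {
            $q = $get['q'];
        } else {
            $errors[] = 'q';
        }
    }

    // $is_admin is deliberately never read from the request at all.
    return compact('page', 'sort', 'q', 'is_admin', 'errors');
}

// Constructed inputs standing in for $_GET: one normal request, one with corrupt values.
$normal  = ['page' => '3', 'sort' => 'date', 'q' => 'shuttle tiles'];
$corrupt = ['page' => '-1', 'sort' => 'price', 'q' => str_repeat('A', 500), 'is_admin' => '1'];

printf("weak_is_admin on corrupt request: %s\n", weak_is_admin($corrupt) ? 'granted' : 'denied');

$ok  = validate_request($normal);
$bad = validate_request($corrupt);
printf("normal request rejected fields: [%s]\n", implode(', ', $ok['errors']));
printf("corrupt request rejected fields: [%s]\n", implode(', ', $bad['errors']));
printf("corrupt request is_admin: %s\n", $bad['is_admin'] ? 'true' : 'false');

// Only internal, validated values reach the query, so the script, not the user, chose them.
$offset = ($ok['page'] - 1) * 20;
printf("SELECT * FROM items ORDER BY %s LIMIT %d, 20\n", $ok['sort'], $offset);
```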
I would say that COM allows you to implement a COM interface, i.e. expose a defined set of methods, variables, etc... but true inheritance is one of those things it sorely lacks.
If I remember correctly, the idea behind COM is not to implement a full-featured object-oriented model. It is designed to provide interfaces that allow for backwards and forwards compatibility mostly in libraries. It is akin to the "interface" keyword in Java, not the "implements" keyword. You can still use full object-oriented programming concepts in C++ using COM. Granted the COM interface may make things kludgy and awkward, but it is certainly possible.
An even better solution is to configure Apache via httpd.conf or .htaccess not to serve those files. I am meticulous about deleting backup (.php~) files, and Apache is configured to return 403 Forbidden on *.inc. Even if you know the names of my include files, you cannot view them. This is a better solution than instructing Apache to parse them as PHP. You'll wind up with a broken page that way.
The beauty of configuring Apache to disallow these files is PHP can still access them locally, but any remote script or browser will not be able to use them.
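An added configuration example, not the commenter's own httpd.conf, of the rule described above; the file extensions are the ones the comment names, and the register_globals line assumes mod_php:

```apache
# Added example (not the commenter's own httpd.conf): refuse to serve include files
# and editor backups over HTTP. PHP's include() reads them from disk, so the site
# still works, but a browser asking for them directly gets 403 Forbidden.
# Works in httpd.conf, or in .htaccess where AllowOverride permits it.
<FilesMatch "\.(inc|php~)$">
    # Apache 2.4 (mod_authz_core)
    Require all denied
    # Apache 2.2 and earlier, the versions current when this thread was written:
    # Order allow,deny
    # Deny from all
</FilesMatch>

# Assumes mod_php: register_globals is a per-directory (PHP_INI_PERDIR) setting, so
# even without root on the box it can be switched off here rather than at runtime.
php_flag register_globals off
```

Keeping include files outside the DocumentRoot altogether is a stronger form of the same idea, since then no request can reach them regardless of the Apache rules.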
I didn't get tunnel vision on the Mantis, I got sore nuts and knees. The second time I adjusted the seat correctly and was fine, but that first time was rough. I also stopped trying to stand up, i.e. stopped fighting centrifugal force, and just sat down.
The Magnum still goes strong too. It may be a "paltry" 210 feet, but it's still 72 MPH, and a great view from the top of the hill. The first time I almost shit myself not because of the height, but because they anchored the rest of the ride in the sand. Pay attention next time -- it's built right on the beach. Granted they do have deep concrete pylons, but still... sand...
Look out for glasses as well. Once when I was riding the Mean Streak, a big wooden coaster at Cedar Point, it was so bumpy they flew off my face and a lucky blind grab caught them. The Millennium Force dried out my contacts. I couldn't yell either, the air rushing into my mouth was faster than my lungs could push the air out.
If I were a backer, I'd want some sort of guarantee that a second one would be busy full time before I'd approve it.
The people who run this company make so much money they don't need investors. Which kinda makes me upset when I have to cough up the admission fee. I remember when I was young it cost $15 to get in. That last time I went a year or two ago it was $35. And I'm only 23 :-)
I think any reputable shop won't go browsing through your pr0n or email.
Pr0n should be shared, email should be encrypted. I don't know of anyone, let alone a hardware tech, who could break PGP. Of course given enough time they could brute force it... although with a 4096 bit key that may take a "couple" of years :-)
I vaguely remember being born. All I remember is light -- everything was dark, then progressively brighter. Of course I didn't realize anything at the time. Being a fetus, I was ignorant of absolutely everything in the world. But later on I remembered this. At the time I couldn't put events to senses, i.e. being born to the increasing light, sounds, etc. but in retrospect things started making sense.
The next memory I have is of my first steps. I remember mainly because my father didn't care. All of my brothers and sisters (and mother) were going apeshit but my dad couldn't be bothered. Not that I'm bitter.
I also remember picking up gum off the sidewalk and chewing it in front of the Air and Space Museum in Washington, DC, when I was about four years old.
Personally, I like XP as my gui, and Linux as my server and extension to my workstation.
I agree. Windows XP has advantages compared to Linux, mostly the huge breadth of applications that are available. For serving, Linux is definitely better, although FreeBSD is the best in my opinion.
But if you only have 1 Box, XP+Cygwin seems a better option for now.
I could not get Cygwin to work with Windows XP. So when I boot into Windows, I use MinGW. It's not as full-featured as Cygwin, and isn't even the same type of suite, but it does what I need it to do. I have a full GNU development suite in Windows, except there is no UNIX shell. I can use the same source and makefiles in Linux and Windows. I can develop Windows applications using GCC. Just about the only thing I can't do is easily develop GUI resource scripts a la Visual C++.
FSF? What software have they released lately?
The first thing that comes to mind is GCC. Without it, no Linux distribution would compile anything. Or how about Gnome, one of two major X-Window desktops?
Just because Richard Stallman is a crusty old fart who only owns one t-shirt and (probably) smells like rotting fish doesn't mean the FSF is useless.
I've got a shiny new Mandrake 9 PowerPack, and I'm happy with it.
Amen. This is quite a confession... I used to run Windows most of the time and boot into Linux every once in a while. Windows was bad, but I saw problems with Linux. I tried quite a few distributions too, including Debian, Slackware, Red Hat, Mandrake 8.x, and even FreeBSD and OpenBSD to name a few. I'm not trolling here, just stating that I didn't like the Linux offerings for the past few years. It always had potential, but couldn't keep my attention.
Mandrake 9.0 changed all of that. This distribution rocks. Everything works, it is very usable, and I love it. I switched to Mandrake 9.0 completely, leaving Windows behind. It would be a shame to see Mandrake die. I hope they are able to make it into the black again.
Sorry, I wasn't too clear. When I said "penetration," I meant the bullet goes through a person and keeps going. So, for example, I shoot someone, the bullet keeps going, and hits the person behind him. And so on. Most of these heavy weapons will go through several people, some as many as 15-20 people. I don't know if this has been tested in real life (I don't know who would volunteer for this experiment) but it's been simulated for sure.
Can I do ASP on apache?
Yes.
Register Globals: since I don't have control over the physical server, I cannot turn this option off.
I found in the PHP documentation that you can turn PHP INI options on and off at runtime. For example, you can turn off register globals like so:
ini_set ('register_globals', '0');
to masturbate while wearing that. isn't that why we're all in front of the computer?
While you're at work? And I take it you didn't get caught? Good job! Now tell me how you did it.
You got me there, I was thinking one thing and typing another. Either way, I wouldn't want to have one shot at me. I've seen what these things can do.