Slashdot Mirror


User: rgviza

rgviza's activity in the archive.

Stories
0
Comments
949

Comments · 949

  1. Re:preachin to the choir on Why Apple's DUI Checkpoint App Ban Is Stupid · · Score: 1

    Yep. A computer is silicon, metal and plastic. Like any tool, it's not the brand of the tool, it's the guy turning the wrench.

  2. The 3 most important things about web app sec on Ask Slashdot: Verifying Security of a Hosted Site? · · Score: 1

    1. MySQL SQL injection. Every single parameter fed to the database needs to be run through the mysql_real_escape_string function. To be future proof, queries should be sent as prepared statements. If you don't know what this stuff is, go to php.com and start reading. mysql_real_escape_string() is a good stopgap measure you can easily implement to scrub your parameters; however, long term you should be using prepared statements. Prepared statements tell the database "This parameter is to be treated as data and not interpreted as SQL". They separate the meat from the milk, so to speak. This is the future proof way to secure your SQL queries. Stored procedures do NOT secure your code simply by being stored procedures, although strongly typed input helps a great deal. No matter what, you will be accepting strings/chars etc. in your database and that's where you'll be vulnerable. Prepared statements when used within stored procedures help, but you can SQL inject your way out of a non-prepared stored procedure call too, even if the SQL within is a prepared statement. Make your stored proc calls with prepared statements, then the SQL within the stored procs should also be prepared statements. Do some reading about this stuff. Read it till you understand.

    2. XSS. Every variable you get from GPCS (get, post, cookie, session) or database should be wrapped with htmlentities() before display on a web page. This prevents people from phishing your users by neutralizing javascript code they may try to inject. Javascript will simply display on your page and not get executed, making it harmless. If your regexes aren't the greatest, javascript can be sent to your db, then displayed as content. That's why even if it's coming from your db, you should htmlentities() it before displaying it.

    3. Scrub your input. Input should only consist of printable characters. Scrub it before processing to remove binary data, nulls and other potentially harmful stuff (unless you are handling binary such as a file upload or something). There are regex recipes all over the place for doing this, for removing javascript, SQL etc. None of them are perfect and that's why you absolutely must adhere to rules 1 and 2. You should also limit the length of the input to prevent buffer overflows that your scripting language people may have missed in their language.

    Naturally the usual stuff about securing your server etc. applies. Admins are really good at this stuff. However the average off the shelf app will have a lot of vulnerabilities. Almost all of them will be one of the 3 listed above. They are easily fixed. The hard part is finding them. Use grep... look for "insert", "GET", "POST", "update", etc. and other keywords related to SQL inserts, updates, delete, create and select.

    If the app you are thinking of using doesn't do this stuff, walk away. Find another one. It's also good to force your users to use strong passwords and all that other stuff people mentioned, but you can have the most secure box in the world but if the application running on it is insecure, you will be pwned.

    Security is more than just web app security but web app security is where 99.9999% of FAIL occurs and 99% of that happens in items 1-3.
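    A PHP sketch of the three rules in this comment, added here as an illustration and not code from the comment itself; it uses PDO prepared statements in place of mysql_real_escape_string(), and the `users` table, its columns and the connection details are assumed placeholders.

```php
<?php
// Added illustration of rules 1-3; the `users` table, its columns and the
// connection details are assumed placeholders, not from the original comment.

// Assumed connection. ATTR_EMULATE_PREPARES=false makes PDO use real
// server-side prepared statements so parameters are never spliced into SQL.
$pdo = new PDO(
    'mysql:host=localhost;dbname=appdb;charset=utf8mb4', 'appuser', 'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Rule 1, the wrong way: $name is pasted into the query text, so a quote
// character in it ends the string literal and the remainder is parsed as SQL.
// Shown for contrast only; it is never called below.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, bio FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Rule 1, the right way: the placeholder is bound as data, never interpreted as SQL.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, bio FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rule 2: escape at output time, including values read back from the database,
// so any script tags stored earlier are displayed as text rather than executed.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rule 3: keep printable characters only and cap the length. \p{C} matches
// control, format, unassigned and surrogate code points (NUL included). With
// the /u flag preg_replace() returns null on invalid UTF-8, which is treated
// as empty input rather than passing undecodable bytes downstream.
function scrub(string $input, int $maxLen = 64): string
{
    $printable = preg_replace('/\p{C}+/u', '', $input) ?? '';
    return mb_substr($printable, 0, $maxLen, 'UTF-8');
}

// Usage: scrub the GET parameter, query with a prepared statement, escape on output.
$name = scrub($_GET['name'] ?? '');
echo '<ul>';
foreach (findUser($pdo, $name) as $row) {
    echo '<li>' . h($row['name']) . ': ' . h($row['bio']) . '</li>';
}
echo '</ul>';
```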

  3. Re:I guess I just won't buy stuff online anymore. on California Assembly Approves Internet Tax · · Score: 1

    -1: Amazon isn't using any state services such as street lighting, sewers, electricity, police protection, and the like that your state taxes pay for. UPS is when they deliver your package. Since their business model is dependent on delivery services... well they indirectly use the streets in every state. -3: You have a much smaller carbon footprint buying from Amazon versus driving your car to the mall (a plus to the environment). Really? A UPS truck burns a LOT of fuel and often you'd burn less because there's a store closer to you than the nearest UPS center. There's a CD store 4 blocks from my house. I often buy on amazon because even with shipping, it's still cheaper. I agree that if you live in the sticks, you are correct. For anyone that lives in a city there are much better options as far as carbon footprint. Usually within walking or subway range. -5: If states get this tax, how long before they start trying to tax Amazon profits from every individual state? Texas is already doing so due to the fact that Amazon has warehouses there. -6: Without Amazon and the like, your local stores have a virtual monopoly over providing you these items. How much do you think that is a good thing for the consumer? With Amazon the local stores are at an unfair advantage. I know several business owners put out of business by Amazon. They simply can't compete on big ticket items where the tax is over $40. I'm not saying I'm all for taxing Amazon, but simply playing devil's advocate. Your arguments are pretty one sided, to the point that you sound like an Amazon shill.

  4. Re:I guess I just won't buy stuff online anymore. on California Assembly Approves Internet Tax · · Score: 1

    The US, all 50 states and territories are broke. Don't expect to get away tax free for long. My own company had to start paying local sales tax in all states on internet sales. Well we didn't have to _yet_. However some states are suing companies retroactively for taxes so we are paying to cover our collective ass. It's an accounting nightmare. In California alone there are over 100 different local county tax rates. You need to check each sale by address to determine the sales tax. http://www.boe.ca.gov/pdf/pub71.pdf for the list from California.

  5. Re:Happened to My Wife on Google Uncovers China-Based Password Collection Campaign · · Score: 1

    happened to me too. This is more than just a phishing campaign....

  6. Re:First Unity, now Windows... on Windows 8 Previewed At D9 · · Score: 1

    I hate menus this deep when using a mouse, with a trackpad they are impossible. That's why I have to carry a mouse with my laptop. Trackpads are unusable.

  7. Re:Obligatory Clarification on New MacDefender Defeats Apple Security Update · · Score: 1

    ... and never will be.

  8. Re:There is no protection against stupidity. on New MacDefender Defeats Apple Security Update · · Score: 1

    If you think a developer can't hide malware in an app they submit to the AppStore, well, that's like saying Apple computers can't get malware or viruses.

  9. Re:What's that sound? on New MacDefender Defeats Apple Security Update · · Score: 1

    "Man can make it, man can break it". I've been saying this since 1995, when someone told me their systems and network were bulletproof and couldn't be hacked. The day you stop telling yourself this is the day your career is done if you are even remotely involved in networking or systems security.

  10. But....! on New MacDefender Defeats Apple Security Update · · Score: 1

    "OSX doesn't get malware and viruses" -smug mac user 2009 Linux you are next. Don't get me wrong, I develop on linux systems professionally and am an ios/osx user. I'm a huge UNIX fan, philosophically and operationally, but that is some misguided and shit to say.

  11. Re:gambling on Steve Ballmer's Head On the Block? · · Score: 1

    Microsoft is kind of like Coke. It's a relatively stable long term investment. Its value fluctuates with its release schedule, kind of like GPU manufacturers. Sure, right now it's down; when they release a new successful product it will go back up. That statement Einhorn made is a little loaded... Investing is a lot like gambling, but you can take a lot of the gamble out of it via research. You shouldn't simply watch trends, you should become intimately familiar with the stocks you buy and sell. My opinion is Einhorn bought a crapload of MSFT low, now he's trying to get the CEO ousted. Stocks almost always rebound when a new CEO assumes the helm. As soon as that happens (if it happens) Einhorn will laugh all the way to the bank after he sells high. Even if this doesn't happen, the stock will rebound anyway as soon as MSFT releases Windows 8. Either way he wins. He's just trying to make it happen faster by talking smack about Ballmer. It's nothing more than an attempt at manipulating MSFT stock prices. I'd wager that Ballmer doesn't go anywhere.

  12. Re:Stupid Decision on Mozilla Labs: the URL Bar Has To Go · · Score: 1

    This would make entirely too much sense.

  13. Re:only one? on Draft Horses Used To Lay Fiber-Optic Cable · · Score: 1

    I think the breakthrough will be genetically engineered superconducting alfalfa hay fiber and horses genetically engineered to have fiber producing spider silk glands. The horse poop will simply cover the newly laid fiber.

  14. Re:as said before here many times on The Cost of US Security · · Score: 1

    Oh yea, here we go with the anti-semitism. Typical... Anyone that doesn't like US and Israeli policy is automatically a Jew hating nazi. I have news for you, there are a lot of Jews that don't agree with Israeli and Zionist driven policy too, myself included. I'm not afraid of being called anything you want to call me. Bring it on and I'll wear it proudly.

    Give it a rest huh? You know why people hate Israel and Zionists? You dislike/mistrust anyone that's not a Jew and completely fail to be reasonable about anything or anyone that's not in accordance with Zionist goals. It's no wonder. In your eyes, and the eyes of people like you, people are either Jew hating nazis, or they agree with your point of view and support Israel without reservation. There is no in between. It's black and white to you. We're really tired of hearing that line and it's getting old. This issue is not cut and dried or black and white. Disagreement with a country's policy doesn't make you a racist.

    The sad thing is you are too self righteous to even see it for what it is. I wish you and Israel good luck. You'll need it. I sure as hell want no part of it. I'm perfectly happy being in the country I was born in. This is my country. I mind my own business.

  15. Re:as said before here many times on The Cost of US Security · · Score: 1

    yup. well said.

  16. Re:as said before here many times on The Cost of US Security · · Score: 1

    Well said. Unfortunately the Cartoon World is the one in which most of us live, so the moronic "they hate us for our freedom" narrative always gets good traction here.

    Actually, "they hate us for our freedom" is not too far from the truth. Everyone here is playing coy when talking about the goals of terrorists. Of course the terrorists don't care if TSA is feeling up our kids or the government is asking for ID to fly. That's not the freedom they are after.

    ========

    Actually they hate us because we meddle in their affairs and support their (arabic people's) enemies.

    It's really that simple.

  17. Re:Gliese 581d in the 'Goldilocks Zone' on Gliese 581d Confirmed as 'Habitable' Exoplanet · · Score: 1

    It would be a good exercise to see if the necessary equipment could at least function in a sustainable manner in Earth's harshest land environment. After all, if it could be debugged on Earth, at least you could debug it with a minimal loss of life. On Mars the colony would be truly fucked if there was a game breaking bug.

    Would you really want to go to Mars with gear that hasn't been tested?

  18. Re:We've sent them a message already... on Gliese 581d Confirmed as 'Habitable' Exoplanet · · Score: 1

    Actually we will have done the work for them, to find another race and habitable planet to exploit. The message will be returned by an invasion force who will collect a lot more than postage due.

  19. My computer says on Can Computers Be Used To Optimize the US Tax Code? · · Score: 1

    Consumption tax, amount determined by income. Issue tax cards to everyone. When you buy something, it computes tax based on your income, which is looked up from the IRS at point of sale after swiping the card. Income gets recalculated on the fly based on how much you spend (if the system sees impossibly low income for the amount of spending you are doing).

    Catches drug dealers, oil barons, people with offshore businesses, illegal aliens (who can no longer legally purchase anything until they get a green card, unless they pay max tax). No one gets away without paying tax. Foreigners and people without tax cards default to highest tax rate possible.

    Problem solved. No more tax dodgers or fiscal problems due to bullshit tax shelters. Fuck them all.

    No more tax returns to process, IRS shrinks to nearly nothing. People are paying the tax they can afford. People are spending what they can afford. Elderly/Fixed Income/Handicapped on social security pay minimum tax rate which is less than what they pay now for sales tax.

    The IRS, as we know it, needs to be dismantled and shut down, to be replaced with a ruthlessly efficient consumption tax system, the amount of which is based on income, or spending if reported income is obviously artificially low.

  20. Re:someone else on Newt Gingrich's Amazon Book Reviews · · Score: 1

    It wasn't the affair, it was the lying under oath. Bill Clinton got caught doing this in the Paula Jones deposition for (SURPRISE!) sexual harassment.

    He said he never had relations with Lewinsky under oath. Then her clothes with his semen on it were entered into evidence for his impeachment.

    Having AN(one) affair and admitting to it is a little different than fucking (or trying to fuck) everything that moves then lying about it under oath when it catches up with you.

    Of course Clinton is the Greatest President Ever!(tm) so he gets a pass for perjury.

    Talk about obscene and vile. Clinton takes the cake.

  21. The developers? lol on Is Process Killing the Software Industry? · · Score: 1

    It's been my experience, at least in a bank, when you shove excessive process down everyone's throats, the developers are the least of your worries. We'll happily spend half the day doing the necessary paperwork to update an address on the web site, chasing down people for approvals, etc etc.

    The real issue is once it takes 2 weeks to change a phone number on a fucking web site, because of excessive process, change control meetings, qa sign off etc etc etc. your business customers (the departments you write your software for) fire your IT organization out of frustration and go outside the company to a contractor that's not hampered by such processes, procedures, and bullshit. When you ask them to change a phone number, it gets done before the phone is hung up, just like we used to do it.

    Then your entire IT development unit gets fired, largely because of some busybody manager that had some great ideas about shoving their stupidity up everyone's ass.

    True story...
    When I worked at this bank, there was one change control meeting a week. You had to first get the idea approved at a CC meeting. Then you had to go code it, get it signed off by QA, who had to schedule you at least a week out, because they were busy too, and present the qa results at a second meeting. So it quite literally took a minimum of 2 full weeks to change a fucking phone number on a web site. They tried to move me to a different state. I found another job and quit because I didn't want to move. 6 months later the entire team got laid off because the business units went to an outside contractor that could get stuff done in minutes instead of weeks.

    Process is GREAT!

  22. Re:Kinda Cool on JavaScript Gets Visual With Waterbear · · Score: 1

    > But its good to see people making these languages accessible for someone just starting out.

    When I was starting out, I tried to use languages that were "accessible". I didn't get very far.

    I threw that idea out the window and learned C instead. I learned how computers actually work. That was what made being a developer accessible.

    Making javascript easy by using shapes and "drag and drop" so someone fresh off the typewriter can program in it, isn't really going to do much good for anyone.

    1. they really aren't learning anything except how to move blocks around on the ouija board, click and drag stuff etc.
    2. they completely miss out on fundamentals such as how to open a file, read it, and do something with the data. I'm sorry but lego programming isn't going to teach you anything except how to use the lego interface. What happens when you need to put the legos away and build a real building?

  23. In the year 3000... on JavaScript Gets Visual With Waterbear · · Score: 1

    In the year 3000 computers will write their own code and humans will be obsolete.

  24. Re:A few details on Osama Bin Laden Reported Dead, Body In US Hands · · Score: 1

    You could always stop by the embassy and tell someone there. I'm sure the marines at the gate would be interested in where Osama is/was. Just carry some DVDs so it looks like you are trying to sell DVDs to troops, to avoid getting yourself killed by the terrorist types.

  25. Re:No Thanks, EFF on EFF Advocates Leaving Wireless Routers Open · · Score: 1

    The university and grants (maybe NASA or some other agency) paid you to write your formula.

    Software developers have to work a 40 hour job AND work on their own software on their own time. We don't have a huge juicy tit (like a university or government) to suck on and provide resources for us. As well we have to compete with other software developers that write similar programs. We don't get grants, don't get funding, don't get equipment provided for us and yadda yadda yadda. If we do, the people providing the funds own our work, just like you.

    The difference is you don't _own_ the formulas you came up with. The software developer does own his own code coded in his spare time (as long as he didn't sign a stupid agreement with his employer)

    If you don't like it, start your own lab, quit your job at your university, and fund your own research, then you'll own your formulas. We do. /shrug

    Don't down us because you took the low risk easy way out and have to share your work. Becoming part of a university or other government funded system is a choice you make. In return for an easy life with a metric ton of perks (like undergrad women, living on campus, not needing to build your own particle accelerator etc.) you give up your work.

    Software developers get nothing in return for giving their work away, you get a salary to do it. It's easy to take the moral high ground for you and hide behind altruistic ideas, but admit it, if no one was paying you a salary would you give all of your work away? Of course you would because you aren't in that position and empathy is something you've read about but never experienced.