1 - I use OpenBSD for firewalling. You limit connections to your machines by only allowing specific ports to connect to that machine. You can also control which way connections are allowed to connect. For instance you might wish to limit connections to your web server to port 80. For the database server that will hold the credit card data, a good way to do it would be to allow port 22 into the server, and no traffic whatsoever to leave the server.
2 - Use private key encryption. There is no need for anyone but you to have the key so use a good private-key encryption on your data server. Triple-DES is a good choice. It comes free with OpenBSD
So, basically, what you need are two OpenBSD boxen, and the expertise to set up two firewalls, SSH, and Triple-DES. Then, to get your data, a cracker has to 1)Crack two OpenBSD boxes 2) Exploit a hole in OpenSSH 3) brute-force Triple-DES.
In other words, they will be having snowball fights in the ninth layer of hell before someone gets to your data.
Well, I too am off to see the family and exchange gifts. We are having a surprise guest(at least it was a surprise to me) at the house who is a big fan of open source software.
So, my last-minute gift to him is a copy of the new OpenBSD 3.0.
I inscribed it:
Time since last remote root exploit:
OpenBSD: 4.5 years
Microsoft Windows: 4.5 days.
Merry Christmas! My condolences for you guys that have to work.
I agree that "marking people" is not going to happen in the U.S., being that we are 90+ Christian. It wouldn't even get to the point where there was fighting on the streets about it. As long as we have elected representatives who listen to their consitituents, this will never happen.
Of course if we were to lose our basic rights guaranteed by the Consititution, then all that goes out the window. Then there would be a reason to fight the government.
Actually this seems to be a common misconception. You have to manually keep track of the size of the string you are copying to ensure you always copy a null-terminated string. Most programmers don't, and thus introduce potentially unsafe code. Additionally, there is a performance loss when you don't use the whole buffer when copying -the strncpy function fills it with 0's.
A better set of functions to use is the strl* functions invented by OpenBSD's Todd Miller.
My programming team is considering making some sweeping changes to our code base (150+ perl CGIs, over a meg of code
First of all, I think its important to realize that you have a medium-sized website and not a big software project. Therefore, some of the above comments recommending refactoring, UML, and eXtreme programming may be a bit overkill.
Web programming != software development! Its usually done at a much faster pace. Even if an object-oriented approach is taken, you are still probably talking about simple function libraries rather than complex C++ or Java classes. Again, overkill.
150 files is still a small enough project to be managed by one or two decent coders. Actually, I just looked at the amount of stuff I've written over the years for my online bookstore and its more like 500 files and over 4 megs of code. I don't feel like its too much of a job to manage this codebase by myself.
So, here are my recommendations.
You probably have gotten better at programming since the time you started your project. Take a few of the most recent CGIs you have written and compare them to the first ones you wrote. You just might notice a glaring difference in the quality. Also, the first pages you wrote are likely to be among the most important in your project, yet they are also likely the worst quality-wise.
Regardless of what language you program in, I think its important that you can tell whats going on in the program by reading the comments. If a manager can understand what a program does by reading the English bit, there's a good chance other programmers will be able to jump in and help as well. One specific rule I also follow: if you do regexes, say IN ENGLISH what those regexes do. I say this because regexes are one of the hardest things to read.
Look for any code that can be "factored out" of your scripts and put those into function libraries. Then include those in your program. The only problem with this occurs when you have huge function libraries that slow down your scripts when you include them. In that case you would logically separate your functions into different files. I have included very common functions in different include files, so I can make the actual code compiled or interpreted as small as possible.
Consider using a flowcharting tool as an aid to programming and/or documenting your code.
Standardize how you name variables and functions, write comments, identation, and spacing.
Be sure and include the date you write your scripts in the comments, in case the filesystem wipes this out.
I'm sure theres other things I've left out, but following the above guidelines have helped me do exactly what you are trying to do: manage a growing codebase. But don't forget, this is web programming, not rocket science, and some of the above suggestions may be more trouble than they are worth. Keep it simple.
(1) how the architecture of the Internet built a set of values,
(2) how those values are fundamentally linked to the most important freedoms in our tradition, and
(3) how changes in that architecture of the net could undermine those values.
This needs to be conveyed loud and clear to every one of our legislators. As an article posted previously today stated, content providers want to take away general purpose computers and replace them with specialized devices. We must not let them!
and the like. Most of us just don't interact with these people, unless they are our grandparents.
Consider the man hours needed to produce Hoyle's Poker vs. Quake3. Its glamorous to do the latter, but I bet the former makes a lot more profit.
I've always avoided game programming simply because I know it would require me to give up virtually everything else I enjoy doing with computers(databases, web programming, sysadminning). You have to be pretty dedicated to be any good at it. However, if I was to start a game company, it would definitely start out producing simpler games for older customers, then perhaps move to making bigger 3D action games once I made enough to hire more people.
I'm not sure how they got write access, because the FTP directory was set to read-only. I'm assumming they exploited a buffer overflow. I doubt an outside user got a hold MS FTP is based on older BSD code. To tell you the truth, I don't know for sure how it happened. I did allow anonymous access, perhaps that was my undoing.
Luckily, the damage was contained to the FTP directory. At least before I ran rm.:)
You can get a number of UNIX(actually posix) commands from the Windows 2000 resource kit.
...as an open source system. There's more to it than just "lots of eyeballs".
For instance. Even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this. Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.
Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.
The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.
Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\/" The command line actually hides the last three characters. And rm gets fed the first directory, and then the "/" separately. Yeah. You do the math. Needless to say, it wiped out quite a few of my files before I killed it.
Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because(another hideous design fault) you can't just uninstall SQL server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.
Now, how many things can you count that would have never happened with an open source system. You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. Its very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.
All, in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, its their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configureable, is less managable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.
heh. And what firewall would that be? I sure hope you're not planning on securing your network with this hunk of shite.
Man, you've got a lot to learn if you think three months of book reading is going to protect any network.
I would like to say Happy Birthday
on
Happy Birthday Perl!
·
· Score: 4, Interesting
to the fastest and most complete cross-platform language that I know of. Yes, this includes C# and Java.
Seriously - what else can do system admin scripting(on many different systems), database programming, web programming, network programming, and do it all on just about any platform, not to mention virtually everything C, awk, sed and shell scripting can do.
To do this on as widespread of a basis as possible, they will need to label them as unplayable on computer equipment, DVD players, etc. Otherwise they will get slammed with returns.
I highly doubt they will put the CDDA logo on their CD's.
Its too bad they are doing this, because the likely outcome is that people will rip to MP3 using an analog method, and then return the CD whereas before they probably would have kept it.
The RIAA continues to prove its incompetence in dealing with the digital age.
There is a more fundamental problem. Being that IE is so intrinsically tied to the OS anymore I really don't want any website to be able to control my browser with scripting.
Its sort of like turning off port 23 - yes telnet is useful, and behind a firewall its safe, but I've come to value security over convenience and therefore just leave it off, period. Same thing with browser scripting. I just don't want to do it anymore.
I know I'm not the only one, far from it. It would be in Microsofts best interests to make their sites work without client side scripting.
How about making a site that doesn't require javascript? Really, who's the moron here?
I'll assume you were one of the $MS astroturfers I referred to. Needless to say, I no longer trust Microsoft and will no longer be using javascript in IE, even for your site.
Your company has lost a lot of business by the very same attitude you just showed in your post. Next year, I will not be renewing MSDN, and customers that I use to sell Microsoft products to will be steered toward Apache, Oracle, and Unix.
Yeah you can call me a moron, or you can go back to work and fix your broken site. Well I guess I already know what will happen.
Using Microsoft's own recommendations for making Internet Explorer and Outlook secure I disabled Active Scripting.
By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.
Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.
You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?
Do you know of an ibm3151 terminal emulator that works with ssh? Preferably something thats not $100+ per seat? The only ones I've ever seen work with telnet. So unfortunately, telnet will have to stay. At least its behind my firewall.
I think what upsets me the most is that many of these "wizards" assume that because they wrote the regex code for a certain function, that others can easily read it.
I had a guy working for me for a couple of months who knew regexes better than me. I made him clearly comment his code above each regular expression he did so I wouldn't have to pore through Programming Perl to figure out what he did.
If Perl is clearly commented its not that bad of a language to work with, but otherwise his program would have looked like line noise.
If you are using Perl in a team project, extensive comments are a must.
You can use 'M' to signify megabytes, e.g. 256M when installing OpenBSD. I agree, the disk utility is pretty hard to use, but after that an OpenBSD install goes pretty smoothly.
Try reading this. Especially that part about running testparm to test your configuration.
Another very common newbie problem - samba uses unencrypted passwords by default. This only works with Windows 95 and possibly 98. Later versions of Windows encrypt their passwords so you won't be able to connect to your Samba shares. Run smbpasswd -a on your Linux boxes to fix this.
Also while you can access Windows machines from Linux using Samba, its default setup is to access Linux servers from Windows. You will need to learn about mounting Windows shares (try man mount) ala mount -t smbfs to access Windows shares in Linux.
Above all be patient. Unix is not for those who give up easily.
What is the point of robots.txt? And how is that different from requesting that someone doesn't link to your site?
I'm not saying that it isn't foolish to ask people not to link without an agreement. However, the same thing can be said about asking people not to spider your site that you put right there on port 80. And robots.txt is in fact an internet standard so this same sort of foolishness is built into the net from the ground up.
I was thinking small flying robots with a camera attached would be a great way to hunt down people like Osama. Assumming these could be built cheaply enough you could send out hundreds of these to invade caves, scout out undergroud bunkers, etc. Design them so that it doesn't matter if someone manages to take out a few of them as long as some of the bots complete their mission.
Its kind of frustrating with all the modern tech we have not to be able to track down a hiding enemy. Something like this could accomplish our mission a lot quicker and probably save a lot of lives.
Digital needs to get much better before it can replace tube guitar amps. None of the modeling amps sound as good as an all-tube Fender or Marshall.
For a digital amplifier to truly replace tubes, the current state of DACs and ADCs just don't cut it. There needs to be a much higher resolution in these devices, perhaps 128 bit or even higher. Then, these devices need to learn to react to the dynamics of the player well - a good tube amp can go from a soft passage to full-tilt scream by playing harder and hitting the volume control. Finally digital amps need to be able to do feedback - i.e. interact with guitar pickups in such a way that will interactively produce feedback at different harmonics of the original signal depending on the angle and proximity of the guitar to the amplifier.
Until that happens, I'm sticking with tubes. Perhaps a better application of digital tech to the world of guitar would be to simply make tubes work better - more reliably and consistently.
That said, I'm all for ethernet replacing MIDI. But that's an entirely different proposition.
Slashdot Mirror
1 - I use OpenBSD for firewalling. You limit connections to your machines by only allowing specific ports to connect to that machine. You can also control which way connections are allowed to connect. For instance you might wish to limit connections to your web server to port 80. For the database server that will hold the credit card data, a good way to do it would be to allow port 22 into the server, and no traffic whatsoever to leave the server.
2 - Use private key encryption. There is no need for anyone but you to have the key so use a good private-key encryption on your data server. Triple-DES is a good choice. It comes free with OpenBSD
So, basically, what you need are two OpenBSD boxen, and the expertise to set up two firewalls, SSH, and Triple-DES. Then, to get your data, a cracker has to 1)Crack two OpenBSD boxes 2) Exploit a hole in OpenSSH 3) brute-force Triple-DES.
In other words, they will be having snowball fights in the ninth layer of hell before someone gets to your data.
So, my last-minute gift to him is a copy of the new OpenBSD 3.0.
I inscribed it:
Time since last remote root exploit:
OpenBSD: 4.5 years
Microsoft Windows: 4.5 days.
Merry Christmas! My condolences for you guys that have to work.
Of course if we were to lose our basic rights guaranteed by the Consititution, then all that goes out the window. Then there would be a reason to fight the government.
A better set of functions to use is the strl* functions invented by OpenBSD's Todd Miller.
First of all, I think its important to realize that you have a medium-sized website and not a big software project. Therefore, some of the above comments recommending refactoring, UML, and eXtreme programming may be a bit overkill.
Web programming != software development! Its usually done at a much faster pace. Even if an object-oriented approach is taken, you are still probably talking about simple function libraries rather than complex C++ or Java classes. Again, overkill.
150 files is still a small enough project to be managed by one or two decent coders. Actually, I just looked at the amount of stuff I've written over the years for my online bookstore and its more like 500 files and over 4 megs of code. I don't feel like its too much of a job to manage this codebase by myself.
So, here are my recommendations.
You probably have gotten better at programming since the time you started your project. Take a few of the most recent CGIs you have written and compare them to the first ones you wrote. You just might notice a glaring difference in the quality. Also, the first pages you wrote are likely to be among the most important in your project, yet they are also likely the worst quality-wise.
Regardless of what language you program in, I think its important that you can tell whats going on in the program by reading the comments. If a manager can understand what a program does by reading the English bit, there's a good chance other programmers will be able to jump in and help as well. One specific rule I also follow: if you do regexes, say IN ENGLISH what those regexes do. I say this because regexes are one of the hardest things to read.
Look for any code that can be "factored out" of your scripts and put those into function libraries. Then include those in your program. The only problem with this occurs when you have huge function libraries that slow down your scripts when you include them. In that case you would logically separate your functions into different files. I have included very common functions in different include files, so I can make the actual code compiled or interpreted as small as possible.
Consider using a flowcharting tool as an aid to programming and/or documenting your code.
Standardize how you name variables and functions, write comments, identation, and spacing.
Be sure and include the date you write your scripts in the comments, in case the filesystem wipes this out.
I'm sure theres other things I've left out, but following the above guidelines have helped me do exactly what you are trying to do: manage a growing codebase. But don't forget, this is web programming, not rocket science, and some of the above suggestions may be more trouble than they are worth. Keep it simple.
Actually that was kind of funny, but you would have to be familiar with said phrase.
(2) how those values are fundamentally linked to the most important freedoms in our tradition, and
(3) how changes in that architecture of the net could undermine those values.
This needs to be conveyed loud and clear to every one of our legislators. As an article posted previously today stated, content providers want to take away general purpose computers and replace them with specialized devices. We must not let them!
Consider the man hours needed to produce Hoyle's Poker vs. Quake3. Its glamorous to do the latter, but I bet the former makes a lot more profit.
I've always avoided game programming simply because I know it would require me to give up virtually everything else I enjoy doing with computers(databases, web programming, sysadminning). You have to be pretty dedicated to be any good at it. However, if I was to start a game company, it would definitely start out producing simpler games for older customers, then perhaps move to making bigger 3D action games once I made enough to hire more people.
I'm not sure how they got write access, because the FTP directory was set to read-only. I'm assumming they exploited a buffer overflow. I doubt an outside user got a hold MS FTP is based on older BSD code. To tell you the truth, I don't know for sure how it happened. I did allow anonymous access, perhaps that was my undoing.
:)
Luckily, the damage was contained to the FTP directory. At least before I ran rm.
You can get a number of UNIX(actually posix) commands from the Windows 2000 resource kit.
For instance. Even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this. Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.
Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.
The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.
Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\
Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because(another hideous design fault) you can't just uninstall SQL server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.
Now, how many things can you count that would have never happened with an open source system. You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. Its very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.
All, in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, its their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configureable, is less managable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.
Man, you've got a lot to learn if you think three months of book reading is going to protect any network.
Seriously - what else can do system admin scripting(on many different systems), database programming, web programming, network programming, and do it all on just about any platform, not to mention virtually everything C, awk, sed and shell scripting can do.
Nothing, that I know of.
I highly doubt they will put the CDDA logo on their CD's.
Its too bad they are doing this, because the likely outcome is that people will rip to MP3 using an analog method, and then return the CD whereas before they probably would have kept it.
The RIAA continues to prove its incompetence in dealing with the digital age.
Therefore, models should date geeks. Sadly, none of them are here to read this comment.
Its sort of like turning off port 23 - yes telnet is useful, and behind a firewall its safe, but I've come to value security over convenience and therefore just leave it off, period. Same thing with browser scripting. I just don't want to do it anymore.
I know I'm not the only one, far from it. It would be in Microsofts best interests to make their sites work without client side scripting.
moron
just read the fucking help file.
How about making a site that doesn't require javascript? Really, who's the moron here?
I'll assume you were one of the $MS astroturfers I referred to. Needless to say, I no longer trust Microsoft and will no longer be using javascript in IE, even for your site.
Your company has lost a lot of business by the very same attitude you just showed in your post. Next year, I will not be renewing MSDN, and customers that I use to sell Microsoft products to will be steered toward Apache, Oracle, and Unix.
Yeah you can call me a moron, or you can go back to work and fix your broken site. Well I guess I already know what will happen.
By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.
Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.
You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?
Do you know of an ibm3151 terminal emulator that works with ssh? Preferably something thats not $100+ per seat? The only ones I've ever seen work with telnet. So unfortunately, telnet will have to stay. At least its behind my firewall.
I had a guy working for me for a couple of months who knew regexes better than me. I made him clearly comment his code above each regular expression he did so I wouldn't have to pore through Programming Perl to figure out what he did.
If Perl is clearly commented its not that bad of a language to work with, but otherwise his program would have looked like line noise.
If you are using Perl in a team project, extensive comments are a must.
I think we've found the author of the "Let me get this straight" trolls.
You can use 'M' to signify megabytes, e.g. 256M when installing OpenBSD. I agree, the disk utility is pretty hard to use, but after that an OpenBSD install goes pretty smoothly.
Another very common newbie problem - samba uses unencrypted passwords by default. This only works with Windows 95 and possibly 98. Later versions of Windows encrypt their passwords so you won't be able to connect to your Samba shares. Run smbpasswd -a on your Linux boxes to fix this.
Also while you can access Windows machines from Linux using Samba, its default setup is to access Linux servers from Windows. You will need to learn about mounting Windows shares (try man mount) ala mount -t smbfs to access Windows shares in Linux.
Above all be patient. Unix is not for those who give up easily.
I'm not saying that it isn't foolish to ask people not to link without an agreement. However, the same thing can be said about asking people not to spider your site that you put right there on port 80. And robots.txt is in fact an internet standard so this same sort of foolishness is built into the net from the ground up.
Its kind of frustrating with all the modern tech we have not to be able to track down a hiding enemy. Something like this could accomplish our mission a lot quicker and probably save a lot of lives.
For a digital amplifier to truly replace tubes, the current state of DACs and ADCs just don't cut it. There needs to be a much higher resolution in these devices, perhaps 128 bit or even higher. Then, these devices need to learn to react to the dynamics of the player well - a good tube amp can go from a soft passage to full-tilt scream by playing harder and hitting the volume control. Finally digital amps need to be able to do feedback - i.e. interact with guitar pickups in such a way that will interactively produce feedback at different harmonics of the original signal depending on the angle and proximity of the guitar to the amplifier.
Until that happens, I'm sticking with tubes. Perhaps a better application of digital tech to the world of guitar would be to simply make tubes work better - more reliably and consistently.
That said, I'm all for ethernet replacing MIDI. But that's an entirely different proposition.