what if you have your web application accessing a MySQL database on a different server? Well, then you need to login to that MySQL database. The password is stored in your web app. When was the last time that password was updated? And that, in theory, is easy to do because the web app isn't compiled and it's stored in a single location.
This is the clearest example of the issue I have seen in this entire thread.
That web app's password to the DB should be changed periodically. Have the administrators make it a policy to change to a new password every six months, or any time there's evidence suggesting a compromise. Such a policy would be marginally more secure, but at the cost of only 10 minutes per year it's a justifiable effort.
Re:People have done this for years!!
on
Hard Drive Window
·
· Score: 1
No, its not news, its one of four Slashdot front page stories copied from Digg.
*sigh*
Just because a story was linked to from both Slashdot and Digg (or kuro5hin, or Fark, or WHEREVER) does not mean that one site "copied" from the other. No wonder you're getting Troll moderations.
If they've given you 2 weeks notice and you let them go straight away, you're spending the equivalent of 2 weeks wages to treat the risk they will.
Problem is, you haven't treated at all the risk that they've ALREADY done something malicious in between the time they decided to leave and the time they turned in their resignation notice.
I am a contractor now, having shunned full time work myself. Why? because it is my experience that companies are in it for themselves regardless of the impact the have for their employees.
That's funny, because as an IT decisionmaker at a company, I have shunned contractors. Why? because it is my experience that contractors are in it for themselves regardless of the impact the have for the company that's giving them money.
The Harry Fox Agency is the sole licensor of song lyrics worldwide, and saw lyrics.ch as unlicensed competition.
Now why in the world would they do that? Just because lyrics.ch was illegally distributing content to the public for which Harry Fox had an exclusive licensing agreement with the creators?
That's roughly equivalent to using GPL'd code in a commercial product without including the GNU Copyleft notice or providing access to source code. How many of you get hopping mad every time that happens?
Musicians are generally thought of as being cool people. But (I would hope) that they are getting rather uncomfortable being associated with these weirdo-goon squad from the RIAA.
I'm sorry, but you seem to be misinformed. There is no RIAA involvement here.
Warner/Chappell Music Ltd is not a record company, they are a music publishing company. They manage MECHANICAL copyright, i.e. lyrics and sheet music, rather than the phonographic copyright that RIAA member companies are involved with.
This is a scenario where the company actually IS acting on behalf of the artists and not the greedy middlemen. Whether artists were consulted before the company took action, or whether artists generally feel that the course of action was a wise one, I do not know.
Go visit your high school A/V department. If they're like most, they have a back room with a stack of overhead projection tablets that nobody uses anymore because they're 480x640.
I wish I went to high school where you did! I think the highest form of technology we had there at the time (10 years ago) was a laserdisc player that had been produced 15 years prior. One VGA projection tablet would have been amazing, much less a whole stack of them.
All of these are existant 'problems' blown WAY out of proportion.
Five people were killed and 17 more hospitalized by an intentionally-deployed bioterrorism agent, within the United States, and you think it was blown out of proportion?
Mullen: I once had grid resources through a Web application anonymously for a power company. Grid resource control, OK? SQL injection, hit that through an anonymous connection and I had grid resources for the State.
Just because he THOUGHT he had control of the grid doesn't necessarily mean he DID. Confirmation of that would have to come from the power company itself, and they're more likely to have him thrown in jail for pointing out a flaw than to validate his hacking efforts.
But in reality, yeah he probably did have access. Web developer stupidity truly does know no bounds.
The fact that someone is accused of something doesn't make it true.
And the fact that someone denies something doesn't make it untrue.
It is important for Ballmer's status and for Microsoft's value that he NOT be perceived as a chair-chucking lunatic. Why wouldn't he deny that it happened? AFAIK there's no penalty for lying about it.
At some point, all these files floating around for free on the net are going to start sounding pretty crappy, and the DRM files will be the only ones that will be the MUST HAVE rage.
I think you place too much importance on the general public's desire for Quality.
Yes, DVDs can provide a higher-quality audiovisual experience than VHS tapes. This doesn't mean much when people are still hooking up their players to their Plain Old TVs with a composite cable, and listening to the sound through the TV's 4-inch mono speaker.
DVD supplanted VHS because of convenience, not quality. DVDs don't need to be rewound. They're random-access. They take up less space and usually come with bonus features and content.
The industry has tried several times to sell a next-generation consumer audio format with higher quality -- DAT, DVD-Audio, SACD -- and invariably they've been relegated to small corners of the market. Oddly enough, the move from CDs to MP3s is a huge step BACK in quality. But the market doesn't mind, because MP3s offer far more CONVENIENCE. You can't carry 250 CDs with you in your pocket.
This is a great opportunity for a well-funded indie label to step up and fill the void
If they had the resources needed (not just funding, but also marketing channels and such) to step up and fill the void, they would not be an indie label.
Re:No one notices a well done security job...
on
Security's Shaky State
·
· Score: 2, Insightful
Keep in mind that many workplaces with managed email storage via Exchange or whatever have retention policies that will purge all emails older than 6 months or whatever, so if it's something you really think you'll need as evidence a year from now, make a hard copy.
Of course, this opens the door for them to say you violated retention policy and use that as an excuse to fire you, but that happens you can be assured that they place more value on winning the blame game than on succeeding in the industry. Small consolation as you're clicking through Monster.com every morning, I know, but you're almost certainly better off elsewhere anyway.
It's not a comment on the voracity [sic] of the page's content, but rather the freshness.
As anyone who's adminned a site that deals with bursts of high traffic can tell you, one way to speed up page serving is to remove dynamic content and replace it with static content to whatever extent possible.
Faced with a Slashdotting, it makes sense for Wikipedia to cache a static copy of the page and serve that for some interval. Most of the time, it won't matter to users if the content they see was actually rendered 10 minutes ago. At least they're nice enough to point this out, for the the benefit of those users to whom it DOES matter.
With a software deployment target as standardized as the Xbox 360, out-of-order execution of instructions is less important. The code can be optimized for universal best execution at the compiler.
Dropping OOE support also makes it MANY times easier to divide work among multiple cores.
[with RFID's] you'll have to scan an existing unsold item in the store and duplicate that tag onto your target item. This is going to be difficult and expensive
At first it will. But so was making a copy of a compact disc, at one point.
I doubt it will take more than fifteen years for a fast, cheap, portable method of masquerading RFID's to become available. Retailers better be planning ahead for a BIGGER board-with-a-nail-in-it, as their new weapon isn't going to work forever.
The biggest advantage to using RFID is not easier and more accurate scanning, it's that every item in the store now has a serial number and exists in the database.
It also means that instead of one row in the SKU table with an integer representing the quantity in stock, there is going to be one row in the SKU table joined to 10,000 rows in a new RFID table. Disk space requirements for data storage (and horsepower needs for running reports) are going to increase manyfold if tracking by unique RFID is implemented.
And where's the benefit? Does anyone care WHICH of the 10,000 boxes of paperclips got shoplifted?
I'm not sure why you seem to think it's only big-boxers that are aware of shrinkage and let it influence their pricing strategies. Any business large enough to track their inventory does this, from Wal-Mart to Waldenbooks to Winn-Dixie.
they are Wal-Marting a bunch of small local businesses like newspapers
Just yesterday Knight-Ridder announced that it was looking for buyers for its network of 30-odd newspapers across the U.S., with an asking price of $4 billion. On Monday, the FTC approved the pending merger of Village Voice and New Times Media, the two (and now one) largest weekly newspaper companies in the country.
Most newspapers that have survived up until now can hardly be said to be "small" or "local".
"The chances of it not being the right person or someone in that household are slim," said Stanley Pierre-Louis, senior vice president for legal affairs at the RIAA
I would like to thank Mr. Pierre-Louis for his public statement to the effect that their violation-finding tactics are not error-proof. It may come in handy for my defense should the RIAA ever (rightfully OR wrongfully) take me to court over alleged copyright violations.
This is exactly why I have a second unsecured access point in my apartment piped to the internet. Plausible denyabilty. Who know who's using it?
Your ISP has protected status as a common carrier. You, as an ISP customer running an unsecured access point, probably do not. I hope you're not planning for your "plausible deniability" scheme to save you in court when "you" get busted for downloading music, trafficking child pornography, plotting terrorist acts...
Slashdot Mirror
what if you have your web application accessing a MySQL database on a different server? Well, then you need to login to that MySQL database. The password is stored in your web app. When was the last time that password was updated? And that, in theory, is easy to do because the web app isn't compiled and it's stored in a single location.
This is the clearest example of the issue I have seen in this entire thread.
That web app's password to the DB should be changed periodically. Have the administrators make it a policy to change to a new password every six months, or any time there's evidence suggesting a compromise. Such a policy would be marginally more secure, but at the cost of only 10 minutes per year it's a justifiable effort.
No, its not news, its one of four Slashdot front page stories copied from Digg.
*sigh*
Just because a story was linked to from both Slashdot and Digg (or kuro5hin, or Fark, or WHEREVER) does not mean that one site "copied" from the other. No wonder you're getting Troll moderations.
No, not their data, just yours, if you used their resources for your own stuff.
YMMV, but every work agreement I've ever signed has stipulated that if I used company resources for something, it belonged to the company.
What I'd like to know is what didn't make the front page because this got posted instead?
Probably just another dupe, or possibly (in observance of the anniversary of Lennon's death) another beatles-beatles spambmission.
If they've given you 2 weeks notice and you let them go straight away, you're spending the equivalent of 2 weeks wages to treat the risk they will.
Problem is, you haven't treated at all the risk that they've ALREADY done something malicious in between the time they decided to leave and the time they turned in their resignation notice.
I am a contractor now, having shunned full time work myself. Why? because it is my experience that companies are in it for themselves regardless of the impact the have for their employees.
That's funny, because as an IT decisionmaker at a company, I have shunned contractors. Why? because it is my experience that contractors are in it for themselves regardless of the impact the have for the company that's giving them money.
The Harry Fox Agency is the sole licensor of song lyrics worldwide, and saw lyrics.ch as unlicensed competition.
Now why in the world would they do that? Just because lyrics.ch was illegally distributing content to the public for which Harry Fox had an exclusive licensing agreement with the creators?
That's roughly equivalent to using GPL'd code in a commercial product without including the GNU Copyleft notice or providing access to source code. How many of you get hopping mad every time that happens?
Musicians are generally thought of as being cool people. But (I would hope) that they are getting rather uncomfortable being associated with these weirdo-goon squad from the RIAA.
I'm sorry, but you seem to be misinformed. There is no RIAA involvement here.
Warner/Chappell Music Ltd is not a record company, they are a music publishing company. They manage MECHANICAL copyright, i.e. lyrics and sheet music, rather than the phonographic copyright that RIAA member companies are involved with.
This is a scenario where the company actually IS acting on behalf of the artists and not the greedy middlemen. Whether artists were consulted before the company took action, or whether artists generally feel that the course of action was a wise one, I do not know.
Go visit your high school A/V department. If they're like most, they have a back room with a stack of overhead projection tablets that nobody uses anymore because they're 480x640.
I wish I went to high school where you did! I think the highest form of technology we had there at the time (10 years ago) was a laserdisc player that had been produced 15 years prior. One VGA projection tablet would have been amazing, much less a whole stack of them.
All of these are existant 'problems' blown WAY out of proportion.
Five people were killed and 17 more hospitalized by an intentionally-deployed bioterrorism agent, within the United States, and you think it was blown out of proportion?
What about Cyber-sex?
That's the one case where it's a way for GEEKS to explain something that they don't in any way understand.
Mullen: I once had grid resources through a Web application anonymously for a power company. Grid resource control, OK? SQL injection, hit that through an anonymous connection and I had grid resources for the State.
Just because he THOUGHT he had control of the grid doesn't necessarily mean he DID. Confirmation of that would have to come from the power company itself, and they're more likely to have him thrown in jail for pointing out a flaw than to validate his hacking efforts.
But in reality, yeah he probably did have access. Web developer stupidity truly does know no bounds.
The fact that someone is accused of something doesn't make it true.
And the fact that someone denies something doesn't make it untrue.
It is important for Ballmer's status and for Microsoft's value that he NOT be perceived as a chair-chucking lunatic. Why wouldn't he deny that it happened? AFAIK there's no penalty for lying about it.
At some point, all these files floating around for free on the net are going to start sounding pretty crappy, and the DRM files will be the only ones that will be the MUST HAVE rage.
I think you place too much importance on the general public's desire for Quality.
Yes, DVDs can provide a higher-quality audiovisual experience than VHS tapes. This doesn't mean much when people are still hooking up their players to their Plain Old TVs with a composite cable, and listening to the sound through the TV's 4-inch mono speaker.
DVD supplanted VHS because of convenience, not quality. DVDs don't need to be rewound. They're random-access. They take up less space and usually come with bonus features and content.
The industry has tried several times to sell a next-generation consumer audio format with higher quality -- DAT, DVD-Audio, SACD -- and invariably they've been relegated to small corners of the market. Oddly enough, the move from CDs to MP3s is a huge step BACK in quality. But the market doesn't mind, because MP3s offer far more CONVENIENCE. You can't carry 250 CDs with you in your pocket.
This is a great opportunity for a well-funded indie label to step up and fill the void
If they had the resources needed (not just funding, but also marketing channels and such) to step up and fill the void, they would not be an indie label.
Keep in mind that many workplaces with managed email storage via Exchange or whatever have retention policies that will purge all emails older than 6 months or whatever, so if it's something you really think you'll need as evidence a year from now, make a hard copy.
Of course, this opens the door for them to say you violated retention policy and use that as an excuse to fire you, but that happens you can be assured that they place more value on winning the blame game than on succeeding in the industry. Small consolation as you're clicking through Monster.com every morning, I know, but you're almost certainly better off elsewhere anyway.
Why, then, the need for Template:High-traffic?
It's not a comment on the voracity [sic] of the page's content, but rather the freshness.
As anyone who's adminned a site that deals with bursts of high traffic can tell you, one way to speed up page serving is to remove dynamic content and replace it with static content to whatever extent possible.
Faced with a Slashdotting, it makes sense for Wikipedia to cache a static copy of the page and serve that for some interval. Most of the time, it won't matter to users if the content they see was actually rendered 10 minutes ago. At least they're nice enough to point this out, for the the benefit of those users to whom it DOES matter.
Is someone going to provide me with a free Windows machine and pay me for the inconvenience of running Windows instead of OS X if I use Picasa?
For the price of Aperture, you could buy a Windows machine and run all the free apps you want on it...
lets just agree that 3 Coors are better than two unless you're driving.
I disagree. Zero Coors is better than any positive integer of Coors, at all times.
You say "labotomized" [sic], I say "simplified".
With a software deployment target as standardized as the Xbox 360, out-of-order execution of instructions is less important. The code can be optimized for universal best execution at the compiler.
Dropping OOE support also makes it MANY times easier to divide work among multiple cores.
it would be kind of hard to walk out the store with an iPod under his jacket, wouldn't it now?
How so? Given that the actual price of the item he stole was $150, I will assume that it was a 1GB iPod shuffle. Those things are not exactly bulky.
[with RFID's] you'll have to scan an existing unsold item in the store and duplicate that tag onto your target item. This is going to be difficult and expensive
At first it will. But so was making a copy of a compact disc, at one point.
I doubt it will take more than fifteen years for a fast, cheap, portable method of masquerading RFID's to become available. Retailers better be planning ahead for a BIGGER board-with-a-nail-in-it, as their new weapon isn't going to work forever.
The biggest advantage to using RFID is not easier and more accurate scanning, it's that every item in the store now has a serial number and exists in the database.
It also means that instead of one row in the SKU table with an integer representing the quantity in stock, there is going to be one row in the SKU table joined to 10,000 rows in a new RFID table. Disk space requirements for data storage (and horsepower needs for running reports) are going to increase manyfold if tracking by unique RFID is implemented.
And where's the benefit? Does anyone care WHICH of the 10,000 boxes of paperclips got shoplifted?
(i call it shrinkage).
So does everyone else in the retail industry.
I'm not sure why you seem to think it's only big-boxers that are aware of shrinkage and let it influence their pricing strategies. Any business large enough to track their inventory does this, from Wal-Mart to Waldenbooks to Winn-Dixie.
they are Wal-Marting a bunch of small local businesses like newspapers
Just yesterday Knight-Ridder announced that it was looking for buyers for its network of 30-odd newspapers across the U.S., with an asking price of $4 billion. On Monday, the FTC approved the pending merger of Village Voice and New Times Media, the two (and now one) largest weekly newspaper companies in the country.
Most newspapers that have survived up until now can hardly be said to be "small" or "local".
"The chances of it not being the right person or someone in that household are slim," said Stanley Pierre-Louis, senior vice president for legal affairs at the RIAA
I would like to thank Mr. Pierre-Louis for his public statement to the effect that their violation-finding tactics are not error-proof. It may come in handy for my defense should the RIAA ever (rightfully OR wrongfully) take me to court over alleged copyright violations.
This is exactly why I have a second unsecured access point in my apartment piped to the internet. Plausible denyabilty. Who know who's using it?
Your ISP has protected status as a common carrier. You, as an ISP customer running an unsecured access point, probably do not. I hope you're not planning for your "plausible deniability" scheme to save you in court when "you" get busted for downloading music, trafficking child pornography, plotting terrorist acts...