Is this the kind of FUD we're going to come to expect from security focus now that they sold out
George Smith's article isn't FUD...Schimidt's comments are. But I agree, it will only be a matter of time...
OT: ISAPI filters in Apache
on
.NET for Apache
·
· Score: 1, Offtopic
I have a slightly offtopic question. In Apache's documentation, they note that they support (on Windows) ISAPI Extensions, but not ISAPI filters (such as that behind.asp). My stupid question: why is that? I am not an.asp fan, but if we could use ISAPI filters on Apache on Windows, I think there'd be a huge migration to Apache (although it would still be on Windows).
Thoughts on why this hasn't been pursued...or has it?
I apologize in advance for my utter lack of knowledge.;-)
The tech stocks killed themselves with the mantra of reinvesting 100% of profits.
I agree. Businesses now will focus much more on trying to generate and distribute profits, or at least should, rather than just trying to increase share value. People have becomed so interested in share value that they have forgotten about how to make money of stocks with dividends. I remember overhearing an octagenarian at a bakery one day, right at the height of the bubble, saying to his son: "I always go for stocks that pay a good dividend...it means the company knows its money well enough to be able to make a reasonable profit." And those profits are real enough to pay back to investors.
Please, lets all come to our senses and stop this craziness.
I love the way some people blame the American people, the shareholders, for this problem. No doubt, we are a fickle lot who demand growth at inappropriate times, and we sell at inappropriate times. But those are the breaks of a market, esp. when it appears the numbers in the market are crooked.
According to some, it's our fault for
this craziness. We should continue to be bullish on most companies--there are only a 'few bad apples' out there.
Problem is, the 'good apples' had to play the 'bad apples' game to benefit from the expanding bubble. They had to claim on TV that they believed we were in an economic world where 15-20% yearly growth was sustainable forever. They had to push accounting rules to the grey areas. When everyone is playing this game, all the books get cooked, even if the CEOs are not doing so for personal enrichment.
So now, the market is finding its place in a turbulent time. Blame investors? Please!
I understand your 'problem'--like most working Americans, you hold decent and honest values, and expect the best of others! We don't like to think we live in a world where our 'superiors' are corrupt.
I can't believe that it's sleezy business becuase if it was just sleezy business then someone more sleezy would rat them out for blackmail or political reasons. Or someone honest would say something.
Let's look at the scenarios you present:
1) Why don't competitors rat out sleazy businesses? Because like any snitch, you run the risk of being shoved out of the biz altogether. Business is buddy-buddy. In an environment of loose regulation and enforcement, ratting only gets the rat in trouble.
2) Why doesn't someone honest say something? Honest people have been saying these things about businesses for a long time. Read the more 'fringe' magazines like The Nation. There are always doomsayers and critics, but in good times no one listens to them. The Ides of March? Finally, whistleblowers almost always get in trouble, even if offered some sort of protection. Follow the case of any whistleblower...in two years they most likely are charged with something 'unrelated' or are removed from their respective industry. If you blow the whistle, your life in that industry is over.
The things that happend at Loki are the same types of things happening at WorldCom or Qwest, just on a smaller scale.
Here I don't agree with you...Loki really was just like most small businesses, which fail in their first few years. They may have inflated numbers (I don't know if they did or not), but their demise was like that of most small businesses. You do need to be fair to employees, but on the other hand in a small business you have to expect that you are living month to month, even when times are good. Large businesses have a greater ability to hedge against hard times, but sometimes crooked management will instead use that power to hedge themselves against hard times.
We had zi small problem witz one of our computerz. But now we've rezetet it and everything seemz to be OK.
Heh, this happened to a friend of mine. He said that Airbus is more reliant on computers for some functions than other manufacturers...in his case they could not start the engine until they rebooted the computer. Needless to say, he didn't feel entirely assured about the safety of his flight.
That all said, I'm not aware of any reboots being responsible for aviation disasters.
Hotfixes by nature are not fully regression tested. This means that there is a possibility for errors even if you follow guidelines.
I agree, I have not had problems with the hotfixes...but several hotfixes have been re-released because of incompatibilities, etc.
When your developers are not that educated however, perhaps they use dirty tricks which will break when a hotfix is applied
Puh-lease! I agree that developers are prone to assuming bad things...but you just wait, eventually you, too, will be bitten by a bad hotfix, no matter how smart you are.
Re:Why is this an unusual occurrence?
on
Forbes on Linux
·
· Score: 3, Interesting
where are all the open source Linux companies that are currently truely making a profit
I think that the viable options are for the companies that use the software. For example, the option to use Linux for an OS on a server is cool: no forced upgrades, no unneeded bells and whistles. For PostgreSQL or MySQL: no having to pay more in licenses just because your user base or usage has increased. Etc.
P.S. I hope you didn't get flamed, it is a good question.
Re:Linux not just for geeks anymore
on
Forbes on Linux
·
· Score: 1
[From article:]...Linux still has a long way to go before being widely used in "back-end" applications like databases and enterprise resource planning.
There's nothing like seeing a bunch of tech managers sitting around after eating turkey sandwiches, saying 'ERP!'
Sorry. But seriously, don't a lot of people use Linux for databases? Definitely Linux/MySQL is used quite a bit on the web (although perhaps it is still not a large percentage). SO much more stable than NT/2K (particularly if the machine needs to run other services).
These days if I'm looking at setting up a database, I am more likely than not to set up MySQL/PostgreSQL/Oracle on Linux.
Re:Why is this an unusual occurrence?
on
Forbes on Linux
·
· Score: 3, Insightful
However, what Linux has proved, more than anything else, is not that Linux is a viable OS, but, far more importantly, that Open Source developments are a viable option for companies these days.
I totally agree. In my last project for a large financial services company, I was looking for some third-party libraries for use in our application. After conducting some research, I found an open-source solution which just blew away the alternatives.
I was a little concerned at the beginning of the project that people would be fearful of my recommendation--that they'd be afraid we'd have to reveal all our sources, or that our code would be more prone to exploits because of the open-source library.
I did spend extra time making sure that the licenses matched our corporate policies, which they did. And I was very surprised, just yesterday a guy who was reviewing the project was particularly pleased we had used open-source software--not because he was a zealot, but because he understood the drawbacks of black-box software and nasty licenses.
Linux and Apache are the two best-known systems which have caused people to understand open-source software. Thanks to everyone involved.
P.S. The libraries we used in the project have worked wonders. Seriously, the commercial 'peers' were completely unreliable and hard to use, all for thousands of dollars more!
As for the person who wrote the article, it seemed only his argument about fonts was actually relevant to the desktop environment...most of it could be classified under 'trying to install and muck with things without knowledge.' This doesn't mean he's an idiot or that he's wrong, but that he, like a lot of computer guys I know, are 'weekend' Linux guys who try to tweak too much, without knowing what they are doing. This will forever be a problem for a system that allows an admin to make such significant changes to the system. These guys, smart as they are, may have a bad experience because they destabilized their system...and thus think that somehow Linux is not stable or hard to set up.
Furthermore most of the complaints from the guy about his experience would be accommodated by using a 'standard install' such as most organizations already do (usually corporate users don't install their own display drivers).
My personal experience has been that it takes less than half the time to install a Linux system from scratch, largely due to the reduced number of reboots, and due to the ease of driver installation.
Side note: My mom just bought XP and really dislikes it...worse than 95, worse than NT. Ironically enough, this is because of XP driver compatibility issues. XP has a number of different requirements of vendors for their drivers, all of which slows down driver release time. The result of this is that end users (right now) often try to install drivers, only to have XP carp at them and tell them that HORRIBLE THINGS MIGHT HAPPEN becaue the drivers haven't been signed by MS, or alternately because they do not use the XP interface. By clamping further down on drivers, MS has actually made the driver install situation appear worse and more complex to users. Compare with various Linux packages. To date I haven't had hardware that hasn't shown up during my Linux install, and once it's set up I don't have problems.
The only problem with an air filter is that it must be cleaned regularly or it will cause the problem you are seeking to avoid, overheating to due lack of airflow.
Exactly. It is actually better to leave large holes big enough to create dust bunnies...they are less likely to cause problems than an uncleaned filter. How many common users would remember to clean their filter? Leave a little room for the bunnies, and your computer should last for years under normal conditions.
I'm glad that his dad supports him in his scientific endeavors...but...his dad is in every article posted about him...interesting.
His dad is most likely very intelligent, but a bit of a spin-meister:
"Jason is so far outside of the box with his thinking that he can't find the box..."
Puleeze!
Good luck with the research...but there are a number of PRNGs out there already. Sounds like Jr. has learned a thing or two about how to spin a story from his dad...
I can't disclose the details of my new patented idea for what I know is an unbreakable encryption algorithm, but I will describe my research.
I was sitting outside and saw all the blades of grass swaying in the wind before me. I noticed how some were shorter than others, and that they actually didn't all have the exact same color. I thought if I assigned a number to each of these and several other characteristics, I'd be well on my way to unbreakable encryption.
My dad used to be a pretty famous rodeo clown in the 60s and an alumnus of the college I'm attending, so when I approached the board of trustees for approval for my research, they were ecstatic! They gave me $20,000 to conduct my research. Now I will be busy all summer observing the grass swaying in the wind. I plan to have a prototype ready at some point, I hope.
Microsoft...just doesn't have the credibility...to make this draconian Palladium/Trustworthy Computing progrom work.
I agree, and it will only get worse for MS if they actually implement Palladium. They are making public claims that may sound to the common user that they are improving security. However, the first major virus or worm that strikes a user/organization on their new Palladium computers will baffle them. "How did this worm run on my box...I thought it could only run signed code!" Signed code will not stop signed programs, e.g. IIS, from having flaws that will cause it to perform 'unintended operations'. Finally, even unsigned programs could still turn your box into a zombie...even if it can't access your CD-R.
Sheep are sheep, but you can't drive them over a cliff.
Unless you believe Thomas Hardy in Far From the Madding Crowd (I think).;-) Sorry, English major joke.
I don't know why I'm responding to your inarticulate flame.
First of all, my original post actually was talking about how PHP can be good for many reasons, but whatever...
Well this is mostly a lie...ODBC and ADO are libraries.
Oy.
Yes, ODBC, ADO and JDBC are libraries. Libraries make it really easy to take your code and port it from database A to database B, which is actually a good and common thing. I do this frequently. Frankly, in my line of work it's a good way to move organizations off of dependencies (like porting away from SQL Server)...they make it easy to run the database in SQL Server, Sybase, Oracle, Postgres...etc. It's not actually that hard to port mid-sized apps to different databases. The fact is that in PHP the built-in functions do not have similar calls (by name or in their function) between different databases...this is a good thing OR a bad thing, depending on how you look at it. That was the point of my original post.
If you are hack then all you are going to do is small sites anyway (and bad ones at that). The fact remains that there are some HUGE sites that use php.
Goodness. Where did you learn to communicate? Insult what you do not know? Oh, wait, this is Slashdot. I'll go tell all the people for whom I built useful, profitable sites that I was called a 'hack' and have been demoted to making bad, small sites.
Maybe you ought to look into some of the more advanced aspects of it.
I agree, obviously some large sites have used it, true of pretty much any technology. I will look more at PHP, although if most developers are as ire-ridden as you I doubt I'll join that community.
Although your point is a little vague, it seems to mean 'tough sh*t, consumers couldn't cough up for bandwidth.'
You're playing into a common fallacy, which is that the only reason a company can go broke is if they didn't have enough demand. Well...actually businesses go broke for many reasons. Businesses make decisions outside of demand that affect their health. Particularly in a more monopolistic situation, it is hard to argue that there's a sufficient market to distribute the risk of bad decision-making.
For example, maybe they thought the bandwidth need was going to be 50% greater than it was, and though they could accommodate 100% of the traffic profitably, they scaled their business out of reach and it came down like a heap of bricks. In that situation, the demand could have been met profitably, but bad decisions caused them to fail completely--regardless of ability to meet demand, or for customers to pay.
By un-portable, I meant somewhat inelegantly that you can't port your code to different databases without serious rework because there's no database abstraction. Definitely, you're right that it runs on more platforms than ASP does (don't cry to me about ChiliSoft...it's a load of crap)!
As for using it to do command line/desktop apps...I suppose I hardly consider it a good language, for the same reason as above (no true abstraction) and the fact that it's really just a scripting language intended for web servers. If someone told me they'd built their desktop app in PHP I'd be concerned that they were just a web hack who couldn't be bothered to learn a more appropriate language.
Finally, yes, we agree about the smaller site use for PHP. I suppose the only reason I brought that up is that I've met with a number of zealots who try to convince me that all sites should be written in PHP--and often a sentiment on Slashdot.
Me too. I uninstalled PHP a while back. The database-specific functions exemplify what is both good and bad about PHP.
BAD: Nothing is really object-oriented. Code is completely un-portable. PHP code is useless in other environments like binary or batch development (unlike Java, VB, C++, etc...and no whining about how someone's made a PHP->binary compiler...it ain't the same.)
GOOD: Nothing is really object oriented. Each of the modules (one hopes) is stripped down and about as fast as possible. In the case of database access, you're opening native connections directly the database instead of wading through ADO/ODBC/JDBC or any of the other things that abstracts your access. Another example, mailing functions...works DAMN well, and is as simple as can be (ASP, Java obviously can do it...but) from both a programming and functional standpoint.
So I suppose I'd use PHP if I had a moderately small site that I wanted to use for a fairly specific purpose, one that once I'd built I wouldn't have the time to port to something else anyway. However, if the site was something that would be maintained by a large number of people, over a long period of time, and have to integrate with a variety of databases and such, I sadly wouldn't consider PHP for a second.
There are a couple of facts you need to know about these kinds of ISAPI attacks. First, you generally don't need to have an actual script on your server for the flawed ISAPI code to be invoked. Typically you can just refer to a bogus file with the correct extension associated with the filter. This was true of the.ida hacks. This means that you may think that as long as you don't 'use' a technology that someone can't exploit it. Unfortunately, you actually have to completely disassociate the ISAPI filter from any referring extensions (this is what the lockdown tool does).
One problem is that some of the feature-rich applications, such as Outlook Web Access (OWA) seem to like to have pretty much EACH AND EVERY ONE of these filters activated. My belief is that MS wanted to 'show off' all the different features, such as Index Server and what-not in OWA, but the result was that you couldn't remove the ISAPI associations.
Also, the reason it's a problem is because internet worms feed off the weakest-links--and from doing about eight years of internet applications, I can roughly guess that public IIS server maintenance breaks into the following categories:
50% are essentially unmaintained (co-located, etc.)
40% are maintained at a simple level (patches are applied)
10% are actually monitored and moderately protected
Sorry, I hate guesswork numbers, but that's probably about right. If that's even roughly correct, then I'd imagine that about 50-60% of these machines will still be vulnerable within the next few months...waiting for another worm to come along and impolitely remind people to patch their servers.
OK, yes, you've covered all the sysadmin geeky things you can do for file backup.
But there's something much more important in the long run. (Granted my following point is about document retention, not just 'backups.')
Keep REALLY GOOD PAPER RECORDS! Seriously, most of your users' most valuable information is in some simple document form. Documents they wrote up for customers. Financial documents. Have an appropriate person (lackey, with operations manager supervision) collect the most valuable documents, make sure they're printed and filed in triple, and send them off to Iron Mountain and two other safe places.
We'd love to think that digital media is the most portable, flexible, yadda yadda. Well, it is...sorta. But it's also quite fragile. Sadly, there probably WILL be Word 97 translators out there in the year 2020...but they'll probably be sorta crappy. Paper records are really quite valuable.
Oh, and you think 2020 is far off? Ever do legal research? Read up on deeds and stuff? Documents need to last a long time.
Now I'm not saying that reselling books is evil, immoral, or illegal. But it does have a potentially negative effect on the book industry, and I believe there's a good chance that that negative effect will get transferred back to the consumer.
Is this post a joke? Most writers actually do not make the majority of money from writing. And most published writers make hardly any money at all (a few thousand for a book). Believe me, there is a very, very small number that actually write and make a living at it.
Writers write because they love writing. Even the grocery-store authors did it largely for the experience of writing, even if now they write to line their coffers. If you think the literary community is fueled by writers whose purpose is to make money, boy, do I have a bridge to show you!
If you serve software as source...use CVS and check your distributed source frequently, to ensure that there are not changes.
There's a charge that if you distribute source from your site that it's a security risk because someone can hack your site and insert malware. Yep, that's true. Exact same thing for binaries, though.
And it is true that people don't check hashes and signatures frequently...so what do ya do?
Well, use CVS and make sure that your distribution matches your latest approved rev. I keep all source in CVS and definitely would notice if either the dist had changed, or if someone had committed a strange new revision with 'rm -rf *' somewhere in it!
Wouldn't help the sucker who downloaded the infected software...but again the same can be said of infected binaries.
Bolo rocked. I was just raving about it to a friend the other day.
Best part of the game...the little guy would be out on a job, get whacked, and cry out 'Ooogh! They got me!' Then you'd have to wait, and PROTECT his landing zone if you wanted to see him anytime soon.
Elaborate base defenses, dangerous alliances, and yet simple to play...it ruled. Sh*t, now I wanna play!
Slashdot Mirror
George Smith's article isn't FUD...Schimidt's comments are. But I agree, it will only be a matter of time...
Thoughts on why this hasn't been pursued...or has it?
I apologize in advance for my utter lack of knowledge. ;-)
I agree. Businesses now will focus much more on trying to generate and distribute profits, or at least should, rather than just trying to increase share value. People have becomed so interested in share value that they have forgotten about how to make money of stocks with dividends. I remember overhearing an octagenarian at a bakery one day, right at the height of the bubble, saying to his son: "I always go for stocks that pay a good dividend...it means the company knows its money well enough to be able to make a reasonable profit." And those profits are real enough to pay back to investors.
I love the way some people blame the American people, the shareholders, for this problem. No doubt, we are a fickle lot who demand growth at inappropriate times, and we sell at inappropriate times. But those are the breaks of a market, esp. when it appears the numbers in the market are crooked.
According to some, it's our fault for this craziness. We should continue to be bullish on most companies--there are only a 'few bad apples' out there.
Problem is, the 'good apples' had to play the 'bad apples' game to benefit from the expanding bubble. They had to claim on TV that they believed we were in an economic world where 15-20% yearly growth was sustainable forever. They had to push accounting rules to the grey areas. When everyone is playing this game, all the books get cooked, even if the CEOs are not doing so for personal enrichment.
So now, the market is finding its place in a turbulent time. Blame investors? Please!
I can't believe that it's sleezy business becuase if it was just sleezy business then someone more sleezy would rat them out for blackmail or political reasons. Or someone honest would say something.
Let's look at the scenarios you present:
1) Why don't competitors rat out sleazy businesses? Because like any snitch, you run the risk of being shoved out of the biz altogether. Business is buddy-buddy. In an environment of loose regulation and enforcement, ratting only gets the rat in trouble.
2) Why doesn't someone honest say something? Honest people have been saying these things about businesses for a long time. Read the more 'fringe' magazines like The Nation. There are always doomsayers and critics, but in good times no one listens to them. The Ides of March? Finally, whistleblowers almost always get in trouble, even if offered some sort of protection. Follow the case of any whistleblower...in two years they most likely are charged with something 'unrelated' or are removed from their respective industry. If you blow the whistle, your life in that industry is over.
The things that happend at Loki are the same types of things happening at WorldCom or Qwest, just on a smaller scale.
Here I don't agree with you...Loki really was just like most small businesses, which fail in their first few years. They may have inflated numbers (I don't know if they did or not), but their demise was like that of most small businesses. You do need to be fair to employees, but on the other hand in a small business you have to expect that you are living month to month, even when times are good. Large businesses have a greater ability to hedge against hard times, but sometimes crooked management will instead use that power to hedge themselves against hard times.
Heh, this happened to a friend of mine. He said that Airbus is more reliant on computers for some functions than other manufacturers...in his case they could not start the engine until they rebooted the computer. Needless to say, he didn't feel entirely assured about the safety of his flight.
That all said, I'm not aware of any reboots being responsible for aviation disasters.
I agree, I have not had problems with the hotfixes...but several hotfixes have been re-released because of incompatibilities, etc.
When your developers are not that educated however, perhaps they use dirty tricks which will break when a hotfix is applied
Puh-lease! I agree that developers are prone to assuming bad things...but you just wait, eventually you, too, will be bitten by a bad hotfix, no matter how smart you are.
I think that the viable options are for the companies that use the software. For example, the option to use Linux for an OS on a server is cool: no forced upgrades, no unneeded bells and whistles. For PostgreSQL or MySQL: no having to pay more in licenses just because your user base or usage has increased. Etc.
P.S. I hope you didn't get flamed, it is a good question.
There's nothing like seeing a bunch of tech managers sitting around after eating turkey sandwiches, saying 'ERP!'
Sorry. But seriously, don't a lot of people use Linux for databases? Definitely Linux/MySQL is used quite a bit on the web (although perhaps it is still not a large percentage). SO much more stable than NT/2K (particularly if the machine needs to run other services).
These days if I'm looking at setting up a database, I am more likely than not to set up MySQL/PostgreSQL/Oracle on Linux.
I totally agree. In my last project for a large financial services company, I was looking for some third-party libraries for use in our application. After conducting some research, I found an open-source solution which just blew away the alternatives.
I was a little concerned at the beginning of the project that people would be fearful of my recommendation--that they'd be afraid we'd have to reveal all our sources, or that our code would be more prone to exploits because of the open-source library.
I did spend extra time making sure that the licenses matched our corporate policies, which they did. And I was very surprised, just yesterday a guy who was reviewing the project was particularly pleased we had used open-source software--not because he was a zealot, but because he understood the drawbacks of black-box software and nasty licenses.
Linux and Apache are the two best-known systems which have caused people to understand open-source software. Thanks to everyone involved.
P.S. The libraries we used in the project have worked wonders. Seriously, the commercial 'peers' were completely unreliable and hard to use, all for thousands of dollars more!
Yeah, I agree with RainboxSix on his points.
As for the person who wrote the article, it seemed only his argument about fonts was actually relevant to the desktop environment...most of it could be classified under 'trying to install and muck with things without knowledge.' This doesn't mean he's an idiot or that he's wrong, but that he, like a lot of computer guys I know, are 'weekend' Linux guys who try to tweak too much, without knowing what they are doing. This will forever be a problem for a system that allows an admin to make such significant changes to the system. These guys, smart as they are, may have a bad experience because they destabilized their system...and thus think that somehow Linux is not stable or hard to set up.
Furthermore most of the complaints from the guy about his experience would be accommodated by using a 'standard install' such as most organizations already do (usually corporate users don't install their own display drivers).
My personal experience has been that it takes less than half the time to install a Linux system from scratch, largely due to the reduced number of reboots, and due to the ease of driver installation.
Side note: My mom just bought XP and really dislikes it...worse than 95, worse than NT. Ironically enough, this is because of XP driver compatibility issues. XP has a number of different requirements of vendors for their drivers, all of which slows down driver release time. The result of this is that end users (right now) often try to install drivers, only to have XP carp at them and tell them that HORRIBLE THINGS MIGHT HAPPEN becaue the drivers haven't been signed by MS, or alternately because they do not use the XP interface. By clamping further down on drivers, MS has actually made the driver install situation appear worse and more complex to users. Compare with various Linux packages. To date I haven't had hardware that hasn't shown up during my Linux install, and once it's set up I don't have problems.
Me too.
Exactly. It is actually better to leave large holes big enough to create dust bunnies...they are less likely to cause problems than an uncleaned filter. How many common users would remember to clean their filter? Leave a little room for the bunnies, and your computer should last for years under normal conditions.
His dad is most likely very intelligent, but a bit of a spin-meister:
"Jason is so far outside of the box with his thinking that he can't find the box..."
Puleeze!
Good luck with the research...but there are a number of PRNGs out there already. Sounds like Jr. has learned a thing or two about how to spin a story from his dad...
I was sitting outside and saw all the blades of grass swaying in the wind before me. I noticed how some were shorter than others, and that they actually didn't all have the exact same color. I thought if I assigned a number to each of these and several other characteristics, I'd be well on my way to unbreakable encryption.
My dad used to be a pretty famous rodeo clown in the 60s and an alumnus of the college I'm attending, so when I approached the board of trustees for approval for my research, they were ecstatic! They gave me $20,000 to conduct my research. Now I will be busy all summer observing the grass swaying in the wind. I plan to have a prototype ready at some point, I hope.
I agree, and it will only get worse for MS if they actually implement Palladium. They are making public claims that may sound to the common user that they are improving security. However, the first major virus or worm that strikes a user/organization on their new Palladium computers will baffle them. "How did this worm run on my box...I thought it could only run signed code!" Signed code will not stop signed programs, e.g. IIS, from having flaws that will cause it to perform 'unintended operations'. Finally, even unsigned programs could still turn your box into a zombie...even if it can't access your CD-R.
Sheep are sheep, but you can't drive them over a cliff.
Unless you believe Thomas Hardy in Far From the Madding Crowd (I think). ;-) Sorry, English major joke.
First of all, my original post actually was talking about how PHP can be good for many reasons, but whatever...
Oy.Yes, ODBC, ADO and JDBC are libraries. Libraries make it really easy to take your code and port it from database A to database B, which is actually a good and common thing. I do this frequently. Frankly, in my line of work it's a good way to move organizations off of dependencies (like porting away from SQL Server)...they make it easy to run the database in SQL Server, Sybase, Oracle, Postgres...etc. It's not actually that hard to port mid-sized apps to different databases. The fact is that in PHP the built-in functions do not have similar calls (by name or in their function) between different databases...this is a good thing OR a bad thing, depending on how you look at it. That was the point of my original post.
Goodness. Where did you learn to communicate? Insult what you do not know? Oh, wait, this is Slashdot. I'll go tell all the people for whom I built useful, profitable sites that I was called a 'hack' and have been demoted to making bad, small sites. I agree, obviously some large sites have used it, true of pretty much any technology. I will look more at PHP, although if most developers are as ire-ridden as you I doubt I'll join that community.Although your point is a little vague, it seems to mean 'tough sh*t, consumers couldn't cough up for bandwidth.'
You're playing into a common fallacy, which is that the only reason a company can go broke is if they didn't have enough demand. Well...actually businesses go broke for many reasons. Businesses make decisions outside of demand that affect their health. Particularly in a more monopolistic situation, it is hard to argue that there's a sufficient market to distribute the risk of bad decision-making.
For example, maybe they thought the bandwidth need was going to be 50% greater than it was, and though they could accommodate 100% of the traffic profitably, they scaled their business out of reach and it came down like a heap of bricks. In that situation, the demand could have been met profitably, but bad decisions caused them to fail completely--regardless of ability to meet demand, or for customers to pay.
To start out with, I appreciate the comments.
By un-portable, I meant somewhat inelegantly that you can't port your code to different databases without serious rework because there's no database abstraction. Definitely, you're right that it runs on more platforms than ASP does (don't cry to me about ChiliSoft...it's a load of crap)!
As for using it to do command line/desktop apps...I suppose I hardly consider it a good language, for the same reason as above (no true abstraction) and the fact that it's really just a scripting language intended for web servers. If someone told me they'd built their desktop app in PHP I'd be concerned that they were just a web hack who couldn't be bothered to learn a more appropriate language.
Finally, yes, we agree about the smaller site use for PHP. I suppose the only reason I brought that up is that I've met with a number of zealots who try to convince me that all sites should be written in PHP--and often a sentiment on Slashdot.
Me too. I uninstalled PHP a while back. The database-specific functions exemplify what is both good and bad about PHP.
BAD: Nothing is really object-oriented. Code is completely un-portable. PHP code is useless in other environments like binary or batch development (unlike Java, VB, C++, etc...and no whining about how someone's made a PHP->binary compiler...it ain't the same.)
GOOD: Nothing is really object oriented. Each of the modules (one hopes) is stripped down and about as fast as possible. In the case of database access, you're opening native connections directly the database instead of wading through ADO/ODBC/JDBC or any of the other things that abstracts your access. Another example, mailing functions...works DAMN well, and is as simple as can be (ASP, Java obviously can do it...but) from both a programming and functional standpoint.
So I suppose I'd use PHP if I had a moderately small site that I wanted to use for a fairly specific purpose, one that once I'd built I wouldn't have the time to port to something else anyway. However, if the site was something that would be maintained by a large number of people, over a long period of time, and have to integrate with a variety of databases and such, I sadly wouldn't consider PHP for a second.
There are a couple of facts you need to know about these kinds of ISAPI attacks. First, you generally don't need to have an actual script on your server for the flawed ISAPI code to be invoked. Typically you can just refer to a bogus file with the correct extension associated with the filter. This was true of the .ida hacks. This means that you may think that as long as you don't 'use' a technology that someone can't exploit it. Unfortunately, you actually have to completely disassociate the ISAPI filter from any referring extensions (this is what the lockdown tool does).
One problem is that some of the feature-rich applications, such as Outlook Web Access (OWA) seem to like to have pretty much EACH AND EVERY ONE of these filters activated. My belief is that MS wanted to 'show off' all the different features, such as Index Server and what-not in OWA, but the result was that you couldn't remove the ISAPI associations.
Also, the reason it's a problem is because internet worms feed off the weakest-links--and from doing about eight years of internet applications, I can roughly guess that public IIS server maintenance breaks into the following categories:
- 50% are essentially unmaintained (co-located, etc.)
- 40% are maintained at a simple level (patches are applied)
- 10% are actually monitored and moderately protected
Sorry, I hate guesswork numbers, but that's probably about right. If that's even roughly correct, then I'd imagine that about 50-60% of these machines will still be vulnerable within the next few months...waiting for another worm to come along and impolitely remind people to patch their servers.OK, yes, you've covered all the sysadmin geeky things you can do for file backup.
But there's something much more important in the long run. (Granted my following point is about document retention, not just 'backups.')
Keep REALLY GOOD PAPER RECORDS! Seriously, most of your users' most valuable information is in some simple document form. Documents they wrote up for customers. Financial documents. Have an appropriate person (lackey, with operations manager supervision) collect the most valuable documents, make sure they're printed and filed in triple, and send them off to Iron Mountain and two other safe places.
We'd love to think that digital media is the most portable, flexible, yadda yadda. Well, it is...sorta. But it's also quite fragile. Sadly, there probably WILL be Word 97 translators out there in the year 2020...but they'll probably be sorta crappy. Paper records are really quite valuable.
Oh, and you think 2020 is far off? Ever do legal research? Read up on deeds and stuff? Documents need to last a long time.
Is this post a joke? Most writers actually do not make the majority of money from writing. And most published writers make hardly any money at all (a few thousand for a book). Believe me, there is a very, very small number that actually write and make a living at it.
Writers write because they love writing. Even the grocery-store authors did it largely for the experience of writing, even if now they write to line their coffers. If you think the literary community is fueled by writers whose purpose is to make money, boy, do I have a bridge to show you!
If you serve software as source...use CVS and check your distributed source frequently, to ensure that there are not changes.
There's a charge that if you distribute source from your site that it's a security risk because someone can hack your site and insert malware. Yep, that's true. Exact same thing for binaries, though.
And it is true that people don't check hashes and signatures frequently...so what do ya do?
Well, use CVS and make sure that your distribution matches your latest approved rev. I keep all source in CVS and definitely would notice if either the dist had changed, or if someone had committed a strange new revision with 'rm -rf *' somewhere in it!
Wouldn't help the sucker who downloaded the infected software...but again the same can be said of infected binaries.
Bolo rocked. I was just raving about it to a friend the other day.
Best part of the game...the little guy would be out on a job, get whacked, and cry out 'Ooogh! They got me!' Then you'd have to wait, and PROTECT his landing zone if you wanted to see him anytime soon.
Elaborate base defenses, dangerous alliances, and yet simple to play...it ruled. Sh*t, now I wanna play!