I have the manual abilities of a gorilla, so hardware has not been my thing. I did my share of hardware as a kid: I built an FM radio transmitter (and operated my own unlicensed pirate FM station transmitting to, like, half a block) and my own stink bomb using hydrochloric acid, wrote my first computer game at age 11 (a text-based adventure) and my first 2D graphics game shortly after that. As a teen / young adult the stuff I am proud of is more on the software side: a serial port text chat and file transfer program between an Amiga and a PC, some cool 2D demos on the Amiga and PC, LOTS of electronic music on the Amiga, a small Beowulf cluster I built at college, and "inventing" XML as a way to serialize objects in files before I knew XML existed.
What I have realized is that my creativity has been declining with time. That, or my ability to be amazed by my own "inventions".
I am not kidding, "we don't support debian" were the HP representative's words, not mine.
Debian is great; we have been running it on our servers for some years now and we will not be changing it for a while. The downside is there is virtually no support from the server manufacturers for it. We just got our bright new IBM server, and the RAID monitoring tools that come on the CD are for Red Hat and SUSE. We managed to run the tools anyway, but a few extra steps had to be taken.
The same thing happened when installing it on some Dell servers a while ago for some other company: OMSA is a bit tricky to set up on Debian. At least trickier than using the provided RPM with Red Hat.
Moral of the story is, have a "Debian wiz" on the team if you are going to use Debian. I guess you should have a "Red Hat wiz" or "SUSE wiz" if using any of them anyway, but at least the software provided will install with "rpm -i" flawlessly even if you don't.
For starters, UNAM, the largest university in Mexico, has its institute of astronomy here.
There are lots of observatories around Mexico; it seems they like astronomy because of all that pre-Hispanic tradition. Anyway, I live in Mexico and this telescope was big news last night. The name in Spanish is "Gran Telescopio Milimétrico", which translates better (IMO) to "Great Millimetric Telescope".
Then your program needs to be aware of LDAP, SQL, XML and XPath syntax. Validating user input, as in using regular expressions, will protect you from "FutureML" injection attacks without needing to know how "FutureML" will work. In my opinion validating user input IS the correct way of doing it.
I think the problem here is the "language" barrier between IT people and management. As you state, the topmost manager will be thinking revenue, profit, expenses, while the IT manager will be thinking crackers, virii, spyware, worms, failing hardware, etc. I firmly believe that it is the IT manager's responsibility to translate from "0-day exploit", "broken TBU" and "expired antivirus licenses" to "loss of revenue", "smaller profit" and "increased expenses". I have tried doing this and guess what... it works.
I was very happy with the pre copy-protection scheme. I like owning the "original" plastic disc with the artwork and lyrics but i also like the ability to rip the music so i can play it at the time and on the device of MY choice.
This is really a great idea for enterprise environments, but what about joe home user?
...and generally playing nice with the OSS crowd.
Yes, but for how long?
VMware and others have not emulated the TPM chip, so this would break MS DRM.
From the license for ultimate:
6. USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the
licensed device within a virtual (or otherwise emulated) hardware system on the licensed device. If
you do so, you may not play or access content or use applications protected by any Microsoft digital,
information or enterprise rights management technology or other Microsoft rights management
services or use BitLocker. We advise against playing or accessing content or using applications
protected by other digital, information or enterprise rights management technology or other rights
management services or using full volume disk drive encryption.
Where I work we switched to Thunderbird as the official client starting with version 1.0. I would have heard of any complaints, since we have it installed on 300 machines for 400 users. We use IMAP instead of POP; probably this is why.
When we switched (from O&OE to Thunderbird 1.0) we had lots of complaints caused by the differences between the two clients, but no lost email yet. What really helped us win the users was the "junk mail" feature. Now everybody is using it, manages their external contacts in it, creates their vCards and signatures, etc.
Overall, switching from Outlook and OE to Thunderbird was a great decision.
There was a poster from Cisco once that showed a flying saucer and had the legend: "If they have a computer on board we can communicate with them". You mean it was false advertising?
SOAP: Simple Object Access Protocol www.w3c.org/TR/soap, an object access protocol
:)
XML: Extensible Markup Language www.w3c.org/XML, a markup language
SAX: Simple API for XML, an API for accessing XML
AJAX: Asynchronous JavaScript And XML, a BUZZWORD
WEB2.0: a BUZZWORD
XMLHTTPRequestObject: an object to post (or handle) XML requests made over HTTP (core of AJAX).
RSS: Really Simple Syndication, a protocol(?) for aggregating web content.
Not all acronyms are buzzwords - N.A^3.B
Prepared statements are not exclusive to Perl. VB, Java, and I believe PHP have those too. Writing secure software is not easy because of the developers' culture, not because developers don't know how to use prepared statements. Most of the inexperienced developers (or lousy experienced ones) who write web applications don't even know how the HTTP protocol works.
I did read the article. And I never said that all SQL injection is entirely the fault of the vb+sql coders.
I was stating that in my experience, lots of developers that used the vb+sql client-server paradigm in the mid-90's coded without giving a rat's ass about security. Those developers learned from books that showed them how easy it was to code with VB by ignoring the security implications. After all, the market was hungry for vb coders and people would pick the thinner of the books that promised them that they would be coding vb in 24 hours or less. And this was "acceptable" for the small business LAN. The problem is that the same developers have migrated to a much more hostile environment, the internet, and are carrying with them the same ways of doing things.
You may correctly state that some of the developers we are talking about have migrated to PHP+MySQL and are doing things the same way.
From the article:
...
* Many development texts actually teach programmers insecure SQL syntax.
* Many sites are exposed to SQL injection attacks but don't know it.
I agree completely! I've seen the texts, I've seen the hordes of VB+SQL programmers that learned from said texts moving to the web porting the same "vices" to the new platform.
And I've seen the "oh-sh*t" face on a couple of developers after demonstrating to them that their software is vulnerable to SQL injection. In both cases the vulnerabilities exposed the customers to the possibility of serious financial damage.
So far, the stupidest workarounds I've seen have been:
Developer: It's ok, I'll switch to POST instead of GET so the user can't forge the request.
Developer: It's ok, I'll write a method that removes single quotes from every string I get from the user.
Developer: It's ok, I'll write some JavaScript that will validate user input.
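To make the second workaround concrete, here is an added example (not code from the comment above or from any of the projects mentioned) in Python with sqlite3, over a constructed users table: the quote-stripping filter leaves a numeric parameter untouched, while a prepared statement binds the value as data and a regex allow-list, as argued earlier in the thread, rejects it outright. The table contents and function names are my own assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data, not taken from the discussion.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def strip_single_quotes(value):
    # The "remove single quotes from every string" workaround.
    return value.replace("'", "")


def find_name_concat(conn, user_id):
    # The pattern the workaround is bolted onto: the value is spliced into
    # the SQL text. A numeric column needs no quotes, so the filter is a no-op
    # and whatever the client sent becomes part of the WHERE clause.
    sql = "SELECT name FROM users WHERE id = " + strip_single_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_name_prepared(conn, user_id):
    # Prepared statement: the driver binds user_id as a value, never as SQL,
    # so a non-numeric string simply matches nothing.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


ID_PATTERN = re.compile(r"[0-9]{1,9}")


def validate_id(user_id):
    # Server-side allow-list validation: accept only what an id can look like.
    if not ID_PATTERN.fullmatch(user_id):
        raise ValueError("not a numeric id: %r" % user_id)
    return int(user_id)


if __name__ == "__main__":
    db = make_db()
    print(find_name_concat(db, "2"))            # ['bob']
    print(find_name_concat(db, "2 OR 1=1"))     # every user: filter did nothing
    print(find_name_prepared(db, "2 OR 1=1"))   # []: bound as a value
    print(find_name_prepared(db, validate_id("2")))  # ['bob']
```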
Writing secure software is never easy.
I prefer the "living on the etch" approach.