Easier for others to follow. If someone else is tracing your code and you get a 3rd party tool, it is either a black box application that you are referencing, where you need to break your trace to see what the heck it is for, or there is source and you go in there and, it being code by a different person, it is like you are in Wonderland where all coding styles have changed.
<snip>
IIRC - The password aging was part of IBM's recommendations for implementing DES. This is a proven best practice for perfect systems. This advice on changing passwords monthly is based on the assumption that the ends are secure, for example mainframe to mainframe communications.
Simple solution. Encrypt the sensitive information before storing it in the database. Leave all of the other information unencrypted. You don't need to search by the sensitive fields anyway, so the inability to index them doesn't matter.
Use filesystem/OS-level support for locking down the key on the system that needs to be able to decrypt it, so that only the account/application authorized to access it can. That limits the vulnerabilities to a single system. Even once on that system, it is limited to "root" and the actual application.
Now you may safely let any number of insecure systems query your database. You can use trivial database backup schemes with no additional encryption. You don't need to worry about the physical security of those backups. Since you only need to back up the key when you first generate it, there is never any danger of the key and backup data being lost together in transit.
There is no speed penalty anywhere in the system except the sensitive parts.
You don't need to search by name? As I understand the law (which may be very incorrect), first and last name, or other identifying information, is what makes a record sensitive under the law.
Also, searching by TIN is very useful when finding accounts.
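An added example (not from any commenter in this thread) of the scheme described in the comment above, plus one answer to the "searching by TIN" reply: the name stays in clear text and indexable, the TIN is stored only as AES-256-GCM ciphertext, and the key file is refused unless only its owner can read it. The HMAC blind index for exact-match TIN lookup goes beyond what the thread states; the Keys and Account types, the 64-byte key-file layout and the sample data are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Keys live only on the one host allowed to decrypt; the database, its query clients and its backups never hold them.
type Keys struct {
	aead  cipher.AEAD // AES-256-GCM under the first 32 bytes of the key file
	index []byte      // independent 32-byte HMAC key for the blind index
}

// Account is one stored row: Name stays in clear text so ordinary indexes work; the TIN exists only as ciphertext plus an HMAC-based blind index for exact-match lookup.
type Account struct {
	Name     string // unencrypted, searchable by anyone with database access
	TINCT    []byte // nonce || AES-GCM ciphertext of the TIN
	TINIndex string // hex(HMAC-SHA256(index, TIN)); equality search only
}

// LoadKeys reads the 64-byte key file (generated once, with mode 0600) and refuses it if group or other can read it, enforcing the "only root and the application" rule each time the key is used.
func LoadKeys(path string) (*Keys, error) {
	st, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := st.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %04o is readable by group/other", path, perm)
	}
	raw, err := os.ReadFile(path)
	if err != nil || len(raw) != 64 {
		return nil, errors.New("key file unreadable or not exactly 64 bytes")
	}
	block, _ := aes.NewCipher(raw[:32]) // cannot fail: 32-byte key checked above
	g, _ := cipher.NewGCM(block)        // cannot fail for an AES block
	return &Keys{aead: g, index: raw[32:]}, nil
}

// tag is deterministic (equal TINs give equal tags) yet reveals nothing without the index key.
func (k *Keys) tag(tin string) string {
	m := hmac.New(sha256.New, k.index)
	m.Write([]byte(tin))
	return hex.EncodeToString(m.Sum(nil))
}

// Protect builds a row: Name is stored as-is; the TIN is sealed under a fresh random nonce (prepended) and tagged.
func (k *Keys) Protect(name, tin string) Account {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Account{name, k.aead.Seal(nonce, nonce, []byte(tin), nil), k.tag(tin)}
}

// RevealTIN is the one operation that needs the encryption key; GCM authentication makes it fail on a wrong key or a tampered row.
func (k *Keys) RevealTIN(a Account) (string, error) {
	ns := k.aead.NonceSize()
	if len(a.TINCT) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := k.aead.Open(nil, a.TINCT[:ns], a.TINCT[ns:], nil)
	return string(pt), err
}

// FindByTIN answers the "I need to search by TIN" objection using only the index key: rows are matched by tag, never decrypted; -1 means no match.
func (k *Keys) FindByTIN(rows []Account, tin string) int {
	want := k.tag(tin)
	for i, r := range rows {
		if r.TINIndex == want {
			return i
		}
	}
	return -1
}

func main() {
	path := os.TempDir() + "/demo-keys.bin" // constructed demo path
	key := make([]byte, 64)
	rand.Read(key)
	os.WriteFile(path, key, 0o600) // the one-time key generation step
	defer os.Remove(path)
	k, err := LoadKeys(path)
	if err != nil {
		panic(err)
	}
	rows := []Account{k.Protect("Alice Example", "123-45-6789")} // constructed sample
	fmt.Println(k.FindByTIN(rows, "123-45-6789"), rows[0].Name)
	fmt.Println(k.RevealTIN(rows[0]))
}
```

A copy of `rows` is exactly what a database backup would contain: usable for name queries, useless for TINs without the key file.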
Why is this hard?
Because there is lots of money to be made by the losing side becoming the winning side?
Lying with numbers is the post election fix.
Redmine on RedHat was a nightmare for a colleague of mine.
On FreeBSD it was cd /usr/ports/www/redmine ; make install ; make clean ; vi /usr/local/etc/rc.d/redmine #edit to allow startup and then follow the instructions at http://www.redmine.org/wiki/redmine/RedmineInstall from step 2 on.
The only problem with redmine has been figuring out which extensions to install. Which isn't that bad of a problem.
Um,
This is not about java on the client it is about java on the server via tomcat, jetty, or some other java app server.
All of the sites listed at http://www.opencms.org/en/support/references/index.html are java based, as is opencms.org itself.
This is about getting the post-blog-entry function to work. The HTML is more or less trivial. The server side is a bigger issue, as you have access control, data sanitation, and a bunch of other minor details that will get your website compromised if you screw them up.
This is about grails vs rails vs django vs drupal vs zope vs web app framework du jour.
Personally, I wish there was a way of including php code in python, so I could extend existing php with django, and slowly convert the legacy code.
I wonder what percentage of the kernel is 'bloat' or code that's needed to maintain backwards compatibility.
Almost none.
The vast majority of the bloat is the device drivers.
But, what if you just want to be able to print?
If you were to say that cups is the best solution we have today, I might agree with you, but posts like this one http://weblog.zamazal.org/cups-sucks.html are pretty common for cups, and printing is at least as bad on other platforms.
The big problem with cups is the UI and the ability to secure it, so you can safely put your print server on the net without random spammers printing their ads on your printer.
Cups is a good start, but there is a long ways to go.
Shouldn't you be able to print your report for the office from home or on the road on a laptop?
Cups could get there, but right now it is a long ways from being easy.
files that are sometimes non-local being sent to non-local printers.
yup, sounds revolutionary to me, too.
(there must be something that we're missing, here?)
The absence of local printer drivers.
Or more specifically one universal printer driver.
Printing sucks on Linux, Windows, Mac, and every other platform because it is a very large problem, and abstractions tend to hide controls that are necessary to produce decent results.
Paper type, ink type, paper size, paper margins, duplexing capabilities, and other finishing functions such as collating and binding are issues, that the driver generally needs to know what to do about.
Also, what should be done if a document overflows the printable area? (If you are printing things to go in a button machine, you want the image not to be scaled. If there is an important disclaimer at the end of the page, you want the page scaled so the disclaimer shows.)
Also brightness of the paper, and color of the paper are issues if you actually care about what the finished product looks like.
Spot colors are another factor for the print driver to deal with.
If Google can pull this off, it would be a huge step forward, however, it will probably be a limited enhancement of lpr.
My understanding is that Acquia, Alfresco, and Opennms are all profitable venture backed companies.
IBM claims to make substantial money off of open source.
The drupal community seems to have lots of companies that support drupal besides Acquia that seem to have various levels of profitability.
Perversely, I bet SQLServer would be fairly good however.
I suspect it depends on what part of SQL Server you look at.
Some of the code is probably brilliant, readable, secure, maintainable and very fast. Some of it not so.
If you have the keys to the server room, and if you notice a post-it note with the root password, then yes indeedy you have an exploit.
Especially if you have an 18 wheeler and a fork lift.
<snip>
<snip>
Although, if you use a well-known and widely used library, it can make it easier to find a programmer who knows their way around at least part of your program and may get up to speed quickly. Although this applies to frameworks more than libraries, it still holds true to an extent.
This is more true if you are using opensource libraries.
The underside of the monitor seems to be most popular for people in San Francisco. (about 80% of the passwords I have not been able to retrieve via a dictionary attack have been on the bottom of monitors.)
Inside CD cases is another popular place for passwords; I guess it is a habit people picked up from having software keys for Microsoft products on CD cases.
I can't say that I run into passwords under keyboards very often, but my sample set is sort of small, and definitely skewed to the cultural norms of the San Francisco Bay Area.
Does CentOS count as RedHat?
Probably not:
# cat /etc/redhat-release
CentOS release 5.4 (Final)
I recall reading that iTRON was by far and away the most used operating system circa 2000.
I don't know what percentage of CPUs are embedded in consumer products, and what the market share is for the various operating systems are, but I suspect that linux has a majority share of the TCP/IP capable products, but I have no clue what percentage that is.
I do understand where this confusion comes from, I really do, but is it so hard for people to wrap their minds around the idea of arbitrary version numbers? Because that's what they always are. Version numbers are arbitrarily chosen. Most commercial software will bump it up at meaningless times to get more money because 2.0 is better somehow than 1.0. Bigger numbers mean better, right? If software A is version 2.1, and software B is version 3.3, then B must be better, right? RIGHT?
(Of course, this would mean that emacs, at a lofty 23.1, is the best damned text editor/IDE/operating system/kitchen sink in the world. No arguments here! :P )
Most open source software follows this versioning scheme, or a variation of it, that actually makes sense and provides information: x.y.z. The same x means the two versions are fundamentally the same: there has been no rewrites or major restructuring. 0 usually is a special case, and means the structure isn't set in stone yet and could change before 1.0.0. y usually indicates different major releases, with new features and such. A lot of projects follow the Linux kernel here, where even numbers are stable releases while odd numbers are unstable. z usually only changes for bugfixes, and no new features.
The advantage to this system is that it's easy to tell the likely amount of change between two versions. The downside is that projects can stay in 0.y.z land for ages, and a 2.2.0 can have many more features than 2.0.0, even though it may not seem obvious to the uninformed. Also, 2.12.0 is a later version than 2.2.0, because 12 > 2, though this conflicts with intuitive decimal orderings... but really, who ever saw a number with two decimal places?
The system is weird and unintuitive to outsiders, but historically traditional and informative to those in the know. Everyone should just get over it and know that version numbers are arbitrary and should not be taken as a sign of quality.
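An added example, not part of the comment above, that parses x.y.z numerically (so 2.12.0 really does sort after 2.2.0, unlike a plain text comparison) and labels the likely amount of change between two versions using the conventions the comment describes, including the Linux-kernel even/odd rule for y. The type and function names and the exact wording of the labels are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is the x.y.z triple described in the comment.
type Version struct{ Major, Minor, Patch int }

// ParseVersion reads each component as an integer, so "2.12.0" becomes
// 2 / 12 / 0 rather than the decimal 2.12; a leading "v" is tolerated.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("%q: expected exactly three dot-separated numbers", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("%q: component %q is not a non-negative integer", s, p)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Compare orders versions component by component and returns -1, 0 or 1.
// Naive string comparison gets this wrong: "2.12.0" < "2.2.0" as text.
func Compare(a, b Version) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// Describe states the likely amount of change from one version to a later
// one: a new x means a rewrite, a new y means new features (an odd y is an
// unstable series under the Linux-kernel rule), a new z alone means bug
// fixes, and anything still at 0.y.z has no settled structure.
func Describe(from, to Version) string {
	switch {
	case Compare(from, to) >= 0:
		return "not an upgrade"
	case to.Major == 0:
		return "pre-1.0.0: structure may still change between any two releases"
	case from.Major != to.Major:
		return "rewrite or major restructuring"
	case from.Minor != to.Minor && to.Minor%2 == 1:
		return "new features in an unstable (odd-numbered) series"
	case from.Minor != to.Minor:
		return "new features, stable series"
	default:
		return "bug fixes only"
	}
}

func main() {
	a, _ := ParseVersion("2.2.0")
	b, _ := ParseVersion("2.12.0")
	// Integer ordering says a < b (-1); text ordering says the opposite (true).
	fmt.Println(Compare(a, b), "2.12.0" < "2.2.0")
	fmt.Println(Describe(a, b))
}
```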
Then the best pager is obviously less ----
less --version
less 394
Copyright (C) 1984-2005 Mark Nudelman
less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Homepage: http://www.greenwoodsoftware.com/less
As I tried to say in the grandparent of this post, you can find examples in favor of almost every operating system by selecting specific programs.
One other thing to consider is how hard is it going to be to keep all the programs on the machine updated.
Windows, and some windows programs are very easy to keep updated. Some windows programs are a nightmare, as you have to visit a website, or write a screen scraper, to find out if you have to update, and then you have to manually do the update.
Debian, if you don't need to venture outside of the repositories, and there is a reasonable chance that this is true, as Debian has tens of thousands of packages in the official repositories, is trivial to keep updated, even if you have a few thousand packages installed on your computer.
I have a hard time believing that it takes days to install opera on ubuntu, but this page does seem to make it seem like there are issues with opera on linux, something one would think that opera would be interested in fixing, you might contact them. https://help.ubuntu.com/community/OperaBrowser
>>>You know, I have yet to find a closed-source OS that can run everything I want.
What could you possibly desire to run that Windows OS will not execute? I cannot think of anything.
There is a difference between execute, and run well.
PHP web apps have much less of the language available to them, as many (less frequently used) modules do not work correctly on windows.
Another example that is not pro-one-vendor is that Chrome runs faster on Linux than Windows, while Firefox is much faster on Windows than Linux. If you are choosing your OS based on the web browser you are running, whether you are running Chrome or Firefox will influence which OS you perceive to be better.
>>>Also, floppies?!? Really?
If you know how else to install Damn Small Linux or Kolibros onto a 386 machine, which only has a floppy for external input, please share.
I would install an ethernet card and install over tftp. I would recommend reading the debian install guide for examples.
Floppies are so unreliable and slow that this may actually be faster than using floppies, even including the time to set up the tftp server, dhcpd, NFS, and install the card.
MP3s and GIFs didn't take down your beloved free and open internet. Why would H.264?
The attempt was made and came remarkably close.
Microsoft realized too late the idea of buying market share from apache.
Had IIS included a license for mp3s and gifs, and had 40% marketshare, Microsoft might have succeeded in making most websites ie6 only, especially if they had continued IE for unix a bit longer.
A number of banks in South Korea use activeX to establish secure connections, imagine if you could only do online shopping with IE
Net/1 still required a Unix license, as it had ed and other utilities from Unix. Net/2 was not released until 1991, and was the first version of BSD that did not require a Unix license, ergo the lawsuit. That doesn't mean that none of the code was released before that, or that the UC license was not similar to the modern BSDs'. (Admittedly there has been a license change to make the BSD license compatible with the GPL.)
What you got for $10,000 USD was the code available at UC's anonymous ftp site on a mag tape with a printed copy of the BSD license. The printed copy of the license was the big reason people paid up.
Yeah, people make 'limited' use of the linux kernel.
(and then there are the interesting counter examples; if you measure how fast they have progressed, Webkit has progressed a lot more since Apple and Google started sharing some of their work than Gecko has progressed in the same interval of time; so commercial companies sharing based on their own self interest are (at least arguably) throwing off more benefit than a semi-commercial open effort)
Although that could have something to do with number of paid programmers working on each project, and the fact that khtml was a much nicer rendering engine than gecko, from a programmers perspective. IE5 and Netscape 4 compatibility never entered the khtml discussion that I am aware.
Of course you are basing your argument on false information. Microsoft did not, and has not used open source BSD licensed code in anything I am aware of.
They did *LICENSE* a network stack from Spider Software, who in turn had *LICENSED* the stack from UC Berkeley. This code predates the first open source version of BSD, as witnessed by the copyrights present in the code.
In other words, the author of the code (UC Berkeley) gave Spider Software explicit permission to use the code in their product, even relicensing it to other users, most likely for a fee.
It's easy. Look at the copyrights of the BSD based apps in Windows, then look at the copyrights of the versions of BSD released.
The ftp client.
Run strings on ftp.exe.
I have not tried this on vista or windows 7 so I don't know if the license is gone, although, I suspect that in a corporate environment the UC license would have been left in as an abundance of caution even if the BSD code is long gone.
Really, using the FreeBSD network stack code as a basis for version one of the windows networking stack would have been a good business and coding decision.
The question is, do you want TCP propagated, or tcp libraries propagated? The answer to that question is BSD style license vs GPL.
Good thing you are not a lawyer, it's from the date it was committed.
The point of such statutes is because after a long time has passed, the defense is less able to form a coherent defense since a lot of the evidence is gone.
I Am Not A Lawyer, but I have a reasonable amount of experience doing legal research:
Actually both parent and grandparent are correct. Generally, in civil cases, where the standard is preponderance of the evidence (or which was more likely), the statute of limitations runs from the discovery of the damage; most of the controlling case law in the US in civil matters was established in the Dalkon Shield cases against A. H. Robins Company. A three-year statute of limitations was held not to protect A. H. Robins 16 years after the faulty product was sold, and 15 years after the initial discovery of injury, but less than three years after the discovery of severe internal damage.
The standard for criminal law is not preponderance of evidence but beyond a reasonable doubt, and in criminal law the statute of limitations is a way of saying that there is reasonable doubt by the passage of time, so we will not even try the case because the burden of proof cannot be met. Therefore criminal matters tend to have a statute of limitations that runs from the commission of the crime.