Archived from The Onion
... so my clock doesn't drift by like five minutes a day, necessitating a daily ping to the USNO time servers? anyone?
> non-refundable, coupons for WinXP Home edition. :\
Ha! My old company* had a bunch of WinXP Home packages sitting round doing nothing, because the way they purchased hardware before I arrived meant that every machine they ordered turned up with XP Home on it, which was then replaced with a volume-licenced copy of XP Pro.
Not a sensible use of their money, I felt, so I found a supplier which would give us naked PCs, and dropped volume XP Pro straight on.
Anyway, I digress, but I was going to make a point about the difference between refundable and rebatable - you can get rebates if you don't use a bundled copy of the OS - so a free coupon wouldn't be such a bad thing. Or something. It's getting late here.
* Disclaimer: I don't work for them any more. I work for them, if you see what I mean.
For those Sydneysiders who feel like 'dropping in' but don't know where that is, Lime Street is down by King Street Wharf.
Recommended action? Annoying, non-destructive stuff, no superglue in the locks or permanent scarring of the building. Flyers would be good.
Here's a good idea: if anyone works nearby, indulge in the good old Sydney tradition of street chalking and write a neat 'Netharbour = Spammer', with an arrow pointing to their door, each morning for a week or two.
Rule #1 : Spammers Lie
How appropriate.
I prefer to listen to satirical Howard quotes rather than the real ones. They make more sense.
I mean, is it a clause that SOLELY allows political spam, or is he exploiting a loophole
Charities and political parties are exempt.
Why political parties? Same reason as hard-core porn, prostitution and pot smoking are permitted in Canberra. Politicians aren't like everyone else.
... such as a prior low-level scandal where he initiated a government bail out of his brother's failing company (in preference to a number of other high profile corporate crashes). Now he's contracted his son to send spam.
Not surprising at all.
Oh, I don't know. I'd concede the point for Barry Lyndon, likewise Eyes Wide Shut (couldn't finish the damn things) but you may have missed:
Full Metal Jacket
Dr Strangelove
A Clockwork Orange
The Shining (in particular, slow for a reason, to build tension)
It was a better browser before Internet Explorer was even a concept.
Yeah, but it really took a dive around v4. I still wake up in a cold sweat after Netscape 4.x nightmares.
demand some retribution
Errr... restitution, perhaps? Or remuneration?
Or are you advocating revenge?
> hand in their nerd license on the way out.
Last one out don't forget to turn out the lights!
[kidding, OK?]
Yeah, but the folks most likely to be taken in by these things are also the folks least likely to be on the immediate upgrade train. This vulnerability will linger for a while, though the fact that Firefox is still a minority product does mean that users are more likely to either be:
Savvy themselves
Have a friend or relative who is savvy
Be someone who keeps up with the "net trends" and will therefore find out about this
hence mitigating the vulnerability somewhat.
This particular vuln would catch me out though. The demo was very convincing (aside, of course, from the red text saying "hey this is a fake". But of course no self-respecting scammer would leave such a blatant clue).
> have there actually been exploits for outlook that didn't involve social engineering?
One Word:
Bubbleboy
> Experts don't browse with javascript enabled, so
> it's pretty obvious actually.
So how do these experts have any idea what will affect the end user? From their non-JavaScript Ivory Tower, they survey the scene and see all is good. Meanwhile, Joe Dickwad sends his credit card info to the Ukraine, thinking he's just bought his momma a bouquet for Mother's Day.
To secure the end user's experience, you need to experience things from an end-user perspective.
[This comment is nitpicking the post, not the experts, by the way.]
Err... if the bad guy can't read my preferences and find out what my theme is, how come the proof of concept appeared in MY THEME?
What, did this guy just happen to use Charamel for his PoC?
Or hang on, was this not your point?
So all the more reason for filtering the data on the database server.
To be honest, I'm not sure whether we've all drifted a little away from the point here.
Sysadmins' day on a Saturday? Someone didn't think this over very clearly.
Saturday, when no-one else is in the office, except the sysadmin in question, slaving his/her ass off to keep the infrastructure humming along or cleaning up after the latest shitbomb of a virus which some user got infected with at 8pm on Friday?
No-one to get them a coffee, or doughnuts? No-one there to appreciate them, on appreciation day?
Hang on, maybe that's ideal.
Yikes, I hate when people use TRUE like that. It's redundant!
<retentive type="anal">
Actually, that depends on the language implementation
</retentive>
> Only if any part in the string is tainted (like deriving from user input).
That's what SQL injection IS. The whole point is tainted input. Perhaps I wasn't clear about that being part of what I was referring to. Let's see...
Here's an explanation of SQL injection for those not aware of it. Google also shows up a ton of useful links, a number of which are PDFs, so I'm not linking them.
> The web-server takes a request, forwards it to
> ASP/PHP/Perl, which process it, then send HTML to
> the web-server.
Sort of. In a CGI context, the web server spawns off a new process to do the work. In an ISAPI environment (ASP is an ISAPI extension, for instance, and Perl and PHP are optionally in-proc) the script runs in-process, as a thread within the web server's own process space. (This is true of IIS; I expect the analogy to transfer to Apache - someone confirm/deny?) So in essence, the processing is part of the web server [process].
There are performance benefits in moving in-proc, but it does mean a disaster in the extension can take down the whole web server process. Which is bad.
The situation is actually a bit more complex these days (IIS 6.0 worker processes and application pools, for instance, or FastCGI-type stuff), but I think the general gist stands.
and yes, I do work for them. I admit it. happy now?
> If your project is large enough, you separate the development, and allow for your DB admins to create stored procedures.
And then have to jump through hoops to get them changed if required, which usually involves some sort of bribery to the DBAs in question, Coffee, Doughnuts, iPods....
Usually this isn't a desirable way of doing it, IMO. Better to give the developers absolute control over the development environment, including the DB, then have the DBAs audit and clean up the data-centric components before deployment, just as you'd have a QA process on the code itself.
Of course this is just one guy's opinion.
Linux
Apache
MySQL
PHP
for the acronymically challenged
> Compiled SQL is faster.
Actually, this depends on the database in question these days. SQL Server 2k does a pretty good job of keeping embedded queries hot, so the performance gain is waay less impressive than it was in, say, SQL 7.0.
[cue MSSQL Bashing in 3...2....1.....]
Haven't really kept up with competing RDBMSes recently, but it wouldn't surprise me if competitors were also narrowing the gap.
> Enhanced security
One incredibly common security hole being SQL injection, I have to agree with this, but with the following caveat:
I've seen developers create stored procs which do a bunch of string concatenation within the SP, then EXEC the resulting string. This is just as injection-prone as doing it in a script in the first place, but the developers in question often cite SQL injection as one of their reasons for using SPs in the first place.
Again, back to the problem with lack of knowledge on the developer's part causing security holes, rather than the platform.
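As an added illustration of the caveat above and of the tainted-input point made earlier in the thread (this is not code from the original comments), here is the concatenate-and-EXEC stored procedure pattern beside a version that binds the input with sp_executesql; the dbo.Customers table and the procedure names are assumed.

```sql
-- Constructed example on an assumed dbo.Customers(Id, Name, City) table.
-- (SQL Server / T-SQL; the procedure and table names are made up for illustration.)

-- Anti-pattern: the procedure builds the statement by concatenation and EXECs it.
-- @City becomes part of the SQL *text*, so the server parses it as code, not as
-- a value; the proc is exactly as injectable as concatenating in the calling script.
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe
    @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM dbo.Customers WHERE City = ''' + @City + N'''';
    EXEC (@sql);  -- whatever the caller put in @City is executed verbatim
END;
GO

-- Fix: keep the value out of the SQL text. sp_executesql binds @City as a typed
-- parameter, so the input is only ever treated as data (and the plan is reusable).
-- (For a fixed query like this one, a plain static SELECT needs no dynamic SQL at all.)
CREATE PROCEDURE dbo.FindCustomersByCity_Safe
    @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM dbo.Customers WHERE City = @City';
    EXEC sp_executesql @sql, N'@City NVARCHAR(100)', @City = @City;
END;
GO

-- Edge case: an identifier (here a caller-chosen sort column) cannot be bound as a
-- parameter. Validate it against an allow-list, then quote it with QUOTENAME.
CREATE PROCEDURE dbo.ListCustomersSorted
    @SortColumn SYSNAME
AS
BEGIN
    IF @SortColumn NOT IN (N'Id', N'Name', N'City')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name, City FROM dbo.Customers ORDER BY ' + QUOTENAME(@SortColumn);
    EXEC sp_executesql @sql;
END;
GO
```

A quick audit check for the anti-pattern is to search procedure definitions for EXEC of a concatenated variable (for example via sys.sql_modules) and review each hit for unbound caller input.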
I think you sold that to me!! I want my money back!