Actually no. As an H1B myself we're supposed to carry the passport containing visa and the last entry we received when entering the country. I have a US drivers license, but that doesn't prove I'm here legally - after all my visa could have run out. Now do I do it? No I don't, because the risk of being stopped and jailed is minimal compared to the risk of losing my passport, which is an even bigger mess. Even with a green card you're supposed to carry that around all the time, lose it and it's $290 to get another. And passport or green card loss leaves you ripe for identity theft.
the projects you will see in contract websites like elance, rentacoder and the like will be predominantly php+mysql
Well of course you will. The projects on those sites are looking for cheap implementation and damn any sort of quality or maintainability. The register didn't look at those sorts of sites, they looked at recruiting sites instead, the ones businesses use. Using the slime pool that is the "Write me a twitter clone for $100" sites to say LAMP is the most popular in businesses is laughable.
Actually you'll find that most security flaws are treated like this, in order to give the vendor time to patch. It's part of the whole responsible disclosure credo. As an indication of how seriously MS take this they facilitated the disclosure of Kaminsky's DNS cache poisoning discovery. He was contracting there at the time. MS called all the major vendors, and hosted meetings in Redmond to kick the whole response off. He talked about it at Bluehat in 2008. Heck, even Bluehat itself demonstrates something. They had speakers from Adobe and other "rivals" this year, and after about a month they put the session videos up and available to all for free.
Dear god, that's impressive. Now if we read down and take all the "MS are doing this to embarrass Google" comments, would it be said for bugs reported from Google to Microsoft? No, don't be silly. *sigh* Hypocrisy abounds.
Microsoft didn't make any noise about this at all. The only reason you know MS discovered it was because Google credited them in the update. So what exactly would shutting up do? Would you prefer them not to have told Google at all perhaps?
Then you haven't been paying much attention. Billy Rios has discovered the GIFAR problem with Java. Of course they're only looking at things that affect their software, in much the same way that Google doesn't go looking for software bugs in Microsoft products.
Why is it so surprising that security researchers employed by a company only look at that company's software, and aren't credited in the security patch reports for just doing their jobs?
Well exactly. In this case Microsoft paid for what they believed was closed source code, it was a third party vendor that broke the GPL, but because Microsoft released the executable, well they're responsible.
Which raises a question - how do you check these things? If the vendor cut and pasted code in, and removed comments that identified its source and the source's licensing agreement how do you spot this? It's not feasible to download every single open source project and start a diff against every single file they contain, so how do you do it?
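One practical answer to the question above, added here as an illustration and not part of the original thread: you don't diff whole files, you fingerprint them. The block below is a small winnowing fingerprinter (Schleimer, Wilkerson and Aiken's k-gram scheme, the same idea behind MOSS) written for this page. It strips comments, replaces identifiers, numbers and string literals with placeholders so that renaming and reformatting don't help, hashes token k-grams, and keeps the minimum hash of each window. The three C samples are constructed for the demo and assume you are comparing source (or decompiler output) against the candidate open source file; for a shipped binary you would first narrow the candidates with its string table and then compare against a build of the suspected project.

```python
import hashlib
import re

# Tokeniser for C-like source: string/char literals, identifiers, numbers,
# then any single punctuation character. Comments are removed first.
TOKEN_RE = re.compile(r"\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'|[A-Za-z_]\w*|\d\w*|[^\s\w]")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
KEYWORDS = {"if", "else", "for", "while", "do", "return", "break", "continue",
            "switch", "case", "default", "int", "char", "void", "long", "short",
            "unsigned", "signed", "const", "static", "struct", "sizeof", "include"}


def normalise(src: str) -> list:
    """Token stream with comments dropped and every identifier, number and
    string literal replaced by a placeholder, so renaming variables,
    stripping comments and reformatting leave the stream unchanged."""
    toks = []
    for t in TOKEN_RE.findall(COMMENT_RE.sub(" ", src)):
        if t[0].isalpha() or t[0] == "_":
            toks.append(t if t in KEYWORDS else "ID")
        elif t[0].isdigit():
            toks.append("NUM")
        elif t[0] in "\"'":
            toks.append("STR")
        else:
            toks.append(t)
    return toks


def fingerprints(tokens: list, k: int = 5, w: int = 4) -> set:
    """Winnowing: hash every k-gram of tokens, then keep the minimum hash of
    each window of w consecutive grams. Any shared run of at least w + k - 1
    tokens is guaranteed to share at least one fingerprint."""
    grams = [" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)]
    hashes = [int.from_bytes(hashlib.sha256(g.encode()).digest()[:8], "big") for g in grams]
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def containment(original: str, suspect: str, k: int = 5, w: int = 4) -> float:
    """Fraction of the original's fingerprints that also occur in the suspect."""
    a = fingerprints(normalise(original), k, w)
    b = fingerprints(normalise(suspect), k, w)
    return len(a & b) / len(a) if a else 0.0


# Constructed samples. ORIGINAL stands in for a GPL'd file; LAUNDERED is the
# same logic with the licence header and comments removed, identifiers
# renamed and the layout changed, plus one extra function; UNRELATED is
# different code of similar size.
ORIGINAL = """\
/* Copyright (C) 2008 Example Author
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License. */
#include <string.h>

/* Reverse a NUL-terminated string in place and return it. */
char *str_reverse(char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < n / 2; i++) {
        char tmp = s[i];
        s[i] = s[n - 1 - i];
        s[n - 1 - i] = tmp;
    }
    return s;
}
"""

LAUNDERED = """\
#include <string.h>
char* FlipText(char* buf){
  size_t k, len=strlen(buf);
  for(k=0;k<len/2;k++){ char c=buf[k]; buf[k]=buf[len-1-k]; buf[len-1-k]=c; }
  return buf;
}
int FlipAndCount(char* buf){ FlipText(buf); return (int)strlen(buf); }
"""

UNRELATED = """\
#include <stdint.h>
uint32_t checksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    while (n--)
        sum = (sum << 5) + sum + *p++;
    return sum;
}
"""

if __name__ == "__main__":
    print("laundered copy:", containment(ORIGINAL, LAUNDERED))
    print("unrelated code:", containment(ORIGINAL, UNRELATED))
```

Containment (how much of the original's fingerprint set appears in the suspect) is the right measure here rather than symmetric similarity, because the copied function is usually a small part of a much larger product. Winnowing keeps the fingerprint set small enough to index every file of every project you care about once, so the per-check cost is a set intersection, not a diff.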
Indeed. The summary assertion that "The fact the company pulled the tool doesn't bode well" is really daft. Of course they'd pull it, there's been a claim made against it - if they keep distributing it whilst they investigate, the potential for damages rises with every download. Pulling the tool is not an admission of anything other than the fact that an accusation has been made and they're investigating it.
OK what costs? Scanning/turning into an e-book? I'd bet that the vast majority of the offered titles are the same as they offer in the US, and processed/made in the US (or wherever it gets outsourced to) - so there's no extra cost there? Hosting could be an additional cost, Amazon do have a data centre in Dublin, London and Frankfurt, but bandwidth isn't that much more expensive here. Tax? Well perhaps, although books tend not to be taxed in the UK - who knows how ebooks will be treated though. Or it's the typical US move of taking the dollar price and converting it to pounds or euros by changing the currency symbol.
Yes but considering you can download a free (no cost) version of MS SQL 2005 or a time limited version of SQL 2008, how hard would it have been to check? If you don't have anyone on your team who knows SQL then why is the site starting to comment on the SQL you discovered using strings? If you don't know it can you really offer an opinion?
Saying it's vandalised when you didn't even perform the basic checks with someone who knows the MS platform is something you should be beaten up for, it's sensationalist, and now, if you do discover something, how much of your message will get hidden simply because you cried wolf at the very beginning?
What? You don't think you can talk to MS-SQL from PHP? Or Java? Or Ruby? Or a myriad of other systems? What utter tosh. And how would that be different to writing the voting software using, say, MySQL and a compiled C++ Gnome app running on Linux? You can't say that the platform means that developers do very little work when it comes to security, that's just a nonsense. You could write software under Linux without bothering about security, just as you could write .NET that does implement security.
Oh well, if we're recommending MS solutions on slashdot (ah karma suicide) then good old Windows Desktop Search works just as well. Since V4.0 came out you can have WDS on other machines, indexing away and it's the remote index that is queried - so no need for local machines to index remote shares. Plus, like sharepoint (spit) indexing, and Index Server before that it uses iFilters, so format aware indexing is available for most of the common formats a business uses.
No it's not. The Reddit hack was a Cross Site Scripting attack made possible by bugs in their markdown implementation which let javascript through the parser. It was not a SQL injection attack, it did not attack the database directly, no commands were run to directly put data into the database. It's an entirely different vector and an entirely different vulnerability, all the stored procedures, escaping of apostrophes and parametrised SQL in the world would not have stopped this.
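To make the point in the comment above concrete, here is an added illustration (written for this page, not Reddit's code and not from the commenter): a constructed comment containing both a javascript: link and a classic SQL injection tail is stored through a parameterised query, which defeats the injection completely, and then rendered by a toy markdown link renderer. The naive renderer copies the link target into href and the stored XSS fires; the hardened one HTML-escapes everything and only keeps links whose URL scheme is on an allow-list. The renderer, the payload and the sqlite table are all assumptions made for the demo.

```python
import html
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in for a markdown renderer: only inline links,
# [text](url), are handled. It is not Reddit's markdown code.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")

# Link targets are allowed only with these schemes; "" is a relative URL.
SAFE_SCHEMES = {"http", "https", "mailto", ""}

# Constructed hostile comment: a javascript: link (browsers percent-decode the
# body of a javascript: URL before running it) plus a SQL injection tail.
PAYLOAD = ("nice post [click me](javascript:alert%28document.cookie%29)"
           " '; DROP TABLE comments; --")


def store_and_fetch(raw_comment: str) -> str:
    """Store the raw markdown with a parameterised query and read it back.

    The placeholder keeps the quote and the DROP TABLE tail as plain data, so
    the SQL injection fails; the javascript: link survives untouched, ready
    to be rendered later. SQL hygiene says nothing about XSS.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (raw_comment,))
    (body,) = conn.execute("SELECT body FROM comments").fetchone()
    conn.close()
    return body


def render_naive(text: str) -> str:
    """Buggy renderer: copies the link target straight into href."""
    return LINK_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(1)}</a>', text)


def render_hardened(text: str) -> str:
    """Escape all text and keep a link only if its URL scheme is allowed."""
    out, last = [], 0
    for m in LINK_RE.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        label = html.escape(m.group(1))
        url = m.group(2)
        # urlsplit lowercases the scheme, so JaVaScRiPt: is caught as well.
        if urlsplit(url).scheme in SAFE_SCHEMES:
            out.append(f'<a href="{html.escape(url)}">{label}</a>')
        else:
            out.append(label)  # drop the link, keep the visible text
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)


if __name__ == "__main__":
    body = store_and_fetch(PAYLOAD)
    print("stored intact:", body == PAYLOAD)
    print("naive        :", render_naive(body))
    print("hardened     :", render_hardened(body))
```

The fix lives entirely in the output stage: the database layer is doing its job correctly in both cases, and the only thing that stops the script running is checking the scheme of the URL and escaping the text at the point it becomes HTML.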
There's more environmental cost to an eBook than power. There's the metals used in making it, some of which are very damaging, there's the delivery of the components and the cost of transporting them and the finished device, there's the batteries, with their poisonous metals, there's the upgrade/replacement cycle (because let's face it us gadget freaks want the latest and greatest every few years), etc.
"Pretty sure"? Google doesn't agree, in fact I can't find any proof or even discussion of what OS the Sky+ box uses. Under the hood it's an XTV device, which runs, according to XTV "IXI-Connect OS(TM)".
That way the affected users - ALL affected users - can take steps to mitigate their exposure.
You are assuming that you can take steps. Take the DNS flaw. It affected everyone on the internet. There was no mitigation. Should Dan have announced it to SANS et al, rather than talking to MS (because he was contracting with them at the time) and getting all the DNS companies in quietly to discuss it? Like hell. It would have leaked, and it would have been disastrous.
Without getting into a pissing match for companies already invested in AD and Exchange this is a no brainer, especially with IM integration where you no longer have physical phones, but laptop connected handsets. When I've rung MS people I've hit their extension and it's been routed to them, even if they are working from home.
Funny, ringing my voicemail on my Orange mobile is free. And of course you can configure the number of rings it diverts after yourself, or choose not to divert at all.
My other half uses a transcription service, SpinVox for her mobile phone which takes the messages and sends them via text message and email. Unfortunately I have a rather non-standard accent, what with the elocution lessons my parents made me take during my childhood in Northern Ireland, spending half my life in England and my default ability to try to match the speaking patterns of who I am talking to. It consistently mangles its transcription of my messages.
A more interesting (for me anyway) approach is that taken by Microsoft's unified communications stuff where I've seen your phone number route through to your computer to Office communicator, with voicemails being emailed as attachments. Of course this is very corporate centric, but it strikes me as more useful. Sure you have to listen to the attachment, but there's no risk of misunderstanding because a transcribing service got it horribly wrong.
Are you going to drop Micro$oft now? Is it $teve Job$? O$ X? What?
Yes but the irony of people doing what they're told on a facebook page and buying a song that exhorts "I won't do what you tell me" is delicious.
cloud applications can be cashed
That's certainly what google is hoping for.
In theory the author of the code whose copyright they broke, if they did indeed break it.
True, but SQL Injection is a specific attack exploiting how an application talks to the database. This was not SQL injection.
Funnily enough Microsoft office already has this, with Office Live. I have Open from Office Live and Save to Office Live in my file menu.