Slashdot Mirror


User: Assmasher

Assmasher's activity in the archive.

Stories: 0
Comments: 1,598

Comments · 1,598

  1. Re:You get what you pay/wait for on New Analyst Report Calls Agile a Scam, Says It's An Easy Out For Lazy Devs · Score: 1

    Yes, the triangle I call it. I always find a way to bring this up once we start talking about 'possibilities.'

    It's my mantra - "Fast, cheap, good - pick any two."

    Cheers!

  2. Re:Am I missing something...? on Nearly Half a Million Yahoo Passwords Leaked [Updated] · Score: 1

    ...? I've never heard of a small business that had a database for serving information online that didn't have a LAN...

    Most small businesses have LANs, my father in-law's little store has a LAN, my accountant has a LAN, the restaurant I am typing this at has a LAN, et cetera... ;)

    Sorry I wasn't clearer about the input sanitizing.

  3. Re:Am I missing something...? on Nearly Half a Million Yahoo Passwords Leaked [Updated] · Score: 1

    - Many small companies have their DB at the DMZ because they only have a DMZ. Most of the time, they also only have one server at the DMZ... It is a significant saving for them

    Significant saving? It is seriously cheap to put a linux box in the DMZ and use it as a firewall (probably cheaper than their monthly expenditure for network access.)

    Also, as a rule, putting your DB inside a firewall doesn't protect against SQL injection

    That depends, lol, the same type of company that would leave their DB server in the DMZ would likely have a default/no security on it.

    In any case, putting it behind the firewall means that it is MUCH more difficult to reach that DB in any way except through software/services configured to make use of it. It means your DB isn't listening for just anyone to connect to it from anywhere on the net.

    As a matter of policy, you just don't create situations where a user entered string can be dangerous. That means that if the user enters "'; DROP TABLE students;--" in a text field, you just don't evaluate it, you put exactly "'; DROP TABLE students;--" into your database. That may require that you analyze the string and escape the right parts, but it is not exactly "evaluating it for danger".

    That's exactly what it is doing. You're sanitizing input. Escaping strings IS evaluating strings for dangerous elements...

    Serious SQL injection attack security requires many things including parameterization, properly packing those parameters when using them in a stored procedure (for example), pattern matching the input, role based DB security, et cetera...

  4. Re:Am I missing something...? on Nearly Half a Million Yahoo Passwords Leaked [Updated] · Score: 1

    I didn't say "correct potential danger", I said "evaluate." Replacing things (a la medireview) is a flat out stupid approach anyhow, lol (thanks for the link - it made me laugh.)

    I agree that everyone should use parameters instead of string concatenation, but that doesn't make things safe, it just makes them a little bit safer. Parameters don't help if someone passes the user name "';drop table important_table"

    ALL input MUST be sanitized whether you use parameterized SQL or not; ergo, you must evaluate the data in some context.

  5. Re:Am I missing something...? on Nearly Half a Million Yahoo Passwords Leaked [Updated] · Score: 1

    I'm not sure I understand where you're going with this, I evaluate ALL external input (not just from users) for danger.

    I'm not a web developer though (mobile/thick client/enterprise only) which is why I asked if I was missing something since this seems trivial to do...

  6. Am I missing something...? on Nearly Half a Million Yahoo Passwords Leaked [Updated] · Score: 1

    I presume that you cannot actually reach the DB directly (it is shocking how many people in smaller companies have their DB actually in their DMZ), so they must be pushing the SQL injection through an actual Yahoo API, right?

    How hard is it to evaluate a string for potential danger?

    Surely API calls can be divided into context and 'grammars' of a sort, then these API calls can identify whether a given string is more or less likely to be a threat by keywording, if anything is suspicious (and at this level there will likely be a lot of false positives) you perform a more thorough evaluation based upon the context of the call, and so on...?

    Anybody out there do this for a living? Insights please :)
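The exchange in comments 3 through 6 above turns on two questions: what a parameterized query actually does with a string like "'; DROP TABLE students;--", and whether input validation still has a place once parameters are used. The following is an added example, written for this archive page and not code posted by anyone in the thread. It uses Python's standard sqlite3 module with a small constructed user table, contrasts a concatenated lookup with a bound-parameter lookup on the same tautology string, stores the DROP string as plain data, and layers a hypothetical allow-list username check (`valid_username`, my own name and pattern) on top as the "pattern matching the input" item from comment 3.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the thread).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# The two kinds of string the thread argues about.
TAUTOLOGY = "' OR '1'='1"
DROP_STRING = "'; DROP TABLE students;--"

# Hypothetical allow-list for a username field: defence in depth on top of
# parameters, not a replacement for them.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """VULNERABLE: the caller's string is spliced into the SQL text, so quote
    characters inside it change the statement's grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """SAFE: the value is bound to a placeholder and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def insert_param(conn, name, role):
    """Store whatever string the caller supplies, byte for byte, as data."""
    conn.execute("INSERT INTO users (name, role) VALUES (?, ?)", (name, role))
    conn.commit()


def valid_username(name):
    """Allow-list check: letters, digits, '_', '.', '-', 1 to 32 characters."""
    return USERNAME_RE.fullmatch(name) is not None


def demo():
    conn = make_db()
    result = {
        # Concatenation: the tautology rewrites the WHERE clause; every row leaks.
        "concat_rows": lookup_concat(conn, TAUTOLOGY),
        # Parameters: the same bytes are compared literally against the column.
        "param_rows": lookup_param(conn, TAUTOLOGY),
    }
    # The DROP string goes in as a plain value and comes back unchanged;
    # no second statement is ever executed.
    insert_param(conn, DROP_STRING, "user")
    result["stored"] = lookup_param(conn, DROP_STRING)
    result["row_count"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    # Validation still rejects strings that make no sense as usernames.
    result["valid"] = [valid_username(n) for n in ("alice", TAUTOLOGY, DROP_STRING)]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the two lookups make is that with bound parameters the tautology is just a name nobody has, so the query returns nothing, while the concatenated version returns every row. The allow-list check is a separate control: it does not make the parameterized query any safer against injection, but it keeps junk out of a field that has a known shape, which is what the thread calls evaluating input in context.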

  7. Re:Not an iPad Slayer on Holy iPad Slayer! Company Releases World's First Christian Tablet · Score: 1

    Leave that to a woman...

  8. Re:Looks like my $6000 3 year old Mac Pro barely.. on OS X 10.8 (Mountain Lion) Won't Support Some 64-bit Macs With Older GPUs · Score: 1

    This is a dual hex core, 24 hardware thread, 26GB monster machine running OpenSUSE, OSX, Win7, and WS2008.

  9. Re:Looks like my $6000 3 year old Mac Pro barely.. on OS X 10.8 (Mountain Lion) Won't Support Some 64-bit Macs With Older GPUs · Score: 1

    You can run Mountain Lion on your 4.5 year old Mac Pro?

    When we bought this OSX box we needed a lot o' cores and memory because the box was replacing several Dell servers in a rack we wanted to be rid of (we use the monster mac to run a lot of virtualization environments and it is much simpler to debug on one physical machine in this fashion.) We did this with a Mac Pro instead of a WinTel box because it killed several birds with one stone (testing our .mono codebase under stress on OSX, Linux, Win 7, and WS2008.)

  10. Looks like my $6000 3 year old Mac Pro barely... on OS X 10.8 (Mountain Lion) Won't Support Some 64-bit Macs With Older GPUs · Score: 2, Insightful

    ...scrapes by.

    That's reedonkulous.

    Unmitigated success for Apple has been bad for us.

  11. Re:Well, human bodies disturb magnetic fields... on Indoor Navigation On Your Smartphone, Using the Earth's Magnetic Field · Score: 1

    I agree with regards to the size of the changes and the ways they could be overcome; however, that is an academic exercise that assumes many conditions. This is being presented as a consumer technology for mapping interiors for consumption by consumer mobile devices.

    Regarding computer vision, I wasn't referring to background learning, I was referring to kernels we use to recognize objects in the scene (speed samples, orientation change rates, sizes in given dimensions against camera orientation, et cetera.)

    I think sub-meter accuracy is possible in academic conditions, I certainly don't think it is possible with current mobile devices in a 'noisy' environment though.

    Let's hope I'm demonstrably wrong! :)

  12. Re:Well, human bodies disturb magnetic fields... on Indoor Navigation On Your Smartphone, Using the Earth's Magnetic Field · Score: 1

    I understand what you're saying, but I have to disagree because you appear to be quite narrowly stipulating the usage of the technology for the purpose of your analogy.

    The magnetic field in any particular spot can change for any number of reasons including, for example, the simple scenario of someone using electrical equipment. Something as simple as an electrical device being plugged into the wall, someone placing a computer based kiosk in the area, a television or monitor being turned on, someone using a floor polisher, fans being turned on overhead, lights being turned on/off, et cetera, ad nauseam. This ignores people in retail environments moving displays, furniture, and product relocation.

    You also appear to treat the system as a pattern recognizer that grows in accuracy as samples increase and are correlated as 'accurate' - where are you getting this from? It seems very unlikely that without a beacon based system where the app could recalibrate as it approached (not a terrible idea really) how could you confirm the validity of the introduced changes to the magnetic field map? In computer vision we do this with training that requires user interaction.

    I think it could have some interesting uses in a broader environment but claiming sub-meter accuracy in an active location seems hyped (although I could be totally wrong - in fact, I hope they're on to something because I occasionally do IPS related work and I'd love to be able to push a good mobile outdoor-indoor transitioning system.)

    BTW, enjoyed your blog :).

  13. Re:Well, human bodies disturb magnetic fields... on Indoor Navigation On Your Smartphone, Using the Earth's Magnetic Field · Score: 1

    Not really, it's more like saying "maps are useless if a lot of things that seem to look like things on the map are moving around you at all times."

  14. Well, human bodies disturb magnetic fields... on Indoor Navigation On Your Smartphone, Using the Earth's Magnetic Field · Score: 2

    ...so malls are going to be problematic, no? Airports? Supermarkets? Retail stores that aren't going under...?

    Lol.

    Perhaps they have methods for mitigating these things or they are less problematic than I expect, but just changing the shelving and orientation in a store would screw this thing up, doesn't it seem?

  15. Re:Age on Ask Slashdot: Old Dogs vs. New Technology? · Score: 1

    You're going to get tons of defensive push back in here, but the most important answer to your questions is that it isn't directly related to age. You'll find people, in every field and every age, but especially in the 'tech industry', who like the pay, like the dependency people develop upon them, but absolutely hate doing anything even remotely close to the edges of their sandboxes. They get defensive (i.e. "you just don't understand" without explaining what it is that you supposedly don't understand), they get recalcitrant (i.e. "that's really not my job"), or they let things they don't like just die on the vine (because most IT managers have difficulty knowing the difference between an IT lifer blowing smoke up their a** and when there's a real issue.)

    If you want to work someplace where people are more likely to be akin to how you are now, you should find a start-up. Start-ups suffer from 'many hats' syndrome which is something you'd probably love right now.

    You may grow tired of it in a few years (most do), or you may do it for the next 25 years (as I have.)

  16. Re:A fool and his money... on Delaware To Permit In-state Online Gambling · Score: 4, Insightful

    How can you be sure it's honest at the casino in person? ;)

  17. Proxy prices are now skyrocketing in Delaware... on Delaware To Permit In-state Online Gambling · Score: 3, Insightful

    I wonder if the ISPs with a physical presence in Delaware had a hand in this?

    Hehe...

  18. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    I already explained it, because it should be incorporated under the Hawaiian Homestead Act. The reasons why it should be are the same reasons why the Act exists in the first place.

    It's like you're asking me "give me a good reason why Ellison shouldn't be allowed to buy Alaska." Technically he could, there's no legal reason why he couldn't. What could possibly go wrong? LOL.

  19. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    No you didn't.

    I'm also not asserting that property rights don't matter.

    If I wanted to be as ridiculously hyperbolic as you're trying to be I'd simply state that "Well, you're basically asserting that anyone should be able to own anything."

  20. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    Perhaps you're confused and think I'm saying Lana'i should have been taken away from Murdoch - I don't.

              I don't think Ni-ihau should be taken away from the Robinsons.
              I DO think that the Robinsons should only be able to sell it back to the state of Hawaii at fair market value.

    Equivalency in principle is one of the basic logical fallacies, although your suggestion barely makes it that far.

    Differences in degree are very important.

    Your comparison of the possibility of Ellison not being allowed to buy Lana'i to the returning of all land to Native Americans is a reduction to absurdity.

  21. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    Why don't you just answer the question I asked you instead of moving the goal posts?

    Are you this bad at all your "arguments"?

  22. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    Last word...

  23. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    Wait - You think that my suggestion that a private individual shouldn't be allowed to own the 6th biggest island in Hawaii is the equivalent of giving all land back to Native Americans because "you still haven't given a good reason why the act should be revised or why that island can't remain private"?

    LOL.

  24. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    I'm sorry, but how does my suggestion that the Hawaiian Homestead Act be revised to prevent selling an entire island in the Hawaiian archipelago to a private owner mean that all land should be returned back to "Native Americans"?

  25. Re:The Hawaiian Homestead act should be modified t on Larry Ellison Buys His Own Hawaiian Island · Score: 1

    Actually, when I say 'Hawaiians' that generally means people who live in the state of Hawaii full-time. If you mean true-blood Hawaiians, I lived there for 3 years and never met one. There are tons of people who have ethnic Hawaiian ancestry, but the vast majority of those are hapa haole.

    Why should the people on Oahu decide what happens on Lanai? For the same reason that the people in Northern California have a say in what happens to their state on issues that may just be located in Southern California.

    I'm sure most Hawaiians (ethnic or otherwise - who aren't billionaires) feel that the island of Lana'i shouldn't be privately controlled.