Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories
0
Comments
12,200
Comments · 12,200

  1. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 1

    What it comes down to is, when you've spent a lot of time going from company to company and system to system, you start being happy if there's at least ANY kind of security in place.

    Sounds like you do a similar job to me...

    You hit the nail on the head, most organisations have horrendously poor security, and those few that try to do anything about it whatsoever generally take a completely sub-optimal approach, driven by entirely non-technical people who believe marketing propaganda and salesmen rather than getting proper unbiased competent advice.

    Security is generally seen as a cost until something bad happens, and only then does it become important...

    The problem however, is that no matter how flawed most of these places' security is, so long as they don't have worm-targeted holes exposed to the internet, chances are no one will ever expend any effort to attack them... So although their systems are deeply flawed, they often won't get compromised and assume that this means they're secure, and not that there's simply no motivation for anyone yet.

  2. Re:Nothing has changed : Apple just explains it on Apple Is Forced By EU To Give 2 Years Warranty On All Its Products · Score: 1

    Having a 1 year warranty on a phone made sense back when mobile contracts typically lasted 1 year...
    But now that mobile contracts are typically 2 years, it should be a legal requirement that any warranty last for at least as long as the contract terms if not longer.

  3. Re:Used this with Dell the other day on Apple Is Forced By EU To Give 2 Years Warranty On All Its Products · Score: 1

    Sounds like they attempted to defraud you...
    They should have immediately offered to fix it for free, not try to trick you into buying an extended warranty that you didn't need. Even if they tried to send you an extended warranty, they should not have claimed that this was required in order for them to repair the current defect.

  4. Re:Apple still weaselling out of it on Apple Is Forced By EU To Give 2 Years Warranty On All Its Products · Score: 1

    There is a reasonable expectation that a hard drive will last longer than 18 months, when used according to its spec (e.g. the temperature is kept within the specified limits, and the device is not subjected to shocks exceeding those stated on the spec sheet, and not subjected to water etc.)...

    Indeed it is not uncommon for hard drives to last for years, even when subjected to harsh conditions. I had some SCSI drives that ran for over 10 years in a server that was badly overheating, and still worked when they were last used. But I would not expect a warranty to cover those drives given the conditions they were used in (and modern drives have the ability to record the temperature they were operating at).

  5. Re:In your face, programmed obsolescence! on Apple Is Forced By EU To Give 2 Years Warranty On All Its Products · Score: 2

    Much higher prices...
    Goods that last are not compatible with modern capitalism; once everyone who's going to buy a product has bought one, it will never break, resulting in no further sales and the vendor going bankrupt.

    If you force vendors to produce reliable products, then they will find some other method to force you to keep paying them, whether it's forced obsolescence (i.e. the product still works, but is no longer compatible with anything else) or a rental model where you never own the product and just have to keep paying for it perpetually...

  6. Re:I like it and I hate it on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 2

    And people need to stop misusing the word "professional"..

    It means someone who is paid to do a job, it doesn't imply any level of competence whatsoever.

  7. Re:Database Developer here on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 1

    And an SQL firewall is at best a "partial solution"... The problem is that it will be marketed to non-technical people as "the ultimate solution to all database vulnerabilities", and they will lap it up.

  8. Re:Input sanitization ? Use statement preparation on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 1

    PHP has pretty good prepared statement support, at least for Postgres... I use it quite heavily.

  9. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 1

    Only...

    1, buying, configuring, managing and keeping updated the IDS system is not cheap either, and it will be an ongoing cost unlike fixing your code.
    2, you're not safe, it may make attacks less likely but don't fool yourself into thinking it makes you safe.
    3, it adds new risk, you now have an additional system in the path which may have exploitable vulnerabilities, and may fail causing an outage.

  10. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 1

    The best way to ensure security is simplicity...

    Having thousands of layers of security may look good in theory, and may sell well to someone without a technical background, but ultimately the more complexity you have the more scope there is for vulnerabilities to exist.

    I have seen many cases where the underlying system was ok, while the complex firewall/authentication/IDS/whatever system sitting in front of it had exploitable vulnerabilities that got you onto the network.

  11. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 1

    This will sell to non-technical upper management, who will buy into it purely on the word of the salesman and without consulting any impartial technical staff...
    They will see it as a "solution" to the risk of exploitation, and buy in...

    A lot of management types see buying a product that claims to solve their problems as the thing to do, rather than actually fixing what they already have.

    This is obviously a nasty kludge, but people are used to being stuck with proprietary software they can't fix and thus implementing all kinds of nasty hacky workarounds to make it do what they want.

  12. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 3, Insightful

    Prepared statements work well and are easy to implement.
    Input validation on the other hand is extremely time consuming and error prone to implement, and extremely difficult to get right in all but the simplest of cases.

    If you take a blacklist approach, then you open yourself up to unexpected attacks and have to keep adding things to the blacklist.
    If you take a whitelist approach, then you will get cases where things break... For instance phone numbers, only allow numerics? What about when someone formats their phone number as xxx-xxx or (xxx) xxxxxx, or +xx xxxx etc... Or names, what about people with names like O'Callaghan or hyphenated names, or names in non-Latin character sets...

    And then for any moderately complex application, you need different input validation rules for different fields, resulting in extreme complexity and plenty of scope for bugs...

    At least if you use prepared statements, users won't be able to interrupt the execution flow, and although they might be able to put bogus entries into the database, good output encoding will prevent things like cross-site scripting attacks, rendering them at best a minor irritation...
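
An added example, not from this thread or from GreenSQL, illustrating the points in comments 8 and 12 above: a digits-only whitelist rejects legitimately formatted phone numbers, a concatenated query is broken or redirected by ordinary input, a parameterised query treats the same input as plain data, and output encoding renders whatever was stored as text. It uses Python's standard-library sqlite3 module as a stand-in for the PHP/Postgres setup mentioned in comment 8; the contacts table and rows are constructed.

```python
import html
import sqlite3

# Constructed sample data: a small contact list, including the awkward-but-valid
# values comment 12 mentions (an apostrophe, a hyphen, formatted phone numbers).
SAMPLE_ROWS = [
    ("O'Callaghan", "+44 1234 5678"),
    ("Smith-Jones", "(555) 123456"),
    ("Admin", "000-000"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def digits_only(phone):
    """Naive whitelist validator: accepts pure digits, so real-world formats fail."""
    return phone.isdigit()


def find_by_name_concat(conn, name):
    """Vulnerable form, for contrast: the SQL text is built by string concatenation."""
    sql = "SELECT name, phone FROM contacts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def concat_query_breaks(conn, name):
    """True when the concatenated query no longer parses for this input."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def find_by_name_prepared(conn, name):
    """Hardened form: the driver binds the value, so it cannot alter the statement."""
    return conn.execute(
        "SELECT name, phone FROM contacts WHERE name = ?", (name,)
    ).fetchall()


def render_cell(value):
    """Output encoding: a stored value is emitted as text, never as markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(digits_only("+44 1234 5678"))                     # False: whitelist rejects a valid number
    print(concat_query_breaks(db, "O'Callaghan"))           # True: an apostrophe breaks the query
    print(find_by_name_prepared(db, "O'Callaghan"))         # the row, unchanged
    print(render_cell("<b>O'Callaghan</b>"))                # escaped for safe display
```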

  13. Re:Please forgive my likely stupidity on GreenSQL is a Database Security Solution, says CTO David Maman (Video) · Score: 2

    The issue with a database firewall (and webapp firewalls in general) however, is that it doesn't fully understand your application and has to guess as to what it's trying to do...
    As a result, you are likely to get false results, both negative and positive... I have seen several instances where such firewalls break the proper functioning of applications, and other cases where it's possible to bypass them.

  14. Re:Freedom of speech... on UK Man Jailed For 'Offensive Tweets' · Score: 1

    Making a statement (or threat) about something someone is planning to do is entirely different from simply stating they hate someone for a particular reason.

    In this case the statement is evidence that someone may plan further action; the statement in itself is nothing on its own, as it only indicates the possibility that someone will commit a homophobically motivated murder.
    It's possible that such a statement may be made in jest and that they could never actually carry out the action.
    Similarly, it's possible and highly likely that someone planning to commit such a murder would not publicise the fact.

    On the other hand, if someone was to state that they detest gays, and describe them in pejorative terms, so what? If you happen to be gay and he tells you he hates you for that reason and calls you various other pejorative terms, again so what? You've not been harmed by his words and you can choose to either ignore them or respond in kind.

  15. Re:Quick Answer on Qualcomm Calls To 'Kill All Proprietary Drivers For Good' · Score: 1

    You can remove iTunes, I have done so on my work laptop...
    You can also elect not to install it when you install the OS.

    By works out of the box, I mean the system is functional and all hardware features are working. Configuring your accounts is separate, you would have to do that on any device.

    Another question is whether the system does everything you want/need out of the box, or do you have to install additional applications? And if so, how difficult, time consuming and/or risky is it to do so? Linux distros tend to win here as they come with more software by default, and typically provide repositories for getting more.

  16. Re:Quick Answer on Qualcomm Calls To 'Kill All Proprietary Drivers For Good' · Score: 1

    And it's less likely to happen either, because the community will generally favour vendors who are more open... When I built my latest box I explicitly chose an ATI card for this reason.

  17. Re:Quick Answer on Qualcomm Calls To 'Kill All Proprietary Drivers For Good' · Score: 1

    Why would you go to the hassle of creating driver packages for every different distro, when you could submit your driver source to be included in the upstream kernel?

    That way it will work out of the box on any distro using a kernel after the point where it got included, it will get well tested and the kernel maintainers will take care of at least some if not all of the work to keep it functioning and fix bugs.

    You will also find that, where applicable (e.g. PCI/USB devices) your driver will be working on both 32 and 64-bit x86, ARM, MIPS and any other architecture that Linux runs on, even those that you wouldn't have made any effort to support otherwise.

    The problem is that hardware manufacturers are still thinking the Windows way, release drivers for a given version and expect the user to find and install them on their own... This kinda works on Linux, but is far from optimal.

    If you do it the proper Linux way, things work out much better...
    I have plenty of non-x86 hardware that has PCI or USB, and many peripherals only work on that hardware when running Linux, and not when running whatever proprietary OS...
    I have a small ARM laptop which came with Windows CE; the built-in wireless card is garbage (very poor range), Linux can use a high power USB card while Windows cannot.
    I have a quad port Sun ethernet card that was intended to be used on SPARC; it works on x86 and IA64 under Linux but Windows has no drivers for it.

  18. Re:Quick Answer on Qualcomm Calls To 'Kill All Proprietary Drivers For Good' · Score: 1

    The vast majority of Windows users either keep the factory install (complete with all the adware bullshit), or have someone else reinstall it for them.

    People who are clued up enough to install Windows would have no trouble whatsoever installing Linux these days...

    Also "it's really not that bad anymore" is still a far cry from "works out of the box". Most users would have no idea how to find drivers, most wouldn't even be aware what make and model the internal components of their machine are and wouldn't have any idea how to find out.

  19. Re:Quick Answer on Qualcomm Calls To 'Kill All Proprietary Drivers For Good' · Score: 1

    Most modern cards are supported by Linux, and the Linux drivers often support monitor mode which Windows drivers do not... A lot of drivers also support master mode (creating an AP).

    On all but one system I've installed modern Linux distros on recently I've had no problems, everything worked right away...

    On one laptop, a brand I had never even heard of before, the sound didn't work by default and I had to manually force it to use a different codec for the Intel HD Audio card. Incidentally this laptop had the same problem under Windows, you couldn't use the generic drivers and had to use the specific ones made by the laptop manufacturer.

    I've found that generally more hardware works by default on Linux than Windows.

    If it doesn't work by default, then it's a pain on both to get working:

    On Windows, if you have the correct driver it's usually relatively painless to get it installed (assuming a driver exists for the Windows version you're using)...
    If you're not sure, then you can spend quite some time getting the PCI/USB device IDs out and searching Google for them.
    Linux is slightly better in this regard because it has a built-in database of PCI IDs, removing some of the work.

    A lot of the hardware that doesn't work with the generic drivers on Linux also won't work with the generic Windows drivers, and requires OEM specific drivers... The Linux drivers can sometimes be configured, and sometimes it's a simple matter of the generic driver not recognising the device ID so you could either force it, or add the device IDs to the source and recompile (and if it works, driver maintainers are usually happy to be given the new IDs)... You generally can't configure Windows drivers this way, so you have no choice but to use the OEM supplied driver, which is usually based on an older version of the official generic driver made by the component vendor.

  20. Re:Not Surprised on Munich Has Saved €4M So Far After Switch To Linux · Score: 1

    Failure rates on older hardware are not actually all that high; the most likely thing to die is the hard drive because that has moving parts, so you just don't use the hard drive for anything but the OS and store your data on a remote server.
    If the machine breaks, you just swap in a replacement and carry on working with the files you left on the server.

    A machine which is 10 years old is likely to have a 100Mb NIC, not 10Mb, but even 10Mb is more than adequate for most uses.

    There's another important factor to consider though: if you are able to use older hardware then you will also be able to use lower power hardware, that is hardware which is performance equivalent to that older hardware while consuming considerably less electricity and costing much less to purchase.

  21. Re:Not Surprised on Munich Has Saved €4M So Far After Switch To Linux · Score: 1

    It's both of their fault...
    Adobe/Apple for including their own update service.
    But more importantly, MS' fault for not including a system wide update service that these applications could hook into.

    If they don't try to keep it updated, then software like this just ends up as an exploit magnet.

  22. Re:I guess that's what you get for using Microsoft on MacControl Trojan Being Used In Targeted Attacks Against OS X Users · Score: 1

    The scripting language is one of the least concerns...
    The biggest problem is the complexity and age of the file formats. There is plenty of complexity, and lots of crufty old code waiting to be exploited, while on the other hand the format is poorly documented which makes it hard to validate files against a known good spec.

  23. AmigaOS is a single user OS with virtually none of the security features present in modern systems; if anyone put the effort in to target it I doubt it would stand up very well.

    Linux doesn't have a small userbase by any means, it just has a small userbase on the desktop. In other markets, Linux is actually huge.
    Similarly, while OS X may have a relatively small marketshare, it comes bundled with software which is very widely used such as Apache.

  24. Re:Rare earth metals all over again. on Solar Power Is Booming — Why Do We Want To Kill It? · Score: 1

    It would be very difficult (and costly) to maintain...
    You would still need the same base load provided by something other than solar (e.g. coal, gas, nuclear etc.) for nights and cloudy days...
    Also with lots of people feeding into as well as taking from the grid you would have more scope for malfunctioning poorly maintained equipment causing problems.

    Solar may reduce the bills of those who have the panels, but only due to government subsidy... In actual fact it makes it more expensive, and that cost is passed on to all the other customers without solar panels. Take away the subsidy and it just wouldn't be viable at all.

  25. Re:But isn't it still slightly helpful to the poor on Solar Power Is Booming — Why Do We Want To Kill It? · Score: 1

    Or an increase in costs, because thanks to lots of users running solar panels there is now far more variation in demand...
    Sure the demand on hot sunny days might be lower, but during the hours of darkness it will be just as high as it ever was, so you still need to keep the same capacity available in the coal/gas/nuclear plants.