No, such companies can be and are PCI-DSS compliant as long as their declared PCI information security policy includes the transmission of payments data to the DHS (and there certainly is space for such things in PCI to meet regulatory requirements), that transfers to DHS are suitably cryptographically protected if over a public network, and as long as the company informs the DHS in their role as a PCI "third party" of their responsibility to also store payments data securely under the PCI.
Of course, whether the DHS are *actually* following section 9 of the PCI-DSS by mailing the guy his payment data is very questionable.
It's true that if you just rely on free time to do work on a mod you'll never get it done.
Disagree. I'm lead coder for a fairly sizable and popular mod (4th in moddb awards 2007, honourable mention and 2nd unreleased 2006, 14th and 2nd unreleased 2005) and I get everything I need done just in my spare time, juggling a full-time job, a full-time girlfriend and a full-time cat.
What I think he really means is only antisocial types need apply.
The body of this story is misleading. Phorm *does* work on the ISP's side of the connection. It basically does a MITM attack on HTTP traffic to insert tracking cookies.
Now consider why a language whose sole use is doing this sort of thing didn't have it from the start. The answer is that PHP was not designed with security in mind. It was designed to be easy to use.
And how do you know that the certificates "from websites I know and trust" are really from said websites? The simple fact is you don't, because you have no trust in the root certs that they present.
/krugle/we can't write a simple readable webpage/because we have web2.0/jammed up our ass/unnhnhnh
Re:The real 90s versus outdated 00s software (on Java Is So 90s · Score: 1, Flamebait)
Languages don't cause bad programs to be written -- bad programmers do!
Nonsense. Languages can be specifically designed to encourage and assist programmers in achieving different outcomes. PHP - being poorly designed - encourages poor practices and certainly does not enforce or even encourage secure code. Hence why it is an absolute disaster in practice.
The pattern you see is "open-source software is not yet as good as its closed-source equivalent."
Not designed with security in mind (on The Future of Firefox · Score: 1, Interesting)
Time and time again, we see the same basic design flaw rear its ugly head in Mozilla Firefox.
What need is there for a web browser to have privileged and non-privileged scripting modes? What a horrible design decision. Did they not learn from IE?
addslashes should not be used to escape data destined for a database because it doesn't escape all the necessary reserved symbols associated with the underlying database engine.
It's not PHP's fault that people don't take the time to learn how to write secure code. But it should take the blame for making it so easy to do so and not guiding beginners to making the right choices. Even an extremely simple tainting system which throws an E_WARNING when incorrectly escaped user controllable input reaches any functions marked as dangerous (mysql_query, include and so on) would improve the situation greatly.
Re:mysql_escape_string (on A Decade of PHP · Score: 4, Interesting)
mysql_escape_string is deprecated and should never be used in production code! The replacement is the hilariously named mysql_real_escape_string.
Your "not that hard" comment is rather amusing with this in mind.
Let's hope that in the future the PHP developers can come up with some ways to make the code produced by PHP developers more secure.
One of the huge problems with PHP is the massive number of XSS and SQL injection vulns present in code. Partially because PHP is used by beginners, but mainly because PHP does not help the developer write secure code. It's fast and easy to write, but allows you to shoot yourself in the foot. Just like C.
See this paper on precise tainting for an example solution to the problems. It would break compatibility with most software written in PHP, but that's not necessarily a bad thing when most of it is insecure trash.
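As an added illustration, not from any of the comments above and not a feature of PHP itself, here is a user-land sketch of the tainting idea from the E_WARNING comment, placed next to the prepared-statement path that makes the addslashes / mysql_real_escape_string debate moot. The class and function names (Tainted, taintedInput, concatSql, boundQuery) are hypothetical, and the input is constructed.

```php
<?php
declare(strict_types=1);
// Added sketch, not PHP's own machinery nor from the comments; all names are
// hypothetical. Needs PHP 8.1 (readonly promoted property, union types).

final class Tainted
{
    public function __construct(public readonly string $value) {}
}

/** Read request input as a Tainted value instead of a bare string. */
function taintedInput(array $source, string $key): Tainted
{
    return new Tainted((string) ($source[$key] ?? ''));
}

/** Dangerous sink: SQL built by concatenation. A Tainted piece triggers the
 *  warning the comment proposes (user land can only raise E_USER_WARNING). */
function concatSql(string|Tainted ...$pieces): ?string
{
    foreach ($pieces as $i => $piece) {
        if ($piece instanceof Tainted) {
            trigger_error("tainted input reached SQL text at piece $i", E_USER_WARNING);
            return null;
        }
    }
    return implode('', $pieces);
}

/** Sanctioned path: trusted SQL literal with placeholders; Tainted values are
 *  unwrapped only into bound parameters, so no addslashes-style escaping. */
function boundQuery(PDO $db, string $sql, array $params): PDOStatement
{
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $p) {
        $stmt->bindValue($name, $p instanceof Tainted ? $p->value : $p);
    }
    $stmt->execute();
    return $stmt;
}

// Constructed input standing in for $_GET; the quote would break naive concatenation.
$user = taintedInput(['user' => "o'neil"], 'user');
var_dump(concatSql("SELECT name FROM users WHERE name = '", $user, "'"));

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users VALUES ('o''neil')");
var_dump(boundQuery($db, 'SELECT name FROM users WHERE name = :n', [':n' => $user])->fetchColumn());
```

The concatenation sink refuses the tainted value and emits the warning, while the bound query returns the row because the driver, not string escaping, keeps the quote inside the data.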
depends.exe does exactly this and ships with the platform sdk.
It's a nice illustration that exit(3) is by definition not reentrant.
Mozilla would've been better off keeping their mouths shut. As it is, they've irresponsibly disclosed a vulnerability in a competitor's product.
This is about bugs in PHP itself, not applications written in PHP. Both have an utterly appalling security record though.
All the free software browsers variously lack modern features or are of poor quality.
What are you trying to hide? Why do you hate freedom!?
we ran out of stones?! jesus the environment's in worse shape than i imagined!
"Requires Firefox" is the new "Requires Internet Explorer." It's a pity the web is still so stupid.
What is this "grammer" you speak of?
Does this work with linux? I tend to buy every FPS which supports linux and it looks like a great game.
72 servers and it still runs slower than any other website of its popularity.
The concept of installing a program under windows is one of the most simple I know.