Let's look at a car analogy. If I was a car manufacturer, I could advertise that I recommended automatic transmissions, but that wouldn't mean that I wouldn't sell manual transmissions to those who wanted it. For some people, XP has advantages, for others, Vista is better. Same with automatic and manual transmissions. No one product is right for everyone, so they are selling both.
You would still be able to boot into Linux with a Live CD, or boot windows from a set of floppy discs, and check out the PC that way. The corrupt boot.ini would only stop your regular windows install from booting correctly, and wouldn't stop you from booting from some other device to check out the problem.
That's why with paper voting they have other people watching the counters and verifying their results. People from all interested parties can easily watch what's going on, to make sure everything is on the up-and-up. The same can't be said for machine, as it's really hard to verify that a machine is counting correctly.
Exactly. I'm a software developer. Most people would say I'm a pretty smart guy. However, it would still take me a lot of research to be able to verify that an electronic voting system is even secure. If I could verify it at all. And still when I walk up to the machine on voting day, it would be impossible for me to verify that the machine was running the correct software, unmodified hardware, and was actually doing what the original design said, and not something else.
I do the same with my personal website. I don't check it in IE (actually, just checked now, no major problems). However, that's just a little personal website, and I can't be bothered. However, if it was a money making venture or something that was for the general public, I would definitely test it in IE6, IE7, Firefox, Opera, and Safari. You can't just ignore a large percentage of your userbase.
Holy shortcuts Batman. I usually use Ctrl+L for the address bar, I didn't know that there was Alt+d. I don't know why they would have multiple shortcuts for a single action. Also, for the search bar, there's Ctrl+K which I use, and apparently Ctrl+E, which another poster pointed out.
No, it's usually something more like, get the site working in IE, and here's an extra $X to make it work in firefox. Working in IE isn't an option, it just has to work, because that's what the majority of people are using. Yet when it comes time to implement, you don't need to spend extra time to get things to work, because they work the way they should. You have to spend tons of extra time getting things to work in IE, but you don't get any extra cash for it. If things just worked in IE, you would spend a quarter of the time in messing around with HTML, JS, and CSS, and could focus on more important things like website security.
I will also vouch for PasswordSafe. It also runs quite well under WINE. which is nice because I haven't been able to find a Linux program that can read the current database formats. Just ones that read some old database format.
But isn't the whole problem with using a Rorschach that it's interpretation is dependant on your mental state? If you come in on Monday morning all relaxed and type in your password, then you might not be able to remember it when it's 3 in the morning and you have to log in to fix a critical system problem.
Many places don't allow passwords that long. My bank is one of them. Maximum number of characters is 8. There's plenty of other places that don't allow long passwords, or passwords with spaces, or a bunch of other things. I personally just use PasswordSafe to store all my passwords, and generate a new one for every account I have. I usually make it pretty strong, including symbols, letters, numbers, and around 12 characters. Except for the sites that require 8 character alphanumeric passwords.
Also, try playing some really crappy games, so you can find out what doesn't work. It's almost as important to understand bad design as it is to understand good design.
The file doesn't have to be that big. I compress files for my iPod Nano. It only supports 320x240 resolution, so that's the resolution I use. I can put a 2 hour movie in about 250 MB. The quality isn't spectacular, but the screen is so small it's hard to tell. Most DVDs have at least that much free space.
In highschool, I only had WordPerfect 5.1. Now, the word processor I use is very different from WordPerfect 5.1, and only a few places even use WordPerfect of any version anymore. It use to be the industry standard. My point is, is that if you want a job now, then knowing the industry standard tools is important. However, if you're in highschool, and just learning, the tools you're using won't likely be used in industry anyway, and even if they do, they will be vastly changed.
Sure they could research long range manned missions. They just have to change the project to "send a man to Titan". If you figure that out, then sending a man to mars would be a piece of cake.
I think that a good solution is to show them both. In highschool I learned how to use WordPerfect 5.1 as well as MS Word. I also learned to use Quattro Pro, and Excel, and MS Works. I also Learned Adobe PageMaker and CorelDraw. And the list goes on. Teach the students that there are different kinds of software that can do the same tasks and how to make their skills transferable from one application to another. Even if they were using Photoshop CS3, they wouldn't be using CS3 in 10 years when they were finally in the working world. The interface might have completely changed. So instead of teaching them how to memorize commands and only work with one tool, teach them concepts, and techniques, and they will have no problem with whatever tool they are provided by their future employers.
But why put a funding freeze on something that's not even possible yet? What happens if, in 10 years, someone (like private enterprise) figures out how to travel in space for next to nothing. Then they will have to go back and change the legislation, just so they can send someone to Mars.
Could you please list a web development language that's invulnerable to idiot developers using non-random session ids? Yeah, I thought not. I guess it has nothing to do with ASP.Net after all.
In this case Option A didn't cost any more, it just consisted of typing SessionCode = GetCryptographicRandomNumber() rather than SesssionCode = LastSessionCode + 1. It would have taken possibly 30 minutes to write the GetCryptographicRandomNumber() function, and wouldn't have really cost any more money, considering they had to eventually fix it anyway.
But the security group has to have intimate knowledge of the entire system. Otherwise they can't do their job properly. You have to look at the code and verify whether or not they are doing things properly. You can't just look at a website from the outside, and tell whether or not the underlying code is vulnerable to SQL injections. You can't tell how the session codes are being generated. Even if they look random, they may not actually be random enough.
I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make you system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.
I'm just trying to wonder what the query could be, and why even use the limit clause when the argument is so high. Seems like MySQL has no problem with interpreting such a large number in a limit statement based on my tests. Seems to me you can cause the error by putting the limit clause, directly after the word "WHERE", if you forget your where clause. Here's the working link. Seems all we had to do was remove the trailing slash.
Let's look at a car analogy. If I was a car manufacturer, I could advertise that I recommended automatic transmissions, but that wouldn't mean that I wouldn't sell manual transmissions to those who wanted it. For some people, XP has advantages, for others, Vista is better. Same with automatic and manual transmissions. No one product is right for everyone, so they are selling both.
You would still be able to boot into Linux with a Live CD, or boot windows from a set of floppy discs, and check out the PC that way. The corrupt boot.ini would only stop your regular windows install from booting correctly, and wouldn't stop you from booting from some other device to check out the problem.
That's why with paper voting they have other people watching the counters and verifying their results. People from all interested parties can easily watch what's going on, to make sure everything is on the up-and-up. The same can't be said for machine, as it's really hard to verify that a machine is counting correctly.
Exactly. I'm a software developer. Most people would say I'm a pretty smart guy. However, it would still take me a lot of research to be able to verify that an electronic voting system is even secure. If I could verify it at all. And still when I walk up to the machine on voting day, it would be impossible for me to verify that the machine was running the correct software, unmodified hardware, and was actually doing what the original design said, and not something else.
How is paper voting any more expensive than machine assisted voting? From my understanding, it's extremely cheap.
I do the same with my personal website. I don't check it in IE (actually, just checked now, no major problems). However, that's just a little personal website, and I can't be bothered. However, if it was a money making venture or something that was for the general public, I would definitely test it in IE6, IE7, Firefox, Opera, and Safari. You can't just ignore a large percentage of your userbase.
Holy shortcuts Batman. I usually use Ctrl+L for the address bar, I didn't know that there was Alt+d. I don't know why they would have multiple shortcuts for a single action. Also, for the search bar, there's Ctrl+K which I use, and apparently Ctrl+E, which another poster pointed out.
No, it's usually something more like, get the site working in IE, and here's an extra $X to make it work in firefox. Working in IE isn't an option, it just has to work, because that's what the majority of people are using. Yet when it comes time to implement, you don't need to spend extra time to get things to work, because they work the way they should. You have to spend tons of extra time getting things to work in IE, but you don't get any extra cash for it. If things just worked in IE, you would spend a quarter of the time in messing around with HTML, JS, and CSS, and could focus on more important things like website security.
Even worse is that Outlook 2007 has adopted the MS Word HTML Engine for rendering, bringing HTML newsletters back to the stoneage.
I will also vouch for PasswordSafe. It also runs quite well under WINE. which is nice because I haven't been able to find a Linux program that can read the current database formats. Just ones that read some old database format.
But isn't the whole problem with using a Rorschach that it's interpretation is dependant on your mental state? If you come in on Monday morning all relaxed and type in your password, then you might not be able to remember it when it's 3 in the morning and you have to log in to fix a critical system problem.
Many places don't allow passwords that long. My bank is one of them. Maximum number of characters is 8. There's plenty of other places that don't allow long passwords, or passwords with spaces, or a bunch of other things. I personally just use PasswordSafe to store all my passwords, and generate a new one for every account I have. I usually make it pretty strong, including symbols, letters, numbers, and around 12 characters. Except for the sites that require 8 character alphanumeric passwords.
Why not just watch the DVD if you're going to watch it on a PC?
Also, try playing some really crappy games, so you can find out what doesn't work. It's almost as important to understand bad design as it is to understand good design.
The file doesn't have to be that big. I compress files for my iPod Nano. It only supports 320x240 resolution, so that's the resolution I use. I can put a 2 hour movie in about 250 MB. The quality isn't spectacular, but the screen is so small it's hard to tell. Most DVDs have at least that much free space.
In highschool, I only had WordPerfect 5.1. Now, the word processor I use is very different from WordPerfect 5.1, and only a few places even use WordPerfect of any version anymore. It use to be the industry standard. My point is, is that if you want a job now, then knowing the industry standard tools is important. However, if you're in highschool, and just learning, the tools you're using won't likely be used in industry anyway, and even if they do, they will be vastly changed.
Sure they could research long range manned missions. They just have to change the project to "send a man to Titan". If you figure that out, then sending a man to mars would be a piece of cake.
Even at a vocational school, it would be detrimental for them to only show how to use one tool.
I think that a good solution is to show them both. In highschool I learned how to use WordPerfect 5.1 as well as MS Word. I also learned to use Quattro Pro, and Excel, and MS Works. I also Learned Adobe PageMaker and CorelDraw. And the list goes on. Teach the students that there are different kinds of software that can do the same tasks and how to make their skills transferable from one application to another. Even if they were using Photoshop CS3, they wouldn't be using CS3 in 10 years when they were finally in the working world. The interface might have completely changed. So instead of teaching them how to memorize commands and only work with one tool, teach them concepts, and techniques, and they will have no problem with whatever tool they are provided by their future employers.
But why put a funding freeze on something that's not even possible yet? What happens if, in 10 years, someone (like private enterprise) figures out how to travel in space for next to nothing. Then they will have to go back and change the legislation, just so they can send someone to Mars.
Could you please list a web development language that's invulnerable to idiot developers using non-random session ids? Yeah, I thought not. I guess it has nothing to do with ASP.Net after all.
In this case Option A didn't cost any more, it just consisted of typing SessionCode = GetCryptographicRandomNumber() rather than SesssionCode = LastSessionCode + 1. It would have taken possibly 30 minutes to write the GetCryptographicRandomNumber() function, and wouldn't have really cost any more money, considering they had to eventually fix it anyway.
But the security group has to have intimate knowledge of the entire system. Otherwise they can't do their job properly. You have to look at the code and verify whether or not they are doing things properly. You can't just look at a website from the outside, and tell whether or not the underlying code is vulnerable to SQL injections. You can't tell how the session codes are being generated. Even if they look random, they may not actually be random enough.
I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make you system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.
I'm just trying to wonder what the query could be, and why even use the limit clause when the argument is so high. Seems like MySQL has no problem with interpreting such a large number in a limit statement based on my tests. Seems to me you can cause the error by putting the limit clause, directly after the word "WHERE", if you forget your where clause. Here's the working link. Seems all we had to do was remove the trailing slash.