Perhaps Ubuntu with a "trial" CNR service can make up (moneywise) for the lost revenue from the windows crapplets. No, I'm not advocating it, but that is the sort of thing they would pick as a business model. Kickback for every application installed. Even the "free" stuff can have a kickback. I can see it now, CNR install Realplayer with banner ads --- kickback to Dell. Install your lovely weatherbug client -- kickback to Dell. Purple gorillas on Gnome... never mind... you get the picture.
I just hope Dell offers lots of distributions and gives the option of lots of different Linux support services
Yes, that would be utopia, but it would shortly end their Linux business because of the extra service costs involved. I hope they just offer one or two distros, so their costs stays low and they make enough of a profit to keep them in the Linux business. I don't care which distros they offer. I only care that the hardware has certified kernel driver support. I'm guessing they will be offering RedHat and/or SuSe, which will satisfy 90% of the *need* (not preference, but need). If you know enough about Linux to want a specific distro beside what they offer or have a specialized need to require a specific distro beside what they offer, then you probably know enough to support it yourself (outside of the kernel-level hardware drivers). I'm a Debian fan myself, but I could live with RH. If I have a compelling need to use Debian, I can install and support it myself, as long as the hardware has proper gpl drivers.
How about a cell company having a drone circle a major metro area during major sporting events or along a highway during a hurricane evacuation. As the mob of people move to or from the center or along a highway, the drone could calculate where it was needed most in order to supplement the local tower infrastructure. That way, it could help the local network from being saturated and collapsing.
Satellite bandwidth is scarce. Only really high priority users or missions are going to get an allocated satellite freq. More common are local-unit radio networks. Think of a tank squadron (battalion). They have separate troops (companies) maneuvering over an area of several kilometers. The adjacent unit or the Brigade command post is another several klicks distant on top of that. Most of the tanks' radios are of limited range; so a dynamically moving repeater (perhaps on an airborne drone) would be very valuable to allow a tank to communicate back to the Bde CP.
This list is part of the implementing mechanism of "economic sanctions", hence it is maintained by the "Office of Foreign Assets Control". How else do you think these things are done? Do you think "sanctions" magically implement themselves? If you would rather have economic sanctions as an instrument of policy instead of war, then you certainly can have no complaint here. If you think known money launderers should not be moving financial transactions through US banks, then you also should have no complaints.
BTW.This list is consolidated with some others at the "Excluded Party List System" at http://www.epls.gov/ . That list also contains people who have defrauded the government (amongst other things) and have been debarred from federal contracts.
Since there is some concern here about false positives, here is an explanation of what the system is and what they say to do when you get a match:
23.What is SDN?
As part of its enforcement efforts, the U.S. Department the Treasury, Office of Foreign Assets Control (OFAC) publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDN." Their assets are blocked and U.S. persons are generally prohibited from dealing with them. To access the SDN list, please visit www.treas.gov/ofac and click on the link for the SDN list under the OFAC mission statement.
24.What do I do if I have a match to the SDN list?
If you have checked a name manually or by using software and find a match, you should do a little more research. Is it an exact name match or very close? Is your customer located in the same general area as the SDN? If not, it may be a "false hit." If there are many similarities, contact the Office of Foreign Assets Control's (OFAC) "Hotline" at [redacted by me to prevent cranks] for verification. Unless a transaction involves an exact match, it is recommended that you contact OFAC Compliance office before actually blocking assets.
So you see, people are not denied just because their name "sounds foreign" or by way of casual misidentification. The Government personnel are directed to perform due diligence to ascertain that they are really dealing with a SDN before taking any action.
They apparently think the State did not evaluate the proposals in accordance with the publicly stated evaluation factors (i.e. the state didn't follow its own rules on fair contracting). That is enough to protest the award or sue (depending on how the state contracting system works).
I have experience with the federal contracting process, I suspect the states follow similar procedures. In the public solicitation or Request for Proposal, the Government will have laid out some evaluation factors (i.e. what matters when selecting the contractor or product). Those factors are more or less binding once announced. All proposals must be evaluated in accordance with the publicly stated evaluation factors and only the publicly stated evaluation factors. If Diebold reasonably believes that the state is not using its own rules for selecting a contractor, then Diebold can protest the award or sue. That's how public contracting works. If the State can reasonably and coherently relate their source selection decision in terms of the evaluation factors, then the State will probably win. If the State can not, or if the State used considerations outside of the announced evaluation factors, then the State will lose. That is the way the system works and it is designed to keep the process honest.
I have a ton of old DOS games that I really used to enjoy. They are just sitting around in the box collecting dust. Getting those DOS games to work on XP with either DosBox or the built-in XP "compatibility mode" is a hit or miss deal - some times it works great, sometimes not at all, and sometimes it's excruciatingly slow or buggy. I would love to have a *new* DOS machine with all the standard hardware and drivers for that era - like the Sound Blaster 16. Yes, I know your saying "E-Bay", but I want something that is not going to fall apart, catch fire and trip a circuit breaker, or be covered with 15 year-old coffee stains. Maybe there is a (small) market there.
From TFA interview with FAA chief information officer David Bowen
Bowen cited several reasons why he finds Google Apps attractive. "It's a different sort of computing strategy," he said. "It takes the desktop out of the way so you're running a very thin client. From a security and management standpoint that would have some advantages." ....
Bowen said he's in talks with the aviation safety agency's main hardware supplier, Dell Computer, to determine if it could deliver Linux-based computers capable of accessing Google Apps through a non-Microsoft browser once the FAA's XP-based computers pass their shelf life. "We have discussions going on with Dell," Bowen said. "We're trying to figure out what our roadmap will be after we're no longer able to acquire Windows XP."
I'm sorry, but do you really think Dell is going to enthusiastically push thin clients? AFAIK, Dell isn't even in the thin client business, they are in the PC business. Dell has an interest in dooming this from the start in order to protect their PC business. This CIO Bowen has no idea of where to go with this, so somebody needs to whisper in his ear. He needs to talk with Sun, since they have considerable experience with Sunray thin clients. Maybe even Neoware thin clients from IBM/Lenovo.
When I manually changed the version of Python by compiling it myself, it borked the package manager so it wouldn't get security updates anymore.
If you have some scripts that absolutely got to run with the newer version, then compile your own and put it in/usr/local. That way you don't bork the base system and you can still do what you want in our own little/usr/local sandbox. The only way that would fail is if the newer version is not backwards source-compatible with whatever version of libc RHEL 3 uses, which (while possible) is unlikely. The whole point of/usr/local is that you roll-your-own without screwing with the system managed components in/usr. Whatever you do, *never ever* install something non-standard or that you compiled yourself into/usr/bin or you will almost certainly bork the system. You might have to call the program with an absolute path or rearrange the PATH of the non-root user to make sure it sees your custom version first. Leave root's path alone so system updates use the vendor provided version.
BTW, I do this anyway as a matter of course with Apache and PHP because I need different compile-time options than what the vendor-provided packages provide. It gives me more flexibility. The downside is that I have to stay up to date with new source releases and bug fixes myself.
The whole point of the Africanized Bee experiments in Brazil (that created the Killer Bee Hybrid) was to create a bee that was hardier in warm/tropical climates? So if the Africanized Bees are also effected, the it definitely is not Global Warming.
On the other hand, if the africanized bees are not effected, if might be global warming (or more likely some resistance they carry). But more immediately, then bee keepers will have to learn to handle them in replacement of the European/Italian Bee,as beekeepers have been forced to in South and Central America. If that is the case, the the "Killer Bee" might be the salvation of the bee industry after all.
IIRC, one of the parts of the Novell-Microsoft deal was that MS had to buy and resell 70K SuSe licenses.
Financial terms weren't disclosed, but involve various payments between the two companies, including Microsoft's paying Novell for a minimum of roughly 70,000 "coupons" that Microsoft corporate customers can convert into annual subscriptions to receive support for Suse Linux.
Coincidence? So who will Dell be buying those SuSe licenses from? Directly from Novell or a "third party reseller"?
It's my understanding that the dilemma for Linux is that device manufactures are reluctant to have their hardware designs exposed in Linux code, therefore they usually don't give out their specs to Linux developers......... But the problem for Dell will be in choosing from the gazillions of combinations that make GNU/Linux what it is.
Usually, I'm against a company using market power to twist the arms of its suppliers, but just this once, I hope it happens. So when Dell has to pick between stocking hardware that supports both OSes or having separate pieces for each OSes, which do you think they will pick? Obviously they will pick the one that supports both because it helps minimize their support and supply chain costs.
So which hardware vendor can afford to walk away from Dell because they're to cheap to contribute a driver? Hopefully this will get the vendor to see they are in the business of selling hardware, not selling drivers.
It doesn't matter that aboriginals lived in pre-Columbian America, because they didn't know where they were in context of the larger world. They were completely unaware that the rest of the world even existed. (Ironically, Columbus himself was unable to tell where he was, because he thought he was in Asia). Only the Europeans could integrate America into a geographical world-view. They could make maps and come and go repeatedly. They were able to integrate America into world trade. Hernan Cortes (conquered Aztecs) and Francisco Pizzaro (conquered Incas) would have been able tell you exactly where they were in relation to the rest of the world. The wisest Incan or Aztec would have been unable to tell you the same.
Back in the '80s, a majority Indo-Fijian government was elected. (There is major ethnic strife between Indians and indigenous Fijians). The indigenous Fijians (who controlled the military) overthrew the elected government and declared their leader Prime-Minister. IIRC, the Queen instructed the Governor-General to refuse consent and tried to reappoint the elected Government. The military then declared a republic and deposed the Governor-General, ending the Monarchy in Fiji.
So those constitutional checks are only effective if backed by sufficient force. As a practical matter, a Government of sufficient power (popular or otherwise) would be free to ignore the Monarchy.
If you data is so critical, so valuable (i.e. likely to be stolen), or able to be compromised by a USB thumb-drive, then maybe you shouldn't be using PCs at all. A thin client might be what you need.
Instead of drawing from the proven security models of systems like UNIX and VMS, the Windows developers went and rolled their own.
You either have no freaking idea what you are talking about or you are skillfully trolling. When Digital fired most of its VMS team in a cost cutting frenzy, Microsoft had the good sense to hire them up. David N. Cutler who was the VMS project leader became the NT project leader at MS. Cutler brought most of his team with him. The result was that NT was in many ways a clone of VMS with a Win32 API and Win16 API layer on top. The story is famous and is told here. Vista is NT and NT is partially a re-implementation of VMS, to the point that Digital sued MS. MS had to pay a settlement to Digital and agree to support the Alpha on NT. Some people speculate that the letters WNT is an increment on VMS and is an inside joke at MS. AFAIK, Cutler is still working at MS and helped with Vista.
We could just have our own "great firewall" and stop all Chinese traffic. ICANN and the US could (perhaps should) just deallocate Chinese ip space. Make all Chinese ip addresses non-routable. That would also cut down on a bunch of spam and zombies too.
Does anybody have any legitimate reason to route to china, beside exporting jobs to the offshore factories (which is AFAIAC another good reason to shut down their IP space)?
Time to start looking out for our own interests and cut these jokers afloat.
Teaching Bad Practices (Hopefully Not)
on
PHP 5 in Practice
·
· Score: 2, Interesting
A few years back (circa 2002), I whipped up a rapid application prototype with PHP while working off from some on-line tutorials and using Beginning Php 4 from Wrox. I think the book and the tutorials were good a teaching the basic language features and syntax, but they taught me to use PHP dangerously because they did not teach good practices. My application worked but never got out of the prototype/demo stage back then for business reasons. Recently, I went back to it on my own time to try to clean it up, move it to PHP5, and make it deployable. I now cringe with horror at the extremely bad practices I was using back then. Granted, it was just a prototype, but I thought I was doing it "right" because I was following the examples in the book and the tutorials. I was doing stuff like accepting form data and passing it to the DB with out validation, outputting user submitted variables without checking for XSS, registering globals, etc, etc, etc. I was doing the kind of things that give me nightmares now.
So here is my point, all the tutorials, examples, and books that the neophytes are using to learn are _WRONG_. They are teaching _BAD_PRACTICES_. Because PHP is necessarily meant to be in a network environment (excluding the rarely used cli) and it WILL be exposed to potential maliciousness, secure practices should be taught markedly at the beginning, not as an aside. So as part of teaching how to pass form parameters they should include validation code, even if they have to comment that section as "/* trust us on this part for now, we'll show you how this part works latter, just remember you always have to validate the input before you use it */".
I think PHP is a great language for its purpose, which is simple web-apps. Lots of the criticism about its brain-dead defaults is correct, but they can be overcome with good practices by the application developer. PHP can be great, but it is typically taught wrong at the beginning and that just snowballs.
The editors and authors all the PHP books and tutorials out there need to make sure the new editions encapsulate good practice at the beginning of the learning process.
first disclaimer- I haven't read this particular book. I hope it is better than the other PHP books to which my comments apply.
I checked at unix.org (i.e. the Open Group website) and OS X is *not yet* showing up in either the 95, 98, and 03 certifications, but I then checked wikipedia http://en.wikipedia.org/wiki/Mac_OS_X_v10.5. Here is the apropos part:
Leopard is set to be fully UNIX compliant as Apple intends to submit Leopard and Leopard Server to the Open Group for certification. This means that software following the Single UNIX Specification can be compiled and run on Leopard without the need for any code modification.
Very informative. Good job in bringing that to light. I guess that also will settle the litigation issue between apple and the open group over the UNIX trademark, about which I've been very curious but haven't seen any developments on.
First , it requires security clearances for DMV workers. It also closes off some of the easier fraudulent approaches. Previously, it was easy to present totally bogus "identification" like an electric bill and a fake SSN, which were almost never verified. Now you will have to at least present verifiable documents like a certified birth certificate, valid SSN in your own name, or a passport to be accepted. The DMV is required to verify those documents before they issue an ID. Here is a link (PDF) to a explanation put out by Oregon on the key requirements of the Real ID Act.
No system can ever be made completely secure. But it can be made more secure than it currently is. No computer system can ever be protected against all possible threats. Does that mean you shouldn't institute good security practices? As far as the corrupt officials go, you can never completely protect against an inside job, but you try to hire trustworthy people with background checks for sensitive positions.
This makes great grandstanding for politicians, but when these states' citizens are unable to open bank accounts, get on an airplane or train, enter a federal court house, or do anything under the control of the federal government or involving interstate commerce, then the other 90% of the people in those states (the 90% who don't care about real id) are going to be madder than hell at the state legislature for dragging the feet.
My understanding is that it makes applicants prove either their citizenship or legal presence in the country (i.e valid permanent resident visa) to get a license. The 9-11 hijackers had real valid Virginia issued drivers licenses, but they were obtained fraudulently. This makes it harder for them to get one. Once they are denied a driver license, a whole host of otherwise trivial transactions (banking, travel, renting an apartment, etc) become much harder from them to accomplish without attracting attention.
The use of this device would effectively amount to torture. Using it on a crowd of protesters you want removed would be equivalent to going around and Tazering all of them. Passive resistance does not justify the use of torture.
Please stop using strawman agruments. The article said nothing about peaceful protestors. I seriously doubt the military cares about a group of people peacefully singing kumbaya around a campfire, seeing how they have their hands full fighting people with AK-47s and RPGs. Let's see what the article said:
The technology is supposed to be harmless -- a non-lethal way to get enemies to drop their weapons. Hmm...Peaceful protestors don't carry weapons.
During the first media demonstration of the weapon Wednesday, airmen fired beams from a large dish antenna mounted atop a Humvee at people pretending to be rioters and acting out other scenarios U.S. troops might encounter. Hmm... Peaceful protestors are not rioters.
They let volunteer reporters experience it, so the public could know what it really did. None of the reporters have so far claimed they were "tortured".
However, I will grant that the device could be abused. But then again, so could a rubber hose, a car battery, or a bamboo cane.
Slashdot Mirror
Perhaps Ubuntu with a "trial" CNR service can make up (moneywise) for the lost revenue from the windows crapplets. No, I'm not advocating it, but that is the sort of thing they would pick as a business model. Kickback for every application installed. Even the "free" stuff can have a kickback. I can see it now, CNR install Realplayer with banner ads --- kickback to Dell. Install your lovely weatherbug client -- kickback to Dell. Purple gorillas on Gnome... never mind... you get the picture.
I just hope Dell offers lots of distributions and gives the option of lots of different Linux support services
Yes, that would be utopia, but it would shortly end their Linux business because of the extra service costs involved. I hope they just offer one or two distros, so their costs stays low and they make enough of a profit to keep them in the Linux business. I don't care which distros they offer. I only care that the hardware has certified kernel driver support. I'm guessing they will be offering RedHat and/or SuSe, which will satisfy 90% of the *need* (not preference, but need). If you know enough about Linux to want a specific distro beside what they offer or have a specialized need to require a specific distro beside what they offer, then you probably know enough to support it yourself (outside of the kernel-level hardware drivers). I'm a Debian fan myself, but I could live with RH. If I have a compelling need to use Debian, I can install and support it myself, as long as the hardware has proper gpl drivers.
How about a cell company having a drone circle a major metro area during major sporting events or along a highway during a hurricane evacuation. As the mob of people move to or from the center or along a highway, the drone could calculate where it was needed most in order to supplement the local tower infrastructure. That way, it could help the local network from being saturated and collapsing.
Satellite bandwidth is scarce. Only really high priority users or missions are going to get an allocated satellite freq. More common are local-unit radio networks. Think of a tank squadron (battalion). They have separate troops (companies) maneuvering over an area of several kilometers. The adjacent unit or the Brigade command post is another several klicks distant on top of that. Most of the tanks' radios are of limited range; so a dynamically moving repeater (perhaps on an airborne drone) would be very valuable to allow a tank to communicate back to the Bde CP.
BTW.This list is consolidated with some others at the "Excluded Party List System" at http://www.epls.gov/ . That list also contains people who have defrauded the government (amongst other things) and have been debarred from federal contracts.
Since there is some concern here about false positives, here is an explanation of what the system is and what they say to do when you get a match:
So you see, people are not denied just because their name "sounds foreign" or by way of casual misidentification. The Government personnel are directed to perform due diligence to ascertain that they are really dealing with a SDN before taking any action.
They apparently think the State did not evaluate the proposals in accordance with the publicly stated evaluation factors (i.e. the state didn't follow its own rules on fair contracting). That is enough to protest the award or sue (depending on how the state contracting system works).
I have experience with the federal contracting process, I suspect the states follow similar procedures. In the public solicitation or Request for Proposal, the Government will have laid out some evaluation factors (i.e. what matters when selecting the contractor or product). Those factors are more or less binding once announced. All proposals must be evaluated in accordance with the publicly stated evaluation factors and only the publicly stated evaluation factors. If Diebold reasonably believes that the state is not using its own rules for selecting a contractor, then Diebold can protest the award or sue. That's how public contracting works. If the State can reasonably and coherently relate their source selection decision in terms of the evaluation factors, then the State will probably win. If the State can not, or if the State used considerations outside of the announced evaluation factors, then the State will lose. That is the way the system works and it is designed to keep the process honest.
I have a ton of old DOS games that I really used to enjoy. They are just sitting around in the box collecting dust. Getting those DOS games to work on XP with either DosBox or the built-in XP "compatibility mode" is a hit or miss deal - some times it works great, sometimes not at all, and sometimes it's excruciatingly slow or buggy. I would love to have a *new* DOS machine with all the standard hardware and drivers for that era - like the Sound Blaster 16. Yes, I know your saying "E-Bay", but I want something that is not going to fall apart, catch fire and trip a circuit breaker, or be covered with 15 year-old coffee stains. Maybe there is a (small) market there.
I'm sorry, but do you really think Dell is going to enthusiastically push thin clients? AFAIK, Dell isn't even in the thin client business, they are in the PC business. Dell has an interest in dooming this from the start in order to protect their PC business. This CIO Bowen has no idea of where to go with this, so somebody needs to whisper in his ear. He needs to talk with Sun, since they have considerable experience with Sunray thin clients. Maybe even Neoware thin clients from IBM/Lenovo.
When I manually changed the version of Python by compiling it myself, it borked the package manager so it wouldn't get security updates anymore.
/usr/local. That way you don't bork the base system and you can still do what you want in our own little /usr/local sandbox. The only way that would fail is if the newer version is not backwards source-compatible with whatever version of libc RHEL 3 uses, which (while possible) is unlikely. The whole point of /usr/local is that you roll-your-own without screwing with the system managed components in /usr. Whatever you do, *never ever* install something non-standard or that you compiled yourself into /usr/bin or you will almost certainly bork the system. You might have to call the program with an absolute path or rearrange the PATH of the non-root user to make sure it sees your custom version first. Leave root's path alone so system updates use the vendor provided version.
If you have some scripts that absolutely got to run with the newer version, then compile your own and put it in
BTW, I do this anyway as a matter of course with Apache and PHP because I need different compile-time options than what the vendor-provided packages provide. It gives me more flexibility. The downside is that I have to stay up to date with new source releases and bug fixes myself.
The whole point of the Africanized Bee experiments in Brazil (that created the Killer Bee Hybrid) was to create a bee that was hardier in warm/tropical climates? So if the Africanized Bees are also effected, the it definitely is not Global Warming.
,as beekeepers have been forced to in South and Central America. If that is the case, the the "Killer Bee" might be the salvation of the bee industry after all.
On the other hand, if the africanized bees are not effected, if might be global warming (or more likely some resistance they carry). But more immediately, then bee keepers will have to learn to handle them in replacement of the European/Italian Bee
Coincidence? So who will Dell be buying those SuSe licenses from? Directly from Novell or a "third party reseller"?
Usually, I'm against a company using market power to twist the arms of its suppliers, but just this once, I hope it happens. So when Dell has to pick between stocking hardware that supports both OSes or having separate pieces for each OSes, which do you think they will pick? Obviously they will pick the one that supports both because it helps minimize their support and supply chain costs.
So which hardware vendor can afford to walk away from Dell because they're to cheap to contribute a driver? Hopefully this will get the vendor to see they are in the business of selling hardware, not selling drivers.
It doesn't matter that aboriginals lived in pre-Columbian America, because they didn't know where they were in context of the larger world. They were completely unaware that the rest of the world even existed. (Ironically, Columbus himself was unable to tell where he was, because he thought he was in Asia). Only the Europeans could integrate America into a geographical world-view. They could make maps and come and go repeatedly. They were able to integrate America into world trade. Hernan Cortes (conquered Aztecs) and Francisco Pizzaro (conquered Incas) would have been able tell you exactly where they were in relation to the rest of the world. The wisest Incan or Aztec would have been unable to tell you the same.
Back in the '80s, a majority Indo-Fijian government was elected. (There is major ethnic strife between Indians and indigenous Fijians). The indigenous Fijians (who controlled the military) overthrew the elected government and declared their leader Prime-Minister. IIRC, the Queen instructed the Governor-General to refuse consent and tried to reappoint the elected Government. The military then declared a republic and deposed the Governor-General, ending the Monarchy in Fiji.
So those constitutional checks are only effective if backed by sufficient force. As a practical matter, a Government of sufficient power (popular or otherwise) would be free to ignore the Monarchy.
If you data is so critical, so valuable (i.e. likely to be stolen), or able to be compromised by a USB thumb-drive, then maybe you shouldn't be using PCs at all. A thin client might be what you need.
You either have no freaking idea what you are talking about or you are skillfully trolling. When Digital fired most of its VMS team in a cost cutting frenzy, Microsoft had the good sense to hire them up. David N. Cutler who was the VMS project leader became the NT project leader at MS. Cutler brought most of his team with him. The result was that NT was in many ways a clone of VMS with a Win32 API and Win16 API layer on top. The story is famous and is told here. Vista is NT and NT is partially a re-implementation of VMS, to the point that Digital sued MS. MS had to pay a settlement to Digital and agree to support the Alpha on NT. Some people speculate that the letters WNT is an increment on VMS and is an inside joke at MS. AFAIK, Cutler is still working at MS and helped with Vista.
We could just have our own "great firewall" and stop all Chinese traffic. ICANN and the US could (perhaps should) just deallocate Chinese ip space. Make all Chinese ip addresses non-routable. That would also cut down on a bunch of spam and zombies too.
Does anybody have any legitimate reason to route to china, beside exporting jobs to the offshore factories (which is AFAIAC another good reason to shut down their IP space)?
Time to start looking out for our own interests and cut these jokers afloat.
A few years back (circa 2002), I whipped up a rapid application prototype with PHP while working off from some on-line tutorials and using Beginning Php 4 from Wrox. I think the book and the tutorials were good a teaching the basic language features and syntax, but they taught me to use PHP dangerously because they did not teach good practices. My application worked but never got out of the prototype/demo stage back then for business reasons. Recently, I went back to it on my own time to try to clean it up, move it to PHP5, and make it deployable. I now cringe with horror at the extremely bad practices I was using back then. Granted, it was just a prototype, but I thought I was doing it "right" because I was following the examples in the book and the tutorials. I was doing stuff like accepting form data and passing it to the DB with out validation, outputting user submitted variables without checking for XSS, registering globals, etc, etc, etc. I was doing the kind of things that give me nightmares now.
/* trust us on this part for now, we'll show you how this part works latter, just remember you always have to validate the input before you use it */".
So here is my point, all the tutorials, examples, and books that the neophytes are using to learn are _WRONG_. They are teaching _BAD_PRACTICES_. Because PHP is necessarily meant to be in a network environment (excluding the rarely used cli) and it WILL be exposed to potential maliciousness, secure practices should be taught markedly at the beginning, not as an aside. So as part of teaching how to pass form parameters they should include validation code, even if they have to comment that section as "
I think PHP is a great language for its purpose, which is simple web-apps. Lots of the criticism about its brain-dead defaults is correct, but they can be overcome with good practices by the application developer. PHP can be great, but it is typically taught wrong at the beginning and that just snowballs.
The editors and authors all the PHP books and tutorials out there need to make sure the new editions encapsulate good practice at the beginning of the learning process.
first disclaimer- I haven't read this particular book. I hope it is better than the other PHP books to which my comments apply.
Second, disclaimer- this is mostly a repost from my post at this discussion ( PHP Application Insecurity - PHP or Devs Fault?)
I especially enjoyed the Hal Cartoon : Cagel Cartoons. Scroll down to the middle of the page.
Very informative. Good job in bringing that to light. I guess that also will settle the litigation issue between apple and the open group over the UNIX trademark, about which I've been very curious but haven't seen any developments on.
First , it requires security clearances for DMV workers. It also closes off some of the easier fraudulent approaches. Previously, it was easy to present totally bogus "identification" like an electric bill and a fake SSN, which were almost never verified. Now you will have to at least present verifiable documents like a certified birth certificate, valid SSN in your own name, or a passport to be accepted. The DMV is required to verify those documents before they issue an ID. Here is a link (PDF) to a explanation put out by Oregon on the key requirements of the Real ID Act.
No system can ever be made completely secure. But it can be made more secure than it currently is. No computer system can ever be protected against all possible threats. Does that mean you shouldn't institute good security practices? As far as the corrupt officials go, you can never completely protect against an inside job, but you try to hire trustworthy people with background checks for sensitive positions.
This makes great grandstanding for politicians, but when these states' citizens are unable to open bank accounts, get on an airplane or train, enter a federal court house, or do anything under the control of the federal government or involving interstate commerce, then the other 90% of the people in those states (the 90% who don't care about real id) are going to be madder than hell at the state legislature for dragging the feet.
I predict their resistance won't last long.
My understanding is that it makes applicants prove either their citizenship or legal presence in the country (i.e valid permanent resident visa) to get a license. The 9-11 hijackers had real valid Virginia issued drivers licenses, but they were obtained fraudulently. This makes it harder for them to get one. Once they are denied a driver license, a whole host of otherwise trivial transactions (banking, travel, renting an apartment, etc) become much harder from them to accomplish without attracting attention.
The technology is supposed to be harmless -- a non-lethal way to get enemies to drop their weapons.
Hmm...Peaceful protestors don't carry weapons.
During the first media demonstration of the weapon Wednesday, airmen fired beams from a large dish antenna mounted atop a Humvee at people pretending to be rioters and acting out other scenarios U.S. troops might encounter.
Hmm... Peaceful protestors are not rioters.
They let volunteer reporters experience it, so the public could know what it really did. None of the reporters have so far claimed they were "tortured".
However, I will grant that the device could be abused. But then again, so could a rubber hose, a car battery, or a bamboo cane.