The problem with this is you will need a chart to tell you what time of day it is elsewhere. It matters because you don't want to make a work call with someone when they are likely asleep. The effort of all the charts would be the same as using time zones.
If you were teaching civil engineering, the first day you would be showing them a film about the bridge that blew down because its design failed to accommodate its stress inputs. And the fact that people's lives were on the line.
I would very much like to know what the first day in your course is like.
I think you have to honestly look at yourself and if you are not educating developers on how and why injection flaws work, and how they must be stopped at every handoff of data between interpretation domains, then you are a bad professor and a part of the problem. Insufficient education is, in my observation, the largest contributor to the problem.
I think you have to honestly look at yourself and if you are not educating or failing these incompetents, you are a bad professor and a part of the problem. Insufficient education is, in my observation, the largest contributor to the problem.
That's a very good point. The system designers have to have their design and implementation* correct, 100% of the time, to be safe. And they generally only get the chance to design once. (Refactoring can give you multiple chances at implementation.)
The attackers on the other hand, only have to be right, once.
The model of this in the natural world is virus infections and other parasitic relationships. If the parasite kills its host or host ecosystem, the parasite also fails. So I think in the worst case, this will become the limiting factor to cybercrime.
* - There are security design defects (unsafe password recovery) and security implementation defects (XSS).
I have been working in software security for twelve years, telling developers not to write SQL Injections, or designing processes to detect and fix them. I think there are some chief problems:
Any business goes through an initial development phase of creating a minimum viable product. During this time, the company needs to decide if it is going to survive or not, and it must make this decision absolutely as soon as possible.
The SOONER the business idea can FAIL, the faster the resources can be put into the next possibly viable idea. And most ideas do fail. So during the minimum viable product phase, it actually does not make economic sense to write good comments, have coding guidelines, or yes, eliminate security vulnerabilities.
The sensible time for businesses to invest in security is: "as soon as you can afford it," which is when you have ramped up some customers and have some recurring revenue, maybe a B funding. By this time, there is a lot of code written and the business processes need a kick-start to introduce security. If the CTO or chief inventor is resistant, the security enhancements will unfortunately not be taken up correctly. If you wait until too late (3rd parties and customers customizing your APIs, or acquisitions) it costs 100x more to get the security work done.
The second reason is: lack of good security education in university. A few professors have posted here already about how their students are idiots and don't get it. The thing is you cannot bolt on basic security knowledge at the end of a course and expect it to stick. Every coding course should be a secure coding course as much as it is a (nobody would say this) CORRECT coding course. The end result is most students emerge from university having heard the phrases cross-site scripting, SQL injection, buffer overflow -- but do not know what they are or how to prevent them.
Oracle here. The reason is that if you say "That account is locked out" then the attacker can enumerate the valid usernames. If bobama is a valid user but gwbush is not, then you can try gwbush with random passwords six times and it will still say "Username password combination is incorrect." Whereas with bobama it would say "bobama account is locked out," confirming the existence of the account for further targeting.
So, loonycyborg's problem is the error message should be correct, which would be "You could not be logged on with those credentials. Try again or contact your system administrator."
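The scenario in the comment above, as an added example that is not part of the thread: a login routine whose lockout message differs between known and unknown usernames, beside one that returns the single message the comment proposes while still enforcing the lockout server-side. The user store, the password, the salt and the lockout threshold of five failures are all constructed for the demo; `final_messages` is a self-check a defender can run against either variant to confirm that six wrong guesses yield the same text for every username.

```python
"""Lockout messages and username enumeration: leaky vs. uniform login responses.
Everything here (users, salt, threshold) is constructed for the example."""
import hashlib
import hmac

LOCKOUT_THRESHOLD = 5      # assumed policy value, not from the thread
SALT = b"demo-salt"        # one constructed salt for brevity; real stores use one per user
UNIFORM_MESSAGE = ("You could not be logged on with those credentials. "
                   "Try again or contact your system administrator.")


def pw_hash(password: str) -> bytes:
    """PBKDF2 over the demo salt; iteration count kept low so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


def make_users() -> dict:
    """Constructed user store: bobama exists, gwbush does not."""
    return {"bobama": {"hash": pw_hash("correct horse"), "failures": 0}}


def login_leaky(users: dict, username: str, password: str) -> str:
    """Vulnerable variant: the response text depends on whether the account exists,
    because only real accounts can ever reach the 'locked out' branch."""
    rec = users.get(username)
    if rec is None:
        return "Username password combination is incorrect."
    if rec["failures"] >= LOCKOUT_THRESHOLD:
        return f"{username} account is locked out"
    if hmac.compare_digest(rec["hash"], pw_hash(password)):
        rec["failures"] = 0
        return "OK"
    rec["failures"] += 1
    return "Username password combination is incorrect."


def login_uniform(users: dict, username: str, password: str) -> str:
    """Hardened variant: unknown user, wrong password and locked account all get
    the same message. The lockout is still counted and enforced, just not announced."""
    candidate = pw_hash(password)  # computed unconditionally so unknown users cost the same time
    rec = users.get(username)
    if rec is None or rec["failures"] >= LOCKOUT_THRESHOLD:
        return UNIFORM_MESSAGE
    if hmac.compare_digest(rec["hash"], candidate):
        rec["failures"] = 0
        return "OK"
    rec["failures"] += 1
    return UNIFORM_MESSAGE


def final_messages(login, candidates, attempts: int = 6) -> dict:
    """Self-check for a login implementation: submit `attempts` wrong passwords for
    each candidate name against a fresh store and return the message each name got
    on its last attempt. A hardened login returns one identical message for all."""
    users = make_users()
    result = {}
    for name in candidates:
        for _ in range(attempts):
            msg = login(users, name, "not-the-password")
        result[name] = msg
    return result


def distinguishable(login, candidates, attempts: int = 6) -> bool:
    """True when the final messages differ between candidate names (enumeration possible)."""
    return len(set(final_messages(login, candidates, attempts).values())) > 1


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(f"{fn.__name__}: usernames distinguishable = "
              f"{distinguishable(fn, ['bobama', 'gwbush'])}")
```

The point of computing the hash before looking up the record in `login_uniform` is that a uniform message alone is not enough: if unknown usernames return in a fraction of the time a real password check takes, the response time becomes the oracle instead of the text.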
This is interesting. My favorite professor would give open book exams with very few, very complex questions - three to five. And the answers were multiple choice! So he kept telling us, only answer the question(s) you are sure about.
Correct answer: 1 point
No answer: 0 points
Incorrect: -1 point.
People were in tears every time, stressing over the exams and ending up with negative scores. Meanwhile I would often get the high score of 1 or 2.
Whoosh. He was talking about Media Access Control.
Why are C developers still writing buffer overflows?
Many people choose not to get medical treatment at all. Just look at the people out on the street...
Are you seriously unable to go to Harley Street?
Wow, what an incredibly good idea. It seems to me like this is exactly what block chain does best.
Hillary Cliton was never even a candidate,
Workplace cafeterias in Dutch banks.
Wait till it takes a barrel of oil energy to recover one barrel of oil.
Calculus 3, Creighton University? I loved your class - or the class of a professor very much like you.
Fake. And Gay.
potentially causing irreparable farm??? Editors, please!!
It took them two weeks to find it - after which the damage seemed to have been done.
What rock does AC live under? Other professional driving businesses collapsed because all of their drivers went to Uber.
Same number of syllables, sounds nice.
I thought like that for years until a friend told me to get onto eharmony and I met my wife.
Once a month, here. Sometimes we skip a month.
NSA published EC algorithms and even specific curves.
This is by no means the first work phone to prohibit SMS. But I do wonder how they accommodate 2FA.