For starters you don't want every damned thing to be in the database. SQL (mysql esp) is HORRIBLE at storing *files*... which means images, and various random attachments (pdf, exe, zip, etc., etc., etc.) Also, the more you have in the database, the harder it is to find (and fix) whatever the hell hackers tweak.
Their very nature means they have to be able to write a lot of stuff. It doesn't matter where you put it, it's still writable, and hackers will be able to alter it. The forum software itself is not a static blob; there are plugins, and templates, and tweaks, and customizations, and thousands of configuration knobs -- and it all has to be writable, at least during installation and setup. Locking it down, just like deleting the f'ing installer, is something thousands of people can't be bothered to do.
As others point out... swipe the email addresses of all the users (99% useless, but people still do it), swipe the encrypted passwords (you'll have some success recovering some of them), swipe the "remember me" login cookie -- which automatically logs you in. But that's all script-kiddie piss.
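The "remember me" cookie only logs the thief in if the database holds the cookie value itself (or something the cookie is trivially derived from). An added example, not the poster's code and not any forum package's, of the alternative: the cookie carries a random validator, the table keeps only its SHA-256, so a copy of the table does not yield a working cookie. The table layout and function names are assumptions made for the demo.

```python
"""Added example: storing "remember me" tokens so that a stolen copy of the
database does not hand the attacker a working login cookie.  Illustrative
code written for this page, not vBulletin's or any forum's implementation."""
import hashlib
import hmac
import secrets

# Assumption: an in-memory dict stands in for the forum's remember-me table.
# A row holds only the SHA-256 of the validator, never the validator itself.
REMEMBER_TABLE = {}  # selector -> {"user": str, "validator_hash": bytes}


def issue_remember_cookie(user):
    """Create a remember-me cookie "selector:validator" for `user`.

    The selector is a public lookup key; the validator is a 32-byte secret
    that exists only in the cookie.  Returns the cookie string.
    """
    selector = secrets.token_hex(8)
    validator = secrets.token_bytes(32)
    REMEMBER_TABLE[selector] = {
        "user": user,
        "validator_hash": hashlib.sha256(validator).digest(),
    }
    return f"{selector}:{validator.hex()}"


def user_for_cookie(cookie):
    """Return the user name for a valid cookie, or None for anything else."""
    try:
        selector, validator_hex = cookie.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:  # malformed cookie (no colon, bad hex)
        return None
    row = REMEMBER_TABLE.get(selector)
    if row is None:
        return None
    # Constant-time compare so the lookup does not leak the stored hash bytewise.
    if not hmac.compare_digest(hashlib.sha256(validator).digest(),
                               row["validator_hash"]):
        return None
    return row["user"]


def cookie_from_stolen_dump(selector):
    """Best an attacker holding a copy of the table can build: the selector
    plus the stored hash.  It fails, because the server hashes whatever the
    cookie carries before comparing, so the hash is not the validator."""
    row = REMEMBER_TABLE[selector]
    return f"{selector}:{row['validator_hash'].hex()}"


if __name__ == "__main__":
    c = issue_remember_cookie("alice")
    print("real cookie ->", user_for_cookie(c))
    print("from dump   ->", user_for_cookie(cookie_from_stolen_dump(c.split(":")[0])))
```

The same split applies to password reset tokens and API keys: store a hash, compare in constant time, and a database read on its own is no longer an account takeover.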
The pros are there to install malware into your site and/or redirect (read: outright steal) your ad revenue. Some of them are very clever and redirect search engine hits, and search result clicks. (and they hide in parts of the database you cannot normally see)
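Since the injected code lives in template and plugin rows rather than in files, a file-integrity check misses it. An added example, not from the post and not from any forum project, of sweeping such rows for the referrer-conditional redirect pattern described above; the rows, the PHP payload, and the column layout are all constructed for the demo.

```python
"""Added example: sweep template/plugin rows pulled out of a forum database
for referrer-conditional redirect code.  Written for this page, not taken
from any forum project; every row below is constructed."""
import base64
import re

# Constructed PHP payload of the kind that gets hidden in a plugin row:
# only visitors arriving from a search engine get bounced to the attacker's URL.
_PAYLOAD = ("if(strpos($_SERVER['HTTP_REFERER'],'google')!==false)"
            "{header('Location: http://example.invalid/');exit;}")
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()

# Assumed row shape: (table, id, title, body), i.e. what fetchall() over a
# SELECT of the template and plugin tables would give.
SAMPLE_ROWS = [
    ("template", 101, "header", '<div id="header">{$vboptions[bbtitle]}</div>'),
    ("template", 102, "footer",
     "<div>footer</div><script>if(document.referrer.match(/google|bing/i))"
     "{window.location='http://example.invalid/ads';}</script>"),
    ("plugin", 7, "global_start", f"<?php eval(base64_decode('{_B64}')); ?>"),
    ("plugin", 8, "cache_templates", "if (!defined('VB_AREA')) exit;"),
]

SUSPICIOUS = [
    ("eval-of-decoded-blob",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("referrer-conditional-redirect",
     re.compile(r"(?:HTTP_REFERER|document\.referrer)[\s\S]{0,200}?"
                r"(?:header\s*\(\s*['\"]Location|window\.location|document\.location)", re.I)),
    ("search-engine-referrer-check",
     re.compile(r"(?:HTTP_REFERER|document\.referrer)[\s\S]{0,120}?(?:google|bing|yahoo)", re.I)),
]
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")


def expand_base64(body):
    """Yield the body, then the decoded form of every base64 literal handed to
    base64_decode(), so the checks also see what the obfuscation hides."""
    yield body
    for m in B64_LITERAL.finditer(body):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue


def scan_rows(rows):
    """Return [(table, id, title, [labels])] for every row that trips a check."""
    findings = []
    for table, row_id, title, body in rows:
        hits = set()
        for text in expand_base64(body):
            for label, rx in SUSPICIOUS:
                if rx.search(text):
                    hits.add(label)
        if hits:
            findings.append((table, row_id, title, sorted(hits)))
    return findings


if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
```

Run it against a fresh dump of the template and plugin tables, then diff the hits against a known-clean export; the obfuscated plugin row is the one a casual look through the admin panel never shows.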
I'm blown away that vBulletin hasn't been targeted for years.
IT HAS! This bullshit comes up every few years. All because people are too stupid and lazy to follow the instructions and remove the f'ing installer when done.
It's even simpler than that... what one tested is svn status. That revision is what you deploy. There's no need for branching, tagging, or any of that crap. SVN has repo revision numbers. Use. Them.
(this is the reason our products have the svn rev in their product version - so we know exactly what was used to make it.)
The whole damned thing is one continuous "remotely"... rarely is it installed by someone with a CLI (or a clue how to use one.) They ftp this stuff to a "www" server and start clicking. And then promptly ignore ("forget") the big flashing RED on the first page telling them to REMOVE the installer when done.
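The two comments above about locking the tree down and about deleting the installer describe one post-install step that people skip because it is manual. An added example, not the poster's code and not any forum package's, that does both in one pass and then audits the result; the directory names (install/, upgrade/, attachments/, cache/) are assumptions and need adjusting per package. It strips the owner write bit too, which is what matters on hosting where the FTP account and the PHP process are the same user.

```python
"""Added example: the lockdown the installer's red banner asks for, as a
script so it is not forgotten.  Illustrative, written for this page; the
layout is an assumption, not any specific forum package's."""
import os
import shutil
import tempfile

INSTALLER_DIRS = ("install", "upgrade")    # assumed names; check the package you run
WRITABLE_DIRS = ("attachments", "cache")   # assumed; only where the app must write at runtime


def _under(path, roots):
    return any(path == r or path.startswith(r + os.sep) for r in roots)


def lock_down(webroot, installer_dirs=INSTALLER_DIRS, writable_dirs=WRITABLE_DIRS):
    """Remove installer dirs, then drop every write bit (owner included) outside
    `writable_dirs`.  Returns the list of installer dirs actually removed.
    Note: root ignores mode bits, and on Windows chmod only toggles read-only."""
    removed = []
    for d in installer_dirs:
        p = os.path.join(webroot, d)
        if os.path.isdir(p):
            shutil.rmtree(p)
            removed.append(d)
    keep = [os.path.join(webroot, d) for d in writable_dirs]
    # Bottom-up so each directory is chmod'ed after its children are handled.
    for dirpath, _dirs, files in os.walk(webroot, topdown=False):
        if _under(dirpath, keep):
            continue
        for f in files:
            os.chmod(os.path.join(dirpath, f), 0o444)
        os.chmod(dirpath, 0o555)
    return removed


def audit(webroot, writable_dirs=WRITABLE_DIRS):
    """Return paths outside `writable_dirs` that still carry any write bit."""
    keep = [os.path.join(webroot, d) for d in writable_dirs]
    bad = []
    for dirpath, _dirs, files in os.walk(webroot):
        if _under(dirpath, keep):
            continue
        for name in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if os.stat(name).st_mode & 0o222:
                bad.append(os.path.relpath(name, webroot))
    return sorted(bad)


def demo():
    """Build a throw-away tree shaped like a fresh upload, lock it, audit it.
    Returns (root, result dict)."""
    root = tempfile.mkdtemp(prefix="forum-")
    for d in ("install", "includes", "attachments", "cache"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "includes/config.php", "install/install.php", "attachments/1.jpg"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("x")
    removed = lock_down(root)
    result = {
        "removed": removed,
        "installer_gone": not os.path.exists(os.path.join(root, "install")),
        "still_writable_outside": audit(root),
        "attachments_writable": bool(os.stat(os.path.join(root, "attachments")).st_mode & 0o200),
    }
    return root, result


def cleanup(root):
    """Restore write bits so the throw-away tree can be deleted again."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        for f in files:
            os.chmod(os.path.join(dirpath, f), 0o644)
    shutil.rmtree(root)


if __name__ == "__main__":
    root, result = demo()
    print(result)
    cleanup(root)
```

The audit is the part to keep running: wire it into cron and alert on a non-empty list, since a plugin install or an upgrade will quietly put the write bits back.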
The issue here, as the detective clearly says: What he (cop) says is hearsay; what you (suspect) say is evidence. The simple fact that the interview room isn't "on record" means they can say whatever the hell they want to get you to say what they want to hear -- and put in their report, and they *ARE* subjective as to what goes in their report. (they aren't a court reporter; they aren't even going to remember everything you say.) This is why they can lie; there's no audio/video you can bring into court to show their dishonesty. When you bring in your lawyer(s), the lying stops because they won't get away with it.
Well, if we're speaking in theory, they could know instantly if they have a quantum entangled radio. (also not within our current technical ability) In practice, the rate set at exactly 1400 would not be known to them for another 7ms. Thus: "Insider Trading at the Speed of Light"
True, but one would assume anyone with a license would have enough g** d*** common sense to look around at where they're driving, and notice they're driving out onto the active air traffic areas. I'm actually more shocked that it's this f'ing easy to drive out onto the runway. The FAA should have some heads on a platter for this blatant lack of security.
(Here at RDU, you couldn't accidentally drive onto the apron. You'd have to crash through gate(s) to do it intentionally.)
That's EXACTLY why people like the BSD license: take BSD licensed code and sell it within their product -- with or without modification, as they aren't publishing code, no one will know what they've done to it. It's what almost everybody does with BSD.
(That's why I call it the "take my code and sell it" license.)
We don't. What serious linux user ("guru"?) doesn't keep their own source tree? My own has dozens, if not hundreds, of modifications grown into it over the years. (delete qlogicfc? Uh, NO -- it's the only driver that works with some of my (ok, old as dirt) cards. 2min and it lives on in my tree.)
For the record, *every* major distro maintains their own kernel tree.
We aren't talking about OpenWhatever, or JavaShit. We're talking about GPLv3 versions of GCC. It's all but unheard of for gcc to be included on a shipping consumer product -- DVR, NAS, router, switch, access point, cellphone, voip phone, pocket watch, coffee maker, network card, and so forth.
FreeBSD has a passable compiler toolchain that isn't beholden to GPL, and they're running with it. Go for them. Someday it might produce code as small, fast, and efficient as gcc. (if you've ever worked with gcc source, you know what it's like to claw your eyeballs out. I don't practice that voodoo anymore.)
They're better at optimization - period. The only people that do it better are the people who built the processor. (read: intel -- icc, but don't try building the linux kernel with it, as there's way too much "gcc-ness" in the source code.)
(Also, Sun made a better sparc compiler than gcc, back in the day)
This would only be an issue if the "consumer device" were shipped with GCC on it. The compiled result ("binary") from GCC is not bound by GCC's license -- if that were true, the entire world is violating the GPL.
The simple truth is FreeBSD purists have always had their panties in a wad from anything and everything that wasn't "BSD licensed". The changes in GPLv3 have been enough of bad taste to get the rest of the gang to agree enough is enough.
Correction: SSLeay was developed outside the USA because of US export restrictions -- if a US citizen wrote even a single line of code, the project would not be exportable ("published", i.e. "downloadable", 'tho actual print publication was legal.) It had f*** all to do with any government attempts or agenda to weaken or subvert it.
To be 1000% clear... all a CA does is sign keys generated by others. They never see the private server key(s). Having the CA signing certificates doesn't give you the magic ability to decode a site's traffic; it only allows you to pretend to be that site. (assuming you can get the user's traffic to come to, or through, you, and that other steps (fingerprint validation, serial number checking, etc.) aren't being used.)
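An added example of that flow end to end, written for this page and not from the post or any CA software. A toy RSA (fixed Mersenne primes, hash-mod-n signatures, no padding) stands in for real keys so it runs on the standard library alone; the CSR format, names and fingerprint pinning check are assumptions made for the demo. It shows what the CA receives (public key only), that the CA cannot decrypt traffic to the certified key, that the CA can certify a key it controls under the site's name, and that the fingerprint check mentioned above catches that rogue cert.

```python
"""Added example: what a CA handles and what it can and cannot do with it.
Toy RSA on fixed primes, for illustration only; not a CA implementation."""
import hashlib

E = 65537


def toy_keypair(p, q):
    """RSA keypair from two fixed primes (toy: real keys use random 1024+-bit primes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):      # textbook RSA over the hash, no padding (toy)
    return pow(_h(data) % priv["n"], priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data) % pub["n"]


def make_csr(subject, pub):
    """The only thing the server sends the CA: its name and its PUBLIC key."""
    return f"CN={subject};n={pub['n']};e={pub['e']}".encode()


def ca_issue(ca_priv, csr):
    """The CA signs whatever public key the CSR carries.  Returns (csr, signature)."""
    return (csr, sign(ca_priv, csr))


def cert_valid(ca_pub, cert):
    csr, sig = cert
    return verify(ca_pub, csr, sig)


def pub_from_cert(cert):
    fields = dict(kv.split("=", 1) for kv in cert[0].decode().split(";"))
    return {"n": int(fields["n"]), "e": int(fields["e"])}


def encrypt_to(pub, m):   # client -> server, toy RSA, m < n
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c):
    return pow(c, priv["d"], priv["n"])


def pin_fingerprint(pub):
    """What a pinning client remembers: a hash of the real server public key."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()


def scenario():
    ca_pub, ca_priv = toy_keypair(2**31 - 1, 2**107 - 1)
    srv_pub, srv_priv = toy_keypair(2**61 - 1, 2**89 - 1)
    # 1. Server generates its key; only the public half goes into the CSR.
    csr = make_csr("forum.example", srv_pub)
    cert = ca_issue(ca_priv, csr)
    # 2. Client checks the CA signature, then encrypts to the key in the cert.
    m = 0x5EC2E7
    c = encrypt_to(pub_from_cert(cert), m)
    # 3. All the CA holds is the public key; "decrypting" with it is just re-encrypting.
    ca_attempt = pow(c, pub_from_cert(cert)["e"], pub_from_cert(cert)["n"])
    # 4. What the CA signing key CAN do: certify a key the attacker controls under
    #    the victim's name, i.e. impersonate, given a path into the traffic.
    bad_pub, bad_priv = toy_keypair(2**19 - 1, 2**127 - 1)
    rogue = ca_issue(ca_priv, make_csr("forum.example", bad_pub))
    # 5. A client pinning the real fingerprint rejects the rogue cert even though
    #    its CA signature checks out.
    pinned = pin_fingerprint(srv_pub)
    return {
        "cert_valid": cert_valid(ca_pub, cert),
        "server_decrypts": decrypt(srv_priv, c) == m,
        "ca_decrypts": ca_attempt == m,
        "private_in_csr": str(srv_priv["d"]) in csr.decode(),
        "rogue_valid": cert_valid(ca_pub, rogue),
        "rogue_passes_pin": pin_fingerprint(pub_from_cert(rogue)) == pinned,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Real deployments add what the toy leaves out (random primes, padding, and a key exchange rather than RSA encryption of the data), but the trust shape is the same: a compromised CA buys impersonation, not passive decryption, and pinning or CT-style monitoring is what closes the impersonation path.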
Stay out of the left lane(s) and no one will have a problem with you. The problem comes from the flaming assholes who think they're the only people on earth and can drive however they want, wherever they want. You do know there is a rule "slow(er) traffic keep right" (also known as yielding right-of-way to faster traffic) -- the speed limit has nothing to do with it. And it is actually illegal in many places to pass on the right, not that I've ever heard of anyone being ticketed for it.
Indeed. Speeding tickets (in the US) are about REVENUE, not road safety. Just look at where and when cops go looking for speeders. Or the massive amounts of money generated by "red light cameras" -- most of which go to the company(s) running the systems.
I'd be much happier to see cops out on the interstates writing tickets to the jackholes driving a fraction of the speed limit (and/or way slower than the rest of traffic), or sitting in the left lanes, or the asshole truckers who get in the left lane of a 2 lane highway and jam up traffic for miles.
Cars automatically hitting the brakes at random (i.e. when the driver isn't expecting it) is a HORRIBLE idea. I can see SO MANY issues with any system that will attempt to actively slow the car... how hard does it brake? If I keep my foot on the gas, will it continue to accelerate or will it add more brake and burn up my brakes? What happens when it misreads a sign, or license plate, or logo on a truck...?
Speed governors have existed for almost as long as vehicles have existed, and NEVER have they touched the brakes -- they limit the accelerator, throttle, engine speed, etc. There is zero reason to depart from well established, and safe, technology that can be applied very easily to the drive-by-wire systems in every modern car.
(And BTW, I've never seen a governor that couldn't be defeated. I've actually driven a few where it was completely broken -- old DOT trucks really aren't meant to go 80mph)
They don't want to ban users. It drives away paying customers.
They cannot maintain their geostationary orbit without engines. (Or they'd have to be orbiting at a significant distance.)
You totally missed the part about not within our current technical ability.
The USB cable I have on my desk with the data pins cut... so my stupid Aiptek camera stops going into "data" mode when connected.
(Now if I could figure out what Magic(tm) is in the plug that allows the AC adapter to power it while on...)
Absolutely WRONG. If I have your server certificate, I can decode your traffic.
You do realize Google keeps their own search history on their servers outside your browser. It's still clear-able, but there's more work involved.
(I opt out of that crap.)
And where do these countries get the money for their universal healthcare? That's right, taxing the ever loving shit out of their citizens.