There is such a thing as http://www.php.net/pdo you know? Maybe you should look into a current version of PHP :-)
Hasn't been around long enough. It takes longer than a year (+ 1 month 17 days since PHP 5.1.0) to change your stripes. PHP 4 is still the standard that you need to write your code to if you want to be sure Average Joe can run it at his mom-and-pop web host without funky settings. PHP 4 is still the language of dozens of tutorials on the 'Net. PHP 4 is still running dozens of production sites that would break if you switched to PHP 5 all of a sudden.
And it will take more than this to get PHP a reputation of security. Maybe once they've deprecated (or even removed) the old cruft like mysql_connect and put great big bold notices on the documentation pages of the old functions about "DON'T USE THIS" and things like addslashes() and such that say, "use PDO instead", and once this news works its way down the grapevine... then we can talk.
PHP pretty much invites you to be insecure with MySQL. They ship with this tempting mysql_query() that takes as an argument... a single string. (well, and a connection ID). To get something in there, you need to do something like mysql_query("select * from foo where whatever = '$var'") -- and remember to have $var properly escaped. PHP does not give you a pretty library with prepared statements, parameter binding, and such. There's a nice DB and MDB2 package available on PEAR, but PHP doesn't ship with those. It ships with the compile option --with-mysql.
Perl ships with a fair amount of stuff. It ships with a package named DBI. You can do things like $rv = $sth->execute(@bind_values);. The documentation on it starts off with a convenient set of good examples which go like
$sth = $dbh->prepare("SELECT foo, bar FROM table WHERE baz=?"); $sth->execute( $baz );
You can write code in PHP that's perfectly secure, you can do just about anything in PHP you could do in Perl (props for being Turing-complete, I guess), and yes, it ultimately is the developers' responsibility to secure their applications, not PHP's. That doesn't change the fact that PHP is an ugly mash-up of a language with Bad Choices just lying around in a scrap heap on the ground begging to be used. It's just about as organized as a scrap heap, too... (insert generic rant about naming conventions, parameter ordering, and such).
Ooooookay. I've just been doing mysql_real_escape_string all day, so it had better work. :P
mysql_escape_string and mysql_real_escape_string should both work (assuming you're using MySQL, anyway), but the former is deprecated as of PHP 4.3.0 in favor of the latter; it also does not respect the current character set setting.
If you looked at the documentation for addslashes, though, it will tell you nice things like "An example use of addslashes() is when you're entering data into a database" even though there are special characters that it does not escape that can be used for SQL injection.
My beef with PHP is that it's full of junky functions like mysql_escape_foo() in the core distribution, main namespace, which don't even have a hint of data verification in 'em. I hear there's a neat database abstraction layer in PEAR, it even has prepared statements. But I'll wager there are plenty of PHP developers who haven't even heard of PEAR. Somehow, though, Perl seems to have managed to put together a decent standard distribution without this sort of mess...
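The contrast this thread draws, as an added example that is not from any of the posts: Python with an in-memory sqlite3 table standing in for the MySQL `foo` table, showing the string-built query pattern of mysql_query() beside the placeholder-bound form that the DBI and PDO documentation recommend. The table contents and the inputs are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the comment's MySQL table foo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, whatever TEXT)")
    db.executemany("INSERT INTO foo (whatever) VALUES (?)",
                   [("alice",), ("bob",), ("O'Brien",)])
    return db


def lookup_unsafe(db, var):
    """The pattern the thread warns about: the value is pasted into the SQL
    string, so the database parses user input as part of the statement."""
    sql = "SELECT id, whatever FROM foo WHERE whatever = '%s'" % var
    return db.execute(sql).fetchall()


def lookup_bound(db, var):
    """The DBI / PDO style: a placeholder in the SQL, the value bound
    separately, so it is only ever treated as data, never as syntax."""
    sql = "SELECT id, whatever FROM foo WHERE whatever = ?"
    return db.execute(sql, (var,)).fetchall()


def demo():
    """Run both forms over a normal value, a value with an apostrophe,
    and a value that changes the meaning of the unsafe query."""
    db = make_db()
    results = {}
    results["unsafe_plain"] = lookup_unsafe(db, "alice")
    results["bound_plain"] = lookup_bound(db, "alice")

    # A perfectly legitimate apostrophe breaks the string-built query
    # outright; the bound form does not care what the value contains.
    try:
        lookup_unsafe(db, "O'Brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["bound_apostrophe"] = lookup_bound(db, "O'Brien")

    # Input that the unsafe form turns into an always-true WHERE clause:
    # the string-built query returns every row, the bound query none.
    hostile = "x' OR 'a'='a"
    results["unsafe_hostile"] = lookup_unsafe(db, hostile)
    results["bound_hostile"] = lookup_bound(db, hostile)
    return results
```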
1) If this stuff is still hot, doesn't it mean there's still energy there we could use?
How hot is it? Your body is hot. 98.6 degrees F. Doesn't mean it's practical to hook it up to some thermal generator (even if you're not busy doing other things with your life). If you want even a vaguely efficient energy-extraction process, you're going to need more than a few degrees of temperature differential.
2) This stuff came from the ground, why can't we put it back there?
That's what they want to do at Yucca Mountain, but a lot of people keep complaining about it for one reason or another. We'll see what happens... regardless of their complaints, it's still a heck of a lot more secure and stable in the long term than where they're typically storing things now.
I'm going to reply to this thread since it's the first that actually speaks positively of the idea. (sorta) A pirate MMORPG? Sure. That could work. There's plenty to do in the Caribbean. Disney could easily mangle it, but if not, it could work. And it's not like the standard movie tie-in games are all that grand of a venue to compete with, even if you DO get to play Captain Jack himself doing all his swashbuckling from a close third-person chase camera.
Actually, that's not really all that terrible of an idea- I'm thinking of something like the way Guild Wars will give you 'henchmen' that you can add to your party if you can't find enough people for your group otherwise. Except instead of having, say, 'Alesia the Healer' (who's Alesia?) you have $DISNEY_PRINCESS. Or something like that. Then you go on an instanced raid on evil King What'shisface's castle for your mission.
Maybe the AI is working from a local copy of the Wikipedia database that isn't vulnerable to live vandalism or anything silly like that. And maybe Wikipedia spammers are more interested in a) putting links to their sites at the bottom of articles to boost PageRank and to capture the attention of random viewers or b) putting in biased promotional material and other advertisements in a relevant page. And maybe this is likely to be far more attractive of an option than spamming Wikipedia in irrelevant places in the vague hope to poison a Bayesian filter which may or may not exist and probably is unlikely to ever see a revision of the article with this irrelevant information before someone reverts it. (Remember, it's obvious, systematic vandalism that attracts the most attention).
On that note, how long before some vigilante creates their own botnet and uses it to keep hundreds of thousands of machines up-to-date on their security, spyware-free, and running Folding@Home or something in their spare cycles?
Job search costs are nontrivial - at the very least, there's the opportunity cost of not having work for a while. Employees are aware of this, and seek a certain level of job security wherever they work, and job security is hard to put a dollar figure on.
While it still makes sense in some cases to cut back on staff, and especially to fire incompetents, being too heavy-handed about it is liable to damage the remaining employees' morale, with potentially far-reaching effects, potentially damaging the company even more than the continued employment of some people would have. It is in most companies' best interests to make sure that any sort of downsizing takes place in as reasonable a manner as possible and that they reward loyalty as best they can - at least, in any company where employees are not disposable.
Just because we're capitalists doesn't mean we need to manage employees like they're inert matter. It makes poor business sense to do so.
The real problem with advertising on Wikipedia is that a nontrivial number of people would be extremely upset and stop editing it. What sort of people? Top contributors, editors, administrators. The Wikimedia foundation is wise to realize that despite the potential of earning tens or hundreds of thousands of dollars a year from advertising, the sort of input they obtain from their volunteers is worth more than that.
At one point, the Spanish-language Wikipedia suffered a mass exodus over what essentially boiled down to "the rumour of coming advertising" (poor translation in the dialog may have been a factor as well). It set that wiki's development back quite a ways.
Re:It Left a Hole in the Clouds (on UFOs In the News)
What the hell is a secret military aircraft doing in the middle of the busiest airport in America?
If current trends continue, it's more likely to be a result of the prospect of a trillion dollars being roughly 10 rubles.
Anything can happen "if current trends continue" forever. Are they likely to continue? If so, for how long? Well... You need the number on this graph to hit 100,000,000 for a trillion dollars to be 10 rubles. Right now it's .03801. So, is the dollar down against the ruble? Sure, but its plight is nothing like the ruble's.
In 1921, they had rubles - just, plain, rubles. But there was terrible inflation, and in 1922, they gave 1 "new" ruble for 10,000 of the original rubles. In 1923, they gave out another "new" ruble, at a rate of 100 to 1. In 1924, they had yet another ruble, the "gold" ruble, which was worth 50,000 of the 1923 rubles -- or, if I'm running this calculation right, 50,000,000,000 (50 billion) of the original rubles for the new rubles.
There were two later revaluations at a 10:1 ratio, in 1947 and 1961, but nothing quite so impressive as 50 billion times in just three years. And the dollar is at little risk of that, in any event; the Federal Reserve isn't quite so loose with our currency.
That said, salted hashes are pretty tough to crack. Changing the passwords regularly will make it unrealistic for a cracker to obtain the passwords through brute force.
I don't think this is really the problem - the problem is that you have something like, say, a fairly standard sort of command you might find in a MySQL database. You might get the strings from a config file, but you need to pass the password as plaintext:
And you know what? That's not secure. But then again, the database it's connecting to should be as firewalled as all get-out, and even if it's NOT firewalled, it should have host-based authentication so that you can only access it with that password from the appropriate machine (your web server). At that point, if someone can hook into your LAN to sniff traffic or spoof things, you're probably in deep trouble anyway - but perhaps you could configure the database server to only accept connections over a VPN of some sort with appropriate authentication certificates.
You want your one-time pads to be very, very secret; that's why you can spread the actual cryptotext anywhere and not have to worry about a thing. If it were as simple as comparing one numbers station to another, any intelligence agency with a few computers to throw at the problem could check the numbers against each other and look for meaningful messages. While you might think that's oh-so-slightly unlikely, is it something you're willing to bet your security as an intelligence agency on?
There's a couple ways to generate one-time pads. The first I read was described at HotBits. They take a little radioactive bit of cesium, and a radiation detector which can detect atomic decay:
What we do, then, is measure a pair of these intervals, and emit a zero or one bit based on the relative length of the two intervals. If we measure the same interval for the two decays, we discard the measurement and try again, to avoid the risk of inducing bias due to the resolution of our clock.
There are two fundamental sources of practical quantum mechanical physical randomness: quantum mechanics at the atomic or sub-atomic level and thermal noise (some of which is quantum mechanical in origin). Quantum mechanics predicts that certain physical phenomena, such as the nuclear decay of atoms, are fundamentally random and cannot, in principle, be predicted. (For a discussion of empirical verification of quantum unpredictability, see Bell test experiments.) And, because we live at a finite, non-zero temperature, every system has some random variation in its state; for instance, molecules of air are constantly bouncing off each other in a random way. (See statistical mechanics.) This randomness is a quantum phenomenon as well. (See phonon.)
Because the outcome of quantum-mechanical events cannot in principle be predicted, they are the 'gold standard' for random number generation. Some quantum phenomena used for random number generation include:
Shot noise, a quantum mechanical noise source in electronic circuits. A simple example is a lamp shining on a photodiode. Due to the uncertainty principle, arriving photons create noise in the circuit. Collecting the noise for use poses some problems, but this is an especially simple random noise source.
Photons travelling through a semi-transparent mirror, as in the commercial product, Quantis from id Quantique SA. The mutually exclusive events (reflection -- transmission) are detected and associated to "0" or "1" bit values respectively.
Thermal phenomena are easier to detect. They are (somewhat) vulnerable to attack by lowering the temperature of the system, though most systems will stop operating at temperatures (e.g., ~150 K) low enough to reduce noise by a factor of two. Some of the thermal phenomena used include:
In ten years someone who has been recording them for thirty years will have quantum breakers to decode them with.
Uhm, if these stations are being used for message dispersal, chances are good that they are using a one-time pad to encrypt the data. This isn't public-key cryptography: it's actually impossible to decrypt one of these without information about the original encrypting pad - not just practically impossible, theoretically impossible too, and no amount of processing power, classical or quantum, will ever make it otherwise: the encryption is random (real random, as in, determined with radioactive decay and thermal noise and radio waves from space, not invented by some silly computer program) and changes with each character.
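An added illustration, not from any of the posts nor from HotBits, that ties the quoted HotBits extraction rule to the one-time pad argument in the reply above: it turns decay intervals into bits, packs them into a pad, XORs a message with it, and shows why a ciphertext alone is consistent with any plaintext of the same length. The decay timings are simulated with a seeded PRNG purely so the example runs offline, and the 0/1 polarity of the interval comparison is an assumption the quoted text does not settle.

```python
import random


def intervals_to_bits(intervals):
    """HotBits-style extraction as quoted above: take the intervals between
    successive decays two at a time, emit 0 if the first is shorter and 1 if
    it is longer, and discard the pair when the two are equal (otherwise the
    clock's resolution would bias the output).  Which way round 0 and 1 go is
    an assumption; the quoted text does not say."""
    bits = []
    it = iter(intervals)
    for t1 in it:
        t2 = next(it, None)
        if t2 is None:          # odd interval left over: nothing to compare
            break
        if t1 == t2:
            continue            # equal lengths: discard, try the next pair
        bits.append(0 if t1 < t2 else 1)
    return bits


def bits_to_bytes(bits):
    """Pack bits MSB-first; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def simulate_decay_intervals(n, seed=1):
    """Constructed stand-in for a detector feed.  Decay arrivals form a
    Poisson process, so inter-arrival times are exponential; they are
    quantised to 100 us clock ticks so that equal pairs (which must be
    discarded) really do occur.  A seeded PRNG is NOT a true random source;
    it only makes the example reproducible offline.  A real pad needs the
    real detector."""
    rng = random.Random(seed)
    return [round(rng.expovariate(1000.0) / 1e-4) for _ in range(n)]


def otp_xor(data, pad):
    """One-time pad: XOR every byte with a fresh pad byte.  The same call
    decrypts.  The pad must cover every byte and must never be reused."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: a one-time pad must cover every byte")
    return bytes(d ^ p for d, p in zip(data, pad))


def decoy_pad(ciphertext, decoy_plaintext):
    """For any plaintext of the right length there is a pad that 'decrypts'
    the ciphertext to it.  This is why the reply says no amount of computing
    power helps: the ciphertext alone does not single out the real message."""
    if len(decoy_plaintext) != len(ciphertext):
        raise ValueError("decoy must match the ciphertext length")
    return bytes(c ^ m for c, m in zip(ciphertext, decoy_plaintext))


def demo(message=b"numbers station"):
    """Build a pad from (simulated) decay intervals and encrypt one message."""
    need = len(message) * 8
    n = 4 * need                # two intervals per bit, plus room for discards
    bits = intervals_to_bits(simulate_decay_intervals(n))
    while len(bits) < need:     # discards may leave us short; sample more
        n *= 2
        bits = intervals_to_bits(simulate_decay_intervals(n))
    pad = bits_to_bytes(bits)[:len(message)]
    ciphertext = otp_xor(message, pad)
    return ciphertext, pad
```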
This is the third millennium. Nobody argues anymore that global warming isn't happening. The debate is whether or not it is caused by man or something else.
I don't think that debate even matters, it's a silly blame game. I think the debate that really comes down to making a difference anywhere is "do we have governments pass legislation/treaty/etc XYZ in an attempt to counter this climate change" or do we have governments do nothing. And the big questions in that debate are: "how much are global warming's effects going to be a problem, how soon, and to whom", "what does XYZ actually accomplish, how much does it cost to whom, and is it worth it?", and "what's going to happen to address the problem otherwise?".
The first question is really the focus of things like Al Gore's movie (which has been criticized by better men than me for exaggerating risks and playing up fear, uncertainty and doubt). The second is the focus of debate about, say, the Kyoto Protocol, whether it will actually accomplish anything with developing nations growing their economies, whether the costs are going to cripple anyone... The third is the realm of things like hybrid cars (hardly mainstream yet, but getting closer day by day - because it makes sense, and people will like it) and the electric car (still waiting for the uber-batteries after all these years, and a failure since it doesn't really make sense) and better insulation and more energy-efficient homes and lighting (LED lighting? still not hitting it big, but breaking into the Christmas light market).
Oh, and things like corn-based ethanol, a topic which is very good at demonstrating the power of lobbying and the superficial appearance of "environmental friendliness" and other such fluff to obtain big fat government subsidies for people who are after them... which is about what you can expect to see if you think the government should spend lots of money on "alternative energy"...
During the last year the Norwegian IRS grabbed 83% of every Krone I invoiced my customers. At that point I realized that I'd much rather work less and spend more time with my wife & kids, so I closed the company.
Wikipedia is not a Q&A site. It's an encyclopedia. It may be a good place to find answers for your arbitrary question, but it is not a question-and-answer site.
I'm sure this sort of problem is trivially "obvious" if you've been in the IT industry for a decade or so, but if you're not already in this sort of environment and someone sort of dumps the problem in your lap, what are you supposed to do? How to construct and manage a source control system for a decent-sized environment isn't usually the sort of thing you will find with your average B.S. in computer science. I certainly know that I wouldn't know how to go about doing much more than the basics (give me svn, don't edit things straight from production, umm, two machines to work on would be nice, and... uhh... I dunno, what next?). It's the sort of thing that I'd expect to learn about either on the job (using one that someone else with more IT knowledge set up for me), or from some sort of technical articles (which?), or both. Perhaps someone can recommend an online guide on how to structure a sophisticated system for source code, system configurations, and such... or maybe some books...
Speaking of ping times, I'm curious how they usually fared over WiMax services. (SSH is a real pain with a high ping time.) ClearWire has started offering internet service in my area (Winston-Salem, NC), but I'm a little concerned after looking some stuff online about a) issues with cancelling accounts, especially during the "7-day free trial", unrealistic cancellation windows (60 days' notice?) and huge fees, as well as b) issues regarding bandwidth shaping and port blocking (they really don't like competing VOIP services, apparently! and take a dim view of BitTorrent...)
Ah, I see what happened. I was using an x86_64 install. There are 6 CDs in that one. My apologies for the confusion.
Hey, I just installed Fedora Core 6 last Thursday, and I'm pretty sure there were 6 of those darned CDs I had to mess around with.
1400x1050 (IBM ThinkPad R52 - real IBM, not Lenovo IBM, not that there's a difference). You try getting wallpaper at this size!
You can find more at Wikipedia's article on hardware random number generators:
Admittedly, you may find some luck with the Wikipedia Reference Desk, but...