who did MU piss off really.
As has been pointed out before:
I think what really happened is that UMG realized how powerful our message was, how potent it would become, and how positively it would affect Mega's image. From rogue to vogue. They decided to stop us at all costs, that becomes clear when you see the defense strategy of UMG in court. They have nothing and they don't even care.
UMG knows that we are going to compete with them via our own music venture called Megabox.com, a site that will soon allow artists to sell their creations direct to consumers and allowing artists to keep 90% of earnings.
We have a solution called the Megakey that will allow artists to earn income from users who download music for free. Yes that's right, we will pay artists even for free downloads. The Megakey business model has been tested with over a million users and it works. You can expect several Megabox announcements next year including exclusive deals with artists who are eager to depart from outdated business models.
Source
I can't see why - "an hero" is perfectly valid English in some dialects (where the "h" is not pronounced at the beginning of the word).
Explanation
It's been on Slashdot before. If not directly in the headline, it had a host of these stories in the comments section.
I think you'll find this comment interesting:
I'm in Sioux City, Iowa of all places, and our band has seen this shit tried on two bars that I've played at. We called the fine gentleman who left his card and told him we were not ASCAP members and played only original music. He responded that it only takes four chords before we infringe on his artists' songs, and it was simply not possible for us not to infringe.
Yeah.. I really don't know what to respond to that.
But you can only sell content you own
Clearly you're a bit behind the times there, mate.
If anything we should be complaining that these kids aren't out in the streets...
I'd just want to remind you that Anonymous can do that too.
That's one thing I don't really understand.
Yes, he was making millions. Why is that really a problem? Is that, in itself, illegal (now that WOULD be interesting)?
"He's making lots of money, he's clearly doing something illegal" - mmhmm.. *looks at CEOs of large companies* weelll.... I think we got a lot of potential targets for arrests here.
I'm not saying he's a saint here, I'm not saying he didn't break the law(s), all I'm saying is that being a rich asshole is not in itself against the law (sadly enough, maybe?), and is thus more or less irrelevant for the discussion. If you pointed to where he got the money from, and documented it being illegal, then you have a point (and soon, probably some feds visiting).
Until then... Yes, he is rich. Yes, he is kind of a dick. No, it isn't relevant for the discussion.
a bit with the possibility of being 0-5 for each of the cardinal directions, in which case you'd have to use a language with base 6 instead of binary.
The first number that's both mod 5 and mod 2 is 10. But bytes are 8 bits, so .. we have 40 that fit all three.
Minimum group: 8 atoms and 5 bytes.
I dare you to do a week of first-line desktop support *anywhere* and come out with that belief intact.
Amen. After a few years of tech support I'm pleasantly surprised when people manage to open a door without burning down the building.
Overheard conversation:
"Is on the modem green? .. Are there any lights on the modem? .. Could you turn on the modem? .. Yes, I do think that will make a difference..."
No, that's not a joke, or even an exaggeration. Those people are out there, and there's a LOT of them.
People who have disabled the network card and refuse to enable it again (a little knowledge...);
people who don't mention that their pet rabbit has gnawed over the wires, and honestly can't understand why that would be a problem;
people who answer "yes" to every diagnostic question, hoping it goes faster that way somehow; people that still have the modem in the car, unboxed, and refuse to fetch it, because they just want it to work and we should fix it.. over the phone.. somehow..
There's a comment on those "Teach yourself X in Y days" books by Peter Norvig, called "Teach Yourself Programming in Ten Years".
I suspect most of it is relevant to this thing, too.
I've been programming for about 15 years now (most of it on hobby basis) and I still learn new things.
Seems a bit weird, but I did some digging, and it appears that versions before 1.2.1p2 weren't thread-safe. According to details at http://wolfram.kriesing.de/blog/index.php/2006/multithreading-with-mysqldb-and-weakrefs
From here:
If you are using the older version you will see bugs. There is no question about this. It's just dangerous in production environments. So we should be up front about it.
You don't say which version of django you were trying to run, but apparently in v0.96 (where the requirement bump happened) they added an option to still run with the old mysql backend, but it wouldn't be maintained in the future..
https://docs.djangoproject.com/en/dev/releases/0.96/?from=olddocs#mysqldb-version-requirement
While I do understand the change, I also understand the frustration of old packages (and various hacks to get newer versions installed). And in the python ecosystem things still happen rather fast. Which is why I've changed to use virtualenv and pip for my development and deployment, and that mostly takes all the problems out of it. I have a system that's deployed to gentoo, debian stable and the newest ubuntu release - before virtualenv and pip it was a royal PITA to keep everything synced up. Now I can more or less deploy it effortlessly on just about any unix. I haven't tried on windows, but most of it should be working there, too.
But generally, making a large python / django app these days without either pip+virtualenv or buildout (or equivalent) is just irresponsible. Both make it incredibly easy to reproduce an exact python environment, and make both testing and deploying much, much easier (often, it's a 1-2 command deploy, instead of 1-2 days deploy + debug all the different versions).
Anyway.. Sorry to hear of your problems, and I'm a bit sad to see it being necessary.. But there was a reason for it, and there are tools to make it much easier on the sysadmin (lovely feeling knowing that all that crazy stuff is contained in one user directory, and does not touch anything system-wide). And also, next time someone mentions django, maybe you won't dismiss it out of hand :)
By "the mysql library" I assume you mean the python mysql library?
One of my previous comments about pip might have helped.
At least it keeps the nonstandard mess in a separate folder, instead of infecting the core server system :)
I think all should see this video: DjangoCon 2008 Keynote: Cal Henderson - "Why I Hate Django"
It's one of the flickr devs talking about Django, and frameworks in general. Now, it says Django, but he has a lot of really good points about frameworks and webdev in general, and I honestly think everyone working with webapps should see it.
He touches on many points, among others when frameworks are good, when they are bad, what's annoying, things involved with scaling, and so on.. And he's entertaining too :)
One of the points he makes: "Does it even make sense for a web framework to aim for top100 scalability? No. Most webpages are not in the top 100. In fact, all but about a hundred web pages are not in the top 100."
Look. You kinda need a framework. If you don't use an existing one, you'll start making your own. And re-visit a lot of the problems and pitfalls existing frameworks have already solved.
Either that, or you'll be the king of copy-paste (and even that copy-pasted code is arguably a small framework).
I'm not OP, but have a bit of experience with this..
There are two things "against" apache:
1. It runs either a thread or a process for each connection
2. With all the fun stuff on, each thread / process takes a lot of memory (especially with php enabled)
The new breed of popular webservers (of which nginx seems to be the most popular) are event-driven, which means they can handle a silly amount of connections in one thread/process.
This gives them advantages in a lot of situations. Especially for serving static files, doing comet stuff, and load balancing incoming connections to several backends.
It's also worth noticing that the part where apache is good, generating dynamic pages, is increasingly being moved to specialized software for the language (ruby on rails, django, php-fpm and so on), which the webserver then talks to via fastcgi or a similar protocol (or even normal http).
Other event-based servers (from memory): Cherokee, node.js, Tornado, lighttpd
A gun can be used as a hammer, and a rock can be used as a hammer.
But we still typically use a hammer as a hammer.
a product comprising a hardened Linux kernel with trusted path execution, PaX and grsecurity, ClamAV, mod_security, mod_evasive, OSSEC, rkhunter, SSH hardening and comes with continuously updated custom rulesets for its components. It can do geoblocking, active response based on security events and comes with a web interface for management.
Woah, that's like the digital version of More Dakka
But it is a platform
So is the web. And that platform runs just fine on all smartphones and most feature phones.
You know that. I know that. But someone with little or no experience with web browsers probably won't know that.
My point was: a web app can't be treated like "any other networked program" because the clients and protocols have some unique considerations you have to keep in mind.
I've programmed for the web for almost 10 years now, and have always tried to keep a focus on security. I would hesitate to do a project like this myself, because I know there are a lot of ways things can go wrong. So many details to err on. Just look at HTTPS alone.. Is the site vulnerable to the BEAST attack? Are CAs still trustworthy enough? Is your server's SSL configuration actually secure (O hi, yes we accept anon key exchange, go ahead mr MitM)?
So many pitfalls.. Even Raging Paranoia(TM) would just be a good start, nothing more.
Now, look at the question.
new website which would require extremely high levels of security (i.e. I need to be sure that my servers are as 100% rock-solid, unhackable as possible.) [...] I am clueless of what is required to create a web server that is as secure as, say, a banking account management system.
My advice:
1. Learn HTML, JS and HTTP
2. Read up on "best practices" - understand them
3. Read up on the top 10 website problems, make sure you fully understand each and every one of them.
4. Read some details about various high-profile website hacks. See how a small, overlooked detail set the whole security tower falling to the ground.
5. Now you're starting to get the basic knowledge required to find who to hire to code this for you. Hire a team to actually code it.
But you'd never trust ANY client would you?
It isn't quite that simple. How do you know that the POST you just got from the client is, in fact, from the user clicking a button and not from an injected javascript living in the tab with Ye Olde Pornsite loaded?
A good framework can help a lot in some regards.. For example, I often use the Django python web framework.
SQL injection
Got its own database abstraction layer (ORM), which practically eliminates that problem. Also gives the bonus of easily moving to a different database and automatic creation of test databases, but lacks some flexibility (and of course, makes some stupid SQL here and there). You can also write raw SQL, but in the vast majority of cases that's not needed.
validation of inputs
Has its own system for generating, processing and validating forms. Greatly helps with that problem. Also makes re-use of input logic much easier :) The framework also has an optional per-page or site-wide layer for protecting against CSRF attacks.
cross site scripting
By default, ALL variables in templates are HTML-escaped. While you still can (and sometimes need to) declare variables as raw, it's something you actively have to enable on a case-by-case basis. Which means that you only have to think about it on the exceptions, and not everywhere.
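Added example, not code from the comment or from Django itself: stand-alone Python versions of the three protections the comment credits the framework with (placeholder-bound SQL, escape-by-default templating with an explicit opt-out, and a session-bound CSRF token), which is also the answer to the earlier "how do you know that POST came from the user" question. The session dict, allowed origin and in-memory database are constructed here for the demo.

```python
"""Framework-style protections, written out by hand so the mechanism is visible."""
import hmac
import html
import secrets
import sqlite3
from typing import Dict, Optional

# --- SQL injection: let the driver bind values, never build SQL from strings ---
def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_role(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """The '?' placeholder means `name` is data; a name containing SQL
    syntax simply fails to match any row."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

# --- XSS: escape everything on output, opt out per value, like mark_safe ---
class Safe(str):
    """Marker for a string the developer has explicitly vetted as HTML."""

def render(template: str, **ctx) -> str:
    """`template` is developer-controlled; every substituted value is escaped
    unless it was wrapped in Safe, so raw output is the visible exception."""
    escaped = {k: (v if isinstance(v, Safe) else html.escape(str(v), quote=True))
               for k, v in ctx.items()}
    return template.format(**escaped)

# --- CSRF: a synchronizer token tied to the session, plus an Origin check ---
def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a per-session secret and embed it in forms the site renders."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def verify_post(session: Dict[str, str], form: Dict[str, str],
                origin: Optional[str], allowed_origin: str) -> bool:
    """A POST is accepted only if it carries the token stored in this session
    and, when the browser sent an Origin header, that origin is our own.
    Script in another tab cannot read our page's token, so it fails here."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected:
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if origin is not None and origin != allowed_origin:
        return False
    return True
```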
Rule 1: Do use a framework.. A good framework has already been widely tested and hardened, and will help you avoid stupid mistakes.
When I worked at an ISP call center, I suggested a separate "pro" queue, where you'd have to answer for example some simple hex -> dec and subnetting questions.
(Examples: What is the dec equivalent of 0x(FF|0A|10)? how many ip addresses are there in a /24 subnet?)
For some reason the management didn't quite like the idea..
Have a read at his twitter account...
From there (posted some hours ago):
I didn't know who the dude was at Penny Arcade - I really didn't do anything wrong, and my reputation is ruined forever.
---
Basically, what Gabe did is this: If you were in a bar, drinking and hanging out with a bunch of people and in that group of people was one guy that you didn't know was a mixed martial arts champion. He knows he can kick the shit out of anyone in that bar and you happen to pick a fight with him. He doesn't tell you what he is, you take a swing at him and the next thing you know you have a broken jaw and you're on the way to the hospital.
---
I talked to four or five thousand people before I talked to this kid. None of them went viral. Before Sunday my reputation was impeccable - it was as clean as the most expensive diamond. Now it's just trash, and that bothers me.
Still feel sorry for him? I feel sorry for his family (which also seems to be harassed, which is really sad), but him? No.. Not the way he's still acting.
Well, a Chinese spokesperson was quoted "They are as peaceful as the American GPS satellites, and contain no more armaments than those do" - so no worries.
We do have some strange reports of a high-ranking American general running from the press conference with a panic-struck look on his face, but that's probably unrelated.
WWCMOTDD?
He'd sell a sausage-inna-bun to you and you, that's what CMOT Dibbler'd do.