Yawn. Nothing to do with Joomla OR web security
on Joomla! Web Security · Score: 4, Insightful
Clearly, neither the author of the book, nor reviewer understand web security.
If you want to learn about securing web servers, why not read Ivan Ristic's Apache Security?
Apparently, from the topics discussed in this review, this book has nothing to do with writing secure applications using the Joomla Framework. Seriously, file permissions? Using Nmap? Nessus? Talk about using the wrong tools for the job. Not even the Joomla Security page has anything to do with actual web application security.
How about going over topics like secure session management, input validation, parameterized queries, output entity encoding, etc?
The POC worked in both Firefox 2.0.0.2 and IE6 on Windows XP SP2. It worked as well typing various phrases besides what it told me to type.
Below should be a copy of your C:\BOOT.INI file. If nothing is
shown, chances are you don't have this file in the first place,
your account has no permission to read that file, you didn't use
a vulnerable browser, or I screwed something up.
=== RECEIVED DATA ===
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
If you flip the light switch one way and it doesn't work...try flipping it the other way. The building isn't going to blow up.
I think that would mean the power is out;)
I agree with you about playing around with computers.. Whenever I get something new, I'll flip through the manual and see if there's anything I must do before and then I'll get right to tinkering, seeing what works and what breaks. (how many times have we pressed as many keyboard keys as we can to see how long the computer locks up for? heheh)
But Gmail does have ads! Its ads are in the form of "Web Clip," that little ticker-like item above your mail. Currently, I see "Forbes.com Most Popular Stories - How To Be A Better Boss in 2007 - 3 days ago"
So, either way... we must pay something (by ads) to enjoy a "free" service.
I used to be in the same boat, until I began racing NASCAR (Racing Season 2002/2003) online a couple years back. Going 100 laps (with good times and great track position) and then getting spun out into the wall sucks... a lot! You're out of the race, and it completely takes the fun out of it. Granted, I love just messing around in practice laps and seeing how many crashes I can cause, but when it comes down to actually racing, I either turned it off or put on minimal damage.
Not only that, but every car is different. Some cars are absolute lemons while others are gems when it comes down to the amount of power getting to the road.
I will too, but I've got to wonder how somebody interviewing me will think.. It at least can show your sense of humor, especially if they ask during it.
Re:How about dealing with blocking of port 80?
on HR 5252 Bill Dies · Score: 1
I'm with you on this. I cannot stand how ISPs react and place restrictions on consumers on how they use their service. Not only that, but what's with my upload speed being so crappy? (<7% of my download speed)
I wish I had the ability to say... "Ok, my pipe is 7000kbps; let's set aside X for download and Y for upload."
Viktor Cherkashin, a former KGB officer, states in his book Spy Handler that people most often commit treason based on personal needs that need to be resolved right now. Most commonly financial reasons; it is why Aldrich Ames and Robert Hanssen both defected to spy for the Soviets.
What's the ideal solution? Make your employees happy, pay them more, etc.? It's difficult to stop good people from going rogue, and even worse doing pre-screening. Not even a single-scope background investigation and polygraph works (see above).
And to quote Cherkashin, "The only way to be safe is to remove people from intelligence gathering, ... as long as people are involved, security threats can never be completely eliminated."
We've got all the big insurance companies (Hartford is aka "The insurance capital of the world"), and a machining industry: United Technologies (Pratt & Whitney, Sikorsky, Hamilton Sundstrand, etc.), Kaman, General Electric Industrial.... Connecticut is pretty decent, could always be better though.
Take a clue from OWASP and skip this book.
Well, the market isn't reacting as you would suggest.
Woops, I meant to reply to your comment instead of this one.
What you can do instead of using multiple browsers is use separate Firefox profiles using MOZ_NO_REMOTE=1. I explain this technique in a blog entry, Using multiple Firefox profiles simultaneously to guard against CSRF attacks.
This technique would be almost equivalent to using multiple browsers, and I don't know why Jeremiah hasn't caught onto it. I and several others have been proposing others do the same for a while now. You can further enhance the security by running different Firefox profiles under different users. I included links to what others like Joanna Rutkowska do on Vista with IE7, Firefox, and Thunderbird.
NoScript is a domain whitelisting tool. It does not whitelist "per script" (and doing so would be very difficult). So essentially, you are explicitly trusting the website to run non-malicious scripts. Unless you review all scripts, you have no idea what it's doing, except that you can now "login" to your favorite website. It does not protect you from the attacker who added their own script that steals your login credentials without you knowing it because you trust that site to run only good scripts.
You should try using suspend. It will save you time, come 12:58 instead of ~2 minute bootup you will be up and running in 1-2 seconds.
Same here, until I realize what exactly I deleted after I accidentally hit the up arrow before hitting delete... yup, woops!
The problem with that then, is they could lose 501(c)(3) tax-deductible nonprofit charity status.
I am in university and I use a TI-89 daily, but for tests I am only allowed to use a TI-83 or equivalent. No TI-89 or TI-84 in any Calculus courses.
I would be very much interested in this.. Perhaps a Wiki of some sort?
Who's to say I don't already do that, and what about privacy and physical ownership of my data?
Do we want too? I don't like the idea of somebody besides me having ALL of my data.
wait, .002 dollars or .002 cents???
Sure it does!
http://www.snort.org/dl/binaries/win32/
http://www.winsnort.com/
http://www.sans.org/resources/idfaq/snort.php
Ridiculous! The blatant lies, disinformation and verbal diarrhea this commercial spreads should be punishable to the maximum extent of the law.
The audio is hilarious, sad, and extremely frustrating all at the same time. George has so much more patience than I would have.
:( Don't 'lego my Lego!
It is sad to see Lego go,