This is the sort of stuff I used to hear from my ex-boss (a systems analyst with no clue on anything really technical).
He also used to say "hey, this PostgreSQL/MySQL/(any free SGDB) thing is shit! The only real DB is Oracle!".
Just ask "is it ready for the enteprise?" when anything comes out and you'll have a whole lot of mumbo jumbo reasons to say that language XYZ or operating system won't work in large deployments. =)
It would be useful to mention that by saying "VoIP" it means that voice transmission capabilities will be added to it, and not that it will interoperate with current VoIP telephony standards such as SIP, which by the way, Google Talk has plans to add in a future release.
The article mentions Vonage and SIPPhone alongside as "competitors", which gives people the idea that somehow they will be able to use it to make calls.
Let's be reasonable. That depends on 1) what you do with the piece of paper you wrote the passwords on, and 2) the way you wrote it.
Why? If you keep it, say, in our wallet, that implies in somebody having to steal it in order to get your passwords. You're then forcing a possible attacker to rob you first in order to get what he wants, and that's not really easy in most cases.
And I why should I be careful with the way I write? If you managed to forget it somewhere, it's less obvious an attacker will get something if you don't specify what the passwords are for. E.G.:
less secure note
"Ebay account username: dumbdude, password: ebay_in"
less insecure
"smarterdude lockin" (employing non-related words)
It's easier to keep in mind only the usernames you need for each service. With practice, this is far more secure than employing passwords that are easy to remember.
Smart people will recognize here a way to probe for trusted people working in the same enviroment than you. Leave a piece of paper with a few fake username/passwords around. You can even put some web addresses or email accounts on it. Then check the access logs sometimes.
You're assuming that school is a flawless reference for competence, and in that sense, I disagree.
I could point a few reasons, but there's a fortune cookie who says best:
%%
If the colleges were better, if they really had it, you would need to get the police at the gates to keep order in the inrushing multitude. See in college how we thwart the natural love of learning by leaving the natural method of teaching what each wishes to learn, and insisting that you shall learn what you have no taste or capacity for. The
college, which should be a place of delightful labor, is made odious and unhealthy, and the young men are tempted to frivolous amusements to rally their jaded spirits. I would have the studies elective.
Scholarship is to be created not by compulsion, but by awakening a pure interest in knowledge. The wise instructor accomplishes this by opening to his pupils precisely the attractions the study has for himself. The marking is a system for schools, not for the college; for boys, not for men; and it is an ungracious work to put on a professor.
-- Ralph Waldo Emerson
%%
If we are talking about people who have legitimate access to a database which contains banking info, and by some bizarre reason think "hey, let's do some transfers! they'll never find out!", then it doesn't matter where the transaction is coming from. These guys are probably not even techies...
Now if you deal with pros, well, that's a different story. You cannot (real) IP numbers simply popping up in your web server logs. At least not from my experience.
And speaking of Brazil (I'm brazilian), I don't think your job would be easier. In fact, it's *very* likely that the network provider wouldn't keep track of the connections, you would have to overcome a language barrier, and after a few months, you would probably give up on trying to get any data.
Why are people associating the fact that he's publishing "exploit" code with a crime? It's a crime to use it, to cause damage (which in most cases it's assumed, not proved), not to have or publish it. Or am I wrong? What's the difference between his site and, e.g: packetstorm? Isn't it numbers?
Last time I checked, France was doing this kind of thing. I didn't know that USA was doing the same.
I sell a licensed gun to you in a shop, taking all the necessary legal considerations. You go out and shoot somebody. Who's the criminal?
(and who's to tell that the analogy is incorrect? it's not illegal to download code)
The only annoyance I see is what some people tend to call "the language evolution". Nowadays OOP seem to be the way to go even if the language has 1 or 2 purposes.
If the cost for being similar to java (god knows why) is dropping simplicity, which in-lots-of-people-humble-opinion was (until 4) THE greatest feature of PHP, then the dev team deserves to burn in hell. Or better, as mentioned before in Slashdot (too lazy to look for the link), Zend is the reason for that.
Slashdot Mirror
This is the sort of stuff I used to hear from my ex-boss (a systems analyst with no clue on anything really technical).
He also used to say "hey, this PostgreSQL/MySQL/(any free SGDB) thing is shit! The only real DB is Oracle!".
Just ask "is it ready for the enteprise?" when anything comes out and you'll have a whole lot of mumbo jumbo reasons to say that language XYZ or operating system won't work in large deployments. =)
It would be useful to mention that by saying "VoIP" it means that voice transmission capabilities will be added to it, and not that it will interoperate with current VoIP telephony standards such as SIP, which by the way, Google Talk has plans to add in a future release.
The article mentions Vonage and SIPPhone alongside as "competitors", which gives people the idea that somehow they will be able to use it to make calls.
Let's be reasonable. That depends on 1) what you do with the piece of paper you wrote the passwords on, and 2) the way you wrote it.
Why? If you keep it, say, in our wallet, that implies in somebody having to steal it in order to get your passwords. You're then forcing a possible attacker to rob you first in order to get what he wants, and that's not really easy in most cases.
And I why should I be careful with the way I write? If you managed to forget it somewhere, it's less obvious an attacker will get something if you don't specify what the passwords are for. E.G.:
less secure note
"Ebay account username: dumbdude, password: ebay_in"
less insecure
"smarterdude lockin" (employing non-related words)
It's easier to keep in mind only the usernames you need for each service. With practice, this is far more secure than employing passwords that are easy to remember.
Smart people will recognize here a way to probe for trusted people working in the same enviroment than you. Leave a piece of paper with a few fake username/passwords around. You can even put some web addresses or email accounts on it. Then check the access logs sometimes.
A very effective honeypot =)
You're assuming that school is a flawless reference for competence, and in that sense, I disagree.
I could point a few reasons, but there's a fortune cookie who says best:
%%
If the colleges were better, if they really had it, you would need to get the police at the gates to keep order in the inrushing multitude. See in college how we thwart the natural love of learning by leaving the natural method of teaching what each wishes to learn, and insisting that you shall learn what you have no taste or capacity for. The college, which should be a place of delightful labor, is made odious and unhealthy, and the young men are tempted to frivolous amusements to rally their jaded spirits. I would have the studies elective.
Scholarship is to be created not by compulsion, but by awakening a pure interest in knowledge. The wise instructor accomplishes this by opening to his pupils precisely the attractions the study has for himself. The marking is a system for schools, not for the college; for boys, not for men; and it is an ungracious work to put on a professor.
-- Ralph Waldo Emerson
%%
If we are talking about people who have legitimate access to a database which contains banking info, and by some bizarre reason think "hey, let's do some transfers! they'll never find out!", then it doesn't matter where the transaction is coming from. These guys are probably not even techies...
Now if you deal with pros, well, that's a different story. You cannot (real) IP numbers simply popping up in your web server logs. At least not from my experience.
And speaking of Brazil (I'm brazilian), I don't think your job would be easier. In fact, it's *very* likely that the network provider wouldn't keep track of the connections, you would have to overcome a language barrier, and after a few months, you would probably give up on trying to get any data.
Why are people associating the fact that he's publishing "exploit" code with a crime? It's a crime to use it, to cause damage (which in most cases it's assumed, not proved), not to have or publish it. Or am I wrong? What's the difference between his site and, e.g: packetstorm? Isn't it numbers? Last time I checked, France was doing this kind of thing. I didn't know that USA was doing the same. I sell a licensed gun to you in a shop, taking all the necessary legal considerations. You go out and shoot somebody. Who's the criminal? (and who's to tell that the analogy is incorrect? it's not illegal to download code)
The only annoyance I see is what some people tend to call "the language evolution". Nowadays OOP seem to be the way to go even if the language has 1 or 2 purposes. If the cost for being similar to java (god knows why) is dropping simplicity, which in-lots-of-people-humble-opinion was (until 4) THE greatest feature of PHP, then the dev team deserves to burn in hell. Or better, as mentioned before in Slashdot (too lazy to look for the link), Zend is the reason for that.