Slashdot Mirror


User: TheRealBurKaZoiD

TheRealBurKaZoiD's activity in the archive.

Stories · 0
Comments · 56

Comments · 56

  1. dongles anyone? on DVDs w/ Built in USB Ports for Copy Protection · Score: 2, Informative

    why don't they just ship a damn dongle with everything that can be possibly used with a pc? rip the cd/dvd/game/movie all you want; it won't work without the dongle. as a matter of fact, give the fucking media away. charge for the dongle. been doing this shit for thirty years now.

  2. Re:My most recent bedroom dialogue on Google to Use PC Microphones to Listen In? · Score: 2, Funny

    Try reading your post with a Jamaican accent. It made it all the funnier....

    Just don't ask why I was reading it with a Jamaican accent.

  3. Security checks, and requirements on HSBC Online Banking Security Flaw Analyzed · Score: 3, Interesting

    I find this all pretty funny, especially the requirement of the keylogger, because it hits home pretty close. A web application I wrote and deployed to production about a year ago and now support was finally put through a third-party security check a few weeks ago. The results were fine for the most part. The application is more or less rock-solid since it is secured through Kerberos, hardened against SQL injection, and invulnerable to cross-site scripting attacks.

    What the company did list as issues (and severe issues, mind you) was the fact the application displayed signs of being vulnerable to cookie stealing and session hijacking through man-in-the-middle attacks, that the server type was sent in the HTTP headers, and that ports 110 and 25 were open on the web server. Well, my complaint is that the security report listed the application problems first, and gave them a higher score of criticality, which made everything else, including the open ports, 1) seem less severe, and 2) seem as though they were application problems and not network problems, which is what they really are. The business people flipped out and thought the sky was going to fall, since there is some sensitive information stored in this system. Rather than breaking out champagne and celebrating the fact the system was secure against 99.9% of the attacks that would possibly be thrown at it, they lamented issues that weren't application issues. Now understand, I don't manage the servers this application runs on. I merely wrote the application. I don't know what all kind of shit the people who do manage it might have changed.

    The funniest thing is, in order to successfully run any cookie stealing, or session hijacking, you (the hacker) had to already have access to not one, but two windows accounts on the domain! The only way to get those was to either work there and have an account, brute-force the username/password, or social-engineer someone out of theirs. And, in order to successfully run the man-in-the-middle attack, you would have to have penetrated the LAN, or hacked someone's computer at their home.

    I began to run damage control, explaining how these exploits were possible, why they weren't application issues but network issues, and explaining lots of terms like ARP spoofing, cache poisoning, and how to avoid those things. I remarked that the open ports issue should be rated more highly than the MITM issues, and I also detailed how virtually every web application ever written was similarly vulnerable to these attacks in one way or the other, only to wind up being told that can't possibly be true, how I'm extremely arrogant, and how I think I know everything! One person even threatened to have me removed from the project, the cocksucker.

    At any rate, the requirement of the keylogger reminded me of the extenuating circumstances needed to exploit this application here: network penetration, not one but two valid accounts, and specialized knowledge of the application.

    It's weird. You try to help people and do your job, and they hate you for it. I think I've been doing this for just too damn long.

  4. Re:Yea, but what's outside on An Older, Larger Universe · Score: 3, Funny

    Is there a passport checkpoint?

    No, but I hear there is a pretty decent restaurant at the end of the universe. Just make sure you tip the robot parking your car.

  5. Re:Who the hell.... on John Romero, the Man Behind the Hype · Score: 1

    He's pretty legendary for having the domain name rome.ro

    not so legendary I've never heard of it. there goes that theory.

    along with having a Ferrari that you could tune via USB while driving.

    so that's where all that venture capital (that should have been spent on Daikatana) went.

    at any rate, I met this guy a few years ago at Milo Butterfingers. He seemed really pissed when, after he was introduced, I said, "I love your zombie movies." No sense of humor for you. Ah, well. I heard he was down to making cell phone games, and attempting to "teach" in that video game program they threw together at SMU. I'm really surprised he's still alive...maybe he really IS the living dead???

  6. Re:Dynamic 'WHERE' clauses on SQL Injection Attacks Increasing · Score: 1

    Eh, it might. Based on the blurb on Amazon I'm curious to read it myself. However, if you're the kind of developer that needs to be highly productive it might not be the best place to look toward for a reference or for code examples. First, I'd probably track down a copy of this at the local Barnes and Noble, or the local University library, and give it a read through for a couple hours, and then decide whether or not I'd spend my money on it. There are other books, like SQL For Mere Mortals, that might give you quicker answers, although I don't know when the last edition of that one was published.

  7. Re:Dynamic 'WHERE' clauses on SQL Injection Attacks Increasing · Score: 1

    I've been in a similar situation to what you describe. The dynamic where clause had the potential to have an arbitrarily large number of conditions. I had no other choice but to construct an inline query in my database access layer, but fortunately I could structure it as a parameterized query and still avoid SQL injection. I can imagine there are situations where you really just have very little choice, but I try as hard as I can to stay away from dynamic SQL on the server side (via EXEC).

    I suppose in that situation it would boil down to database security and who has the ability to do what. Well, we do what we can, and try to catch the rest with auditing.

  8. Dynamic 'WHERE' clauses on SQL Injection Attacks Increasing · Score: 5, Informative

    I think one thing everyone is overlooking, and I didn't see it mentioned before I posted, is that a lot of newbies, and even intermediate SQL developers, either can't use stored procedures because they're using some old version of MySQL, or they have problems writing stored procedures that include dynamic WHERE clauses, or they just don't know that you can do that. It's been my miserable privilege to have seen some pretty goddamn bad SQL code in my life, code that was so bad it would make you physically ill, simply because the developer didn't know any better. Remember kids:
    1. Stored Procedures
    2. Parameterized Queries
    3. Learn the SQL-92 Specification (so that you're familiar with the language beyond just SELECT, INSERT, UPDATE, and DELETE. There are all kinds of things out there to help you get rid of that dynamic code, like COALESCE, and CASE WHEN, etc.)
    Here's the SQL-92 Specification

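
A worked version of what comments 7 and 8 describe, added here as an example (not the poster's code), using Python's standard-library sqlite3 with constructed sample rows: the string-splicing pattern the thread warns about, a parameterized builder that accepts any number of conditions behind a column whitelist, and the COALESCE idiom that keeps the statement static.

```python
"""Dynamic WHERE clauses without splicing user input into SQL text (stdlib sqlite3)."""
import sqlite3

# Constructed sample rows; not data from any real system.
ROWS = [(1, "alice", "austin", 30), (2, "bob", "boston", 41), (3, "carol", "austin", 25)]
# Placeholders can only carry values, never identifiers, so column names are whitelisted.
ALLOWED_COLUMNS = {"name", "city", "age"}


def connect():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, city TEXT, age INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return db


def vulnerable_query(db, filters):
    """The pattern the thread warns about: filter values pasted into the SQL string."""
    where = " AND ".join(f"{col} = '{val}'" for col, val in filters.items())
    sql = f"SELECT id FROM users WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def parameterized_query(db, filters):
    """Any number of conditions (comment 7's case), each value sent as a bound parameter."""
    clauses, params = [], []
    for col, val in filters.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {col}")
        clauses.append(f"{col} = ?")
        params.append(val)
    sql = "SELECT id FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in db.execute(sql + " ORDER BY id", params)]


def coalesce_query(db, name=None, city=None, age=None):
    """Comment 8's COALESCE idiom: one static statement, a NULL parameter means 'no filter'.
    Caveat: a row whose column is itself NULL never matches, since NULL = NULL is not true."""
    sql = ("SELECT id FROM users WHERE name = COALESCE(?, name) "
           "AND city = COALESCE(?, city) AND age = COALESCE(?, age) ORDER BY id")
    return [row[0] for row in db.execute(sql, (name, city, age))]
```
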
  9. Re:wait on Internet Giving Homeless a Home · Score: 2, Interesting

    My question is how and where are the "homeless" charging the batteries on these devices? My celly won't last three days without a charge.

  10. Re:Classic quotes on Quake is 10 · Score: 1

    I remember having to daisy-chain my voodoo rush with my diamondmax 3d card, so I could run 2d & 3d.

  11. Re:speed? on UBC Engineers Reach Mileage Of Over 3000 MPG · Score: 1

    That reminds me of something I saw on vacation last week in Portland, ME. We were driving down the road in Windham, and we hear this loud whining motory sound, like a lawn edger or something. Lo and behold, down the sidewalk came a guy on an old bicycle, and affixed to it was a small gasoline powered motor turning the chain on it. He had made a makeshift accelerator that was on the handle.

    We were doing 30mph, and he smoked us, seriously. He shot past us and disappeared down a side road.

  12. Re:3 reasons from personal experience on Making an Argument Against Using Visual-Basic? · Score: 1

    you arrogant pissant. it's low-level api programmers like you stuck in a windowless closet somewhere that completely missed the paradigm shift that happened in programming long ago. business programmers have to be as productive as possible in order to meet deadlines and generate revenue. VB and its kin help them be productive and meet that goal. it's business analysts/programmers that drive innovation out of the inherent need to be as productive as possible, and keep the marketplace moving, so that you can stay in your closet writing low-level plumbing, and surfing slashdot. the people who own businesses and run companies that produce software products don't CARE about what you're talking about, that's why you are tolerated in all of your arrogant nerdy glory.

    stay in your closet and argue about languages, and continue creating the components that support business developers, but it would serve you well to remember this: it doesn't matter how technically correct you are if you're not the boss.

  13. I think cool tech zone self destructed first! on Why Sony is Ready to Self Destruct · Score: 0, Redundant

    ...thanks in large part to the ./ effect!

    here's what I got:

    mossession::store failed
    DB function failed with error number 1062
    Duplicate entry '1-' for key 2 SQL=INSERT INTO mos_session ( `session_id`,`time`,`username`,`gid`,`guest` ) VALUES ( '5a03d3215b93dec07298edf7b6444a78','1147722707','' ,'0','1' )
  14. Re:Leaving Differently on Leaving Early May Cost You Time · Score: 3, Informative

    But it is fun to give a smug wave to the ass that blew past you at 90mph about 20-30 minutes ago as you pass him stopped in traffic because you chose the correct lane to stay in while he keeps switching lane to lane.

    Yes, that is one of the great pleasures of life. More often than not, I even beat these guys to the same destination.

  15. Redneck Rampage on Abandoned Games · Score: 2, Interesting

    Personally, I'm looking for a copy of redneck rampage. Yes, it was a stupid game, but I've never laughed so hard at an FPS before in my life.

  16. Re:Kind of.... on Your Digital Inheritance? · Score: 5, Interesting

    My best friend passed away almost seven years ago. A couple of months after the funeral I was surfing the web when suddenly his screen name on my AIM list lit up as if he had just signed on! Totally freaked me out, until I found out it was his wife checking his email. It would happen every so often until finally I had to remove the entry from my buddy list, and I even went so far as to block the screen name. I know she took his death really hard, but I found it to be exceptionally creepy. I think she paid his account for a few years after that, just to keep the screen name.

    IMHO, it's better to walk away from death than to wallow in it.

  17. Knew it had to be a joke... on The Real Purpose of DRM · Score: 1

    ...as soon as I read the first four words: "Gorgeous nerd Annalee Newitz"

  18. Re:So the best way to avoid being outsourced IT? on Lowering the Odds of Being Outsourced · Score: 1

    Look, I love IT with all of my heart, but I was sick of losing the political fights all the time, or having some mid-level manager who doesn't know a null-terminated array from a hole in the ground deciding how best to develop and support applications. Besides, do you really want to stay in the trenches forever?

    I tell every young programmer who wishes to further their education to get their MBA. The sheer value of having the exposure to the larger picture is priceless. I finally understood why I lost all of those political battles, and why seemingly ignorant mid-level managers controlled the universe.

    Yes, I became one of them, but I sleep better at night no longer concerned that an application isn't elegant enough. If it does the job, that's good enough.

  19. Re:so, he has his kids brainwashed on Ballmer Babies Banned From iPods and Google · Score: 1

    Or, in all seriousness, he could just be lying. It'd be a lot of bad press if he admitted, "yeah, my kids google all the time", or "my kids just luuuuv their iPods." Try explaining that to your stockholders. It'd kind of be like the CEO of Anheuser-Busch talking to a reporter and cracking open a Coors.

  20. easy fix in XP on Web Site Attacks Against Unpatched IE Flaw Spike · Score: 3, Interesting

    Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.

  21. Re:Please Don't Interpret this Incorrectly on 60% Of Windows Vista Code To Be Rewritten · Score: 1

    Yeah, you're probably right. Microsoft builds in a lot of backwards compatibility, and that's pretty nice, so there has to be a ton of legacy code in there somewhere. Someone earlier in the thread mentioned why upgrade, and without all of the new features (WinFS, etc) why do so? My mother is still running the win2kpro box I set up years ago for her, and until a year ago a friend of mine was still running the old win95 box she bought a decade ago. All the applications she needed still worked on it, it was just horribly, horrendously slow.

    You mentioned the registry, and that reminds me of another article I read some time ago. Didn't Microsoft say at some point the registry will go away? I thought .Net was supposed to have something to do with that, but again I could be mistaken.

  22. Re:Please Don't Interpret this Incorrectly on 60% Of Windows Vista Code To Be Rewritten · Score: 4, Insightful

    I agree with you mostly, but I swear I remember reading an article a couple of years ago where Allchin (sp?) commented that Vista was a from-scratch complete re-write of the OS, that they didn't port anything over. Of course I could be mistaken, but it just sounds really weird to remember that, and now the talk of a major re-write. 10%, 25%, 50%; does it really matter how much of a re-write it is? At 50+ million lines of code that's no small re-write. And I assume everyone here on /. has at the very least worked on small to medium-sized project development teams. You all know the difficulties and politics in teams of that size. Can you imagine the cluster-fuck in coordinating development using literally hundreds and hundreds of programmers?

    Personally, I really don't care when it comes out. I waited until sp2 to jump on the xp bandwagon anyway, and I typically wait a couple of years before adopting a new operating system, just to let the bugs shake out.

  23. does he pay his taxes? on Interview with a Botmaster · Score: 0

    I wonder if he pays his taxes on that $6800 - 10,000 he makes each month?

  24. Offtopic - TV License Fee Question on RIAA Sues Woman Who Has Never Used a Computer · Score: 0

    So, just out of curiosity, how much IS a tv license fee in the UK?

  25. deal with it on Overwhelming Bureaucracy in the IT Department? · Score: 1, Insightful

    be grateful you have a job. it's obvious there is nothing you can do about it, so why are you sweating it? go with the flow and live a less-stressed existence. it's not worth creating ripples. the only people who judge you for your work aptitude are you and other men; no one else cares.