Slashdot Mirror


User: lonecrow

lonecrow's activity in the archive.

Stories
0
Comments
498

Comments · 498

  1. Re:Academics on Edward Tufte Appointed To Help Track and Explain Stimulus Funds · · Score: 1

    Try reading some of Tufte's work first. Tufte's genius is just the sort of thing we need more of so that we can better make use of the torrent of information raining down on us.

    If his work is used to distort rather than reveal information, I suspect he will let us know.

  2. Re:Dear software engineers on Time To Take the Internet Seriously · · Score: 1

    It's not so different from the way our cities have developed, and I don't think it is anything to complain about.

    How much do you think you would enjoy a completely centrally planned city? Probably not as much as some of the best cities in the world, which developed as a distributed, semi-chaotic system using what worked and what was at hand.

    I think it is the strength and wonder of the web, not its shortcomings. After all, if you want a walled garden there are those that would give you one. (Jobs, Zuker, etc.)

  3. Re:Serious Allegations on Facebook Founder Accused of Hacking Into Rivals' Email · · Score: 1

    If this case is proven true, I can see some new laws on how companies with this kind of information have to structure and protect it.

    I think there already is (SOX).

    The Sarbanes-Oxley Act may have come about because of financial mismanagement at a handful of accounting companies, but it contained a lot of data access control and auditing requirements, causing much pain in the DBA community.

    So perhaps new rules are not required, simply compliance with existing ones.

  4. Re:Copyrights on "Patent Markings" Lawsuits Could Run Into the Trillions · · Score: 1

    I am not sure I understand. Copyright is automatic. The only reason to include a copyright notice is to make absolutely sure the person doesn't assume the work is public.

    So what would a questionable copyright look like? Would it be if I said something was my copyrighted property when it was not?

  5. Re:Am I alone or on How Slums Can Save the Planet · · Score: 1

    You obviously don't know who Stewart Brand is, or you wouldn't suspect him of brainwashing for the plutocrats. He basically re-launched the ecological movement in the '60s by lobbying the US government to release a photo of the Earth from space.

    But since you're also on Slashdot you should also know him from The WELL.

    I for one would love to learn how to have 1m people per square mile in an efficient manner. Then we could build arcologies like those cool ones in the new Star Trek movie.

  6. Hard to beat? on The Awful Anti-Pirate System That Will Probably Work · · Score: 1

    Couldn't someone just reverse engineer the datastream in order to figure out the save/load logic then redirect the URL call to another IP (maybe your own)?

  7. Re:Use a persistence library on Anatomy of a SQL Injection Attack · · Score: 1

    Right, and all I am saying is that I am not forcing myself into procs due to some ideology; I have just found them to be the best choice in pretty much every case.

  8. Re:Use a persistence library on Anatomy of a SQL Injection Attack · · Score: 1

    You make it sound like all those things are problems. I just wrote a custom CMS and member management system where the main member list screen allows about a dozen optional filters (12 parameters) with SQL paging and variable sort columns, all in one proc. The entire proc is only 100 lines long and not very complicated. (And it does not use any dynamic SQL in the proc either.)

    Here is a screen shot of the filter form. http://www.lonecrow.net/images/member-list-filters.jpg

    I haven't added "sort by" to the filter form yet but it's in the proc. It works like this:

    -- the sort order is chosen by a typed integer parameter, so no dynamic SQL is needed
    declare @OrdSeq int
    set @OrdSeq = 2   -- 1 = lastname ASC, 2 = lastname DESC, 3 = firstname DESC, 4 = firstname ASC

    select top 10 * from member
    ORDER BY
      -- only the CASE that matches @OrdSeq yields a value; the other three sort by NULL
      CASE @OrdSeq WHEN 1 THEN lastname  ELSE NULL END ASC,
      CASE @OrdSeq WHEN 2 THEN lastname  ELSE NULL END DESC,
      CASE @OrdSeq WHEN 3 THEN firstname ELSE NULL END DESC,
      CASE @OrdSeq WHEN 4 THEN firstname ELSE NULL END ASC

    Sure, I need to add two lines for each column I want to sort by, but for most apps that I do you can easily predict the handful of columns that people want to sort by.

    No, procs are not religious relics, but I have found them to be the best tool for the job in pretty much every circumstance.

    Concerning security chaining: if you use dynamic SQL then you have to grant the application's account direct access to the tables, and the intruder can throw ad hoc queries against them and inject all sorts of things. None of my procs can be used to elevate permissions because they are only performing CRUD operations against user tables. And since the parameters are typed they can't be injected. The procs can't be used to do anything they were not written to do. So yes, if someone got hold of the application account they could delete or mess up user records, but they can't compromise other databases or the system itself.

    But, if you're saying that security chaining is only one part of a proper defense-in-depth strategy, then I would agree.

    Seriously, everything you complained about being hard to do in a proc is not really a problem. And from a performance, security, and maintainability point of view, procs beat dynamic SQL every time. If I were you I would do myself a favor and spend some time boning up on T-SQL (or whichever flavor you use). The benefits to your apps will be huge. Just think about all those times you watched some user doing things the hard way in Excel, and when you showed them an easier way they said "but I know the way I am doing it now". I think that is the zone you're in. You're fighting to do things the hard way.

    PS. I am using MS SQL 2000. The newer versions (2005, 2008) have a bunch of cool new features that make things like paging even easier.

    PPS. If you're looking for how to do server-side paging, this link has a lot of strategies. They save the best for last. Scroll to the bottom for the rowCount method.
    http://databases.aspfaq.com/database/how-do-i-page-through-a-recordset.html

  9. Re:Use a persistence library on Anatomy of a SQL Injection Attack · · Score: 1

    Or you could just learn to write better, more flexible stored procedures.

    I haven't resorted to dynamic SQL in at least 6 years and now I can't believe I ever did. And when I look at some of my old code with dynamic SQL, I can't believe how much MORE work it was.

    It's not just the input parsing, it's also taking advantage of permission chaining. The DB account that I use in the application only has permission to run those specific stored procedures. So even if the application is compromised and the intruder gets the DB account info, they still can't do anything other than run those procedures with those typed variables.

    IMHO anybody using dynamic SQL in a web application should have their head examined. There is no excuse other than being too lazy to learn to do things right.
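
    Putting the two comments above (the CASE-driven sort from comment 8 and the EXECUTE-only account from comments 8 and 9) into one runnable T-SQL script, as an added example that is not the commenter's code. It assumes SQL Server 2005 or later (the commenter is on SQL 2000, which lacks ROW_NUMBER()), a table dbo.member with columns member_id, lastname, firstname and city, and a login named web_app; all of those names are assumptions, and the password is a placeholder.

```sql
-- Added example, not the commenter's code. Assumes SQL Server 2005+, a table
-- dbo.member (member_id, lastname, firstname, city) and a login named web_app.

-- (a) The pattern the comments argue against: a sort column spliced into the
--     query text. A value such as  lastname; DROP TABLE dbo.member--  would run.
--     Kept as a comment for contrast only.
-- EXEC (N'SELECT TOP 10 * FROM dbo.member ORDER BY ' + @UserSort);
GO

-- (b) Typed parameters only: optional filters, CASE-driven sort and paging,
--     with no dynamic SQL anywhere in the proc.
CREATE PROCEDURE dbo.member_list
    @LastName nvarchar(50) = NULL,  -- optional filter; NULL means "not filtered"
    @City     nvarchar(50) = NULL,
    @OrdSeq   tinyint      = 1,     -- 1 lastname ASC, 2 lastname DESC, 3 firstname DESC, 4 firstname ASC
    @Page     int          = 1,
    @PageSize int          = 10
AS
BEGIN
    SET NOCOUNT ON;

    WITH numbered AS (
        SELECT m.member_id, m.lastname, m.firstname, m.city,
               ROW_NUMBER() OVER (ORDER BY
                   -- only the CASE matching @OrdSeq yields a value; the others are NULL
                   CASE @OrdSeq WHEN 1 THEN m.lastname  END ASC,
                   CASE @OrdSeq WHEN 2 THEN m.lastname  END DESC,
                   CASE @OrdSeq WHEN 3 THEN m.firstname END DESC,
                   CASE @OrdSeq WHEN 4 THEN m.firstname END ASC,
                   m.member_id) AS rn   -- tie-breaker keeps page boundaries stable
        FROM dbo.member AS m
        WHERE (@LastName IS NULL OR m.lastname LIKE @LastName + N'%')
          AND (@City     IS NULL OR m.city = @City)
    )
    SELECT member_id, lastname, firstname, city
    FROM numbered
    WHERE rn BETWEEN (@Page - 1) * @PageSize + 1 AND @Page * @PageSize
    ORDER BY rn;
END
GO

-- (c) Permission chaining: the web login gets EXECUTE on the proc and nothing on
--     the table. Because dbo.member_list and dbo.member share an owner, SQL Server
--     does not re-check table permissions inside the proc (ownership chaining), so
--     a stolen web_app password can only do what the procs were written to do.
CREATE LOGIN web_app WITH PASSWORD = 'replace-with-a-strong-password';  -- placeholder only
CREATE USER  web_app FOR LOGIN web_app;
GRANT EXECUTE ON OBJECT::dbo.member_list TO web_app;
-- deliberately no GRANT SELECT/INSERT/UPDATE/DELETE on dbo.member to web_app
GO

-- (d) A typed parameter cannot alter the query text: this "injection" is just a
--     last name that matches nobody, so the call returns zero rows and drops nothing.
EXEC dbo.member_list @LastName = N'Smith''; DROP TABLE dbo.member--', @OrdSeq = 2;

-- (e) Check the chain as the application user: direct table access is denied
--     (error 229, "The SELECT permission was denied"), the proc call succeeds.
EXECUTE AS USER = 'web_app';
SELECT * FROM dbo.member;                                      -- denied
EXEC dbo.member_list @OrdSeq = 3, @Page = 2, @PageSize = 25;  -- allowed via the chain
REVERT;
```

    Two caveats a practitioner should keep in mind. Ownership chaining only applies while the proc and the tables it touches have the same owner; a proc that reaches into another database needs cross-database ownership chaining, which is off by default, which is why a compromised account stays boxed into this one database. And LIKE still interprets % and _ inside @LastName: that is a filtering quirk, not injection, since the parameter can never change the statement text, but it is worth escaping those characters if the filter must be literal.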

  10. Re:Yeah, right. on The 25 Most Dangerous Programming Errors · · Score: 1

    "but i'd also reserve the right to deny the customer any features i deemed unsafe."

    Don't you already? Try convincing an engineer or architect to design or build a structure that violates safety code. It just isn't going to happen unless you have a corrupt engineer.

    I always maintain that security is the developers responsibility no matter what. If an engineer caved in to a customer request that ultimately resulted in death or injury do you think anyone cares that he was just giving the customer what they wanted?

    How many times does your client have the know-how to correctly assess the security threats and risks in programming? I am guessing not very often.

  11. Re:I love to be the first to say this... on Utah Assembly Passes Resolution Denying Climate Change · · Score: 1

    How long is this "no warming in last 15 years" half-truth going to survive?

    I would be greatly pleased if someone who takes this as some sort of anti-gw proof would kindly review this graph: http://www.grist.org/article/global-warming-stopped-in-1998 then explain why they still hold that view.

    Then there is this 2000 year graph showing the results of 10 different studies by different teams using different methodologies: http://www.globalwarmingart.com/wiki/File:2000_Year_Temperature_Comparison_png

    Is there a claim that ALL of them are junk?

  12. Re:Not Censorship on Google Patents Country-Specific Content Blocking · · Score: 1

    Prior art.

    ' countryFromIP is the author's own lookup; it is assumed to return a two-letter country code
    If countryFromIP(IP) = "CA" Then
        Response.Write "My content"
    Else
        Response.Redirect "sorry for canucks only"
    End If

    I have web applications that make extensive use of country-specific branching. For example, the region I live in has a name that is similar to one in Australia. So if the user's IP is from Australia I place a link at the top of the page to a partnering site in AU. If someone is posting a classified ad I reject it if they are not from Canada (it's a local site).

    So is this just an overly broad patent, or is there some specific technique (other than IP address) that they are patenting?

  13. Re:First (cheap gas?) on Cellulosic Biofuel Finally Ready For the Road · · Score: 1

    So you're telling us that you live in a city that can't get its planning shit together. In your next municipal election maybe you could do something about it. Yes, yes, I know that it's a legacy of the past, but the moment you are aware of the problem, you are now a part of the solution... or not.

  14. Re:Settled law in the United States on Australian Judge Rules Facts Cannot Be Copyrighted · · Score: 1

    So how does Westlaw get defined in this? Don't they have a bare-facts representation of all public court records? My memory is weak, but aren't their index numbers the part that they protect? But couldn't someone else publish a database of court records and then publish as a statement of fact that "us v them" is indexed by Westlaw as case number #12j-n13?

  15. Re:High performance in scripting languages? on Facebook Rewrites PHP Runtime For Speed · · Score: 1

    Well, doesn't PHP compile on first use like ASP Classic does? In ASP every call to a script after the first is essentially running a compiled program.

  16. Re:Missed Opportunity on Amazon EC2 May Be Experiencing Growing Pains · · Score: 1

    Hi. Allow me to disagree. I run a small IT shop and I host a couple of dozen websites for my clients and myself. I currently have a dedicated server at thePlanet, which I have been very happy with.

    However, my disaster recovery plans always hit a snag when I imagine the server falling off the shelf or getting rooted. Sure, I have all the software and license info required, and yes, I have excellent off-site backups of the websites and their databases. But if I had to restore that server from scratch it would still take me at least a day and probably two or three.

    OTOH, if I have an EC2 instance, I just re-launch from my custom AMI and I am back in business in minutes with little effort.

    Add to that the fact that I can make snapshot backups of 30GB EBS volumes in less than a minute, and I get very excited.

  17. Re:TOO MANY LINKS man! on Mozilla To Ditch Firefox Extensions? · · Score: 1

    I can't even remember how I used to work before Firebug and the Web Developer toolbar, TamperData, YSlow, etc. Those extensions revolutionized my productivity.

  18. Re:AT&T Not Voiding the Cards? on DC Sues AT&T For Unclaimed Phone Minutes · · Score: 1

    So they claim the property itself, the minutes, and use them with employee phones. Dave

  19. Re:US bullying and demanding other countries.. on Canada's Airlines Face a Privacy Dilemma · · Score: 1

    Also, last I checked, you are absolutely allowed to possess alcohol (and even drink it) while flying through Saudi Arabian airspace. It only becomes a problem if you land there and try to get it through customs.

    That was provided as a hypothetical. In my hypothetical, in order to comply with a local law upon landing, you must start to comply at takeoff. In the case of a flyover of US airspace you may never land, so compliance has to be performed at origin. In this case the US wants to know who is flying over their airspace. They cannot intercept and check passports in midair, so the information has to be collected at origin.

    I am not arguing that the TSA requirement makes sense. I am simply arguing that Canadian airlines would not be breaking Canadian privacy laws in the collection and sharing of the personal information as long as they disclosed how it would be used.

    From the airline's and passenger's point of view providing the information is ESSENTIAL to the transaction because of the demands of a separate sovereign nation that neither party has any control over.

  20. Re:US bullying and demanding other countries.. on Canada's Airlines Face a Privacy Dilemma · · Score: 1

    Human readable version of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

    A Guide for individuals.
    http://www.priv.gc.ca/information/02_05_d_08_e.cfm

    A Guide for businesses
    http://www.priv.gc.ca/information/guide_e.cfm

  21. Re:US bullying and demanding other countries.. on Canada's Airlines Face a Privacy Dilemma · · Score: 1

    Yes, but in this case the information is necessary in order for the Canadian carrier to provide the service. If the carrier refused to provide the information then they couldn't fly over the US and so couldn't sell the seat to the individual.

    My point is that the Canadian carrier would only be violating Canadian privacy law if they failed to inform the individual up front about what information is collected, why, and who it's shared with.

    One could argue that the TSA's requirement would not be legal in Canada. For example, if Air Canada said "In order to fly on our plane from Toronto to Vancouver we need to know the country you were born in," someone could argue that they do not need that information in order to provide the service, so they would be in breach of the law.

    The way I see it this situation is entirely different. For example, let's say it was illegal to possess alcohol in Saudi Arabia. If you book a non-stop flight to Saudi Arabia you would probably be informed that no alcohol would be served on the flight. Even though when you get on the plane you are in Canada and possessing the alcohol would be legal, when you land the carrier would be breaking local law if there was alcohol on board.

    I might argue instead that the TSA requirement is overburdensome and counterproductive and just plain silly. But I wouldn't say that the TSA is breaking Canadian law within their own sovereign airspace.

  22. Re:US bullying and demanding other countries.. on Canada's Airlines Face a Privacy Dilemma · · Score: 1

    Actually, the odd thing is that I can't see how this violates Canadian privacy laws.

    My reading of the law (which I needed to do for my work) is that it requires that we inform the person what information is being collected, what it will be used for, how long it will be kept, AND who it will be shared with.

    If you read many privacy statements you usually find a statement that says that the information is being collected in order to fulfill the service the person is availing themselves of. E.g. we need your address if you want us to send you your product.

    Clearly, if your flight is flying over the US, then the airline needs that information in order to deliver their service to you.

    As far as I can tell, there is no violation unless the airlines fail to properly inform ticket purchasers that this information will be collected and shared.

    Where's the beef? It seems like a non-story.

  23. Re:Dell ad? on An Inside Look At Warhammer Online's Server Setup · · Score: 1

    World War II Online had a neat idea. It was an MMO that was played in campaigns. Within each campaign many players would just log in and fight first-person style. But there were also other players that made strategic decisions within a campaign that affected the game play of all players.

    For example, the leadership players could decide to reduce fighter plane construction in favor of having more tanks available. When a player logged in they might find that all the planes were already in use, so they would have to go inf or take a tank out.

    This basic idea could be translated into other game worlds.

  24. Re:Who said it was anti-technology? on Anti-Technology Themes in James Cameron's Avatar · · Score: 1

    Who needs technology when you can login using your "universal hair-braid port"

  25. Re:A simple problem. on Wikileaks Targets the Local News Frontier · · Score: 3, Insightful

    So if my newspaper breaks the story, is that a clear indication that the leaker accessed the WikiLeaks uploader from my newspaper's website?

    Could a lawyer construe that since I placed the link on my site for the express purpose of facilitating the upload in the first place that I was somehow complicit in, and liable for, the release of the information? IANAL but law and order keeps telling me that the parities to a conspiracy do not need to know each and still be involved in a conspiracy. I wonder if the target of a leak could be successful with that argument.