Like 270M Americans following gallons, ounces, horsepower and miles :-)
Joe the Dragon could be a really smart 7 year old child, a severely autistic adult, a non native English speaker, or dyslexic. Don't understand it? Ignore it and move on, it's just spam to you. But taking time out of your life to try to train/insult him/it is pointless.
Amen. Ahem, why is this flamebait?
Protecting bank websites, ecommerce websites, online gaming... internal corporate systems, 3rd party applications, operating systems, device drivers... THESE do not require any clearance either.
The article is correct, there is a lot of code that has to be fixed, and there are not enough skilled/interested people to do the job right now.
Gary McKinnon.
There is a shortage. I do security code reviews and we have a challenging time finding good people. The prepress report talks about a lot more than dusty old government jobs.
Interesting... but I wouldn't bet my whole paycheck that the Skype guys, rolling their own encryption, from a weak (RC4) starting point, just stumbled upon something better than the good modern crypto hashes available.
I do security code reviews for PHP/mysql projects in my day job. I like to help with open source projects in my spare time.
Doug
Yeah, right. I'll let you do home maintenance to possibly save your building when your earthquake hits. I'll just be outside, possibly saving my human body thanks.
Ditto.
Yeah, it's kind of like Oregon Trail.
Interesting points, but you are just a horrible person. Do you put on a balaclava and talk this way at dinner parties?
I would hate to work in an environment where "it's hopeless, nothing we do today works" was the prevailing theme.
Oh yeah, I sort of did forget about the zombies... I work in application security and probably have kind of a narrow view.
That's crazy talk. Microsoft has led the way in principles of application security, secure web frameworks.... they've not exactly blazed the trail with managed language runtimes and secure-by-default, but it's an understatement to say they have certainly caught up.
Yodlee is a service that back-ends online banking applications and payment systems. Maybe they would sell you a development license or something...?
It was crab people.
I wonder what other data flow sinks exist other than executing a shell call... ...
- Log entries
- File names
- environment variables
I don't know what you mean by "done to death", but if you are trying to say developers have stopped publishing websites with:
- XSS
- SQL Injection
- Javascript hijacking
- HTTP response splitting
- Guessable session keys
- Path injections
- Dumb insecure default configurations
- Hard coded passwords
- Remotely viewable stack traces
- Out of date frameworks
- Weak upload algorithms
- exposed direct object references
- attacker controlled primary keys
then I think you would be wrong.
Secure programming is not as simple as a 200 word Slashdot comment, but it's not impractical to learn.
Yes, there are buffer protections in managed languages like Java and .NET. But every language suffers from programmers failing to validate data, or validating incompletely, or missing some assumption about the environment. Both C and Java suffer from format string vulnerabilities, although they're not popularly used in Java.
Architectural problems like a hard coded password, a sloppy insecure default configuration, making a session key too easy to guess, goofing up exception handling during a security sensitive operation... have almost nothing to do with the source language.
And please don't repeat that WRONG information about pointer and buffer management just being a matter of cluefulness. My research and that of others has shown that even smart people make mistakes, and smart programmers who know better continue to write buffer overflows even though we've had 30 YEARS of buffer overflows to get a handle on the problem. Beginners and old timers tend to make different sorts of oversights; that's all.
F-15
Is that a joke? I can't tell what the diagram is supposed to mean.
Wow, way to miss the most exciting parts of the article. Try again.
Cliff Notes:
1. Pay for tasks students know how to do: success.
2. Pay for outcomes students don't know how to attain: failure.
3. Number 1 continues after the payments stop.
I guess more of us are just going to have to chime in and reiterate that your comments are not clever, before you start to believe us.
One virus
Two viru's