Maybe it's time to realize that OpenSSL has become obsolete. For me it's totally unacceptable that even now the documentation is [STILL INCOMPLETE]. Instead of wasting time with cleaning up a pile of dirt, use that time to start supporting PolarSSL in all your applications. Its code is clean and it is well documented. Once you give PolarSSL a try, I'm sure you will wonder why the hell you were using OpenSSL all that time.
Not GnuTLS, but PolarSSL. The reason for moving away from OpenSSL is its horrible documentation. Or, better said, the lack of any documentation. I tried to implement SNI support in my open source web server (Hiawatha http://www.hiawatha-webserver....), but there was no proper documentation or example code available. With PolarSSL, it was done within a day. All other SSL features were implemented in a cleaner way. No ugly callback stuff.
Even with the OpenSSL 1.0.0 release some time ago their documentation was still incomplete. I seriously don't know how to take a piece of software (especially libraries) seriously with proper and complete documentation. I believe proper documentation and support is even more essential to software than code quality.
I do know 'anythin' about OpenBSD. And yes, I was already aware of the things in the online presentation. But OpenBSD is not unique in this matter. Other OSes offer the same functionality. OpenBSD is quite unique in its strong focus on writing correct code. But that alone is not enough for being a 'secure OS'. OpenBSD has security features that other OSes lack, but the same goes for any other OS. If you call OpenBSD secure just because they focus on writing correct code, then you're missing the point about what good security is all about.
OpenBSD is nothing more than software with a very low bug count. While bug-free software is a nice ingredient, much more is needed for real security.
Nice example of insecure code at their login screen (http://go.microsoft.com/fwlink/?LinkId=309297&clcid=0x409&slcid=0x409):
What if InsertOrUpdate() or Save() fails? Lesson number one in secure programming: ALWAYS check return codes of functions.
"It isn't stealing. When I steal, you don't have what I took from you."
That's not the definition of stealing. It's taking what is not yours without getting permission or paying for it, while you should have. This is also the case with pirating.
Btw, congrats TPB and I hope you live many more years!!
It's called Prowl. http://www.prowlapp.com/ Simply send an e-mail to a special e-mail address and you'll get a notification on your iPhone. And it's even cheaper than 5 bucks. Topic can be closed.
Took a quick look at Laravel; it's yet another framework like a dozen others.
All such PHP projects can be divided into two groups: frameworks and CMSes. A big problem with all those PHP frameworks is that you have to write stuff like user administration, authentication, static pages from the database, etc. yourself. In my opinion, in many cases the MVC architecture is not implemented in a clean way and it's often too complex to translate a URL to an actual file on disk.
A big problem with most CMSes (like WordPress, Joomla and TYPO3) is that it's one big chunk of code. There is no clear separate framework layer. It's quite a torture to add or change functionality by writing code. And don't even get me started about security!
That's why I wrote the Banshee PHP framework. Clear MVC implementation, easy routing, strong focus on security and clear separation between framework layer and CMS. Clear the controller, model, view and CSS directories and what's left is the framework. Although I call it a framework, it's more of a framework / CMS hybrid.
It is not my intention to spam about my framework, but I realize this post can be seen as such. Sorry for that. I only want PHP developers to know there is more than those minimalist frameworks or bloated CMSes.
Re: Still no support for TLS 1.1 / 1.2 (on "Firefox 21 Arrives")
Clippy?? Dude, you haven't updated your computer for too long. Get your ass off the web, right now!
Still no support for TLS 1.1 / 1.2 (on "Firefox 21 Arrives")
And the only thing I really want in Firefox is *still* not there. But instead, more crap features.
Good security is not about making clever rules. It's about dealing properly with the exceptions to those rules. Banishing liquids from airplanes is nothing more than a rule. Its level of security depends on how you deal with the situations in which you must, or at least should, allow a bottle of liquid on an airplane. If you don't have rules for that, if your personnel is not trained for and aware of those situations, your whole security setup is vulnerable to social engineering and it becomes nothing more than security theater.
I totally agree. The TSA consists of a bunch of mindless idiots following stupid rules. There is nothing that those TSA idiots did that ever stopped a terrorist attack. The only thing the TSA is good for is wasting money and pissing off Americans and foreigners.
He's comparing security with health and driving to 'prove his point'. Security is not the same as health or driving. So, any conclusion from making a comparison is a false one.
Second, you don't have to choose between completely ignoring security awareness training and spending lots and lots of money and time on it. There is a very good choice somewhere in between. I agree with him that the information systems have to be secure and shouldn't offer dangerous actions, but no matter how secure you make your information system, it will all fail if the user has no clue about what he or she is doing. And giving employees a basic level of security awareness doesn't have to cost a lot of money but will still help you prevent a lot of trouble.
They don't classify as terrorists if you ask me. Not every lunatic murderer is a terrorist.
Tell me, when was the last time terrorists did food poisoning?
Hmm, placed the PolarSSL link at the wrong place. I hate it when you can't edit your post.
That escalated quickly...
Wasn't that the guy behind the lamest vendor response in 2007? A little less harshness in your comment would be appropriate, Mr. Theo.
Definitely PolarSSL.
And you're one of those teenagers that clicks code instead of writing it. Amateur...
Right, it's clear you haven't done much code reviewing. Not checking for return values is where things go wrong very often.
... look at what your government does to people anywhere around the world.
Why such a promise? Can I read this as a confirmation by the USA that they've tortured other people?
With OpenBSD and especially its main developer, nothing is arguable...
If Mozilla took Firefox seriously, they would implement TLS 1.1 and TLS 1.2 support instead of these useless features.