Comment your information is 20 years out of date (Score 5, Insightful) 421

You're comparing 1990s Apache to 2013 IIS. If you care to know what you're talking about, you may wish to have another look at what has changed in the last 10-20 years. Here's one example that's not only way out of date, but also wrong even for that time period:

> why is Apache still spawning processes for every request that comes in... don't they realize the overhead of that??).

Prior to the release of Apache 2.0 in 2000 (fourteen years ago), Apache pre-spawned a group of processes and each process would handle one request AT A TIME. It never spawned a process for each request; it had a pool of processes that were reused. Pretty much just like how modern browsers now run separate tabs in separate processes. The #1 reason for that was to allow Apache to use libraries (like GD) that weren't thread safe. If Apache were multi-threaded rather than multi-process, you couldn't use those libraries.

Note also that Apache was designed for SERVER operating systems like Unix, Linux, and BSD, not for a desktop OS. On a server OS, forking a few processes at startup isn't that resource intensive, far less intensive than preloading IE and Office at startup.

Of course, like everything in Apache, the multiprocessing is done by a module, so you can still use processes rather than threads if you want to. You can do that, and by choosing sane settings for the number of spare processes you won't fork new ones more than a few per hour.

> A lot of the performance reasons that are behind people switching from Apache to Nginx

I tested this very thoroughly. 90% of the performance difference of Nginx, which only occurs on some systems, is that it essentially forced noatime, regardless of the administrator's selection of mount options. Back when noatime wasn't the default, less-knowledgeable admins who didn't know to use noatime would see a significant performance benefit from Nginx vs Apache. Knowledgeable admins would mount with noatime, and find that Apache and Nginx performance was almost identical. Knowledgeable admins would also comment out the 90% of available modules they don't use, like mod_speling, and set MaxClients etc. appropriately. With a reasonable configuration, Apache can give better performance than Nginx, depending on which benchmark you choose. In all cases, Apache provides more PREDICTABLE performance because it actually works as documented, while Nginx has documentation copy-pasted from elsewhere, but their code isn't actually the same as the server they copy-pasted documentation from.

Comment Almost true from 1995-2000 (Score 1) 153

> If I want to include an RCMP officer in full dress uniform in a stage play even in the country where they come from then I have to get permission from Disney to use the image.

That was almost true for a few years, from 1995-2000. The RCMP had a merchandising contract wherein Disney Canada would manage whatever rights RCMP had to the mountie image. They figured Disney is pretty good at managing the branding of a character, so they contracted with Disney to manage the Mountie character.

Does the RCMP have the right to control whether or not you have an RCMP officer in a play? Probably not. The image wasn't a registered trademark, and you're allowed to use other people's trademarks in certain ways. Therefore, they couldn't have Disney manage that right for them.

To the extent they did have Disney managing their licensing for merchandising, that deal ended fourteen years ago.

Comment Threatpost, professional, processes (Score 4, Insightful) 177

Threatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.

You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache; there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security, and I'm still learning, so there's just a lot to know.

Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.

If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. Sftp is as easy to use as ftp, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security". Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.

Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.

The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security" is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.

Comment details yes. Average attacker breaks average secur (Score 1) 97

I've worked in the field of IT security, so I too will be looking forward to learning details. The story of the TJX incident was quite interesting, not just the technical details, but also the conversations between the perpetrators, the fact they knew they were getting greedy and should have gotten out of Dodge, etc.

I'm not so sure it needs to be either really crappy security or a great cracker. Generally, breaking things is easier than making things, so an average bad guy can defeat average security. I've never encountered security I couldn't bypass, either in IT or physical security. (I'm trained in locksmithing). I'm not the world's greatest cracker, but I only need ONE way in. The defender has to secure EVERY possible weakness. That's a huge advantage.

It's like a football game where one side wins the game if they score just once.

Comment close enough is pretty simple. $200 CC or cash (Score 1) 97

That was a useful system. There are two simple ways to get approximately the same amount of security, in exchange for the same or less amount of hassle.

> tell it that the next time I swipe my credit card, make it generate a one-time number only good for $50?
> I go to Target or Staples or wherever, spend $25, the number is never valid again and I have nothing to worry about.

For $25-$50, that's called cash. No need to pay the credit card company $1 on a $25 transaction, and you are paying them, indirectly. No need to create hackable and trackable records of every little purchase you make daily, either.

The other thing you can do is get a card with a $200 limit, or a debit card, and tell them not to allow overdrafts. Set up an automatic payment to the card for $100 twice per month or whatever. That way the bad guy can't hit you for more than $200, or whatever amount you put on the debit card. You can have the bank email you if your available balance gets low and add another $100 or whatever you're comfortable with. Crapital One makes this very simple and quick, but they are evil so I'd rather use a debit card that has the same options for automating things.

Comment Works in MySQL and MS SQL (Score 1) 343

> Apart from the fact that you're mixing UPDATE syntax with INSERT syntax

Works in MySQL and MS SQL, ymmv for any other RDBMS.

In regards to both escape_string() and htmlspecialchars(), two words: character sets.

They are not fundamentally any better than addslashes(). They just have a bit more duct tape.

Comment Definition: Secure systems keep working, no matter (Score 1) 343

One way to increase that "expected gain" is to take a slightly wider view of what security is. Security is more than just locks and passwords - it includes defense against denial of service attacks, for example. A useful definition of system security is:

A secure system is one that continues to work properly, even in the face of attack.

An example is one of the most common security issues, SQL injection. My workplace had a typical example:
INSERT INTO users SET fname='$fname', lname='$lname';

From a traditional security perspective, we worry about an attacker entering a "name" that includes quote marks and such. However, the same issue also meant that things broke nicely when Tom O'Reilly tried to register, using his real name.

Fixing that issue meant that attackers couldn't mess up the system - and the "random" errors in the system stopped.

As another example, we provide a service called Clonebox. With Clonebox, if a customer's web server is hacked or otherwise damaged, we can switch it over to a ~read-only mirror. Sure that protects against hackers, and some customers have been hacked and used the protection. More often, customers simply screw up and delete important files or databases. Either way, they are protected - our customers' web sites keep working, even when they screw up, even when hardware fails, and even when they are hacked.

So the pitch, and the cost/benefit calculation is this:
How much is it worth to have systems that just keep working, that don't screw up, that handle any input gracefully?

It can be good to ask that question right around the time some executives are cursing the current system.
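As an added illustration of the point above (example code, not the poster's): the same insert done by pasting values into the SQL text and by binding them as parameters, run against an in-memory SQLite database. It uses the standard INSERT ... VALUES form rather than MySQL's INSERT ... SET, and the names are constructed sample input.

```python
import sqlite3


def make_db():
    # Constructed schema: a minimal users table like the one in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (fname TEXT, lname TEXT)")
    return conn


def insert_naive(conn, fname, lname):
    # The pattern from the post: user input is spliced into the SQL text,
    # so an apostrophe in the data terminates the string literal early.
    sql = f"INSERT INTO users (fname, lname) VALUES ('{fname}', '{lname}')"
    conn.execute(sql)


def insert_param(conn, fname, lname):
    # The fix: the SQL text is fixed and the values are bound separately,
    # so quote characters are plain data, not syntax. No escaping needed,
    # which also sidesteps the character-set problems of escape functions.
    conn.execute(
        "INSERT INTO users (fname, lname) VALUES (?, ?)", (fname, lname)
    )


def registered(conn):
    return conn.execute("SELECT fname, lname FROM users ORDER BY rowid").fetchall()


def try_register(insert, fname, lname):
    """Run one registration on a fresh database.

    Returns ("ok", rows) when the insert succeeded, or ("error", message)
    when the database rejected the statement, so the two approaches can be
    compared on the same input.
    """
    conn = make_db()
    try:
        insert(conn, fname, lname)
        return ("ok", registered(conn))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    # Tom O'Reilly (constructed sample input) breaks the naive version and
    # registers normally with the parameterized one.
    print(try_register(insert_naive, "Tom", "O'Reilly"))
    print(try_register(insert_param, "Tom", "O'Reilly"))
```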

Comment CAN A DA (Score 1) 719

He said that they'll have to migrate further and further north each year, so that those in the bay area in 1997 would have to be all the way in CANADA within 100 years. So roughly 20 miles per year, or 340 miles in 17 years since he made that statement. Has anyone or anything moved an inch, much less 340 miles?

Your next step is to say he's a fringe kook, not representative of what people have been saying. Well, he's a tenured professor of climate science at Berkeley, a position as well respected (by the left) as a constitutional law professor / community organizer.

Comment Same as earth, for intelligent life (Score 5, Funny) 391

For intelligent forms, that seems to be the case here on earth.

There are about 1.5 billion smartphones on the planet. If you ask a smartphone "who is the vice president of the united states", approximately all of them will say (speak) "Joe Biden is the vice president".

Based on surveys I've seen, only a couple million people reach the same level of intelligence, knowing who the vice president is. Therefore, silicon can be considered to be the most common form of intelligence on earth.

Even more so on the coasts of the US, of course, as humans are becoming more silicone, leaving all intelligence to the silicon.

Comment Thanks, next stop - single particles don't interfe (Score 1) 197

Thanks for taking the time to type that out. It gave me a starting point to learn more, and I learned that if you release particles one a time, each particle makes one mark, one dot. One particle doesn't interfere with itself, and can't because the interference pattern is seen in the density of collisions over an area.

As many of these single dots build up, they tend to cluster around an interference pattern - as if some particles went through one slit, and some particles went through the other slit. Well yeah, if I turn on the light in my living room, some photons go out through one window, some photons go through the other. Each goes through one or the other.

So I do very much appreciate it, yet I'm as yet unsure where to go to "get it", to have the ahah moment of "this is what it's all about!"

> you'd expect is to get a pattern that's the SUM of the pattern you get through each slit. ... But instead what you get is an INTERFERENCE pattern

I thought the definition of the word "interference pattern" is "the SUM of two waves". So you'd expect a sum, and you get a sum, which is called an interference pattern.

Again, thanks.

Comment California Energy Commission still saying it (Score 1) 719

Here's the California Energy Commission STILL saying it. Since 2010 has passed, as of 2012 they pushed the "underwater by" date to 2050:
http://www.energy.ca.gov/2012p...

Here's an "underwater San Francisco" map that GW alarmists were circulating in 1997:
http://www.sfgate.com/news/art...

Asked about the effect on California, professor of climatology at the University of California at Berkeley Orman Granger said in 1997:

"Climatologic records over the last 10,000 years show that species move north (in the Northern hemisphere) roughly 500km for every degree C temperature increase ... in order to survive they have 100 years to move to Canada".

Comment more simplifications and fewer cats, please (Score -1, Troll) 197

With a few more simplifications maybe I can "get it". So far, much of quantum physics sounds like gobbledygook to me, and I had no trouble with relativity in 6th grade. I had to learn a little calculus to read Einstein, but that wasn't a big deal.

If you understand quantum physics, or think you do, explain this. There is a cat, in a box. You can't see the cat. Is the cat alive or dead?

Wrong, asshole. YOU can't see the cat, but I can see the cat shitting in his litter box right now. I can assure you he's very much alive. So Schrödinger was full of shit.

Unless by "both alive and dead" what you actually mean is "the cat is either alive or dead, I just don't happen to know which", in which case: no shit, Sherlock. You don't know everything. Is that supposed to be a revolutionary new discovery?

Comment I deny that San Francisco underwater by 2010 (Score 3, Insightful) 719

I suppose I'm a global warming denier, by the common standard here on Slashdot. The global warming alarmists and pitchmen said "San Francisco will be underwater by 2010". Unfortunately, it's still there.

That's one of two big problems for the global warming camp. Well-known leaders of that movement have publicly admitted to organized, widespread lying and intentional exaggeration in order to "spur the public to action". I deny that they've been telling the truth, and they agree! Has the "science" gotten any better? Well, we know that a typical volcano releases a couple tons of CO2 each day. A few months ago, there was an "OMG Global Warming!" story here on Slashdot that reported atmospheric CO2 levels rising more than expected, based on measuring CO2 on a friggin volcano! Which is kind of like reporting global average humidity based on moisture measurements taken below Niagara Falls.

There IS some good science supporting global warming, but the alarmist stuff makes better headlines, so 90% of the "science" reported is complete junk, obviously so. I reject all claims based on this utter junk pseudo-science.

The second problem is more recent. Every president has their slush fund, a federal program or two which they use to send tax money to their donors, who send some back as campaign donations. It just so happens that THIS president's slush funds are included in the $100 billion we're spending on "green". For example, the taxpayers loaned over half a billion dollars to Fisker to develop their electric car. Fisker turned right around and handed millions of it to Obama and other Democrats. There's nothing new about that, of course, other than the exchange of greenbacks is normally labeled "green energy" right now. That makes anything labeled "green energy" or "save the planet" inherently suspicious, just like Halliburton contracts were suspicious when Cheney was in the White House. We know that any proposal to spend "half a billion for green energy" means $10 million for the DNC, $10 million for Hillary's campaign, $10 million split between a few congress-critters, $50 million for their CEO friend's golden parachute, and $420 million to who-knows-where. Again, not new; Halliburton was the same. "Green" is the new "Halliburton".
