
Comment Re:And? (Score 1) 543

But most SS card applications are issued at the hospital nowadays. I got mine when I was 8 or 10 or something (I remember getting it). In the case of all my kids, my wife filled out the application at the hospital, or it was included in a packet from the hospital. Just another reason to hate SS (and the rat hole it is that we pound money down into).

Comment Re:Has Bruce gone bat **** loco? (Score 1) 173

Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails quickly, because people who don't value security will abuse whatever privileges they have, thinking that they're helping someone.

And you need an ISSO or some other security expert/chief/scary person to strike fear into them and into having that mindset. I think a Czar sounds scary, don't you? ;-)

Comment Re:Makes sense (Score 1) 173

>>The Democrats aren't much better, but at least they're trying to spend money on people in THIS HEMISPHERE, let alone in this country.

Well, then independent of who let this through (below), Bush's Admin. or the Democratic Congress ... maybe they should go kill this (heard about it on the radio):

http://www.cnsnews.com/public/content/article.aspx?RsrcID=47976&print=on
http://mediamatters.org/research/200905130010

Comment Re:Hmm. (Score 4, Informative) 84

Hope you're not trying to "enumerate the bad" (i.e. looking at $foo ~= /<script/i in the input ... or even '<'). There are lots of ways to escape such validators. A great resource on some is here: http://ha.ckers.org/xss.html I say, unescape everything back to the browser (even email addresses). OWASP has a good resource: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
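
An added example, not part of the comment above: it contrasts the `/<script/i` deny-list check the comment mentions with HTML output encoding at render time. The function names and sample inputs are constructed for illustration.

```javascript
// Added illustration; all names and sample values are hypothetical.

// The "enumerate the bad" check: accept input unless it contains "<script".
function denyListAllows(input) {
  return !/<script/i.test(input);
}

// Output encoding for HTML element content and quoted attribute values.
// Other sinks (inline JS, URLs, CSS) need their own context-specific encoders.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Encode every untrusted field where it is written into the page,
// including fields that "should" be harmless, such as an email address.
function renderComment(author, body) {
  return `<p class="comment"><b>${encodeHtml(author)}</b>: ${encodeHtml(body)}</p>`;
}

// Constructed sample inputs.
const SAMPLES = [
  'user@example.com',
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',       // markup without the "<script" substring
  'Tom & "Jerry" <tj@example.com>'
];

// For each input: does the deny-list accept it, and is the encoded form
// free of characters that could open a tag or close an attribute?
function evaluate(samples) {
  return samples.map(input => {
    const encoded = encodeHtml(input);
    return {
      input,
      passedDenyList: denyListAllows(input),
      encoded,
      inert: !/[<>"']/.test(encoded)
    };
  });
}

for (const r of evaluate(SAMPLES)) {
  console.log(r.passedDenyList ? 'accepted' : 'rejected', '|', r.encoded);
}
```

The third sample is accepted by the deny-list yet is still markup, while the encoded output of every sample contains no tag or quote characters.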

Comment Re:I can think of a few (Score 1) 496

but the notion that "wireless=fundamentally insecure" seems dubious at best.

I would say "Wireless=More Attack Surface" ... Some might say fundamentally *less* secure because of that fact. A key factor in security is reducing attack surface to only what is necessary for the required/intended functionality.

Yes ... people should take more care in operating wired networks as well.

Comment Re:I can think of a few (Score 1) 496

so I'm not sure what you plan on doing with your recorded authentication attempts.

I was thinking of sampling and using them like Dr. Dre, Vanilla Ice and others. One or two hits and I could retire early. There's gotta be a golden one in there somewhere with all that traffic!

Comment Re:which state(s)? (Score 1) 784

Well ... we're dealing with folks who like tax revenue .. so they'd probably like to say **BOTH**.

Also IANAL, but isn't Congress not supposed to make laws about interstate commerce?

In reality though,
- taxing from the seller state makes it less attractive for businesses to do business there.
- From the buyer's side, makes it complicated, because then the business may have to pay/file in every state depending on where

Either way ... it's a discouragement for the businesses as far as I can see. They're using the recession to say that they really need this. Yeah ... I'm sure that's the solution!! I bet that will make big government and its employees more responsible with the money they from the US' collective pockets.

Comment A platform question (Score 1) 133

OK ... I've only read up on it a little so far, but I have to ask:

Most of those apps use mysql on the backend (at least WP and Drupal do ... and those are two of the main apps touted). BUT! The platform only mentions SQL Server as far as I've read so far. Is MySQL quietly installed or is this some port of those apps that uses SQL Server? Some DB Abstraction Layer (find that hard to believe)?

Mod me down for not reading enough or being lazy if you want, but I am still trying to figure out how they include some of these apps without including MySQL.

Anyone actually played with it yet?

Comment Re:The Best Defense is Offense (Score 1) 232

Exactly, the browser's history is not protected per tab, but is globally accessible by all tabs (and their js) AFAIK. The browser-maker has to figure out how to balance the security of the tab versus the convenience of a global history for the user. As I understand it, the only piece of info needed here is your history ... nothing from your banking site tab itself. So ... it's a question of whether or not the history can be "stove-piped" and protected as tab information as far as js is concerned.

For that matter though ... I'd be fine with banning js from having access to browser history at all. I don't think the trade-off is worth it in the end. Would break a lot of stuff out there I'm sure (well ... none of my stuff).
