Submission + - Turns out nobody's sure what should count as a Cyber Incident (csmonitor.com)

chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure (http://hardware.slashdot.org/story/14/04/15/2032239/lack-of-us-cybersecurity-across-the-electric-grid), The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported. (http://www.csmonitor.com/World/Passcode/2015/0323/How-cyberattacks-can-be-overlooked-in-America-s-most-critical-sectors)

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications led to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however.

His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham, Washington, that killed three people, and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (http://www.cpuc.ca.gov/NR/rdonlyres/85E17CDA-7CE2-4D2D-93BA-B95D25CF98B2/0/cpucfinalreportrevised62411.pdf) duly note the role that the software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event.

Weiss says he has found many other, similar omissions that continue even today. One obstacle to properly identifying such incidents is that the popular understanding of a cyber incident borrows too much from the information technology industry, which focuses on malicious actors and software-based threats operating in traditional IT environments. “In the IT world, ‘cyber’ is equated with malicious attacks,” Weiss said. “You’re worried about a data breach and stolen data, or denial of service attacks.”

Weiss argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. “San Bruno wasn’t malicious, but it easily could have been,” Weiss notes. “It’s a nonmalicious event that killed 8 people and destroyed a neighborhood.”

Submission + - Modern PHP: New Features and Good Practices

Michael Ross writes: Robert, here is the book review meta-data:
author: Josh Lockhart
pages: 268
publisher: O'Reilly Media
rating: 8/10
reviewer: Michael Ross
ISBN: 978-1491905012
summary: Solid advice on some state-of-the-art PHP tools and techniques.

In recent years, JavaScript has enjoyed a dramatic renaissance as it has been transformed from a browser scripting tool primarily used for special effects and form validation on web pages, to a substantial client-side programming language. Similarly, on the server side, after years as the target of criticism, the PHP computer programming language is seeing a revival, partly due to the addition of new capabilities, such as namespaces, traits, generators, closures, and components, among other improvements. PHP enthusiasts and detractors alike can learn more about these changes from the book Modern PHP: New Features and Good Practices, authored by Josh Lockhart.

Programmers familiar with the language and its community may recognize the author's name, because he is the creator of PHP The Right Way, a website which he describes as "an easy-to-read, quick reference for PHP popular coding standards, links to authoritative tutorials around the Web and what the contributors consider to be best practices at the present time," in 21 different languages.

Yet rest assured that the book under review is not merely a dead-tree version of the website. Instead, the book covers the more recent advancements within the language, while the website covers best practices and standards. This should be borne in mind, otherwise the reader may be baffled by the absence from the book of certain topics on the website essential to the language, such as SPL, PEAR, and PHPDoc. Moreover, of the topics shared between the book and the website, the information is generally organized quite differently, with more example code in the book.

This title was published on 1 March 2015, under the ISBN 978-1491905012, by O'Reilly Media, who kindly provided me with a review copy. Its material is presented in 268 pages, organized into 13 chapters (The New PHP; Features; Standards; Components; Good Practices; Posting; Provisioning; Tuning; Deployment; Testing; Profiling; HHVM and Hack; Community), which are grouped into three parts (Language Features; Good Practices; Deployment, Testing, and Tuning) — as well as two appendices (Installing PHP; Local Development Environments) and an index. The publisher's page does not offer much of interest. However, all of the example code is available from the book's GitHub repository. There are differences between the GitHub code and what is printed in the book, e.g., a baffling require 'vendor/autoload.php'; in the first example code file. The author claims that the reader does not need to know PHP, but at least "a basic understanding of [] fundamental programming concepts" (page xiv). However, anyone without at least intermediate skills and experience with PHP could conceivably struggle with these more advanced subjects.

The first chapter is only a brief overview of the history of PHP, its current state, and some possible future changes to the language's engine. The real content starts in the second chapter, in which the author gives the reader a fast-paced introduction to his seven favorite major new features in PHP: namespaces, class interfaces, traits, generators, closures, Zend OPcache, and the built-in HTTP server. In some regards, the coverage is a bit too fast-paced, as some topics and questions likely in the reader's mind are not addressed — for instance, namespace case-sensitivity and techniques for ensuring that a chosen namespace is globally unique (page 9). For each topic, its purpose and advantages are explained, and sometimes illustrated with code examples, although none are extensive.

The second part of the book opens with a chapter on some of the new standards in the PHP ecosystem that are intended to move the common development process from a reliance upon one isolated framework, with an idiosyncratic coding style, to distributed components that can interoperate through the use of interfaces, industry-wide coding standards, and the use of autoloaders for finding and loading classes, interfaces, and traits at runtime. Components are covered in more detail in the subsequent chapter, as is Composer, for installing components and managing dependencies. The fifth chapter is a lengthy but information-packed exposition of numerous best practices regarding input data sanitization, password handling, dates and times, and safe database queries, among other topics. Some of the advice can be found in other PHP books and online, but all of this is neatly explained, updated with the newer PHP versions, and worthwhile as a refresher.

Deployment, testing, and tuning are the broad subject areas of the third and final part of the book. The author discusses the options for hosting your PHP applications, as well as provisioning any self-managed web server and tuning a server for optimal performance. All of the instructions assume you are using Linux and nginx, and thus would be of less value to those using Windows or Apache, for instance. The material on application deployment is relatively brief, and focuses on use of the Capistrano tool. Testing is often neglected in real-world projects, but certainly not in this book, as the author explains unit and functional testing, illustrated through the use of PHPUnit. This is followed by information on how to use a development or production profiler to analyze the performance of your application, with detailed coverage of Xdebug and XHProf, among other tools. The next two chapters dive into topics related to the (possible) future of PHP — specifically, Facebook's HHVM PHP interpreter and their Hack derivative language. The final chapter briefly discusses the PHP community. The two appendices explain how to install PHP on Linux or OS X for command-line use, and how to set up a local development environment. The author mentions a free edition of Zend Server, but the vendor page mentions no such pricing.

Despite its technical subject matter, this book is not a difficult read. The author's writing style is usually light and friendly, especially in the preface. In a few places, the phrasing is a bit too terse, which might prove momentarily confusing to some readers, e.g., "Function and constant aliases work the same as [those of] classes" (page 11). The text has some errata (aside from the two, as of this writing, already reported): "curl" (pages 15, 220, and 222; should read "cURL"), "a an argument" (page 33), "Prepared statement [to] fetch" (pages 99 and 100), "with [the] php://filter strategy" (page 110), "2 Gb" (page 129; should read "2 GB"), "the the" (page 154), "path to a the code" (page 176), and "Wordpress" (page 190; should read "WordPress").

One weakness with the book is that for several of the topics — including some critical ones — there is not enough detailed information provided that would allow one to begin immediately applying that technique or resource to one's own coding, but instead just enough information to whet one's appetite to learn more (presumably from another book or a website). Secondly, some of the narrative — particularly near the end of the book, when discussing various tools — would be of less value to anyone not developing an analytics environment. Beware that some of the tools require numerous dependencies. For instance, do you have Composer, Git, MongoDB, and its PHP extension installed? If not, then you won't be using XHGUI. Also, some of the installation and configuration steps are quite lengthy, with no details provided for troubleshooting issues that might arise. Lastly, despite the promise that any reader with only basic programming knowledge will be able to fully understand the book, such a reader would likely find much of its contents mystifying without further preparation from other sources.

Nonetheless, the book has much to offer, despite its slender size. Numerous resources are recommended — most if not all apparently vetted by the author, who clearly has considerable experience in this arena. Some valuable techniques are presented, such as those instances in the text where the author shows how to use iteration on large data sets to minimize memory usage. In addition, the example code demonstrates that the author has made the effort to produce quality code that can serve as a model to others. Modern PHP does a fine job overall of explaining and advocating the newer capabilities of PHP that would attract developers to choose the language for building state-of-the-art websites and web applications.

Michael Ross is a freelance web developer and writer.

Submission + - Ask Slashdot: Forgot Passwd leads to email with plaintext password, What to do? 1

Mike Lape writes: What is the best thing to do when you click 'Forgot Password' and provide an email address, only to receive an email with your current plaintext password in the email? Should the account just be closed as quickly as possible, or what if this isn't possible for some reason or another? Should a particular party, maybe the admin or tech listed in Whois, be contacted and see if they can/will remedy the situation? Has anyone had the experience where a simple email to someone at the company led to an actual change in both the policy and implementation of password storage? Could an email like this in any way possibly lead to the company trying to press charges, claiming they've been hacked or something?
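The question above turns on one fact: a site that can e-mail your current password can read it back, so it is not storing it as a one-way hash. As an added illustration (not from the post or any named company), the following hypothetical store keeps only a salted PBKDF2 hash and handles "forgot password" with a random, hashed, expiring, single-use reset token, so the flow can never reveal the current password; all class and function names are made up for this example.

```python
"""Hypothetical password store (illustration only; names are made up)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

# Work factor for PBKDF2-HMAC-SHA256; 600k iterations is the OWASP-recommended floor.
PBKDF2_ITERATIONS = 600_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Keeps only what is needed to *verify* a password, never to recover it."""

    def __init__(self, reset_ttl_seconds: int = 900):
        self._users = {}    # email -> {"salt": bytes, "hash": bytes}
        self._resets = {}   # sha256(token) -> (email, expires_at)
        self._reset_ttl = reset_ttl_seconds

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)           # fresh random salt per password
        self._users[email] = {"salt": salt, "hash": _hash_password(password, salt)}

    def verify(self, email: str, password: str) -> bool:
        rec = self._users.get(email)
        if rec is None:
            return False
        # Constant-time comparison so a mismatch does not leak via timing.
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Return the one-time token to e-mail, or None if the account is unknown.

        The token is random and unrelated to the password, and only its hash is
        stored, so a dump of the reset table cannot be replayed either.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._resets[hashlib.sha256(token.encode()).digest()] = (email, now + self._reset_ttl)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self._resets.pop(key, None)      # single use: consumed on any attempt
        if entry is None:
            return False
        email, expires_at = entry
        now = time.time() if now is None else now
        if now > expires_at:
            return False                         # expired tokens are rejected
        self.register(email, new_password)       # new salt, new hash; old one is gone
        return True

    def stored_fields(self, email: str) -> Set[str]:
        """What someone holding a database dump would see for this account."""
        return set(self._users[email])
```

Because the store holds no field from which the password can be derived, a "forgot password" handler built on it has nothing to e-mail but a reset token.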

Submission + - Space CAN expand faster than the speed of light

StartsWithABang writes: You know the fundamental principle of special relativity: nothing can move faster than the speed of light. But space itself? That's not a "thing" in the conventional sense. Two years after coming up with special relativity, Einstein devised the equivalence principle, and thus began the development of general relativity, where space itself would have properties that changed over time, responding to changes in matter and energy. This includes the ability for it to expand, even faster than the speed of light, if the conditions are right.

Submission + - Ask Slashdot: Advice for domain name registration

codepigeon writes: Hello, Slashdot! I would like to ask for your advice on selecting a domain name registration service to use (possibly registration with website hosting?). The last time I registered a domain name was around 1999, so I am out of touch with the current offerings.

I have visited a few of the major players' websites. They seem (mostly) similar in prices and services. I have also seen both positive and negative reviews for those companies. I am concerned about being locked in, or surprised with hidden fees. (I paid $75US for a year of service in 1999, now it is only $10.99US?)

I have been trolling Slashdot for about 15 years and respect the views of the users here more than anywhere else. I would love to hear your advice and/or warnings in this matter. I am looking to register a domain name for a development studio that is at the ground level (read: I'm the sole member). I have published a single app to one of the big app stores already and want to have a 'web presence' to publish information about my software and give users a place to submit complaints/requests. I currently don't see the need for any kind of major backend support for the website; simple HTML or JavaScript.

Which is the most trustworthy company to use for registration? Which ones have hidden fees or privacy problems?

Thank you.

Submission + - Moonlighting: 6 month hunt for extra work

rraylion writes: Hello dotters, I graduated from a university, got my CS degree, am in my career job, and it's okay, but I need to broaden my skills, and need more money. So I figured hey, I create things for a living; that's a skill a lot of people need. So I started looking for something to moonlight on as a side job. And I can't find anything... at all. I tried the code4money sites and those look disreputable, I looked at telecommute sites and those look worse, which is scary. I would love to find a company, or a few companies, that just need a few projects done and don't mind someone working part time in off hours. I wouldn't even expect a lot in terms of compensation, this is skill building, but I bring real experience to the table. Is this a unicorn I am seeking or is there a demand for this out there... if so, where do I find it? I do MVC in .Net, C, Java, SQL, JavaScript, a lil Python — the usual you know. I can pick up anything and run with it. What am I missing, and where do I find it?

Submission + - Poll suggestion: The coolest power drill brand 1

jones_supa writes:
- Makita
- Black & Decker
- Hitachi
- DeWalt
- Milwaukee
- Hilti
- Bosch
- Ryobi
- Metabo
- Panasonic
- Dremel
- Acme
- Some random store brand
- Unlisted choice
- Manual tools all the way

Submission + - Ask Slashdot: Good Keyboard? (newegg.com) 2

An anonymous reader writes: After five years of service, my keyboard is dying, and I'm starting to look for a new one. Since it's for my primary machine, and I spend a lot of hours there for both work and leisure, I'd like to invest in a high-quality replacement. What do you recommend? I've been using a Logitech G15, and it worked well enough — but not enough for me to buy another. (I've also heard that Logitech's build quality has been on the decline in recent years — has that been your experience, those of you who own their recent hardware?) Use cases include coding and gaming, so durability is a big plus.

I'd prefer something a bit less bulky than the G15, which has an area at the top for media controls and a tiny screen. I don't mind a thicker bottom bezel so much. I'm not a huge fan of ergonomic/split keyboard, but if you know a really excellent one, I wouldn't rule it out. Same with mechanical keyboards — love the action, but the noise is an issue. I don't need any particular bells and whistles, but don't mind them. As for a budget... as I said, it's for a heavy-use machine, so I don't mind investing in something. (That said, if I'm spending $150+, it better automatically make sure all my semicolons are in the right place.) So, what keyboard has served you well?

Submission + - Ask Slashdot: Does ITIL hate skilled people? 15

ulzeraj writes: First of all I would like to apologize about the language. I’m not a native English speaker.

I've been working with Linux and, to a lesser extent, Windows setups for 10 years now. During most of my career I've been involved with IT consulting firms. Last year I joined a retail store company that was in dire need of someone with good debugging skills. Their team is awfully unskilled, and during the course of the year I was able to improve a lot of their network and server systems, including automation, backup and restore strategies, complicated image deployment strategies and so on. I've also worked on improving the performance of their database and ERP systems and solved every fucking problem they’ve thrown in my direction, including some they didn’t really know existed. The company office was a great bazaar and overall fun to work in, and comfortable to boot, because their needs were always simple for someone with my skills, so in the end I would always blow their minds with the results. I should note that I never have a problem with knowledge sharing and documentation.

But recently the managers were replaced and the new guys don't seem to like me. They are pushing for ITIL doctrine in the IT department (and the whole company afterwards). For starters, they keep pushing administrative tasks on me that I'm not really fond of, like keeping in touch with our suppliers and managing project dependencies, so I’ve been spending more time attending meetings and mailing people than typing on a terminal. I've heard somewhere that the cult of ITIL somewhat hates the "hero culture" and that people like me are not really healthy for their dogmas and I’m considered a “risk”. I feel that even though I have so much that I can do for the company, I'll probably be cockblocked by their new "project management" department and whatnot.

As this is happening, it seems that people at the IT consulting firms really like my work and there are plenty of opportunities around. I know many Slashdotters like me who are more experienced have encountered similar situations. Does ITIL really hate creative and skilled people? Is my kind doomed to oblivion, and will I face stuff like this anywhere I go?

Submission + - Issue tracker for non-engineers?

purplie writes: My non-technical spouse is an analyst in a small county government department, a handful of people plus some contractors for projects. Their project/task management is mouth-to-mouth, sticky notes, and emails, and it's driving them crazy.

I want to suggest something like an issue tracker. It would have to work for tasks both large (year-long investigations) and small (arranging catering for a meeting).

The issue trackers I'm familiar with are too software-development-oriented, or make too many assumptions about your "agile" religion. Are there any good options for non-engineers?

They use mainly Windows and have iPads. I don't like web-based tools, but that might work better for them because they don't have administrative privs on their machines. Something that also incorporates a wiki might be nice. There will be resistance if it's not really easy to use.

Submission + - Companies are held back from using big data by IT execs scared of open source

Lemeowski writes: Most organizations are sitting on a goldmine of data, but they're not doing anything with it because technology and service vendors have led IT leaders to believe that to be "best in class analytics, you have to pay millions of dollars and wait years for its value to materialize." That is not necessarily the case, writes Sergo Grigalashvili, who oversees analytics for his company. He says open source tools and databases combined with "the government releasing treasure troves of data" can help companies see results quickly and cost effectively. The problem, he says, is there are still IT executives who "are not comfortable or even scared of using open source tools."

Submission + - The White House's $100M, H-1B funded tech job plan comes under fire (computerworld.com)

walterbyrd writes: The White House has established a $100 million program that endorses fast-track, boot camp IT training efforts and other four-year degree alternatives. But this plan is drawing criticism because of the underlying message it sends in the H-1B battle.

The federal program, called TechHire, will get its money from H-1B visa fees, and the major users of this visa are IT services firms that outsource jobs.

Submission + - Mondays Keep Us Up At Night

randomErr writes: Tune Hotels Group completed a study showing that we're like Wowbagger from The Hitchhiker's Guide to the Galaxy in that we can't deal well with Sunday afternoons and nights. People in general have a sleep deficit because of anxieties about starting the working week. Jason Ellis, Professor of Sleep Science at Northumbria University, is quoted as saying: "'Sunday-somnia' is something I see a lot and it's important that people deal with the issues surrounding their sleep deprivation so that it doesn't have a knock-on effect on sleep later in the week."

Comment Re:define terms in article summary (Score 1) 44

[...]

I'd be interested to see which distro can get its image down to the smallest (functional) size. Strip the OS down to just the absolute minimum required to boot it up, then leave it up to the Docker image creators to decide what services to enable. It's a great way to minimize attack vectors, keep image size down and make the container nice and lightweight.

A few years ago, for a special-purpose built box, I gutted a Slackware install, modified the disk scheduler in the kernel and removed every driver and every module that my hardware didn't use. My memory is foggy on the numbers, but I believe the install itself was under a handful of GB (with my development toolchain and libraries) and booted to run level 3 using somewhere between 64 and 128 MB of RAM (I think it was actually in the 32 MB range, but that sounds too small for me to be confident about it), and part of that was actually dedicated to the readahead daemon.

Granted, I'd never do that again, but it was a fun summer project to build a server rack when I was just out of college. These days I don't flinch at throwing hardware at a problem if I think it's going to take up my valuable time and it will scale for whatever values of "N" I'm expecting to be reasonable.
