
Comment Re:invite more people in? (Score 1) 547

because they don't integrate. Even politicians have to admit that multiculturalism failed.

This seems to suggest a misunderstanding of what multiculturalism is. The clue is in the name, it doesn't presuppose integration, at least in the sense you seem to be using it, (that would be a monoculture), rather the side by side existence of multiple cultures.

Comment A lot of PCI is about scope management (Score 2) 91

I'd be looking at moving that email server out of scope, ie out of your PCI environment.

You'd need some policies around your use of email (ie "We don't send cardholder data via email", with bonus points if you have a way of 'enforcing' that, eg a mail scanner) but with that in place there should be no reason why your mail server is in scope if it's separate from your PCI environment (ie hosted elsewhere).

Comment Why I chose PS4 (Score 1) 375

In the same situation I ended up going for the PS4. All in all they seemed pretty similar but the PS4 seemed marginally better performance wise. Its smaller size was also a factor for me.

The swinger though was probably Morpheus/Playstation VR. Obviously it's not out yet, but I've been waiting for decent VR since I was a kid (ie for over two decades) so the possibility of it coming to a home console holds a lot of excitement. Whether I end up getting it depends on reviews etc but, with all other things being relatively equal between the consoles, keeping that option open down the road was a factor.

Comment Lots of layers to consider (Score 1) 74

There are several layers here that make a solution quite "interesting". On the one hand you are trying to protect your users by avoiding serving them bad content. On the other hand you want to protect your service. Protecting your users means doing more work on the uploaded content which increases your own attack surface.

Personally if we are just talking about PNGs then I think that one of the safest things for your clients/customers would be to not serve the file as uploaded, but to serve a file that is the result of a successful render->save process (which might get you a bonus improvement of allowing you to optimise the image). That way you should end up serving a valid image without any dodgy stuff someone may have tried to sneak through. Of course there have been plenty of vulnerabilities in image handling over the years. So reprocessing the images does come with its own risk that might suggest its own mitigations (eg doing it on a separate untrusted server that doesn't have access to anything interesting).

There might be third party services you could use, but of course that opens up its own questions in terms of trust, security and availability.
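As an added illustration of the "re-save rather than serve as uploaded" idea in the post above (an example added here, not the commenter's code): a chunk-level PNG re-serialiser in Python that keeps only the critical chunks, verifies every CRC and the IDAT zlib stream, recompresses the pixel data, and discards anything after IEND. It is narrower than a full decode and re-render (it does not re-run the scanline filters or touch pixel values) and is meant to run on the isolated worker the post suggests. The sample upload is constructed inline; function names are my own.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):  # serialise one chunk with a freshly computed CRC
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def resave_png(blob):
    """Validate the upload chunk by chunk and rebuild it from IHDR/PLTE/IDAT/IEND only.
    Returns (clean_png, dropped_chunk_types); raises ValueError (or zlib.error) if malformed."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, ihdr, plte, idat, dropped = len(PNG_SIG), None, None, [], []
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header or missing IEND")
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype, end = blob[pos + 4:pos + 8], pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC on chunk %r" % ctype)
        if ihdr is None and ctype != b"IHDR":
            raise ValueError("first chunk must be IHDR")
        pos = end
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"PLTE":
            plte = data
        elif ctype == b"IDAT":
            idat.append(data)
        elif ctype == b"IEND":
            break  # bytes after IEND (e.g. an appended payload) are never copied
        else:
            dropped.append(ctype)  # tEXt, zTXt, iTXt, eXIf, private chunks, ...
    # IDAT must be one complete zlib stream; recompress so the output bytes are ours
    scanlines = zlib.decompress(b"".join(idat))
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    if plte is not None:
        out += _chunk(b"PLTE", plte)
    out += _chunk(b"IDAT", zlib.compress(scanlines, 9)) + _chunk(b"IEND", b"")
    return out, dropped

def sample_upload():  # constructed input: 1x1 red RGB PNG plus a tEXt chunk and junk after IEND
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00constructed")
    png += _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b"")
    return png + b"<junk appended after IEND>"
```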

Comment Thank you for playing Wing Commander (Score 4, Interesting) 145

As development for Wing Commander came to a close, the EMM386 memory manager the game used would give an exception when the user exited the game. It would print out a message similar to "EMM386 Memory manager error..." with additional information. The team could not isolate and fix the error and they needed to ship it as soon as possible. As a work-around, one of the game's programmers, Ken Demarest III, hex-edited the memory manager so it displayed a different message. Instead of the error message, it printed "Thank you for playing Wing Commander."


Comment Re:Great news! (Score 1) 125

See, the introduction of the GST was to coincide with the bundling of a bunch of other taxes into one. For some goods, most notably electronics and "luxury items", they actually got cheaper. This was because it's truly a stealth tax on the poor, by taxing commodities like bread and orange juice (which previously would have been taxed at lower rates or even subsidized),

Bread and orange juice are not subject to GST.

Comment Re: Lame (Score 1) 95

There is literally nothing for me to buy right now. Why can't this 10% off be in the form of a code that we can use any time we wish?

Isn't that pretty much what Sony are saying they will give? A code you get to apply to a shopping cart once?

"In addition, sometime this month we will announce that for a limited time, we will be offering a 10 percent discount code good for a one-time discount off a total cart purchase in the PlayStation Store as a thank you to all PSN members."

I suppose the "for a limited time" could be a problem, depending on how reasonable it is. If it was something like 6 months then it probably isn't too bad. In that time frame there would probably be something you would buy anyway. At that point it probably comes down to whether the code recipient is capable of delaying gratification. If there's plenty of time to use the code and you choose to use it to buy things you wouldn't have otherwise then that'd be your choice (no doubt one Sony would be happy with). Personally I'll aim to hang on to it until there's something I want. If it turns out there's a game I want, a TV series I want and a movie or two I'd like to see then the 10% could be quite a saving. Then again I've already got more games queued up than I have time to play.

Comment Re:Why the distros? (Score 1) 112

"well, distributions backport security fixes, so 5.3.3 is secure on distro XYZ".

Are you aware of any analysis as to the extent that is actually true, ie for distro X or Y which patches really have been backported and which are skipped?

I had a quick poke about the W3Tech site and couldn't really see much of their methodology, especially in terms of how they identify PHP usage and what version is being used. I'd have thought that if you looked at their PHP page there should be a not insignificant number where they can reasonably guess it's using PHP (due to file extensions in URLs perhaps) but not be able to identify the version being used.

I wonder how much your "% of installs that are secure" statistic could be inaccurate due to most (I'd hope) sites that care even slightly about security suppressing the Apache header PHP version information. Are they just missing from the W3Tech stats? It's possible that a significant number of the "secure" PHP installs could be invisible to your calculations because the sort of people who keep their software up to date are the same people who follow fairly basic server set up recommendations.

I suppose there are also questions as to what "insecure" means in practice. For bulk hosting sites running unknown third party code everything is critical but for a lot of sites running their own code whether they are actually "insecure" depends not only on what PHP does but also what their code does. Eg for the most recent PHP 5.4 release there is a fix for a fairly nasty looking bug in unserialize(), but (as I understand it) a site admin with a defined codebase might quite legitimately determine that they never use unserialize() on user generated data and not be in any rush to update if they have other things to be doing. PHP version 5.4.35 might be "insecure" for the purposes of your stats but may not be in practice on someone's server if they know they don't use unserialize() in an exploitable fashion (or mcrypt).

None of the above should be interpreted as criticism of your analysis, just food for thought. I find what you have done very interesting and expect that even if there are 'hidden' secure servers, the number of insecure ones would still be alarmingly high.
