
Comment Re:Important to note (Score 1) 289

Think of literally *any* activity, object or substance, and you can find a person who has serious addiction issues with it. Usually it has more to do with the personality type than the subject of their addiction.

Too lazy to find the citation - it was an article in the New Scientist, but data from the heroin-riddled veins of Vietnam vets returning to the USA backs this up. Home-grown junkies are a self-selected group. When you take a broad chunk of society and put them on heroin (as happened in the Vietnam war), they mostly drop it when they return home.

This was pretty good evidence that the addiction is more a function of the addict than the drug.

Comment Re: Further proof the web model blows (Score 1) 54

I coded the payment system on our store's website in python CGI scripts.

You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.

I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.

I was answering the question as asked, not filling in the details to satisfy your curiosity.
The relevant bit is attack surface and the reduction thereof, by doing things outside the memory space of the web server and passing all data through a well-controlled pipe. You might be able to write secure code in PHP. But the language is largely irrelevant to the method of attack surface reduction I was employing and referring to, whereas CGI is. Old school, simple, separated.

Comment Re: Further proof the web model blows (Score 1) 54

The honeypot is a simple way to identify an attack source. It's only one thing. As for any defense-in-depth structure, the failure of one thing doesn't compromise the whole. Preferably the failure of several things doesn't compromise the whole.

If you think there is anything to do with security in the PCI-DSS specs, you are sadly mistaken. They are a pile of poo.

Comment Re:The latest version as well? (Score 1) 54

heh, and how many websites get updated? If it ain't hacked yet... well, don't look... we don't want to upgrade.

It is the norm for these frameworks that the installation involves fifteen pages of "put that there, set that permission, put this in the apache config, install this pre-req". Tomato Cart and Zen Cart, I'm looking at you.

By the time you finally get it running, it seems like you have a massively fragile configuration consisting of many small changes. The idea of dropping an upgraded codebase on that is akin to saying "Your website will go down for a week while you get it running again, because that's how long it took you last time".

What is needed for a fix is instructions to "Change this line to say this" in your existing codebase. So you can make a minimally invasive change.

Comment Re: Further proof the web model blows (Score 1) 54

OK, I'll bite. What do you consider to be better than php?

I coded the payment system on our store's website in python CGI scripts. Keep it simple first. It helps that I'm a crypto security type engineer for a big techy company in my day job, so it's not a challenge to bake in defense in depth. It sucks when PCI-DSS scans ding you for insecure versions after their probe finds my honeypot.

Comment Re:And this is why modern systems abstract the UI/ (Score 1) 192

As far as I can tell, that's been trending since before I was at college. I graduated in 1991.

It's still a good idea though. I tend to build things as a collection of command line tools first. Usually operating against a shared data model, be it in RAM, or a database or whatever. Then it's easy to add arbitrary UIs and really easy to script actions within the system. If it's for my own use only, then it doesn't need to get past command line tools because GUIs are a crutch in most cases.

Comment Re:Go Work for the Competition (Score 1) 192

-it would be a *massive* undertaking, because the underlying, after *10 years*, is likely a "big ball of mud" at this point

Unless they built 'robust, maintainable code' (TM) ^_^

It's probably written in COBOL with subroutines in RPG II and 360 Assembler.

Or something ludicrous, like a Minecraft mod.

Comment Re:This is stupid ... (Score 1) 143

Example: in January 2200 we could just apply all leap seconds that are stale, around 10 or so.

The alternative, which is better, is to do something so often that implementation problems get ironed out before the big saved-up event.

So instead of a leap second, have a leap millisecond inserted 10,000 times more often than the leap-10-seconds. Humans wouldn't notice and implementation errors would be seen and fixed quickly.
