No one can argue that Fusion-io started the PCIe SSD market - many laughed and now many are competing. I won't say they are the best for the price, but Tom's Hardware is misleading people when they compare OCZ against 5-year-old hardware. The 160GB ioDrive is the original product that FIO launched with. Still a good product, but that is like comparing the top-of-the-line Pentium with today's CPUs.
I have been working on a large data project for another state - this state has outsourced everything to 3 or 4 large companies. That itself is not so bad, but the state doesn't have anyone left to make decisions. Instead it is all left up to the vendors. It is difficult for vendors, even when trying to do the right thing, to know what the business (state) needs or wants for some things.
Trying to implement proper security controls and create separation of duties when everything is outsourced is hard to do. Especially when all vendors bid their part without expectations of having to handle new requirements.
I am sure Oracle shares some of the blame, but I bet the state is responsible for a lot too.
Writing is terrible, as others have mentioned... I won't rehash, but how could you get anyone to agree when they can't maintain interest?
Also, the premise is poor - at least how I understood it - "Advice is only good if it is followed" ?? People don't do simple things, so the problem is not the advice, it is the inherent laziness or not caring of most people.
Using your example - advice to quit smoking is not good as people still smoke. Sorry, the advice is still valid, but for some reason people feel that it doesn't apply to them. Tech is only different because advice can be simple or overly complex. The overly complex may be valid in some cases - but because people don't do it, doesn't make it bad advice.
"However, the app didn’t validate those connections, so users’ financial information was exposed during transmission." - This is false, the channel was still encrypted, but it is possible for an MTM attack to occur. Now if the client knows who it is talking too (IP Address) with some messages exchanged in the application layer, then SSL verification may not be needed. The real purpose of SSL cert validation is to authenticate who you are talking too - if you know you want to talk to server 10.10.10.10, then someone would have to subvert the routing protocols to intervene. And even with Cert validation, there are ways to conduct a MTM attack if that is turned on - NG firewalls and other SSL decryption corporate tools do it all the time if the users machine or phone has a custom issuing cert installed.