
Comments


Sequencing the Weed Genome

twistah Re:Now all we need is... (315 comments)

You would likely need something you could smoke or vaporize, or at least easily cook into/dissolve in fat, because I don't *think* enough cannabinoids would be released for a person to feel the effects, otherwise.

more than 2 years ago

Security For Open Source Web Projects?

twistah Re:Game or not, web app security is web app securi (105 comments)

To add to that, I guess magic_quotes_gpc is deprecated in PHP 5.x anyway, so you're right that it's not worth using. But there are settings within php.ini that can help harden PHP, though as I've said, it's absolutely no substitute for well-written code.

more than 4 years ago

Security For Open Source Web Projects?

twistah Game or not, web app security is web app security (105 comments)

You got me before my morning (afternoon) coffee so here are some haphazard thoughts:

1) You're writing a PHP/MySQL app. It doesn't matter if it's a game or the next big social networking site. There are holes common to all web apps (check out the OWASP Top 10). There are also holes common in PHP code, such as remote file inclusion. There are things you can do wrong with JavaScript. Learn about them, learn about how to prevent them and write your code accordingly. Security should be part of development, not something you tack on afterward. This means using good coding conventions (i.e. using parametrized queries instead of concatenation, always encoding output, etc.) and ensuring that any design decision you make does not compromise the security of your application. Make sure security is multi-layered as well. For example, even if you think your app is 100% free of SQL injection (wrong assumption!), you still need to make sure you've properly hashed user passwords in the database in case they're exposed. (Side note: please don't use MD5 for this; look into bcrypt, or at least many rounds of SHA-256 or such.)

2) Harden your environment. No amount of hardening will stop all attacks, but it may help mitigate their impact, and if you're lucky, it may thwart some script kiddies or automated scripts. Running PHP? Harden the crap out of your php.ini (magic_quotes_gpc, turn off fopen() for URLs, etc). Think about installing the Suhosin patch. Just don't get complacent; there are ways around all these protections and they are not a substitute for secure code! You may also consider a web-app firewall (WAF), in the vein of mod_security, but don't fully rely on these either. If you're publishing code for others to use, don't ever count on your users to implement these same protections in their environment.

3) Web app scanners can help, especially if you're a novice with security, but once again, they will not catch everything (probably not even a lot of things.) There's skipfish, NetSparker and free versions of some of the more commercial scanners.

4) I know your question was whether to publish your code. I say "Yes", but this is a personal opinion -- I just happen to think it will give security dudes more of a chance to audit your code, and attackers will find your vulnerabilities anyway, through poking at your app and fuzzing even if nothing is published.

I hope that helps a little!

more than 4 years ago
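The layered practices the post above recommends (parametrized queries instead of concatenation, bcrypt instead of MD5, output encoding), shown as an added example that is not part of the original comment. It assumes PHP 5.5 or later with the PDO SQLite driver and a hypothetical `users` table (`id`, `username`, `password_hash`).

```php
<?php
// Added example, not from the original comment. Assumes PHP >= 5.5 with the
// PDO SQLite driver and a hypothetical "users" table (id, username, password_hash).

// BEFORE: the pattern the comment warns against. User input is concatenated
// straight into SQL (injection) and the password is stored and compared as MD5.
function login_vulnerable(PDO $db, $user, $pass) {
    $sql = "SELECT id FROM users WHERE username = '$user'"
         . " AND password_hash = '" . md5($pass) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['id'] : null;
}

// AFTER: parametrized query plus bcrypt verification. Layered on purpose: even if
// injection slipped through elsewhere, the stored hashes are slow bcrypt, not MD5.
function login_hardened(PDO $db, $user, $pass) {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int)$row['id'];
}

// Signup: password_hash() generates a per-user salt and a bcrypt hash.
function create_user(PDO $db, $user, $pass) {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array(':u' => $user, ':h' => password_hash($pass, PASSWORD_BCRYPT)));
}

// Always encode output: the username is data, not markup, when it reaches the page.
function greeting_html($user) {
    return 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}

// Demo against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
create_user($db, 'alice', 'correct horse battery staple');

var_dump(login_hardened($db, 'alice', 'wrong password'));              // rejected by password_verify()
var_dump(login_hardened($db, "o'hara", 'anything'));                   // the quote is literal data, not SQL
var_dump(login_hardened($db, 'alice', 'correct horse battery staple')); // the registered user's id
echo greeting_html('<b>bob</b>'), "\n";                                 // angle brackets are escaped
```

The vulnerable function is kept only for contrast and is never called; with the same `o'hara` input it would raise a SQL syntax error (or worse), which is the comment's point about concatenation.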

Venezuela's Last Opposition TV Owner Arrested

twistah Re:Uh oh (433 comments)

Who are these "common people" you're talking about? At least you give them credit for knowing what the Internet is. But since they've, ostensibly, been on the Internet before, why do you think a Photoshop on a government site would somehow make them revolt against their government?

more than 4 years ago

Android and the Linux Kernel Community

twistah Re:Google (354 comments)

Did you forget about the Google Summer of Code and multiple other projects where they basically fund the development of OSS tools?

more than 4 years ago

Space Station Astronauts Gain Internet Access

twistah Previous access (201 comments)

Previous astronaut tweets had been posted by a third party on the ground via email.

So, then, they did have SOME access before?

more than 4 years ago

DECAF Was Just a Stunt, Now Over

twistah So apparently.. (206 comments)

What DECAF giveth, DECAF taketh away.

more than 4 years ago

Judge Rejects Sheriff's Suit Against Craigslist

twistah Re:To add a little context... (121 comments)

I'm a resident too, and I love this city to death, but I also know too well about Toddler Stroger and his antics.

more than 4 years ago

Judge Rejects Sheriff's Suit Against Craigslist

twistah To add a little context... (121 comments)

When you say "local sheriff", it makes it sound like he's the sheriff of some small town. In fact, Tom Dart is the sheriff of Cook County, which contains Chicago, is the second most populous county in the U.S., and his department is the second largest in the U.S.

People claiming Dart is drumming up publicity are pretty much correct. Keep in mind, we're talking Chicago here, so consider the history of the political machine here. Dart also refused to evict renters from houses when their landlords lost the mortgage. In a way, this is an honorable thing to do, but the way it played out, everyone read it as once again more publicity for Dart. The Craigslist case just further proves his motives.

more than 4 years ago

Banking Via Twitter?

twistah Why this is a bad idea (193 comments)

Does anyone else worry about sending sensitive information over a service like Twitter, which has had security issues in the past? And, assuming this works over DMs, what if a user instead accidentally uses a reply or just a straight Twitter post? What sort of information have they just inadvertently exposed?

more than 4 years ago

Twitter To Add Money Making Features

twistah Re:Astroturfers Wanted (89 comments)

You have to wonder why this kind of thing can't just be easily implemented using Twitter's API, instead of having to pay them for it.

more than 4 years ago

Hackers (or Pen-Testers) Hit Credit Unions With Malware on CD

twistah Bad name for pen-testing (205 comments)

Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, and the payload is innocuous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such as myself and others.

more than 4 years ago

Clojure and Heroku Predict Flight Delays

twistah FlightStats? (109 comments)

Hasn't FlightStats.com been doing something similar for years, just without the trendy technologies?

more than 4 years ago

First American Internet Addiction Treatment Center

twistah Hmmmm (278 comments)

I wonder what kind of Internet connection they have there?

more than 4 years ago

Illinois Bans Social Network Use By Sex Offenders

twistah Social networking blanket? (587 comments)

So, sex offenders aren't allowed to use LinkedIn, but they're allowed to use AIM, Yahoo and chat rooms? Interesting approach; this is what happens when the government tries to regulate something they know nothing about, and take the easy approach of using overarching, way-too-generalized statements.

more than 4 years ago

Hackers Get Free Parking In San Francisco

twistah Re:Portable Oscilloscope? (221 comments)

Please tell me you don't seriously think they did this to get away with not paying for parking.

about 5 years ago

Critical Flaw Discovered In DD-WRT

twistah Re:Worse than that (225 comments)

I am guessing this was meant as a troll/joke, but you may want to actually put a real command in there.

about 5 years ago

Critical Flaw Discovered In DD-WRT

twistah Re:Worse than that (225 comments)

Did you bother even reading the article? The code is in httpd.c, which obviously handled both types of connections. I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity, but that somehow it's a magical fix-all for whatever the security flaw is. I see this kind of thinking in IT people in charge of the enterprise and it scares me. Security is not about having a setting enabled, and it certainly requires much more analysis than a simple dismissive suggestion.

about 5 years ago

Best Tools For Network Inventory Management?

twistah TrackIt! (251 comments)

TrackIt! seems to be very popular with my clients, but it is a commercial tool and may be overkill for your needs. Still, it may be worth a look.

about 5 years ago

Firefox 3.5's First Vulnerability "Self-Inflicted"

twistah Re:Why do we trust Javascript all of a sudden (156 comments)

But there have been many browser exploits recently, and they've been in virtually every component of the browser. This flaw has nothing to do with JavaScript itself, just the implementation. Flaws have been found in XML and HTML rendering engines, third-party components, URL handlers and many other pieces of the browser. If we're going to disable every feature that's potentially vulnerable, we might as well stay off the Web.

about 5 years ago

Submissions


State Dept e-mail crash after "reply-all"

twistah writes | more than 5 years ago

twistah (194990) writes "It seems that a recent "reply-all storm" at the State Department caused the entire e-mail infrastructure to crash. A notice sent to all State Department employees warned of disciplinary actions which will be taken if users "reply-all" to lists with a large amount of users. Apparently, the problem was compounded by not only angry replies asking to be taken off the errant list, but by the e-mail recall function, which generated further e-mail traffic. One has to wonder if capacity planning was performed correctly — should an e-mail system be able to handle this type of traffic, or is it an unreasonable task for even the best system?"

Journals

twistah has no journal entries.
