Admin
I have a solution to the problem. What he should do is wait until approx. one year after his contract with them expired then
That should pretty much take care of the security issues for that site. Yes, I realize it's a rather hard road, but well, sometimes that's what it takes. It would have been nice if they'd listened at the original meeting.
-- Furry cows moo and decompress.
Admin
I think actually that it is possible to guard against malicious admins. Not all admins have to have the same level of authority, and even when an admin has near god-like power over a system you can still break up key segments to different admins in different areas such that it would require the collusion of several to do real damage. (duh)
I wouldn't bother calling you out on this except that, in TFA, it was very clear that this was one of those Ultimate Security style situations where it's actually appropriate to secure the servers with lots and lots of paranoia. Or at least that's how they were handling their physical security.
To not apply the same level of paranoia in securing the electronic access as you do to the physical access is naive, lazy and foolish at least and egregiously incompetent at worst.
IMHO, anyway.
-- Furry cows moo and decompress.
Admin
The 'psql' command mentioned in the story is a shell command. There is no other way to use it. And, the example (psql –d xxxxxx-db-name) will only work if you are logged in to the server itself, not connecting remotely from another instance of psql. The story makes no sense, unless this is a situation where users get some sort of shell access to the server.
Admin
To be fair, Alex & Co. often "anonymize" and "embellish" the stories to a certain extent. This does sometimes cause them to no longer A) make any sense and/or B) be funny.
Admin
Admin
I'm no expert, but I know that one of the bigger concerns of security is contingency. It's not always enough to ask IF someone can get your data, since there's plenty of ways to do that, especially if the application communicates directly over a network; you need to be ready for WHEN someone gets your data, and THAT is why important data should be encrypted.
Admin
Oh it should be minus signs. So 2009-08-22
or in daft form: 1979
Admin
I think there's a simple explanation for that.
See, the firm was in the business of "building a security system" not "keeping stuff secure".
If an employee is asked for a password to get a file, that's security. If he needs to make a retina scan, that's even better security.
Whether the files are also accessible without such measures is not the firm's business - after all, if a client chooses to not use his security it's his loss.
It's like buying a painting and then keeping it covered. Painting's there, painter's job is done, you can't blame him.
See? makes perfect sense.
Admin
Should we suddenly fear the incompetence of a company that reloads soda machines when we learn that the same company services the employee break room at a nuke plant?
Admin
Beg pardon? I would have twigged far earlier that something was up.
That last sentence is not true. It is not "serious" by any count. Like perhaps, a blanket ban on iPods and cell phones? Allowing some after looking at them is simply not secure.
Admin
Judging from the command line ‘psql –d xxxxxx-db-name’ I thought he meant "password-protected", not "encrypted". If you make that substitution in the story, it seems more reasonable.
Admin
This kinda reads like the Brokeback Mountain of WTFs.
“You know, most engineers would’ve stopped that sentence a word earlier,” Mike replied with a chuckle. “I got you something from CompUSA. Come over here and get it, lover.”
“Point three six, then I'll have to quit you.”
Admin
Admin
This.
Admin
Admin
Then you should write "10:11" for "ten past eleven" because you probably have been raised to say "ten past eleven" all your life.
Admin
The English speaking world uses 6 Jan 2009 as well - it's just the American speaking world that gets it the wrong way round ....
Admin
Admin
Reminds me of the time i pointed out to my Boss that his beloved app could have payment skipped by adding CCAuth=true to the query string....
I was told to "Not to worry about it."
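The flaw described in that comment, shown as an added example (not the poster's app or any code from the thread): a checkout that trusts a client-supplied CCAuth flag next to one that only trusts a server-side authorization record. All names, URLs and order ids are constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Server-side record of completed charges. Only the (simulated) payment
# gateway callback writes to it; constructed data, hypothetical names.
_authorized_orders = set()


def gateway_callback(order_id):
    """Invoked by the payment gateway after it has actually charged the card."""
    _authorized_orders.add(order_id)


def _params(url):
    """Flatten the query string into a dict of first values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_checkout(url):
    """Reads the payment decision from the request itself.

    Anyone who can edit a URL can append CCAuth=true and skip payment,
    which is exactly the hole the comment above describes.
    """
    if _params(url).get("CCAuth") == "true":
        return "order_placed"
    return "payment_required"


def hardened_checkout(url):
    """Ignores client-controlled flags; the request may only name the order.

    The decision comes from state the client cannot write: the record of
    charges confirmed by the gateway callback.
    """
    order_id = _params(url).get("order", "")
    if order_id in _authorized_orders:
        return "order_placed"
    return "payment_required"


def is_tampered(url):
    """Detection hook: a client request should never carry the CCAuth key at
    all, so its presence in access logs is worth alerting on."""
    return "CCAuth" in _params(url)
```

The hardened version still returns "payment_required" for an order whose id was never confirmed by the callback, no matter what flags the client appends.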
Admin
petere963 here, disregard that, I suck cocks.
Admin
And it's a lot easier to do a text sort on ISO dates.
Admin
How about this: The next time you find a security hole like that, walk up to some hacker community and give them the intel. Done!
Admin
An interesting example of bilateral cultural bias there: I'd have thought a Grammar Nazi (which seems to be the universal term of opprobrium for people who actually try to get things right, rather than for nit-picking anal retentives) would have taken a broader view of Germanic languages in general.
I mean, "eleven, twelve"/"elf, zwolf"/"elva, tolv," what's that all about?
This response actually led me to look up a relevant article, for which many thanks. Turns out that almost all languages, beyond those that count as "one, two, many," pick a point on the cardinal scale where the numbering system becomes "big-endian." Quite a few of them start immediately there's a need to take the socks off. German happens to wait until three figures, but even German submits at that point.
French is predictably weird. It waits until 17 before going the obvious way, and even then manages to make the 80s and 90s pointlessly complicated (unless you're a Quebecois, in which case the French will, predictably again, laugh at you).
But, as I say, the really odd thing is this 11/12 business. Languages in general take the sensible approach of stringing new numeric compounds together at basal powers; why Germanic languages differ in this respect is beyond me.
Oh, and I suspect that "zwei-und-zwanzig" is a by-product of excessive saliva. You might be able to say "zwanzig-zwei" without covering your inamorata with spittle; I can't.
Admin
So, what's wrong with YYYYY-MM-DD?
Admin
Admin
I'm hoping to head out to French Polynesia and the more exotic bits of Outre-Mer later in the year. Also, possibly, Guadeloupe and Martinique -- two of the only five interesting islands in the Caribbean, the downsides to the others being dreariness (Cuba), violence (Jamaica) and I'm-no-oilman-me, and shut the fuck up with the banging on cans (Trinidad).
I'll test your assertion then. I'd love to test it against Flemmischers, but I assume they don't give a damn either way.
Admin
Admin
There wouldn't really be any point. A Truecrypt filesystem's encryption is only effective when you unmount the system and remove the decryption key from the host machine. From the point of view of a hacker communicating with a DB server that accesses this filesystem, the data would appear to be unencrypted.
Admin
Bah, just use UNIX time and forget about it
Admin
Alex fix your CAPTCHA.
Admin
Come on, this is a company that MAKES security programs to guard against hackers, and it never once occurred to a single one of the higher-ups to protect THEMSELVES against hackers?! WTF indeed. Some of the comments reminded me of a terrifying story, which one of the authors called "THE most frightening story I've ever heard"... a book called "@ Large". It's the story of how a retarded kid, yes, LITERALLY retarded, using a few simple hacker tricks he picked up on the internet, a simple computer, and lots of time, hacked into hundreds of companies and stole thousands of people's passwords... Seriously, he hacked into an internet provider's company computers and set up a program to steal the passwords of every user... and it stole SO MANY that it filled the entire hard drive and crashed the system! And until that crash, NOT A SINGLE EMPLOYEE NOTICED THE BREACH IN SECURITY! Perhaps the scariest part was when an FBI man asked the hacker if he had ever found a system he couldn't break into, and he said no.
Admin
Just report it anonymously to some government institution claiming management refuses to fix the security issues (also show how to hack it) and watch it all burn.