Bytes IT Community

How to get an unix programmer started on web programming?

Hi!
I've done lots of programming for CAD, which was basically C/C++ and tcl/tk.
Now, we are thinking about introducing more web based tools, programming
them ourselves and right now the toolchain we think about is apache/oracle/php.

Now, I can do oracle no problem but I'm pretty wet behind the ears about
everything else.
What books could you recommend to me so that I can learn:
- what all this apache stuff is about, the mod_*
- what html or xml looks like, what a css and a dtd is and what I need it for
- session management
- login through active directory
- php

I've thrown my eyes on the php5 and mysql bible (ok it's not oracle but the
mysql part is 150 out of 1000 pages and the rest looks good from the table
of contents).

But what about the other stuff?

Lots of Greetings and thanks!
Volker
Aug 31 '05 #1
34 Replies


> apache/oracle/php.
Why not apache/mysql/php? My opinion is that using Oracle for web
purposes is like using a rifle to kill a fly.

There are many books on all three. Just go to any competent book store
and spend an hour there looking through some. I tend not to be one who
reads a book from cover to cover, but use books as references when I get
stuck. I've found that books with a massive Index and ToC work best for
me. I also have some "cookbook"-style tutorial books that work great as
references.
Looking at my shelf, I just realized that most of my favorites are
published by O'Reilly.

Mark
Aug 31 '05 #2

Mark wrote:
>> apache/oracle/php.
> Why not apache/mysql/php? My opinion is that using Oracle for web
> purposes is like using a rifle to kill a fly.

We do have oracle already running, standby database and all and it
runs other applications too. Especially it holds data we want to access
from the web interface.

> Looking at my shelf, I just realized that most of my favorites are
> published by O'Reilly.

Ok.

Any idea about a general intro to web stuff, like html/xml/css
and such?

Lots of Greetings!
Volker
Aug 31 '05 #3

On 2005-08-31, Volker Hetzer <vo***********@ieee.org> wrote:
> Now, I can do oracle no problem but I'm pretty wet behind the ears about
> everything else.
> What books could you recommend to me so that I can learn:
> - what all this apache stuff is about, the mod_*

You don't really need to know a whole lot about apache or mod_* until
you start doing really advanced stuff. PHP will get you very far on
itself.

> - what html or xml looks like, what a css and a dtd is and what I need
> it for

HTML/CSS is of course imperative. XML may be depending on your
application. IMHO XML is mostly suited for getting disparate systems to
talk to each other and usually not very interesting internally in a
system.

> - session management

Should be explained in any PHP book.

> - login through active directory

AFAIK AD is just LDAP with some M$ stuff on top. I'm not aware of any
PHP to AD bindings, but you can use LDAP from PHP.

> I've thrown my eyes on the php5 and mysql bible (ok it's not oracle but the
> mysql part is 150 out of 1000 pages and the rest looks good from the table
> of contents).


You might want to checkout this review on slashdot:

http://books.slashdot.org/article.pl...&tid=169&tid=6

It looks quite interesting to me but I haven't read the book so I cannot
recommend it personally. Beware of the million and one PHP+MySQL
introduction books, most of them will teach you some bad habits and
most likely be a whole lot more confusing than needed. That's what my
impression is from people starting out with PHP anyways. And as you know
programming you'll probably find the introduction books below your
level.

You should also checkout the fantastic online manual of PHP on the
official PHP website - there's also a tutorial on PHP which will get you
started with it.

Know that the language itself is quite easy compared to C/C++ and also
it resembles C quite a bit, so you'll most likely find yourself at home
rather quickly.

Enough of the rambling, welcome to a world without pointers, enjoy! ;-)

--
Cheers,
- Jacob Atzen
Aug 31 '05 #4
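Added example, not part of the thread and not any poster's code: Jacob's suggestion above (authenticate against AD over plain LDAP from PHP) in working PHP. The domain controller address, domain name, base DN and the gating group are assumed for illustration, as is a loaded php ldap extension; the thread specifies none of them. The two checks at the top of ad_authenticate() are the ones most often missing from first attempts.

```php
<?php
// Added example (not code from the thread): log a user in against
// Active Directory over LDAP from PHP.
// Assumed, none of it from the thread: a domain controller reachable as
// ldaps://dc01.example.corp, the AD domain example.corp (base DN
// DC=example,DC=corp), a group CAD-Tools-Users that gates access, and the
// PHP ldap extension loaded.

define('AD_URI',    'ldaps://dc01.example.corp'); // LDAPS, so the password is not sent in clear
define('AD_DOMAIN', 'example.corp');
define('AD_BASEDN', 'DC=example,DC=corp');
define('AD_GROUP',  'CN=CAD-Tools-Users,OU=Groups,DC=example,DC=corp');

// Escape a value for use inside an LDAP search filter (RFC 4515).
// Without this a username such as  *)(objectClass=*  rewrites the filter.
function ldap_filter_escape($value)
{
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Returns the DNs of the user's AD groups on success, false on failure.
function ad_authenticate($username, $password)
{
    // AD treats a bind with an empty password as an *anonymous* bind and
    // reports success, so ldap_bind() would return true. Refuse it here.
    if ($password === '' || $password === null) {
        return false;
    }
    // Plain sAMAccountName characters only: no "@", "\" or spaces that would
    // let the caller pick another domain or alter the bind name.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD referrals break searches otherwise

    // Binding as the user in UPN form is the password check itself.
    if (!@ldap_bind($conn, $username . '@' . AD_DOMAIN, $password)) {
        ldap_close($conn);
        return false;
    }

    // The user can read its own entry; fetch memberOf for authorisation.
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_filter_escape($username) . '))';
    $result = ldap_search($conn, AD_BASEDN, $filter, array('memberOf'));
    $groups = array();
    if ($result !== false) {
        $entries = ldap_get_entries($conn, $result); // attribute names come back lower-cased
        if ($entries['count'] === 1 && isset($entries[0]['memberof'])) {
            for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
                $groups[] = $entries[0]['memberof'][$i];
            }
        }
    }
    ldap_close($conn);
    return $groups;
}

function in_ad_group(array $groups, $groupDn)
{
    foreach ($groups as $dn) {
        if (strcasecmp($dn, $groupDn) === 0) { // DNs compare case-insensitively
            return true;
        }
    }
    return false;
}

// In the handler for the login form:
$groups = ad_authenticate($_POST['user'], $_POST['pass']);
if ($groups === false) {
    header('HTTP/1.0 401 Unauthorized');
    exit('Login failed');
}
if (!in_ad_group($groups, AD_GROUP)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Not authorised for this tool');
}
// ... start the session for $_POST['user'] here.
```

Two caveats worth knowing before relying on this: memberOf does not list the user's primary group (normally Domain Users) nor groups reached only through nesting, so gate on a group the user is a direct member of; and if the domain controllers do not offer LDAPS, connect with ldap:// and call ldap_start_tls() before the bind rather than sending the password in clear.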

For having a good HTML - Reference have a look @ http://www.selfhtml.org/
For PHP
http://www.php.net
and XML might be
http://www.xml.com or http://w3c.org

Hope this helps a little bit :-)

Greets Wolfgang ..

Volker Hetzer wrote:
> Mark wrote:
>>> apache/oracle/php.
>> Why not apache/mysql/php? My opinion is that using Oracle for web
>> purposes is like using a rifle to kill a fly.
>
> We do have oracle already running, standby database and all and it
> runs other applications too. Especially it holds data we want to access
> from the web interface.
>
>> Looking at my shelf, I just realized that most of my favorites are
>> published by O'Reilly.
>
> Ok.
>
> Any idea about a general intro to web stuff, like html/xml/css
> and such?
>
> Lots of Greetings!
> Volker

Aug 31 '05 #5

Jacob Atzen wrote:
> On 2005-08-31, Volker Hetzer <vo***********@ieee.org> wrote:
>> Now, I can do oracle no problem but I'm pretty wet behind the ears about
>> everything else.
>> What books could you recommend to me so that I can learn:
>> - what all this apache stuff is about, the mod_*
>
> You don't really need to know a whole lot about apache or mod_* until
> you start doing really advanced stuff. PHP will get you very far on
> itself.

Ok.

>> - what html or xml looks like, what a css and a dtd is and what I need
>> it for
>
> HTML/CSS is of course imperative. XML may be depending on your
> application. IMHO XML is mostly suited for getting disparate systems to
> talk to each other and usually not very interesting internally in a
> system.

I think I'll find something.

> You might want to checkout this review on slashdot:
>
> http://books.slashdot.org/article.pl...&tid=169&tid=6

Looks good to me. I haven't had much use of that OOP stuff over the last eight years.

Lots of Thanks!
Volker
Aug 31 '05 #6

Wolfgang Forstmeier wrote:
> For having a good HTML - Reference have a look @ http://www.selfhtml.org/
> For PHP
> http://www.php.net
> and XML might be
> http://www.xml.com or http://w3c.org
>
> Hope this helps a little bit :-)

It will!

Thanks a lot!
Volker
Aug 31 '05 #7

Volker Hetzer wrote:
> Hi!
> I've done lots of programming for CAD, which was basically C/C++ and
> tcl/tk. Now, we are thinking about introducing more web based tools,
> programming them ourselves and right now the toolchain we think about is
> apache/oracle/php.


Go build a server - Linux distros will provide the apache/mysql/php stuff
out of the box (you might have to tick some boxes in the install);
alternatively there are several packages which will install apache/mysql/php on a
MS-Win box.

The Oracle PHP extension does lots of things which other DB extensions don't
(like variable binding). There are also a lot more people out there using
MySQL than Oracle (so lots of published examples and people able to help).
However both Oracle and MySQL are supported by the dbx_ driver which
provides an abstraction layer from the actual DBMS - while you're still
learning, I'd recommend starting with MySQL, and write your code to run through
the dbx interface.

HTH

C.
Aug 31 '05 #8
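Added example, not part of the thread and not Colin's code: what the "variable binding" he mentions buys you, shown with PHP 5's oci8 functions (oci_parse, oci_bind_by_name, oci_execute) against the existing Oracle instance, with the concatenated query it replaces beside it. The table, the WEB_RO account, the connect string and the environment variable holding the password are all assumed for illustration; the thread names none of them.

```php
<?php
// Added example (not code from the thread): an Oracle query from PHP built
// by string concatenation, and the same query using a bind variable.
// Assumed, none of it from the thread: a table PARTS(PART_NO, DESCRIPTION,
// STOCK), a read-only account WEB_RO whose password is in the environment,
// and the connect string below.

$conn = oci_connect('WEB_RO', getenv('WEB_RO_PASSWORD'), '//oradb.example.corp/CADDB');
if ($conn === false) {
    $e = oci_error();
    trigger_error('Oracle connect failed: ' . $e['message'], E_USER_ERROR);
}

// UNSAFE: the search term becomes part of the SQL text. The term
//     x%' OR '1'='1
// returns every row, and a UNION SELECT reaches any table WEB_RO can read.
function find_parts_unsafe($conn, $term)
{
    $sql  = "SELECT part_no, description, stock FROM parts"
          . " WHERE description LIKE '%" . $term . "%'";
    $stid = oci_parse($conn, $sql);
    oci_execute($stid);
    return fetch_all($stid);
}

// SAFE: the SQL text is constant; the term travels as a bind variable, so
// Oracle treats it as data whatever it contains. The statement is also
// parsed once and reused from the shared pool instead of being hard-parsed
// for every distinct term.
function find_parts($conn, $term)
{
    $sql  = "SELECT part_no, description, stock FROM parts"
          . " WHERE description LIKE :pattern ESCAPE '\\'";
    $stid = oci_parse($conn, $sql);
    // Binding stops SQL injection; it does not stop LIKE wildcards inside
    // the data, so escape % and _ too unless users are meant to use them.
    $pattern = '%' . str_replace(array('\\', '%', '_'),
                                 array('\\\\', '\\%', '\\_'), $term) . '%';
    oci_bind_by_name($stid, ':pattern', $pattern);
    if (!oci_execute($stid)) {
        $e = oci_error($stid);
        error_log('find_parts failed: ' . $e['message']);
        return array();
    }
    return fetch_all($stid);
}

function fetch_all($stid)
{
    $rows = array();
    while (($row = oci_fetch_assoc($stid)) !== false) { // column names come back upper-cased
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

// A request such as  search.php?q=bracket  goes through the safe version:
$rows = find_parts($conn, isset($_GET['q']) ? $_GET['q'] : '');
foreach ($rows as $row) {
    echo htmlspecialchars($row['PART_NO']), ' ',
         htmlspecialchars($row['DESCRIPTION']), ' (', (int) $row['STOCK'], ")\n";
}
```

The bind does the security work; the ESCAPE clause and htmlspecialchars() are there because a bound value is still data the user controls, both as a LIKE pattern inside Oracle and as text that ends up in the HTML.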

Volker Hetzer wrote:
> Mark wrote:
>>> apache/oracle/php.
>> Why not apache/mysql/php? My opinion is that using Oracle for web
>> purposes is like using a rifle to kill a fly.
>
> We do have oracle already running, standby database and all and it
> runs other applications too. Especially it holds data we want to access
> from the web interface.
>
>> Looking at my shelf, I just realized that most of my favorites are
>> published by O'Reilly.
>
> Ok.
>
> Any idea about a general intro to web stuff, like html/xml/css
> and such?
>
> Lots of Greetings!
> Volker

Volker,

Don't allow access to your Oracle server through the web, especially if you have
confidential data on it that's not needed by the web. If someone successfully
hacks your system, they not only could have full access to the data in your
Oracle databases, but they could damage them as well.

Rather, replicate only the data necessary to run your website to another
database accessible by the web server (if you're happy with Oracle, that's
fine). Then access that subset from the server.

And if your users update this data from the website (i.e. order entry has to
decrement inventory count), don't just automatically replicate the changes back
to your main database. Rather, have the web site code call a program running on
the Oracle server (or another server behind your firewall). This program should
(again) validate the information and then make the database changes.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 31 '05 #9
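Added example, not part of the thread and not Jerry's code: the "program running on the Oracle server which validates the information and then makes the database changes" from his post, done as a PL/SQL procedure that the web account may execute but whose tables it cannot read or update directly. The privilege separation works the same whether the web tier talks to a replicated subset, as Jerry suggests, or to the main instance; the schema, the WEB_APP account, the procedure and the connect string are assumed for illustration.

```php
<?php
// Added example (not code from the thread): the web tier asks a stored
// procedure to decrement stock instead of running UPDATE itself.
// Assumed, none of it from the thread: a table INVENTORY.PARTS(PART_NO,
// STOCK); a web account WEB_APP that owns nothing and holds exactly one
// privilege,
//     GRANT EXECUTE ON inventory.reserve_part TO web_app;
// and this procedure, created once by the DBA in the INVENTORY schema:
//
//   CREATE OR REPLACE PROCEDURE reserve_part(
//       p_part_no IN VARCHAR2, p_qty IN NUMBER, p_status OUT VARCHAR2) AS
//       v_stock NUMBER;
//   BEGIN
//       IF p_qty IS NULL OR p_qty <= 0 OR p_qty <> TRUNC(p_qty) THEN
//           p_status := 'BAD_QTY'; RETURN;
//       END IF;
//       SELECT stock INTO v_stock FROM parts
//        WHERE part_no = p_part_no FOR UPDATE;   -- lock the row first
//       IF v_stock < p_qty THEN
//           p_status := 'INSUFFICIENT'; ROLLBACK; RETURN;
//       END IF;
//       UPDATE parts SET stock = stock - p_qty WHERE part_no = p_part_no;
//       COMMIT;
//       p_status := 'OK';
//   EXCEPTION
//       WHEN NO_DATA_FOUND THEN p_status := 'NO_SUCH_PART';
//   END;
//
// Whoever holds WEB_APP's credentials (a compromised PHP script included)
// can only call reserve_part with arguments it validates; a SELECT or
// UPDATE on PARTS fails with ORA-00942 because WEB_APP cannot see the table.

$conn = oci_connect('WEB_APP', getenv('WEB_APP_PASSWORD'), '//oradb.example.corp/CADDB');
if ($conn === false) {
    $e = oci_error();
    trigger_error('Oracle connect failed: ' . $e['message'], E_USER_ERROR);
}

// Returns the status string set by the procedure, or a local error code.
function reserve_part($conn, $partNo, $qty)
{
    // Validate on the web side as well: it is cheap, gives better error
    // messages, and keeps junk out of the database logs. The procedure
    // validates again because it cannot trust this tier.
    if (!preg_match('/^[A-Z0-9-]{1,20}$/', $partNo) || !ctype_digit((string) $qty)) {
        return 'BAD_INPUT';
    }
    $qty    = (int) $qty;
    $status = '';

    $stid = oci_parse($conn, 'BEGIN inventory.reserve_part(:part_no, :qty, :status); END;');
    oci_bind_by_name($stid, ':part_no', $partNo);
    oci_bind_by_name($stid, ':qty',     $qty);
    oci_bind_by_name($stid, ':status',  $status, 32); // OUT parameter: reserve room for it
    if (!oci_execute($stid)) {
        $e = oci_error($stid);
        error_log('reserve_part failed: ' . $e['message']);
        oci_free_statement($stid);
        return 'DB_ERROR';
    }
    oci_free_statement($stid);
    return $status;
}

// From the order form handler:
$status = reserve_part($conn, $_POST['part_no'], $_POST['qty']);
if ($status !== 'OK') {
    header('HTTP/1.0 400 Bad Request');
    exit('Could not reserve part: ' . htmlspecialchars($status));
}
echo "Reserved\n";
```

The SELECT ... FOR UPDATE before the check matters: without it two concurrent orders can both read the same stock figure and both pass validation, and the count goes negative.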

Jerry Stuckle wrote:
> Volker,
>
> Don't allow access to your Oracle server through the web, especially
> if you have confidential data on it that's not needed by the web. If
> someone successfully hacks your system, they not only could have full
> access to the data in your Oracle databases, but they could damage
> them as well.
>
> Rather, replicate only the data necessary to run your website to
> another database accessible by the web server (if you're happy with
> Oracle, that's fine). Then access that subset from the server.
>
> And if your users update this data from the website (i.e. order entry
> has to decrement inventory count), don't just automatically replicate
> the changes back to your main database. Rather, have the web site
> code call a program running on the Oracle server (or another server
> behind your firewall). This program should (again) validate the
> information and then make the database changes.


IMHO this is unnecessary paranoia. A well written system will not allow
a user to hack your system and access arbitrary bits of data in a
database nor destroy a database. In any event limiting such data to a
subset and then engineering what needs to be done to keep things in sync
is overkill. If the hacker hacks he'll hack your subset database and
such a hack will probably be as painful.

--
640K ought to be enough RAM for anybody. - Bill Gates, 1981

Aug 31 '05 #10

> Now, I can do oracle no problem but I'm pretty wet behind the ears about
> everything else.
> What books could you recommend to me so that I can learn:

I'd use the web. Cheaper and easier to find/search.

> - what all this apache stuff is about, the mod_*

Apache is just your web server.

> - what html or xml looks like, what a css and a dtd is and what I need it
> for

HTML is pre-defined tags styled with CSS and XML is definable tags and
popular to store data in.

> - session management

PHP is good with this. You can use session variables stored in superglobals,
cookies or flat files to store your session variables in.

> - login through active directory

Erm?

> - php

Top notch tool for writing dynamic web pages and not bad at all for a
freebie...

> I've thrown my eyes on the php5 and mysql bible (ok it's not oracle but
> the
> mysql part is 150 out of 1000 pages and the rest looks good from the table
> of contents).

I reference a book called PHP and MySQL Web Development for code examples.

> But what about the other stuff?

You can add all sorts...

Flash for 'flashy' animations
XHTML - i think this is for dynamic use of XML
DHTML - Dynamic HTML
ASP - Like PHP but requires IIS (Micro$oft of course) i prefer PHP myself
.net - new web-age stuff that I do not pretend to understand - something along
the lines of cross language portability...
the list goes on...

> Lots of Greetings and thanks!
> Volker

Aug 31 '05 #11
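Added example, not part of the thread and not Domestos's code: the built-in session handling he refers to (the $_SESSION superglobal, file-backed by default) set up so that a session id planted on a victim before login, or read from the URL, is not usable. It assumes the site is served over HTTPS, that the password check happens elsewhere and yields a user name, and PHP 5.2 or later for session.cookie_httponly and session_regenerate_id(true); none of that comes from the thread.

```php
<?php
// Added example (not code from the thread): PHP sessions with the settings
// and the regenerate-on-login step that stop session fixation and id theft
// through the URL. Assumed, none of it from the thread: HTTPS, a separate
// password check that yields a user name, and PHP >= 5.2.

// These must be set before session_start() to take effect for this request.
ini_set('session.use_only_cookies', 1);  // never accept the id from the query string
ini_set('session.use_trans_sid',    0);  // and never append it to links or forms
ini_set('session.cookie_httponly',  1);  // script on the page cannot read the cookie
ini_set('session.cookie_secure',    1);  // cookie is only sent over HTTPS
ini_set('session.gc_maxlifetime', 1800); // server-side data expires after 30 min idle

define('IDLE_TIMEOUT', 1800);

session_start();

// Call this once the credentials have been checked (e.g. by an AD bind).
function establish_session($user)
{
    // Replace the pre-login session id and delete the old data file, so an
    // id an attacker planted before login does not turn into a logged-in one.
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['user']      = $user;
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
}

// Put at the top of every protected page; returns the user name.
function require_login()
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        logout();
        header('Location: /login.php?expired=1');
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

// Destroys the server-side data and expires the cookie in the browser,
// not just one or the other.
function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// login.php, after the password check succeeded for $username:
//   establish_session($username);
//   header('Location: /index.php');
// index.php and every other protected page:
//   $user = require_login();
```

Keeping the user name only in $_SESSION, never in a cookie the browser can edit, is the point of the superglobal: the client holds an opaque id and the server holds the facts.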

Andrew DeFaria wrote:
> Jerry Stuckle wrote:
>> Volker,
>>
>> Don't allow access to your Oracle server through the web, especially
>> if you have confidential data on it that's not needed by the web. If
>> someone successfully hacks your system, they not only could have full
>> access to the data in your Oracle databases, but they could damage
>> them as well.
>>
>> Rather, replicate only the data necessary to run your website to
>> another database accessible by the web server (if you're happy with
>> Oracle, that's fine). Then access that subset from the server.
>>
>> And if your users update this data from the website (i.e. order entry
>> has to decrement inventory count), don't just automatically replicate
>> the changes back to your main database. Rather, have the web site
>> code call a program running on the Oracle server (or another server
>> behind your firewall). This program should (again) validate the
>> information and then make the database changes.
>
> IMHO this is unnecessary paranoia. A well written system will not allow
> a user to hack your system and access arbitrary bits of data in a
> database nor destroy a database. In any event limiting such data to a
> subset and then engineering what needs to be done to keep things in sync
> is overkill. If the hacker hacks he'll hack your subset database and
> such a hack will probably be as painful.


Sorry Andrew, but that's a load of BS. Any non-trivial computer program
(including PHP scripts, of course) contains errors, which could
potentially be security hazards. Add to that (potentially even
undiscovered) bugs in the OS, the webserver, PHP itself, ... and the
only possible conclusion is, what every security expert has been
preaching for quite a lot of years: The only computer that is safe from
being hacked is a computer not connected to the net.

So what Jerry suggested is the only sensible thing to and certainly not
overkill.

Bye!
Sep 1 '05 #12

Andrew DeFaria wrote:
> Jerry Stuckle wrote:
>> Volker,
>>
>> Don't allow access to your Oracle server through the web, especially
>> if you have confidential data on it that's not needed by the web. If
>> someone successfully hacks your system, they not only could have full
>> access to the data in your Oracle databases, but they could damage
>> them as well.
>>
>> Rather, replicate only the data necessary to run your website to
>> another database accessible by the web server (if you're happy with
>> Oracle, that's fine). Then access that subset from the server.
>>
>> And if your users update this data from the website (i.e. order entry
>> has to decrement inventory count), don't just automatically replicate
>> the changes back to your main database. Rather, have the web site
>> code call a program running on the Oracle server (or another server
>> behind your firewall). This program should (again) validate the
>> information and then make the database changes.
>
> IMHO this is unnecessary paranoia. A well written system will not allow
> a user to hack your system and access arbitrary bits of data in a
> database nor destroy a database. In any event limiting such data to a
> subset and then engineering what needs to be done to keep things in sync
> is overkill. If the hacker hacks he'll hack your subset database and
> such a hack will probably be as painful.


Andrew,

You've obviously never worked with the (U.S.) Federal government or a large or
medium sized company. These groups have all kinds of data on their system which
could be ripe for hackers - social security numbers and other private
information of personnel, for instance. If such data is hacked, it could lead
to serious criminal and/or civil legal proceedings.

Even non-personnel data such as market research, sales figures and other things
can be expensive to the company if leaked.

And ANY system can be hacked. Some are more secure than others, but ANY system
is vulnerable. But the more roadblocks you put in front of a hacker, the better
chance you have of catching him BEFORE he gets into the system.

You call it paranoia. My customers call it safety. And it isn't all that hard
to implement.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 1 '05 #13

Anonymous wrote:
> So what Jerry suggested is the only sensible thing to and certainly not
> overkill.


Skipped a word here.

So what Jerry suggested is the only sensible thing to do and certainly
not overkill.
Sep 1 '05 #14

Anonymous wrote:
> Sorry Andrew, but that's a load of BS. Any non-trivial computer
> program (including PHP scripts, of course) contains errors, which
> could potentially be security hazards. Add to that (potentially even
> undiscovered) bugs in the OS, the webserver, PHP itself, ... and the
> only possible conclusion is, what every security expert has been
> preaching for quite a lot of years: The only computer that is safe
> from being hacked is a computer not connected to the net.

And therein lies the paranoia! By that standard nothing would be
connected to the net and the net as we know it would not exist! Are you
seriously advocating that?!? If so then you might as well just get rid
of PHP as it'd be useless. Nothing's safe. No computer should be
connected to the net therefore you don't need Apache, the web, email or
anything.

Granted nothing is bug free and nothing is 100% secure. That always was
and will always be. But don't use that as an excuse to hide your head in
the sand and hide useful data from everybody. There are tremendous
benefits that we all enjoy from the explosion of the sharing of
information that the net has widened to the masses. Yes indeed there are
risks. But when you weigh the risks and the benefits I think it's clear
that most people believe the benefits out weigh the risk, with suitable
precautions taken, despite what the "security expert" naysayers say.
> So what Jerry suggested is the only sensible thing to and certainly
> not overkill.


You are certainly entitled to your opinion but please also allow me mine.
--
Anytime four New Yorkers get into a cab together without arguing, a bank
robbery has just taken place.
Sep 1 '05 #15

Jerry Stuckle wrote:
> Andrew,
>
> You've obviously never worked with the (U.S.) Federal government or a
> large or medium sized company.

Yes I have. A quick check of my resume would confirm that. And yes I
have experience working with government systems, mostly as a consumer. I
don't know of many people who are actually impressed with government
systems - do you???

> These groups have all kinds of data on their system which could be
> ripe for hackers - social security numbers and other private
> information of personnel, for instance. If such data is hacked, it
> could lead to serious criminal and/or civil legal proceedings.

Understood. Again, there is a risk vs. benefits analysis that can be
formed as well as opinions of the interpretations. Opinions will differ.
For example, mine differs from yours.

> Even non-personnel data such as market research, sales figures and
> other things can be expensive to the company if leaked.
>
> And ANY system can be hacked. Some are more secure than others, but
> ANY system is vulnerable. But the more roadblocks you put in front of
> a hacker, the better chance you have of catching him BEFORE he gets
> into the system.

Agreed, no system is 100% secure. Hacking a system can cause damage. So
then there's a trade off and a wide range of precautions that can be
taken anywhere from 100% open to 100% closed. People formulate opinions
on how important the data is and how much security is needed. You have
your opinion and I have mine and IMHO what was presented was overkill
(IOW severely limits the benefits and makes the system much harder to
implement and provide timely data than is warranted by the perceived
risk). You may be of a different opinion and that's fine.

> You call it paranoia. My customers call it safety. And it isn't all
> that hard to implement.


A lot depends on the type of data and the security required. It seems it
was just assumed that high security was a requirement. I'm not convinced
that it is in this case.
--
Sex on television can't hurt you unless you fall off.
Sep 1 '05 #16

Hello!
> XHTML - i think this is for dynamic use of XML


Found on http://www.w3.org/MarkUp/

The Extensible HyperText Markup Language (XHTML) is a family of current
and future document types and modules that reproduce, subset, and extend
HTML, reformulated in XML. XHTML Family document types are all
XML-based, and ultimately are designed to work in conjunction with
XML-based user agents. XHTML is the successor of HTML, and a series of
specifications has been developed for XHTML.

If you are writing web pages you really should know XHTML.
I use it everywhere I could use HTML 4.01.

HTH
Hero Wanders
Sep 1 '05 #17

Hero Wanders wrote:
> If you are writing web pages you really should know XHTML.


Even if you write them in HTML??

--
Jock
Sep 1 '05 #18

Andrew DeFaria wrote:
> Jerry Stuckle wrote:
>> [...]
> You may be of a different opinion and that's fine.
>> You call it paranoia. My customers call it safety. And it isn't all
>> that hard to implement.
>
> A lot depends on the type of data and the security required. It seems it
> was just assumed that high security was a requirement. I'm not convinced
> that it is in this case.


Andrew,

Yes, you are entitled to your opinion. But I hope you don't work on any of my
customer's systems!

This is NOT "high security". It's barely above "minimal security" - minimal
being what most sites implement nowadays. - plain text passwords, usually
without SSL, etc.

Medium security would also enforce random password rules, SSL for much of the
data, no telnet/ssh/ftp/sftp access, email on different servers, etc.

Now if you want high security - you're talking multiple passwords which change
by the minute (user has a little credit card sized device which flashes a new
password every minute) and biometric identification, everything ssl, access only
from specific IP addresses, etc.

And no, this isn't hard to implement. Oracle's replication can be set up in a
few minutes by someone who knows what they're doing. The additional scripts
take maybe a half-hour to an hour to write each, depending on their
complexity. Such a system can be easily set up in a couple of days. But, of
course, you'd save some time on the web site because some of the code would be
moved to the server site.

It takes much longer to actually create the web pages and the back end
programming than it does to isolate the database on a different server.

And BTW - you indicated you have worked on government systems from a consumer
POV. You may not think they are the greatest sites - but there is a LOT of
stuff behind the pages you don't see. For instance - check http://www.fcc.gov.
You can access their wireless license database, but not private information
such as DOB's and SSN's. You can even update your own records. But you won't
be able to hack the main database - it isn't on the same system.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 1 '05 #19

Jerry Stuckle wrote:
> Don't allow access to your Oracle server through the web, especially if
> you have confidential data on it that's not needed by the web. If
> someone successfully hacks your system, they not only could have full
> access to the data in your Oracle databases, but they could damage them
> as well.

Thanks a lot for that advice but we do only an intranet application.
Everything sits behind at least two firewalls, is not visible outside
and users outside the company won't get access to it anymore than they
do to for instance personnel records.
Otherwise I fully agree, if it were visible outside the intranet we'd
be a lot more careful about what we put in there.

Lots of Greetings!
Volker
Sep 2 '05 #20

Domestos wrote:
>> Now, I can do oracle no problem but I'm pretty wet behind the ears about
>> everything else.
>> What books could you recommend to me so that I can learn:
>
> I'd use the web. Cheaper and easier to find/search.

I've come across that too. I'm buying a book about good OO design
with php and the syntax stuff I'm sure to pick up on the web.

>> - what all this apache stuff is about, the mod_*
>
> Apache is just your web server.

After one student managed to get php and oracle running in
a nonreproducible way we are looking into zend core for oracle.
Our hope is that we can avoid lots of installation and update issues
and I won't have to bother with mods.

>> - session management
>
> PHP is good with this. You can use session variables stored in superglobals,
> cookies or flat files to store your session variables in.

Ok. I've had a look around. Looks doable.

>> - login through active directory

Our users log in onto their PC in the morning and I don't want them to have
to log in again. Or at least, not having to manage yet another password.

> I reference a book called PHP and MySQL Web Development for code examples.

Ok.
Lots of Thanks!
Volker
Sep 2 '05 #21

Volker Hetzer wrote:
> Jerry Stuckle wrote:
>> Don't allow access to your Oracle server through the web, especially
>> if you have confidential data on it that's not needed by the web. If
>> someone successfully hacks your system, they not only could have full
>> access to the data in your Oracle databases, but they could damage
>> them as well.
>
> Thanks a lot for that advice but we do only an intranet application.
> Everything sits behind at least two firewalls, is not visible outside
> and users outside the company won't get access to it anymore than they
> do to for instance personnel records.
> Otherwise I fully agree, if it were visible outside the intranet we'd
> be a lot more careful about what we put in there.
>
> Lots of Greetings!
> Volker


Volker,

Ok, glad you're thinking about security.

BTW - while you're at it, those who know better than I estimate > 85% of
successful break-ins are from inside the company.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 2 '05 #22

Jerry Stuckle wrote:
> BTW - while you're at it, those who know better than I estimate > 85% of
> successful break-ins are from inside the company.

Yes, right, but if you're talking employees selling data acquired
in their normal course of work, that's kind of hard to avoid unless
you want to start an orwellian nightmare at all workplaces.
I mean, do you really want to look for hidden sd-cards in other
peoples boots? Check the memory of their cellphones? USB watches?
You can do that for Los Alamos or Sandia, maybe some departments
at Lockheed or Raytheon but not for a normal, civilian business.
And, you know, this is Germany, land of unions and long term
employment. So, employee disgruntlement is not that much of a problem,
neither are bribed short-term-profiteers.

If, on the other hand, we are talking a bribed cleaning lady, ok,
that's always a problem too. But since we are not the first server
or database in our company we simply follow procedure, keep the
data as safe as the data in the previous system was and make sure
the group of people accessing it doesn't get extended inadvertently
beyond the people that had access to the file share before.

Also, we do know the value of that data and while it's substantial
in terms of work spent on it, it's not medical or business data
and engineers and developers access it all the time. :-)

Lots of Greetings!
Volker
Sep 2 '05 #23

Volker Hetzer wrote:
> Jerry Stuckle wrote:
>> BTW - while you're at it, those who know better than I estimate > 85%
>> of successful break-ins are from inside the company.
>
> Yes, right, but if you're talking employees selling data acquired
> in their normal course of work, that's kind of hard to avoid unless
> you want to start an orwellian nightmare at all workplaces.
> I mean, do you really want to look for hidden sd-cards in other
> peoples boots? Check the memory of their cellphones? USB watches?
> You can do that for Los Alamos or Sandia, maybe some departments
> at Lockheed or Raytheon but not for a normal, civilian business.
> And, you know, this is Germany, land of unions and long term
> employment. So, employee disgruntlement is not that much of a problem,
> neither are bribed short-term-profiteers.
>
> If, on the other hand, we are talking a bribed cleaning lady, ok,
> that's always a problem too. But since we are not the first server
> or database in our company we simply follow procedure, keep the
> data as safe as the data in the previous system was and make sure
> the group of people accessing it doesn't get extended inadvertently
> beyond the people that had access to the file share before.
>
> Also, we do know the value of that data and while it's substantial
> in terms of work spent on it, it's not medical or business data
> and engineers and developers access it all the time. :-)
>
> Lots of Greetings!
> Volker


Volker,

A little of it is from people selling information they have as a normal course
of their work. However, this is pretty easy to trace, and not too many people
are that stupid.

Rather, most of it is from disgruntled employees who shouldn't have access to
the data. This can come from weak passwords, people posting passwords on their
monitor and a whole bunch of other things. Generally it's not the cleaning lady
:-).

Even though there isn't much of a chance of it happening - what would it cost
the company if the data did get out? And how much does it cost to protect the
data from leakage?

And no, I don't think I'm paranoid. Rather, I'm careful. I guess it comes from
too many years working for IBM and consulting for the U.S. Government. :-)

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 2 '05 #24

Volker Hetzer wrote:
> - login through active directory


Assuming a Linux or Solaris server, you should be able to use "pam_smb"
and "php_pam". (This is what I have set up at work, though that is with a
Windows NT domain, not AD.)

pam_smb: http://www.csn.ul.ie/~airlied/pam_smb/
php_pam: ftp://ftp.netexpress.net/pub/pam/

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Sep 3 '05 #25

Jerry Stuckle wrote:
> Yes, you are entitled to your opinion. But I hope you don't work on
> any of my customer's systems!

Who are your customers? ;-)

> This is NOT "high security". It's barely above "minimal security" -
> minimal being what most sites implement nowadays. - plain text
> passwords, usually without SSL, etc.

Ah, nobody was speaking of passwords at all really? We were talking about
replicating portions of a database so that the real database were not
directly manipulated by the end user, then implementing some sort of
syncing processes back and forth. To me that's overkill. For all we know
a very good password system is also in place. In fact that was my
assumption.

> Medium security would also enforce random password rules, SSL for much
> of the data, no telnet/ssh/ftp/sftp access, email on different
> servers, etc.
>
> Now if you want high security - you're talking multiple passwords
> which change by the minute (user has a little credit card sized device
> which flashes a new password every minute) and biometric
> identification, everything ssl, access only from specific IP
> addresses, etc.

Again we were not talking about passwords and SSL - we (or at least
I) were talking about unnecessary replication of the database.

> And no, this isn't hard to implement. Oracle's replication can be set
> up in a few minutes by someone who knows what they're doing. The
> additional scripts take maybe a half-hour to an hour to write
> each, depending on their complexity. Such a system can be easily set
> up in a couple of days. But, of course, you'd save some time on the
> web site because some of the code would be moved to the server site.

Ah, now you switched the argument back to DB replication. Clever, but it
doesn't fool me. And I believe it was also suggested to do a subset of
the DB. Doing the whole DB is wasteful in terms of space and time. Now
doing a subset may be easy and may not - it depends on the organization
of the data.

In any event, I fail to see how subsetting a DB and putting only a part
out there will really achieve any security if there are also all kinds of
automated synchronization scripts. The intruder can still infiltrate
your exposed data then just wait for the sync to occur. This then
becomes a false sense of security.

> It takes much longer to actually create the web pages and the back end
> programming than it does to isolate the database on a different server.

Irrelevant as the creation of the web pages and back end programming
need to be done anyway. All you're doing is adding more stuff to do,
more complexity to do the replication (thus making the data less
timely), etc. Now that's fine if you really get a benefit somewhere and
if that benefit or security is indeed required. I just don't see it in
this case. It was not even mentioned that such a worry or a problem
existed nor that there was any requirement for such.

> And BTW - you indicated you have worked on government systems from a
> consumer POV. You may not think they are the greatest sites - but
> there is a LOT of stuff behind the pages you don't see.

BFD. To me that is not relevant to this situation.

> For instance - check http://www.fcc.gov. You can access their
> wireless license database, but not private information such as DOB's
> and SSN's. You can even update your own records. But you won't be
> able to hack the main database - it isn't on the same system.


Is that really the situation that we have here? Or is that your assumption?

--
I used to have a handle on life, then it broke.
Sep 4 '05 #26

Andrew DeFaria wrote:

> Jerry Stuckle wrote:
>
>> Yes, you are entitled to your opinion. But I hope you don't work on
>> any of my customers' systems!
>
> Who are your customers? ;-)

Small and medium sized businesses and U.S. Government, mainly.

> Ah, nobody was speaking of passwords at all really? We were talking about
> replicating portions of a database so that the real database were not
> directly manipulated by the end user, then implementing some sort of
> syncing processes back and forth. To me that's overkill. For all we know
> a very good password system is also in place. In fact that was my
> assumption.

But weak passwords are often how these things are hacked.

>> Medium security would also enforce random password rules, SSL for much
>> of the data, no telnet/ssh/ftp/sftp access, email on different
>> servers, etc.
>>
>> Now if you want high security - you're talking multiple passwords
>> which change by the minute (user has a little credit card sized device
>> which flashes a new password every minute) and biometric
>> identification, everything ssl, access only from specific IP
>> addresses, etc.
>
> Again we were not talking about passwords and SSL - we (or at least
> I) was talking about unnecessary replication of the database.

No, but we ARE talking about protecting data.

>> And no, this isn't hard to implement. Oracle's replication can be set
>> up in a few minutes by someone who knows what they're doing. The
>> additional scripts take maybe a half-hour to an hour to write
>> each, depending on their complexity. Such a system can be easily set
>> up in a couple of days. But, of course, you'd save some time on the
>> web site because some of the code would be moved to the server site.
>
> Ah, now you switched the argument back to DB replication. Clever, but it
> doesn't fool me. And I believe it was also suggested to do a subset of
> the DB. Doing the whole DB is wasteful in terms of space and time. Now
> doing a subset may be easy and may not - it depends on the organization
> of the data.
>
> In any event, I fail to see how subsetting a DB and putting only a part
> out there will really achieve any security if there are also all kinds of
> automating synchronization scripts. The intruder can still infiltrate
> your exposed data then just wait for the sync to occur. This then
> becomes a false sense of security.

It's all part of protecting data. If you can't understand that data
that isn't there can't be hacked, then you have more than a little problem.

>> It takes much longer to actually create the web pages and the back end
>> programming than it does to isolate the database on a different server.
>
> Irrelevant as the creation of the web pages and back end programming
> need to be done anyway. All you're doing is adding more stuff to do,
> more complexity to do the replication (thus making the data less
> timely), etc. Now that's fine if you really get a benefit somewhere and
> if that benefit or security is indeed required. I just don't see it in
> this case. It was not even mentioned that such a worry or a problem
> existed nor that there was any requirement for such.

You indicated it was unnecessary work. It adds very little complexity
to the system. But a large step in security.

>> And BTW - you indicated you have worked on government systems from a
>> consumer POV. You may not think they are the greatest sites - but
>> there is a LOT of stuff behind the pages you don't see.
>
> BFD. To me that is not relevant to this situation.

Sure it is. For instance - the FCC has my SSN in its database. But you
won't be able to hack it through the web because that data is protected.

Remember - YOU brought up the subject of government systems. I just
gave you a real-life example of YOUR subject.

>> For instance - check http://www.fcc.gov. You can access their
>> wireless license database, but not private information such as DOB's
>> and SSN's. You can even update your own records. But you won't be
>> able to hack the main database - it isn't on the same system.
>
> Is that really the situation that we have here? Or is that your assumption?

That is the situation.

In case you're wondering - I do live in the D.C. area - and do a fair
amount of government work. And although I didn't work on this
particular system, I know some of the programmers who did.

It really looks like you have no idea of what security is. So - please
don't work on any of my customers' systems. And let me know which ones
you do work on - I don't want ANY of my personal data on them!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 4 '05 #27

Jerry Stuckle wrote:

> Andrew DeFaria wrote:
>
>> Jerry Stuckle wrote:
>>
>>> Yes, you are entitled to your opinion. But I hope you don't work on
>>> any of my customers' systems!
>>
>> Who are your customers? ;-)
>
> Small and medium sized businesses and U.S. Government, mainly.

Name names. I cannot tell if I've worked on any of your customers'
systems without such info!

>> Ah, nobody was speaking of passwords at all really? We were talking
>> about replicating portions of a database so that the real database were
>> not directly manipulated by the end user, then implementing some sort
>> of syncing processes back and forth. To me that's overkill. For all
>> we know a very good password system is also in place. In fact that
>> was my assumption.
>
> But weak passwords are often how these things are hacked.

That may be, however that was not what was being discussed here.

>>> Medium security would also enforce random password rules, SSL for
>>> much of the data, no telnet/ssh/ftp/sftp access, email on different
>>> servers, etc.
>>>
>>> Now if you want high security - you're talking multiple passwords
>>> which change by the minute (user has a little credit card sized
>>> device which flashes a new password every minute) and biometric
>>> identification, everything ssl, access only from specific IP
>>> addresses, etc.
>>
>> Again we were not talking about passwords and SSL - we (or at
>> least I) was talking about unnecessary replication of the database.
>
> No, but we ARE talking about protecting data.

So what? We are talking about protecting data even without any stated
requirement that the data needs protection. That's putting the cart
before the horse.

>>> And no, this isn't hard to implement. Oracle's replication can be
>>> set up in a few minutes by someone who knows what they're doing.
>>> The additional scripts take maybe a half-hour to an hour to
>>> write each, depending on their complexity. Such a system can be
>>> easily set up in a couple of days. But, of course, you'd save some
>>> time on the web site because some of the code would be moved to the
>>> server site.
>>
>> Ah, now you switched the argument back to DB replication. Clever, but it
>> doesn't fool me. And I believe it was also suggested to do a subset
>> of the DB. Doing the whole DB is wasteful in terms of space and time.
>> Now doing a subset may be easy and may not - it depends on the
>> organization of the data.
>>
>> In any event, I fail to see how subsetting a DB and putting only a
>> part out there will really achieve any security if there are also all
>> kinds of automating synchronization scripts. The intruder can still
>> infiltrate your exposed data then just wait for the sync to occur.
>> This then becomes a false sense of security.
>
> It's all part of protecting data. If you can't understand that data
> that isn't there can't be hacked, then you have more than a little
> problem.

As it turns out the system involved is not facing the "outside world"
anyway. IOW security requirements are not as broad as you incorrectly
assumed.

>>> It takes much longer to actually create the web pages and the back
>>> end programming than it does to isolate the database on a different
>>> server.
>>
>> Irrelevant as the creation of the web pages and back end programming
>> need to be done anyway. All you're doing is adding more stuff to do,
>> more complexity to do the replication (thus making the data less
>> timely), etc. Now that's fine if you really get a benefit somewhere
>> and if that benefit or security is indeed required. I just don't see
>> it in this case. It was not even mentioned that such a worry or a
>> problem existed nor that there was any requirement for such.
>
> You indicated it was unnecessary work.

Yes, and I still believe it is unnecessary, especially lacking a stated
requirement.

> It adds very little complexity to the system.

I disagree. It adds complexity to the system. If, or rather when, the
synchronization breaks down and needs attending to, it adds to the workload.

> But a large step in security.

I would beg to differ that it's a large step in security at all, but
nonetheless a step in security that was not asked for.

>>> And BTW - you indicated you have worked on government systems from a
>>> consumer POV. You may not think they are the greatest sites - but
>>> there is a LOT of stuff behind the pages you don't see.
>>
>> BFD. To me that is not relevant to this situation.
>
> Sure it is. For instance - the FCC has my SSN in its database.

So does Albertsons or any of a host of other businesses much less "secure"
than your blessed FCC. A false sense of security is what one gets when
they secure one place and fail to recognize that there are thousands of
other places that would-be thieves would probably use to get such info.

> But you won't be able to hack it through the web because that data is
> protected.

If your SS # is replicated to the external database then it would be as
exposed to capture as if the database was not replicated. Besides, and
real world, your SS# is probably available from many other sources anyway.

> Remember - YOU brought up the subject of government systems. I just
> gave you a real-life example of YOUR subject.

And I fail to see how it's relevant at all. We have no clear security
requirements stated yet you put forth recommendations based on FUD.
We have no indication of what the data is nor whether it contains
personal or confidential data nor an estimation of its value. We didn't
even have any indication of whether or not the data was available to the
masses or confined to an already secured lab (turns out it's Intranet only).

>>> For instance - check http://www.fcc.gov. You can access their
>>> wireless license database, but not private information such as DOB's
>>> and SSN's. You can even update your own records. But you won't be
>>> able to hack the main database - it isn't on the same system.
>>
>> Is that really the situation that we have here? Or is that your
>> assumption?
>
> That is the situation.

Really? But you are not the OP. How do you know that the FCC security
requirements are the same as that which is needed for the OP's
situation? Do you work with the OP? Or are you just spreading more
misinformation?

> In case you're wondering - I do live in the D.C. area - and do a fair
> amount of government work.

Good for you. That's wonderful (and wonderfully irrelevant).

> And although I didn't work on this particular system, I know some of
> the programmers who did.

Ah, so then you have insight into the security requirements for this
project? Or are you still just guessing? Because geeze, you didn't even
appear to know that it was Intranet only...

> It really looks like you have no idea of what security is.

Yes, I do know what security is. I was just questioning whether or not
such security was needed in this specific case. I saw nothing to
indicate that it was required and, lacking that, the steps proposed to get
additional security seemed like overkill to me. Why do you have such a
hard time grasping that simple concept?

> So - please don't work on any of my customers' systems.

Thanks for asking nicely, however I will work for whatever people wish to
employ me provided they pay well, your polite request notwithstanding.

And nay, I will implement as much security as required for the system
under task, but I do so from clear specifications that such security is
required. IOW I don't build a fortress when what was asked for is a tool
shed (this is one way to get $500 toilet seats!). Similarly, however, if
I notice that the tool shed would be carrying toxic stuff and there was
a real threat that it required stronger walls or a lock I surely will
suggest such things.

I do not, however, attempt to scare people into implementing additional
security where it is unwarranted simply to extend my contract.

> And let me know which ones you do work on - I don't want ANY of my
> personal data on them!

I'm everywhere! It's too late! ;-)

--
The trouble with doing something right the first time is that nobody
appreciates how difficult it was.
Sep 4 '05 #28

Andrew DeFaria wrote:

>> Small and medium sized businesses and U.S. Government, mainly.
>
> Name names. I cannot tell if I've worked on any of your customers'
> systems without such info!

I'm sorry - I don't give out my customers' names - especially in a
public forum!

>> But weak passwords are often how these things are hacked.
>
> That may be, however that was not what was being discussed here.

We were talking SECURITY - and passwords are part of it.

>> No, but we ARE talking about protecting data.
>
> So what? We are talking about protecting data even without any stated
> requirement that the data needs protection. That's putting the cart
> before the horse.

And a LOT of companies don't realize their data needs protection -
because they don't understand the risks and consequences. As a
consultant, part of my job is to identify possible risks and inform my
customers of them.

> As it turns out the system involved is not facing the "outside world"
> anyway. IOW security requirements are not as broad as you incorrectly
> assumed.

If the database is being directly accessed by the web site, it is facing
the outside world. Anyone hacking the web site can really screw up the
database.

And I did not "assume" anything. I pointed out a potential risk and how
to prevent it. It is up to the consultant and the company to determine
if the risk is valid and my solution is necessary.

But you incorrectly assumed the security requirements are not at all
necessary.

> Yes, and I still believe it is unnecessary, especially lacking a stated
> requirement.

Not understanding the customer's situation, you really have no idea.

>> It adds very little complexity to the system.
>
> I disagree. It adds complexity to the system. If, or rather when, the
> synchronization breaks down and needs attending to, it adds to the
> workload.

Have you ever done it? I have many times. I've done it on DB2, SQL
Server and Oracle.

If synchronization breaks down, that's a major problem with the
database. But it's a lot LESS of a problem than if the database gets
hacked!

>> But a large step in security.
>
> I would beg to differ that it's a large step in security at all, but
> nonetheless a step in security that was not asked for.

Right.

>> Sure it is. For instance - the FCC has my SSN in its database.
>
> So does Albertsons or any of a host of other businesses much less "secure"
> than your blessed FCC. A false sense of security is what one gets when
> they secure one place and fail to recognize that there are thousands of
> other places that would-be thieves would probably use to get such info.

I'm familiar with Albertsons as a company. While I don't know about
their IT department in detail, if they are anywhere near as competent as
the rest of the company, their critical data is not live on the web.

> If your SS # is replicated to the external database then it would be as
> exposed to capture as if the database was not replicated. Besides, and
> real world, your SS# is probably available from many other sources anyway.

But my SSN is NOT replicated to the external database. Part of security
is to replicate ONLY THE REQUIRED DATA.

>> Remember - YOU brought up the subject of government systems. I just
>> gave you a real-life example of YOUR subject.
>
> And I fail to see how it's relevant at all. We have no clear security
> requirements stated yet you put forth recommendations based on FUD.
> We have no indication of what the data is nor whether it contains
> personal or confidential data nor an estimation of its value. We didn't
> even have any indication of whether or not the data was available to the
> masses or confined to an already secured lab (turns out it's Intranet
> only).

Of course you don't. You don't understand security basics.

>> That is the situation.
>
> Really? But you are not the OP. How do you know that the FCC security
> requirements are the same as that which is needed for the OP's
> situation? Do you work with the OP? Or are you just spreading more
> misinformation?

Because I know the person who designed this part of the web site, and we
have discussed its implementation in detail.

>> In case you're wondering - I do live in the D.C. area - and do a fair
>> amount of government work.
>
> Good for you. That's wonderful (and wonderfully irrelevant).

It is relevant when you're questioning whether I understand Federal
government systems.

> Ah, so then you have insight into the security requirements for this
> project? Or are you still just guessing? Because geeze, you didn't even
> appear to know that it was Intranet only...

This project was intranet only. However, > 85% of security breaches
occur from INSIDE the company.

>> It really looks like you have no idea of what security is.
>
> Yes, I do know what security is. I was just questioning whether or not
> such security was needed in this specific case. I saw nothing to
> indicate that it was required and, lacking that, the steps proposed to get
> additional security seemed like overkill to me. Why do you have such a
> hard time grasping that simple concept?

So far I haven't seen any indication that you can do anything more than
spell security. But your spell checker probably helps there, also.

>> So - please don't work on any of my customers' systems.
>
> Thanks for asking nicely, however I will work for whatever people wish to
> employ me provided they pay well, your polite request notwithstanding.
>
> And nay, I will implement as much security as required for the system
> under task, but I do so from clear specifications that such security is
> required. IOW I don't build a fortress when what was asked for is a tool
> shed (this is one way to get $500 toilet seats!). Similarly, however, if
> I notice that the tool shed would be carrying toxic stuff and there was
> a real threat that it required stronger walls or a lock I surely will
> suggest such things.
>
> I do not, however, attempt to scare people into implementing additional
> security where it is unwarranted simply to extend my contract.

I explain the risks and consequences of poor security. I do it in a way
they can understand. That's one of the reasons they pay me. Another is
because I can implement multi-tiered security solutions.

Of course, they also hire me to help with run of the mill web page work.

>> And let me know which ones you do work on - I don't want ANY of my
>> personal data on them!
>
> I'm everywhere! It's too late! ;-)

Names, please! I can sell those names to hackers and make a fortune!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 5 '05 #29

Jerry Stuckle wrote:

> Andrew DeFaria wrote:
>
>>> Small and medium sized businesses and U.S. Government, mainly.
>>
>> Name names. I cannot tell if I've worked on any of your customers'
>> systems without such info!
>
> I'm sorry - I don't give out my customers' names - especially in a
> public forum!

Then I cannot answer your question.

>>> But weak passwords are often how these things are hacked.
>>
>> That may be, however that was not what was being discussed here.
>
> We were talking SECURITY - and passwords are part of it.

No, we were talking about needless replication of data in the name of a
false sense of security...

>>> No, but we ARE talking about protecting data.
>>
>> So what? We are talking about protecting data even without any stated
>> requirement that the data needs protection. That's putting the cart
>> before the horse.
>
> And a LOT of companies don't realize their data needs protection -
> because they don't understand the risks and consequences.

And a lot of companies don't need the security you are pushing.

> As a consultant, part of my job is to identify possible risks and
> inform my customers of them.

Yes, but I remain unconvinced that such a need exists still. And you
can't tell if it's necessary either. Neither of us has the specs,
requirements, etc.

>> As it turns out the system involved is not facing the "outside world"
>> anyway. IOW security requirements are not as broad as you incorrectly
>> assumed.
>
> If the database is being directly accessed by the web site, it is
> facing the outside world. Anyone hacking the web site can really
> screw up the database.

No, you are wrong. The data is not facing the outside world - it's in the
intranet and not accessible by the outside world. It is accessible to
the inside world as it were. (Later you admit that you have knowledge
that this is an intranet only situation. Why then do you say "If the
database is being directly accessed by the web site, it is facing the
outside world" when it clearly is not - at least not in most people's
common usage of "inside world" = intranet and "outside world" =
internet? Are you just trying to be argumentative?)

> And I did not "assume" anything. I pointed out a potential risk and
> how to prevent it.

You assumed there was a need for security, did you not?

> It is up to the consultant and the company to determine if the risk is
> valid and my solution is necessary.

You're selling FUD, plain and simple. Most security people do - that's
their thing.

> But you incorrectly assumed the security requirements are not at all
> necessary.

I stated my opinion, that it was overkill, especially given the lack of
a security requirement at all.

>> Yes, and I still believe it is unnecessary, especially lacking a stated
>> requirement.
>
> Not understanding the customer's situation, you really have no idea.

Nor do you. In general, however, if you are exposing parts of your
database to update from a web interface and wish to have other parts
remain secure then most DBMS' provide various forms and ways to
accomplish such security. It is reasonable to assume that the whole damn
database is not open wide to anybody who gets in, therefore the idea of
having to replicate just parts of the database so as to keep the other
parts "safe" seems ludicrous to me because it assumes that there is
absolutely no security implemented in the database to start with.

>>> It adds very little complexity to the system.
>>
>> I disagree. It adds complexity to the system. If, or rather when, the
>> synchronization breaks down and needs attending to, it adds to the
>> workload.
>
> Have you ever done it? I have many times. I've done it on DB2, SQL
> Server and Oracle.
>
> If synchronization breaks down, that's a major problem with the
> database. But it's a lot LESS of a problem than if the database gets
> hacked!

As I said, and you seem to agree, it adds complexity and yet another
point of failure. What we are really arguing is: is such added complexity
worth it? It may be, if the data is highly confidential and requires
extra security measures. Your assumption is that it does. What you base
that assumption on is questionable to me as you have not seen the specs.
My assumption is that it does not. What I base my assumption on is the
lack of any clear statement of required security. Hey, it may very well
require such security precautions or even more. But so far that still
has not been specified.

>>> But a large step in security.
>>
>> I would beg to differ that it's a large step in security at all, but
>> nonetheless a step in security that was not asked for.
>
> Right.

So it should not be implemented unless requested (or unless you really
know the data and feel the company is risking things, perhaps not knowing
the risks involved, but again we don't know that).

>>> Sure it is. For instance - the FCC has my SSN in its database.
>>
>> So does Albertsons or any of a host of other businesses much less
>> "secure" than your blessed FCC. A false sense of security is what one
>> gets when they secure one place and fail to recognize that there are
>> thousands of other places that would-be thieves would probably use to
>> get such info.
>
> I'm familiar with Albertsons as a company. While I don't know about
> their IT department in detail, if they are anywhere near as competent
> as the rest of the company, their critical data is not live on the web.

Expand that to a myriad of other companies that have the same info. Do
you really believe that your SS# is secure at every company that has
that info?

>> If your SS # is replicated to the external database then it would be
>> as exposed to capture as if the database was not replicated. Besides,
>> and real world, your SS# is probably available from many other
>> sources anyway.
>
> But my SSN is NOT replicated to the external database.

Did you miss that first word where I said "If"?

> Part of security is to replicate ONLY THE REQUIRED DATA.

Thus making such data less useful. Then again it's hard to say that
because again (I know I sound like a broken record) neither you nor I
have any inkling of the requirements and needs of this web application.
Maybe the SS# is required. Maybe even it needs to be available for
update. We just don't know the specifics. We could continue to speculate
if you like but I really don't see the point.

>>> Remember - YOU brought up the subject of government systems. I just
>>> gave you a real-life example of YOUR subject.
>>
>> And I fail to see how it's relevant at all. We have no clear security
>> requirements stated yet you put forth recommendations based on
>> FUD. We have no indication of what the data is nor whether it
>> contains personal or confidential data nor an estimation of its
>> value. We didn't even have any indication of whether or not the data
>> was available to the masses or confined to an already secured lab
>> (turns out it's Intranet only).
>
> Of course you don't. You don't understand security basics.

Yeah, right. But I sure know overkill when I see it. Of course our
government is the model of efficiency, modern data processing and
sharing of information, that's for sure! Hell, just take the USCIS for
example. Last I checked they still haven't updated their PDF files
with the correct pricing information. It's only been about 2 years now
but then again that's way faster than most normal businesses!

Yeah, I understand security. Security only really keeps honest people
honest. The dishonest people hardly slow down at all with security. It
just causes more frustration for honest, regular users and makes it so
that it's actually quicker to do things without computer systems! Yeah,
but we have to throw up these security barriers, even when unasked for
and unneeded, otherwise we'd process too many things at once and lord
knows different branches of the government that are supposed to talk to
one another will actually talk to one another and then the terrorists
will have a tough time and we wouldn't want that happening!

Give me a break!

>>> That is the situation.
>>
>> Really? But you are not the OP. How do you know that the FCC security
>> requirements are the same as that which is needed for the OP's
>> situation? Do you work with the OP? Or are you just spreading more
>> misinformation?
>
> Because I know the person who designed this part of the web site, and
> we have discussed its implementation in detail.

Then you are working with details that I am not. Now you could have
simply stated up front that you knew this and that such security was
required for this project, but no, you figured you'd argue a little
first. I see...

>>> In case you're wondering - I do live in the D.C. area - and do a
>>> fair amount of government work.
>>
>> Good for you. That's wonderful (and wonderfully irrelevant).
>
> It is relevant when you're questioning whether I understand Federal
> government systems.

Not really, but you can continue to think so if you want. Federal
government systems don't all emanate from DC ya know.

>> Ah, so then you have insight into the security requirements for this
>> project? Or are you still just guessing? Because geeze, you didn't
>> even appear to know that it was Intranet only...
>
> This project was intranet only. However, > 85% of security breaches
> occur from INSIDE the company.
>
>>> It really looks like you have no idea of what security is.
>>
>> Yes, I do know what security is. I was just questioning whether or not
>> such security was needed in this specific case. I saw nothing to
>> indicate that it was required and, lacking that, the steps proposed to
>> get additional security seemed like overkill to me. Why do you have
>> such a hard time grasping that simple concept?
>
> So far I haven't seen any indication that you can do anything more
> than spell security. But your spell checker probably helps there, also.

Look ma, no spell checker: security (and I didn't even just copy your
spelling either!) :-P

>>> So - please don't work on any of my customers' systems.
>>
>> Thanks for asking nicely, however I will work for whatever people wish
>> to employ me provided they pay well, your polite request
>> notwithstanding.
>>
>> And nay, I will implement as much security as required for the system
>> under task, but I do so from clear specifications that such security
>> is required. IOW I don't build a fortress when what was asked for is
>> a tool shed (this is one way to get $500 toilet seats!). Similarly,
>> however, if I notice that the tool shed would be carrying toxic stuff
>> and there was a real threat that it required stronger walls or a lock
>> I surely will suggest such things.
>>
>> I do not, however, attempt to scare people into implementing
>> additional security where it is unwarranted simply to extend my
>> contract.
>
> I explain the risks and consequences of poor security. I do it in a
> way they can understand. That's one of the reasons they pay me.
> Another is because I can implement multi-tiered security solutions.
>
> Of course, they also hire me to help with run of the mill web page work.

Good for you. I hope you don't resort to the same argument tactics you
do here with them.

>>> And let me know which ones you do work on - I don't want ANY of my
>>> personal data on them!
>>
>> I'm everywhere! It's too late! ;-)
>
> Names, please! I can sell those names to hackers and make a fortune!

Just as soon as you reveal yours! ;-)

However, if I say "I'm everywhere" then you can just assume it's
"everybody".

Have a nice day! Now go away because I really have no time for somebody
who withholds information like they have seen the specifications just to
argue with somebody else. You could have been up front and clear but
instead you decided just to be argumentative and quite frankly I do not
wish to argue with such deceptive people.
Sep 5 '05 #30

Toby Inkster wrote:
Volker Hetzer wrote:

- login through active directory

Assuming a Linux or Solaris server, you should be able to use "pam_smb"
and "php_pam". (This is what I have set up at work, though that is with a
Windows NT domain, not AD.)

pam_smb: http://www.csn.ul.ie/~airlied/pam_smb/
php_pam: ftp://ftp.netexpress.net/pub/pam/

Will do!
Volker
Sep 5 '05 #31
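The login flow that Toby's pam_smb + php_pam suggestion implies, as an added example that is not code from the thread or from either project. It assumes php_pam exposes a function of the shape `pam_auth($user, $pass, &$error)` returning a bool, that the PHP PAM service is called "php" and is stacked on pam_smb, and that the domain name and domain controller host names in the comments are placeholders:

```php
<?php
declare(strict_types=1);
// Added example (not from the thread or the pam_smb/php_pam projects).
// Assumptions: php_pam exposes pam_auth(string $user, string $pass, &$error): bool
// and talks to a PAM service named "php", stacked on pam_smb in /etc/pam.d/php:
//     auth     required   pam_smb_auth.so nolocal
//     account  required   pam_permit.so
// with /etc/pam_smb.conf holding the domain and its two domain controllers:
//     EXAMPLEDOM
//     pdc.example.local
//     bdc.example.local
// EXAMPLEDOM and the host names are placeholders, not values from the thread.

session_start();

function authenticate(string $user, string $pass): bool
{
    // Reject empty or odd-looking names before anything reaches PAM/SMB.
    if ($user === '' || $pass === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }
    if (!function_exists('pam_auth')) {
        throw new RuntimeException('php_pam extension is not loaded');
    }
    $error = '';
    $ok = pam_auth($user, $pass, $error);
    if (!$ok) {
        // Keep the PAM error text in the server log only; never echo it to the browser.
        error_log(sprintf('login failed for %s: %s', $user, $error));
    }
    return $ok;
}

function login(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;          // caller shows one generic message, account-exists or not
    }
    // A fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = time();
    return true;
}

function require_login(): string
{
    // Call at the top of every protected page; 8-hour idle limit is arbitrary.
    if (empty($_SESSION['user']) || time() - (int) $_SESSION['logged_in'] > 8 * 3600) {
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return (string) $_SESSION['user'];
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login((string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''))) {
        header('Location: /index.php');
        exit;
    }
    $message = 'Login failed.';
}
?>
<form method="post" action="">
  <?php if ($message !== '') { echo '<p>' . htmlspecialchars($message) . '</p>'; } ?>
  <label>User <input name="user"></label>
  <label>Password <input name="pass" type="password"></label>
  <button>Log in</button>
</form>
```

Two things to check before relying on this: the domain password travels from the browser to Apache in the POST body, so the form must be served over HTTPS; and pam_smb authenticates with the older SMB/NTLM exchange that Toby's Windows NT domain accepts, so confirm your Active Directory domain controllers still allow it before building on it.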

Andrew DeFaria wrote:
Jerry Stuckle wrote:

We were talking SECURITY - and passwords are part of it.

No we were talking about needless replication of data in the name of a
false sense of security...


It is needless to an idiot.


And a lot of companies don't need the security you are pushing.

And a lot of "consultants" have their heads up their anal orifices when
it comes to security.

Yes, but I remain unconvinced that such a need exists still. And you
can't tell if it's necessary either. Neither of us have the specs,
requirements, etc.

The clueless normally do. Are you also unconvinced you shouldn't leave
your front door unlocked? Or the keys in your car? I suspect so.


No you are wrong. The data is not facing the outside world - it's in the
intranet and not accessible by the outside world. It is accessible to
the inside world as it were. (Later you admit that you have knowledge
that this is an intranet only situation. Why then do you say "If the
database is being directly accessed by the web site, it is facing the
outside world" when it clearly is not - at least not in most people's
common usage of "inside world" = intranet and "outside world" =
internet? Are you just trying to be argumentative?)

By "outside world" I mean areas which do not normally have access to
that data. It may be inside the company or outside the company.

For instance - from the HR department's POV, the marketing department is
the "outside world". And HR is the "outside world" to the marketing
department. But of course you wouldn't understand this.


You assumed there was a need for security did you not?

I assumed nothing. I pointed out a potential weakness in their proposed
design, and an easy way to limit the exposure.



You're selling FUD, plain and simple. Most security people do - that's
their thing.

ROFLMAO! First of all, I am not a "security person". I am a developer
with almost 40 years of programming experience. I have worked on every
sized system from PC's to mainframes, in almost 20 different languages.

I started learning about data protection in my 13 years with IBM. I've
continued during the last 15 years as a consultant.

I've worked with "security people". They have a much different job. If
you knew anything about security, you'd understand that.

I stated my opinion, that it was overkill, especially given the lack of
a security requirement at all.

And you are totally clueless. Do you think every requirement was
specified in the original post? And do you think the customer
understands everything about potential exposures?

Not understanding the customer's situation, you really have no idea.

Nor do you. In general, however, if you are exposing parts of your
database to update from a web interface and wish to have other parts
remain secure then most DBMS' provide various forms and ways to
accomplish such security. It is reasonable to assume that the whole damn
database is not open wide to anybody who gets in, therefore the idea of
having to replicate just parts of the database so as to keep the other
parts "safe" seems ludicrous to me because it assumes that there is
absolutely no security implemented in the database to start with.


I have enough understanding to indicate a potential exposure and a
possible solution - which is all I did. It is up to them to determine
if the risk is acceptable or not.

And if you understood ANYTHING, you would realize that the security that
"most DBMS' provide" is very minimal. If the database is accessible, it
can be hacked. Just ask some major companies with serious DBMS' like
Oracle, SQL Server and DB2. All of these have been hacked.

And these are just the big cases. There are numerous other cases where
data has been accessed by unauthorized people. As I indicated earlier,
industry estimates are that > 85% of all security breaches are internal
- from disgruntled employees, for instance. But you normally don't hear
about them on the national news. However, this doesn't mean the breach
is not costly to the company.

And data which isn't there cannot be hacked.

As I said, and you seem to agree, it adds complexity and yet another
point of failure. What we are really arguing is whether such added complexity
is worth it. It may be, if the data is highly confidential and requires
extra security measures. Your assumption is that it does. What you base
that assumption on is questionable to me as you have not seen the specs.
My assumption is that it does not. What I base my assumption on is the
lack of any clear statement of required security. Hey it may very well
require such security precautions or even more. But so far that still
has not been specified.

No, we don't agree.

You're "adding complexity" by putting up a web page. You're "adding
complexity" by accessing a database. You're "adding complexity" by
providing password protection.

This implementation adds less complexity to the system than any of the
above. Replication is already built into the database - and well
tested. Setting up the replication is < 30 minutes. Then it runs
itself - and is as reliable as the DBMS itself.

You still have to read from the database. And write to the database.
This is still being done. The only difference is the writing is done
from a separate system. And there must be all of a couple of dozen
extra LOC to do this. Yea, when compared to a couple of thousand lines
on a web site, it's pretty minimal.

So it should not be implemented unless requested (or unless you really
know the data and feel the company is risking things perhaps not knowing
the risks involved but again we don't know that).

No, we don't know that. So you can't say it's unnecessary, can you?
Oh, but you have. Do you have some magic ESP or something?

Remember - all I did was mention a potential exposure and how it could
be minimized. I left it up to them to determine if it was necessary or not.

YOU are the one who determined it was overkill - with absolutely no more
knowledge of their situation than I had.

I love your kind of consultant. You know more about the "solution" than
you do the problem. You don't take the time to understand the
customer's needs. But you know the answer. They don't need security!

I've made hundreds of thousands of dollars in my consulting business by
picking up after people like you. But then I bother to understand my
customer's needs, clearly explain possible solutions and risks involved
with each solution, and let them make the decision.


Expand that to a myriad of other companies that have the same info. Do
you really believe that your SS# is secure at every company that has
that info?

I believe it's secure in every company system I've worked on. I don't
believe it's secure in ANY system you've worked on.

But my SSN is NOT replicated to the external database.

Did you miss that first word where I said "If"?


No, I didn't miss the "if". My SSN was not replicated - so the rest of
your statement was meaningless.
Part of security is to replicate ONLY THE REQUIRED DATA.

Thus making such data less useful. Then again it's hard to say that
because again (I know I sound like a broken record) neither you nor I
have any inkling of the requirements and needs of this web application.
Maybe the SS# is required. Maybe even it needs to be available for
update. We just don't know the specifics. We could continue to speculate
if you like but I really don't see the point.


Wrong again. Data which is unnecessary does not make anything less
useful. If I'm designing an inventory control system, I really don't
care about the orbit of Jupiter. It's unnecessary data, and does
not affect my HR system at all. However, if I'm working on a guidance
system for a space probe, details on the orbit of Jupiter are important.

The same here. SSN's are of no importance to the marketing department,
and HR doesn't care about sales figures. To each, the other's data is
superfluous and does not affect the usability of their own data.

Yeah, right. But I sure know overkill when I see it. Of course our
government is the model of efficiency, modern data processing and
sharing of information, that's for sure! Hell just take the USCIS for
example. Last I checked, they still haven't updated their PDF files
with the correct pricing information. It's only been about 2 years now
but then again that's way faster than most normal businesses!

Again, you understand the user's company, the data involved,
requirements for how the data is to be used, the potential exposures if
the data is misused, and the consequences thereof.

Gee, you must have the greatest ESP around!
Yeah I understand security. Security only really keeps honest people
honest. The dishonest people hardly slow down at all with security. It
just causes more frustration for honest, regular users and makes it so
that it's actually quicker to do things without computer systems! Yeah
but we have to throw up these security barriers, even when unasked for
and unneeded, otherwise we'd process too many things at once and lord
knows different branches of the government that are supposed to talk to
one another will actually talk to one another and then the terrorists
will have a tough time and we wouldn't want that happening!

Give me a break!

Of course you believe that. Minimal security as you propose only keeps
the honest people honest.

Fortunately, my bank, my doctor, the government and virtually every
medium and large company understand that this isn't true - and that you
can implement higher security which will keep dishonest people out.

What I suggested will not keep everyone out. But it will provide a lot
more protection.
Because I know the person who designed this part of the web site, and
we have discussed its implementation in detail.

Then you are working with details that I am not. Now you could have
simply stated up front that you knew this and that such security was
required for this project, but no you figured you'd argue a little
first. I see...


Again, I didn't say that such security was necessary for the project. I
only pointed out a potential weakness and a possible solution, leaving
it up to them to determine if it was necessary.

It was YOU who, in all of your great knowledge, indicated that this
level of security was unnecessary. Again - your ESP must be on overtime
because you knew the security was unnecessary from the little bit of
data given.


It is relevant when you're questioning whether I understand Federal
government systems.

Not really but you can continue to think so if you want. Federal
government systems don't all emanate from DC ya know.


No, they don't all emanate from D.C. But they are all managed from D.C.
in one way or another.


Good for you. I hope you don't resort to the same argument tactics you
do here with them.

No, I don't argue with them. They're not clueless.

And BTW, YOU are the one who hopped in uninvited and indicated my
solution was "unnecessary". And you continue to indicate my solution is
unnecessary. Despite no knowledge of the customer's needs or situation.


Just as soon as you reveal yours! ;-)

However, if I say "I'm everywhere" then you can just assume it's
"everybody".

Have a nice day! Now go away because I really have no time for somebody
who withholds information like they have seen the specifications just to
argue with somebody else. You could have been up front and clear but
instead you decided just to be argumentative and quite frankly I do not
wish to argue with such deceptive people.


Speaking about yourself, huh? Remember - you started it!

And no, I don't have any other information on the customer's needs. But
I don't tell him something is necessary or unnecessary. But I do offer
options.

And I have no desire to have a discussion with a "know it all" idiot who
is way out of his league - but too stupid to realize it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 5 '05 #32

Jerry Stuckle wrote:
And a lot of companies don't need the security you are pushing.
And a lot of "consultants" have their heads up their anal orifices
when it comes to security.


You mean like you...
Yes, but I remain unconvinced that such a need exists still. And you
can't tell if it's necessary either. Neither of us have the specs,
requirements, etc.


The clueless normally do.


I'm not clueless - just not paranoid like you.
Are you also unconvinced you shouldn't leave your front door
unlocked? Or the keys in your car? I suspect so.
Right. I can say that sometimes I lock it and sometimes I don't.
No you are wrong. The data is not facing the outside world - it's in
the intranet and not accessible by the outside world. It is
accessible to the inside world as it were. (Later you admit that you
have knowledge that this is an intranet only situation. Why then do
you say "If the database is being directly accessed by the web site, it
is facing the outside world" when it clearly is not - at least not in
most people's common usage of "inside world" = intranet and "outside
world" = internet? Are you just trying to be argumentative?)


By "outside world" I mean areas which do not normally have access to
that data. It may be inside the company or outside the company.


How convenient that you have chosen to redefine common usage of such
terms so as to cover your ass...
You assumed there was a need for security did you not?


I assumed nothing. I pointed out a potential weakness in their
proposed design, and an easy way to limit the exposure.


Are you really this dense? Of course you assumed stuff. You assumed that
there was a need for security and that they were concerned about it. Now
they may or may not be - but assumptions you made nonetheless.
You're selling FUD, plain and simple. Most security people do -
that's their thing.


ROFLMAO! First of all, I am not a "security person".


I know - you're just pretending to be!
I am a developer with almost 40 years of programming experience. I
have worked on every sized system from PC's to mainframes, in almost
20 different languages.

I started learning about data protection in my 13 years with IBM.
I've continued during the last 15 years as a consultant.
Toot, toot. BFD.
I've worked with "security people". They have a much different job.
If you knew anything about security, you'd understand that.
I do know about security - at least enough to know that it's not always
a requirement.
I stated my opinion, that it was overkill, especially given the lack
of a security requirement at all.


And you are totally clueless.


No.
Do you think every requirement was specified in the original post?
And do you think the customer understands everything about potential
exposures?
I would think, especially after haggling about this for this long, that
if there were any requirements then they would have been stated by now, or
at least an acknowledgment that there were at least some security
requirements. But they still haven't said anything, and that says a lot
- all in my favor.
Not understanding the customer's situation, you really have no idea.


Nor do you. In general, however, if you are exposing parts of your
database to update from a web interface and wish to have other parts
remain secure then most DBMS' provide various forms and ways to
accomplish such security. It is reasonable to assume that the whole
damn database is not open wide to anybody who gets in, therefore the
idea of having to replicate just parts of the database so as to keep
the other parts "safe" seems ludicrous to me because it assumes that
there is absolutely no security implemented in the database to start
with.


I have enough understanding to indicate a potential exposure and a
possible solution - which is all I did. It is up to them to determine
if the risk is acceptable or not.

And if you understood ANYTHING, you would realize that the security
that "most DBMS' provide" is very minimal.


And your supposed solution adds nothing really to make things more
secure. Mere replication merely replicates. If you allow updates to the
replicated data and then sync them, the updates get replicated. If the
aim of the hacker was to say change or erase data then your
replication has done absolutely zip to stop him from accomplishing his
goal save made him wait until sync time. BFD!
If the database is accessible, it can be hacked. Just ask some major
companies with serious DBMS' like Oracle, SQL Server and DB2. All of
these have been hacked.
Anything can be hacked. Security is never 100%. If it's the data that
you are protecting then your solution has added no security - at least
no security the DBMS couldn't have equally done.
And these are just the big cases. There are numerous other cases
where data has been accessed by unauthorized people. As I indicated
earlier, industry estimates are that > 85% of all security breaches
are internal - from disgruntled employees, for instance. But you
normally don't hear about them on the national news. However, this
doesn't mean the breach is not costly to the company.

And data which isn't there cannot be hacked.
But the data is there - it's replicated according to you.
As I said, and you seem to agree, it adds complexity and yet another
point of failure. What we are really arguing is whether such added
complexity is worth it. It may be, if the data is highly confidential
and requires extra security measures. Your assumption is that it
does. What you base that assumption on is questionable to me as you
have not seen the specs. My assumption is that it does not. What I
base my assumption on is the lack of any clear statement of required
security. Hey it may very well require such security precautions or
even more. But so far that still has not been specified.


No, we don't agree.

You're "adding complexity" by putting up a web page. You're "adding
complexity" by accessing a database. You're "adding complexity" by
providing password protection.

This implementation adds less complexity to the system than any of the
above.


Yes however the whole frigging point here is that they are implementing
the web page and adding access to the database based on
username/passwords to provide utility and functionality to a subset of
people. This is indeed useful, otherwise they wouldn't be doing it in
the first place! Your idea of securing things by replication adds
little additional security that is probably already present in the DB
itself (or at least it should be). IOW it adds light not heat.
Replication is already built into the database - and well tested.
Setting up the replication is < 30 minutes. Then it runs itself - and
is as reliable as the DBMS itself.

You still have to read from the database. And write to the database.
This is still being done.
Which doesn't increase security as it is still possible that the hacker
can write or read the data he or she wants.
The only difference is the writing is done from a separate system.
Which really means nothing at all (save possibly another system sale).
And there must be all of a couple of dozen extra LOC to do this. Yea,
when compared to a couple of thousand lines on a web site, it's pretty
minimal.
Most of those couple of thousand lines on the web site is just
descriptive text - not code. Descriptive text never has bugs save say
misspellings which doesn't actively perform any action!
So it should not be implemented unless requested (or unless you
really know the data and feel the company is risking things perhaps
not knowing the risks involved but again we don't know that).


No, we don't know that.


Oh so your previous implication that you were privy to the requirements
was a pure fabrication and you're pulling assumptions out of your
frigging ass! I see - not surprised but I do see.
So you can't say it's unnecessary, can you? Oh, but you have. Do you
have some magic ESP or something?
No but it's not necessarily rocket science to assume that since it was
not mentioned it probably was not wanted. Sure you can propose anything
you want. I could, for example, propose that they relocate the systems
to some underground secret lab and require that anybody wishing to have
access to said data pass through 2 guards, a finger print check and a
retina scan before being allowed to access a terminal into the secure
system. That surely would be even more secure than your solution however
it is equally unwarranted. Before suggesting such things it makes sense
to understand the nature of the data and its importance. Then you can
suggest additional security.
Remember - all I did was mention a potential exposure and how it could
be minimized. I left it up to them to determine if it was necessary
or not.
So did I above. And it was silly, just like your suggestion.
YOU are the one who determined it was overkill - with absolutely no
more knowledge of their situation than I had.
Absolutely, because I'm reasonable and not paranoid.
I love your kind of consultant. You know more about the "solution"
than you do the problem. You don't take the time to understand the
customer's needs. But you know the answer. They don't need security!
What? How is this any different than you! You know the solution before
you do the problem too. You make a suggestion, one that will take
effort, perhaps hoping that they'd hire you (i.e. self interest). You
have not taken the time to understand the customer's needs either and
then you play between implying that you understand the requirements to
you just don't know. You also suggest you know the answer too - they
need additional security, and yet you have no indication that they do.
On my side is the fact that they didn't request it. On your side is
nothing - ' cept FUD of course, which was my original point.
I've made hundreds of thousands of dollars in my consulting business
by picking up after people like you.
Bingo! You wish to sell them security.
But then I bother to understand my customer's needs, clearly explain
possible solutions and risks involved with each solution, and let them
make the decision.
'Cept you surely didn't bother to understand this customer's needs before
offering your solution. Just like any other two faced consultant
speaking out of both sides of your ass at the same time. Good work there!
Expand that to a myriad of other companies that have the same info.
Do you really believe that your SS# is secure at every company that
has that info?


I believe it's secure in every company system I've worked on. I don't
believe it's secure in ANY system you've worked on.


Nor is it secure in hundreds of other systems that neither of us have
worked on, which is my point! The data is not secure to start with.
Making it secure in this instance does little to nothing to secure the
this data, as this data does not emanate solely from secure systems.
Thus it is not secure by definition. As an analogy, it's like putting 2,
3 or 4 locks on the driver's side door of a car when the passenger's
side has no locks. It's a foolish and stupid activity.
But my SSN is NOT replicated to the external database.


Did you miss that first word where I said "If"?


No, I didn't miss the "if". My SSN was not replicated - so the rest
of your statement was meaningless.


But your SS# was indeed replicated - not by a DBMS nor even by the same
company. To use the analogy again, yes that 4th lock on the drivers door
did add additional security to that side - however the other side is
still totally open. To assume your "car" is therefore now safe is stupid!
Part of security is to replicate ONLY THE REQUIRED DATA.


Thus making such data less useful. Then again it's hard to say that
because again (I know I sound like a broken record) neither you nor I
have any inkling of the requirements and needs of this web
application. Maybe the SS# is required. Maybe even it needs to be
available for update. We just don't know the specifics. We could
continue to speculate if you like but I really don't see the point.


Wrong again. Data which is unnecessary does not make anything
less useful.


Yes but your assumption is that the data is unnecessary. As you don't
know which data is necessary or unnecessary you just can't say - even
though you will. For all you know all of the data is necessary.
If I'm designing an inventory control system, I really don't care
about the orbit of Jupiter. It's unnecessary data, and does not
affect my HR system at all. However, if I'm working on a guidance
system for a space probe, details on the orbit of Jupiter are important.
Come on! Really. What DBA designed a database that contains both
inventory control data and guidance data in the same database?!?
Geeze what a weak argument. And BTW, why does the HR database have
inventory control stuff in it and why would HR care to access it? Geeze
if this is how you build databases it's no wonder you are so paranoid.
Hell I wouldn't even want anybody to see such a crummy design!
The same here. SSN's are of no importance to the marketing
department, and HR doesn't care about sales figures. To each, the
other's data is superfluous and does not affect the usability of their
own data.
And thus shouldn't be in the same database to start with!
Yeah, right. But I sure know overkill when I see it. Of course our
government is the model of efficiency, modern data processing and
sharing of information, that's for sure! Hell just take the USCIS for
example. Last I checked, they still haven't updated their PDF files
with the correct pricing information. It's only been about 2 years
now but then again that's way faster than most normal businesses!


Again, you understand the user's company, the data involved,
requirements for how the data is to be used, the potential exposures
if the data is misused, and the consequences thereof.


I do understand that in normal operations of thousands, if not millions
of other businesses it surely does not take 2 years to fix a pricing
error in a PDF file. In fact it takes minutes! But not for our
government thanks to asinine thinking from government contractors like
you. It really has nothing to do with a user's company (there is no
company involved here rather the government) nor the data involved (save
to say that the data is incorrect). As for requirements of the data it
seems pretty clear to me that the requirement of this particular piece
of data is to inform the user of the data what the fucking price is! And
it's wrong, and has been for the last 2 years! Potential for misuse?!?
Are you kidding! The misuse of this data is to either pay too much or
too little for the service. In either case the government only accepts
the exact amount. Pay too little and you don't get the service (and you
get months of additional delay). Pay too much and you get the same
thing. This is unlike most business where if they did list the wrong
price they would be forced to accept the price they listed.

Then again wasn't it those wonderful contractors who actually approved
the visas of several of the 9/11 terrorists 6 months after 9/11! Ah yes,
government efficiency and superior skills in securing what needs to be
secured and making available data to only those who need it. A fine
example indeed.
Gee, you must have the greatest ESP around!
Not ESP but indeed practical intelligence. And yes I knew this already.
Yeah I understand security. Security only really keeps honest people
honest. The dishonest people hardly slow down at all with security.
It just causes more frustration for honest, regular users and makes
it so that it's actually quicker to do things without computer
systems! Yeah but we have to throw up these security barriers, even
when unasked for and unneeded, otherwise we'd process too many things
at once and lord knows different branches of the government that are
supposed to talk to one another will actually talk to one another and
then the terrorists will have a tough time and we wouldn't want that
happening!

Give me a break!


Of course you believe that. Minimal security as you propose only
keeps the honest people honest.


Yes it does. Maximum security promotes uselessness.
Fortunately, my bank, my doctor, the government and virtually every
medium and large company understand that this isn't true - and that
you can implement higher security which will keep dishonest people out.
As well as make systems that frustrate honest people enough that they
just don't even use them anymore or that cause correcting a simple
pricing error a 2 year or longer affair. Meantime honest people get hurt
badly. But that's OK because you cannot argue nor sue government for
their screw ups and you give such government employees such wonderful
excuses to justify their ungodly and otherwise unacceptably long wait
times. Wonderful system you got there.
What I suggested will not keep everyone out. But it will provide a
lot more protection.
Unwanted and unasked for protection that is.
Because I know the person who designed this part of the web site,
and we have discussed its implementation in detail.


Then you are working with details that I am not. Now you could have
simply stated up front that you knew this and that such security was
required for this project, but no you figured you'd argue a little
first. I see...


Again, I didn't say that such security was necessary for the project.
I only pointed out a potential weakness and a possible solution,
leaving it up to them to determine if it was necessary.


I still think they should go with my "under the mountain, must give a
DNA sample to access the secure lab" idea. Much, much more secure... ;-)
It was YOU who, in all of your great knowledge, indicated that this
level of security was unnecessary. Again - your ESP must be on
overtime because you knew the security was unnecessary from the little
bit of data given.
Yes, thank you very much for recognizing my superior insight here. :-P
It is relevant when you're questioning whether I understand Federal
government systems.


Not really but you can continue to think so if you want. Federal
government systems don't all emanate from DC ya know.


No, they don't all emanate from D.C. But they are all managed from
D.C. in one way or another.


Again adding the irrelevancy...
Good for you. I hope you don't resort to the same argument tactics
you do here with them.


No, I don't argue with them. They're not clueless.

And BTW, YOU are the one who hopped in uninvited and indicated my
solution was "unnecessary". And you continue to indicate my solution
is unnecessary. Despite no knowledge of the customer's needs or
situation.


And you have very little knowledge too, but pretend to know it all. And
BTW, how did I hop in here any more uninvited than you. Your solution
was not asked for either. Finally, why do you think I need an
invitation? This is, after all, an open forum.
Just as soon as you reveal yours! ;-)

However, if I say "I'm everywhere" then you can just assume it's
"everybody".

Have a nice day! Now go away because I really have no time for
somebody who withholds information like they have seen the
specifications just to argue with somebody else. You could have been
up front and clear but instead you decided just to be argumentative
and quite frankly I do not wish to argue with such deceptive people.


Speaking about yourself, huh? Remember - you started it!


No I didn't. You posted first. I commented on your post - remember? Or
are you that senile? I do not need permission to offer my opinion, nor
do you. As for information on requirements, I'm still not clear whether
you have that information or not. Sometimes you say you do, and sometimes
you say you don't. In any event it seems clear to me that you're selling
security and you do so through FUD.
And no, I don't have any other information on the customer's needs.
But I don't tell him something is necessary or unnecessary. But I do
offer options.
Yes I have not one but two options. One is that perhaps additional
security is not a concern. The other is the secure bunker option. Pick
one! :-D
And I have no desire to have a discussion with a "know it all" idiot
who is way out of his league - but too stupid to realize it.


That's funny but one couldn't prove that. After all you keep yapping and
yapping! (As I do back at you but at this point it's more to expose you
and to have fun at your expense).
--
If it's true that we are here to help others, then what exactly are the
others here for?
Sep 5 '05 #33

Andrew DeFaria wrote:
Jerry Stuckle wrote:
I'm not clueless - just not paranoid like you.


ROFLMAO!

By "outside world" I mean areas which do not normally have access to
that data. It may be inside the company or outside the company.

How convenient that you have chosen to redefine common usage of such
terms so as to cover your ass...


ROFLMAO! No - you just assumed a POV which wasn't accurate.

ROFLMAO! First of all, I am not a "security person".

I know - you're just pretending to be!


Nope. I have never claimed to be a security person. Unlike you who has
claimed to be a programmer.
I am a developer with almost 40 years of programming experience. I
have worked on every sized system from PC's to mainframes, in almost
20 different languages.

I started learning about data protection in my 13 years with IBM.
I've continued during the last 15 years as a consultant.

Toot, toot. BFD.


Better than you!
I've worked with "security people". They have a much different job.
If you knew anything about security, you'd understand that.

I do know about security - at least enough to know that it's not always
a requirement.


You don't know shit about security.
I stated my opinion, that it was overkill, especially given the lack
of a security requirement at all.

And you are totally clueless.

No.


Yep.
Do you think every requirement was specified in the original post?
And do you think the customer understands everything about potential
exposures?

I would think, especially after haggling about this for this long, that
if there were any requirements then they would have been stated by now, or
at least an acknowledgment that there were at least some security
requirements. But they still haven't said anything, and that says a lot
- all in my favor.


Nope. This has all been about your stupidity and naivety.

<rest of the drivel snipped>

Sorry, I just realized I'm arguing with a complete idiot. And I don't
lower myself to that level.

Have fun. And I hope you don't cost your customers TOO much. I don't
give a damn about you. However, I REALLY hate to see people be snowed
by the likes of you.

OTOH, I've made some of my best money picking up the pieces idiots just
like you have left.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 6 '05 #34

Jerry Stuckle wrote:
I'm not clueless - just not paranoid like you.
ROFLMAO!


Glad I could entertain you...
By "outside world" I mean areas which do not normally have access to
that data. It may be inside the company or outside the company.


How convenient that you have chosen to redefine common usage of such
terms so as to cover your ass...


ROFLMAO! No - you just assumed a POV which wasn't accurate.


Not really. The outside and inside worlds are pretty well known. It was
you who abused the term not I.
ROFLMAO! First of all, I am not a "security person".


I know - you're just pretending to be!


Nope. I have never claimed to be a security person.


Whew! That's a relief!
Unlike you who has claimed to be a programmer.
Ah but I am.
I am a developer with almost 40 years of programming experience. I
have worked on every sized system from PC's to mainframes, in almost
20 different languages.

I started learning about data protection in my 13 years with IBM.
I've continued during the last 15 years as a consultant.


Toot, toot. BFD.


Better than you!


Not really dude.
Do you think every requirement was specified in the original post?
And do you think the customer understands everything about potential
exposures?


I would think, especially after haggling about this for this long,
that if there were any requirements then they would have been stated by
now, or at least an acknowledgment that there were at least some
security requirements. But they still haven't said anything, and that
says a lot - all in my favor.


Nope. This has all been about your stupidity and naivety.


Doesn't matter. Fact remains. There are no stated security requirements.
To assume otherwise is your foolishness.
<rest of the drivel snipped>
Because you had no come back for the truth.
Sorry, I just realized I'm arguing with a complete idiot.
You're just realizing this? What does that say about you?
And I don't lower myself to that level.
You have already and have continued to do so. If you really thought I
was just an idiot you would have quit long ago. IOW you've already
lowered yourself to what you perceive my level is. Truth be told you
have not managed to elevate your level high enough yet so you're
quitting. Great!
Have fun.
I always do.
And I hope you don't cost your customers TOO much.
I don't cost my customers anything. It's strictly a value for value deal.
I don't give a damn about you.
Sure you do. Otherwise you would not have responded as often as you did.
However, I REALLY hate to see people be snowed by the likes of you.
I'm snowing nobody. I'm simply telling it like it is, based on what it
is. It was you who was spreading FUD not me - remember?
OTOH, I've made some of my best money picking up the pieces idiots
just like you have left.


I'd venture to guess that you've never made a penny off of anything I've
ever done.
--
And when I get real, real bored, I like to drive downtown and get a
great parking spot, then sit in my car and count how many people ask me
if I'm leaving.
Sep 6 '05 #35
