Hey, everyone. Not A Programmer in the house here.
I'm going to be starting an Associate Degree education in Web Programming (I can provide specifics if it's important) and I was wondering if I could get an idea of hardware requirements for a laptop. Right now my only computer is hooked up to my TV and there's no way I'm hunching in front of that for all of my class work.
I can't imagine that the hardware requirements would be very demanding for those sorts of projects, correct?
Also, how concerned should I be about being bad at math?
The good news is that the hardware demands for web programming are low. Notepad++ is a free example of software you might use. You however will most likely be looking into Dreamweaver, which should be picked up cheap via your college campus, which is also not demanding. Photoshop comes in handy too. Even if you're not an artist, it has nice things like the Image Processor scripts that let you compress a folder full of pictures and automatically make thumbnails for them, or compress them all for fast web viewing.
You most likely will be buying one of the Adobe packages with a web focus that will have Dreamweaver and Photoshop.
Hey, everyone. Not A Programmer in the house here.
I'm going to be starting an Associate Degree education in Web Programming (I can provide specifics if it's important) and I was wondering if I could get an idea of hardware requirements for a laptop. Right now my only computer is hooked up to my TV and there's no way I'm hunching in front of that for all of my class work.
I can't imagine that the hardware requirements would be very demanding for those sorts of projects, correct?
Also, how concerned should I be about being bad at math?
You can probably pick up a cheapo laptop and be fine. Uninstalling all their crapware first would be beneficial though. Unless you want a desktop then you can splurge for the same price. I'd imagine web devs love laptops though.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
Any good books on Cyber Security that you guys are aware of? I'm currently going through "The Rootkit Arsenal" and it's really amazing and I think I'd like to learn more about viruses/malware and stuff like that.
Don't write your password down. That's about all I know.
Also a government organization is arguing about whether SHA2 hashes should be used over SHA1 hashes. Like... really, you think that's going to be your point of weakness, 256 vs 160 bit hashes or whatever? How about not using REST for data transfer, yeah, maybe that'd be a good idea.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
Not even just that. How about you TRAIN people how to not be incredibly stupid with their online surfing habits. That's especially including Social Networking sites.
Well this is all for that CCHIT/meaningful use push for medical records. As if a SHA2 hash is going to make user passwords more secure. I think the NSA uses SHA1 because there's just no reason to go above and beyond for hashing.
I'm waiting for them to tell me AES isn't good enough for encryption now.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
Well this is all for that CCHIT/meaningful use push for medical records. As if a SHA2 hash is going to make user passwords more secure. I think the NSA uses SHA1 because there's just no reason to go above and beyond for hashing.
I'm waiting for them to tell me AES isn't good enough for encryption now.
I forgot that's what you're dealing with. My apologies.
An application I wrote has just been pen-tested within the past few months, so I've had compliance and security on the brain for a while now.
Basically, SHA1 is next to useless now as there's so many rainbow tables for it available. What's recommended is doing recursive SHA256 hashing as many times as you can handle without affecting performance. Based on the build of the server I was working on and the speed of the language / framework I ended up with a 10,000 pass recursive hash seeded with a private key value and the current time in milliseconds. That satisfied the security company, anyway.
Look into CSRF tokens / nonce values too -- they're exceptionally useful for increasing security at negligible cost.
But, like others have said, even the most secure password hashing / security system in the world is only as good as the users using it. Even if you're storing data securely, there's nothing stopping people writing down their password or reading it out to someone over the phone who sounds professional.
The one about the fucking space hairdresser and the cowboy. He's got a tinfoil pal and a pedal bin
baronfel
@SporkAndrew pen-tested as in penetration testing? If you can offer specifics, what kind of things were stressed during that testing? Were you pushing a purely software solution, or some kind of integrated hardware/software combo that had to be tested?
I've not done any specifically security-conscious stuff, so am rather intrigued by what pen-testing would cover.
I thought AES had a vulnerability? I thought it could be broken relatively quickly (a few years, rather than outside the length of a human life). So, it should be used for things that are of no use in several years (ie. passwords that change on a regular basis) rather than personal information (ie. Social security numbers and medical records).
It could be a different encryption standard I’m thinking of.
When people unite together, they become stronger than the sum of their parts.
Don't assume bad intentions over neglect and misunderstanding.
An application I wrote has just been pen-tested within the past few months, so I've had compliance and security on the brain for a while now.
Basically, SHA1 is next to useless now as there's so many rainbow tables for it available. What's recommended is doing recursive SHA256 hashing as many times as you can handle without affecting performance. Based on the build of the server I was working on and the speed of the language / framework I ended up with a 10,000 pass recursive hash seeded with a private key value and the current time in milliseconds. That satisfied the security company, anyway.
Look into CSRF tokens / nonce values too -- they're exceptionally useful for increasing security at negligible cost.
But, like others have said, even the most secure password hashing / security system in the world is only as good as the users using it. Even if you're storing data securely, there's nothing stopping people writing down their password or reading it out to someone over the phone who sounds professional.
I'm using SHA256 with a customizable pass setting (as required I guess, they want to be able to modularly set up an interface engine to test data security and imports). By default internally I use a 5 pass SHA256 for password crypto. Passwords are required to be 15 characters in length, but no requirements on complexity, mainly so I get people used to using sentences as passwords rather than writing down things like 135XD$1djjj34%1%%!!!030zj56JJ
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
I thought AES had a vulnerability? I thought it could be broken relatively quickly (a few years, rather than outside the length of a human life). So, it should be used for things that are of no use in several years (ie. passwords that change on a regular basis) rather than personal information (ie. Social security numbers and medical records).
It could be a different encryption standard I’m thinking of.
Well you should never encrypt passwords. Hashing should deal with passwords and passphrases to verify a match. Basically you store the hash of a password in your database, which is a one way encryption, and then when someone logs in, you hash, and see if the hashes match.
Security-wise, it seems to be okay to do this with AES providing you're using a better key size than 128. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security. You'd need someone with a quantum computer or a huge distributed net of computers attempting to crack the key. Probably not altogether useful unless you have physical access to the machines in question.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
@SporkAndrew pen-tested as in penetration testing? If you can offer specifics, what kind of things were stressed during that testing? Were you pushing a purely software solution, or some kind of integrated hardware/software combo that had to be tested?
I've not done any specifically security-conscious stuff, so am rather intrigued by what pen-testing would cover.
It was a web-based system that was penetration tested, so it covered hardware (the server setup) as well as software (the system itself). For the hardware side of things they essentially did a few port scans, checked things with known vulnerabilities weren't installed (phpMyAdmin / Plesk / etc.) and tried to log in using common usernames / passwords.
Software-wise they tested for the following (copied straight from the report):
Injection
Cross Site Scripting (XSS)
Broken Authentication/Session Management
Insecure Direct Object References
Cross Site Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Un-validated Redirects and Forwards
If any of those had any vulnerabilities at all then you'd fail. We failed on crypto, broken session management and CSRF, which was what prompted me to implement nonce values, the recursive hashing and locking down the session cookie to HttpOnly. What we ended up implementing was way over the top for the usage that the system gets, but at least it's as secure as it can be for now.
The one about the fucking space hairdresser and the cowboy. He's got a tinfoil pal and a pedal bin
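The two fixes named in the post above, CSRF nonce values and an HttpOnly session cookie, as an added example that is not the poster's code. The token is a random nonce plus an HMAC over the session id and the nonce, so it cannot be forged without the server key, cannot be replayed against another session, and is consumed on first use. The server key, the in-memory nonce set, the cookie name and the handler shape are assumptions for the example; in a real deployment the nonce store would live with the session.

```python
import hashlib
import hmac
import secrets

# Assumed for this example: one per-deployment server key and an in-memory nonce store.
SERVER_KEY = secrets.token_bytes(32)
_issued_nonces: set = set()


def _mac(session_id: str, nonce: str) -> bytes:
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest().encode()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(key, session_id:nonce): bound to this session and single-use."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def consume_csrf_token(session_id: str, token: str) -> bool:
    """Reject tokens that are malformed, forged, issued for another session, or replayed."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    if not hmac.compare_digest(_mac(session_id, nonce), mac.encode()):
        return False
    if nonce not in _issued_nonces:        # never issued, or already spent
        return False
    _issued_nonces.discard(nonce)          # one shot: resubmitting the same form fails
    return True


def session_set_cookie(session_id: str) -> str:
    """Set-Cookie value for the session: no script access, HTTPS only, no cross-site POSTs."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_state_changing_post(cookies: dict, form: dict) -> tuple:
    """Check order for any POST that changes state: session first, then the CSRF token."""
    session_id = cookies.get("sid")
    if not session_id:
        return 401, "no session"
    if not consume_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing, forged, cross-session or replayed CSRF token"
    return 200, "ok"


if __name__ == "__main__":
    sid = secrets.token_hex(16)
    print(session_set_cookie(sid))
    tok = issue_csrf_token(sid)
    print(handle_state_changing_post({"sid": sid}, {"csrf_token": tok}))   # (200, 'ok')
    print(handle_state_changing_post({"sid": sid}, {"csrf_token": tok}))   # 403: replay
    print(handle_state_changing_post({"sid": "other"}, {"csrf_token": issue_csrf_token(sid)}))  # 403
```

The HMAC binding is what makes the token useless to an attacker who only holds the session cookie of a different victim, and the nonce set is what turns it from a per-session secret into a genuine one-time value.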
I always go to SRP for password logins when I can. It has the nice property that even if the internal DB gets read, I don't think it's possible to log in based on what the DB has in it. Additionally, the client can verify that the server actually has the password, you don't need an SSL session to secure it, and you end up with a session key.
I thought AES had a vulnerability? I thought it could be broken relatively quickly (a few years, rather than outside the length of a human life). So, it should be used for things that are of no use in several years (ie. passwords that change on a regular basis) rather than personal information (ie. Social security numbers and medical records).
It could be a different encryption standard I’m thinking of.
Well you should never encrypt passwords. Hashing should deal with passwords and passphrases to verify a match. Basically you store the hash of a password in your database, which is a one way encryption, and then when someone logs in, you hash, and see if the hashes match.
As for security wise, it seems to be okay to do this with AES providing you're using a better keysize than 128. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security. You'd need someone with a quantum computer or a huge distributed net of computers attempting to crack the key. Probably not altogether useful unless you have physical access to the machines in question.
Yeah, passwords are a bad example, but something that is of strategic importance for only a certain period of time. Maybe a publicly traded company’s quarterly information is a better example. I recall some security technique that could be broken with a few years on a modern computer.
When people unite together, they become stronger than the sum of their parts.
Don't assume bad intentions over neglect and misunderstanding.
I always go to SRP for password logins when I can. It has the nice property that even if the internal DB gets read, I don't think it's possible to log in based on what the DB has in it, additionally the client can verify that the server actually has the password, you don't need an SSL session to secure it and you end up with a session key
SRP appears to be SHA256 bit with some added rejiggering behind the scenes.
And Dogma, that was probably DES or AES128
http://srp.stanford.edu/design.html
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
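The SRP exchange the two posts above discuss, as an added example in Python that is not any poster's code and not a library's API. It runs SRP-6a with both sides' messages: the server stores only a salt and a verifier, the client proves knowledge of the password without sending it, the server proves it holds the verifier, and both end with the same session key. Assumptions: the 1024-bit group is the one from RFC 5054 as reproduced here (check it against the RFC before relying on it; any N keeps the arithmetic consistent, only a safe prime keeps it secure), SHA-256 is the hash, and the proof messages M1/M2 use the simplified forms H(A|B|K) and H(A|M1|K).

```python
import hashlib
import hmac
import secrets

# Group (N, g): the 1024-bit group from RFC 5054, copied here; verify against the RFC.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element, as the RFC hashes them."""
    return x.to_bytes(NBYTES, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = hash_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(salt: bytes, username: str, password: str) -> int:
    return hash_int(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def make_verifier(username: str, password: str):
    """Enrolment: the DB gets (salt, v = g^x). The password itself never reaches it."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, username, password), N)


class SrpServer:
    def __init__(self, db):
        self.db = db  # username -> (salt, verifier)

    def challenge(self, username: str):
        self.salt, self.v = self.db[username]
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * self.v + pow(G, self.b, N)) % N
        return self.salt, self.B

    def verify(self, A: int, M1: bytes) -> bytes:
        if A % N == 0:                               # degenerate A: abort
            raise ValueError("invalid client public value")
        u = hash_int(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        self.key = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(A) + pad(self.B) + self.key).digest()
        if not hmac.compare_digest(expected, M1):
            raise ValueError("client proof failed: wrong password or tampered exchange")
        return hashlib.sha256(pad(A) + M1 + self.key).digest()   # M2: server's proof


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(G, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:                               # degenerate B: abort
            raise ValueError("invalid server public value")
        x = private_x(salt, self.username, self.password)
        u = hash_int(pad(self.A), pad(B))
        S = pow((B - K_MULT * pow(G, x, N)) % N, self.a + u * x, N)
        self.key = hashlib.sha256(pad(S)).digest()
        return hashlib.sha256(pad(self.A) + pad(B) + self.key).digest()   # M1

    def check_server(self, M1: bytes, M2: bytes) -> bool:
        """Accept the session only if the server proved it holds the verifier."""
        expected = hashlib.sha256(pad(self.A) + M1 + self.key).digest()
        return hmac.compare_digest(expected, M2)


def run_login(db: dict, username: str, password_typed: str) -> bool:
    """Full exchange; True only when both proofs verify and the keys agree."""
    server, client = SrpServer(db), SrpClient(username, password_typed)
    salt, B = server.challenge(username)            # server -> client: s, B
    M1 = client.respond(salt, B)                    # client -> server: A, M1
    try:
        M2 = server.verify(client.A, M1)            # server -> client: M2
    except ValueError:
        return False
    return client.check_server(M1, M2) and client.key == server.key


if __name__ == "__main__":
    users = {"alice": make_verifier("alice", "correct horse battery staple")}
    print(run_login(users, "alice", "correct horse battery staple"))  # True
    print(run_login(users, "alice", "wrong password"))                # False
```

The property the first post relies on is visible in `make_verifier` and `SrpServer.verify`: a copy of the DB gives an attacker (salt, v), and computing S from that still needs either the client's private exponent or the password, so the stolen table does not log anyone in. Only the client ever evaluates `private_x`.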
I don't know if it's just because it's 5pm on Friday but I need some math programming help.
I have two rectangles in 2D space, one is already placed in this 2D space at any rotation. The second will be placed within the boundaries of this first rectangle.
I need to work out if the insert point (the 2D coord the user picks with the mouse, top left corner of the rect) of this second rectangle sits within the first half or second half of the first, and place it inline with the first carrying on the flow, so the rotation and the positioning must match up.
Anyone care to point me in the right thought direction? From what I remember does it involve moving the squares to the origin doing checks then moving them back?
That's probably what I'd do. Keep record of rotation, zero it, place square inside it, rotate both back to the original rotation. I'm sure there are fancy maths, but implement first, then optimize.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
So I am having memory issues in PHP. I posted in my own thread a bit ago, forgetting that it's probably best just to post it in here. Long story short, my application is getting majorly bloated in memory use. I am using zend_framework and it appears as though Zend may be including the models each time a new instance of a class uses the model.
Basically I have two classes, Class 1 and Class 2. Class 2 is an object within Class 1.
So let's say we have Object 1A, which is of Class 1. When it first creates object 2A (of class 2) the memory usage is a ton, let's say 1MB. But if it creates more objects of class 2, it isn't bad, maybe .1MB a piece. So it seems like the auto-loader is using a ton of memory including the file for Class 2. That's fine, it has to include the file.
But, the part that is messed up is...
Let's say we also have Object 1B, which is of class 1. It experiences the same memory usage as Object 1A. So when it first creates its instance of class 2, it has a 1MB footprint, but additional objects only incur a .1MB footprint.
This ends up making Object 1A and Object 1B have footprints of over 1MB a piece. I have no idea how to solve this issue. I am doing manual memory clean up to unset any variables that are no longer used. The problem is, clearing out object 2A only nets me back .1MB. That initial load still takes up 1MB and I do not know how to clean that up. I think the zend_auto-loader is the problem, but I don't know enough about it to really fix it.
Or maybe I am way off base. I could understand the initial load of a class taking quite a bit of memory, but it shouldn't do it again when another object loads that same class.
Another way would be to construct a basis from the first rectangle, which is similar, but involves moving the point (and "world") to the rectangle, which can be easier if all you have are coordinates and not rotations
For a 2d basis, you need any two points, I'll assume you have the logical top left & top right corners in standard vector x,y form (tl & tr) and the mouse point (pt)
bx = (tr-tl)
by = bx' where bx' is bx rotated by 90 degrees, for 2d this is simply swapping x & y. For a rectangle where "down" is really the positive direction, you may want to negate the resulting vector to get a more sensible result
Then solve for pt = a * bx + b * by. a,b is your coordinate in the rectangle-world. Note that the rectangle-world coordinates are scaled to the length of bx, which, conveniently, is what you want, a >= 0.5 gives you the "right half"
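The basis approach in the post above, carried through in Python as an added example (not the poster's code). It builds bx from the top edge, takes by as the perpendicular (-y, x) rather than a plain swap of x and y (a swap alone is a reflection, not a rotation), translates the mouse point by tl before solving, and solves the 2x2 system with Cramer's rule. Function names and the test rectangles are this example's own.

```python
from typing import Tuple

Vec = Tuple[float, float]


def rect_basis(tl: Vec, tr: Vec) -> Tuple[Vec, Vec]:
    """bx runs along the top edge; by is bx turned 90 degrees, i.e. (-y, x)."""
    bx = (tr[0] - tl[0], tr[1] - tl[1])
    by = (-bx[1], bx[0])
    return bx, by


def rect_coords(tl: Vec, tr: Vec, pt: Vec) -> Vec:
    """Solve pt - tl = a*bx + b*by for (a, b) by Cramer's rule.
    Both are in units of the top-edge length, so a in [0, 1] spans the width."""
    bx, by = rect_basis(tl, tr)
    px, py = pt[0] - tl[0], pt[1] - tl[1]
    det = bx[0] * by[1] - by[0] * bx[1]   # equals |bx|^2; zero only if tl == tr
    if det == 0:
        raise ValueError("top-left and top-right corners coincide")
    a = (px * by[1] - by[0] * py) / det
    b = (bx[0] * py - bx[1] * px) / det
    return a, b


def in_right_half(tl: Vec, tr: Vec, pt: Vec) -> bool:
    a, _ = rect_coords(tl, tr, pt)
    return a >= 0.5


def to_world(tl: Vec, tr: Vec, a: float, b: float) -> Vec:
    """Inverse map: rectangle coordinates back to world, for placing the second rectangle
    at the same rotation as the first."""
    bx, by = rect_basis(tl, tr)
    return (tl[0] + a * bx[0] + b * by[0], tl[1] + a * bx[1] + b * by[1])


if __name__ == "__main__":
    # Unrotated rectangle with its top edge from (5,5) to (15,5); point 70% across, 30% down.
    print(rect_coords((5, 5), (15, 5), (12, 8)))          # (0.7, 0.3)
    # The same rectangle rotated 90 degrees: the same (a, b) comes back.
    print(rect_coords((0, 0), (0, 10), (-3, 7)))          # (0.7, 0.3)
    print(in_right_half((0, 0), (0, 10), (-3, 7)))        # True
    print(to_world((5, 5), (15, 5), 0.7, 0.3))            # (12.0, 8.0)
```

Because by has the same length as bx, b is also in units of the top edge, which is why a rectangle of any aspect ratio still needs only these two corners.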
No, two sockets, bound to the same port. Basically I want to offer the same service on both ipv4 and ipv6, but I don't think I can say they're on different ports
WSCEnumProtocols to check if ip6 is installed and create your own socket class maybe? (You'll obviously need a separate code base for BSD sockets on OSX and it supports the IP6 by default anyways... two code-bases for netcode it seems)
http://msdn.microsoft.com/en-us/library/system.net.sockets.socketoptionname.aspx (ipv6_only set to false)
Edit: seems to be supported on Unix and it's already off by default there:
http://stackoverflow.com/questions/1618240/how-to-support-both-ipv4-and-ipv6-connections
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
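The single-socket approach from the links above (IPV6_V6ONLY set to false on an AF_INET6 socket), as an added example in Python rather than any poster's code. One listener on [::] then serves both families, and an IPv4 client shows up with an IPv4-mapped peer address. The function names and the loopback demo are this example's own; on Windows the option defaults to on, on most Unixes to off, so setting it explicitly is what makes one code path work on both.

```python
import socket


def open_dual_stack_listener(port: int = 0):
    """One AF_INET6 socket serving both IPv4 and IPv6.
    Returns (socket, bound_port, v6only_flag); the flag should read back as 0."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Windows defaults IPV6_V6ONLY to 1 (one socket per family); most Unixes to 0.
    # Setting it explicitly gives the same behaviour everywhere.
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    sock.bind(("::", port))
    sock.listen(5)
    v6only = sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY)
    return sock, sock.getsockname()[1], v6only


def peer_of_v4_client(listener) -> str:
    """Connect over plain IPv4 loopback and report how the v6 listener sees the peer:
    an IPv4-mapped address such as ::ffff:127.0.0.1."""
    port = listener.getsockname()[1]
    with socket.create_connection(("127.0.0.1", port), timeout=2):
        conn, addr = listener.accept()
        conn.close()
    return addr[0]


if __name__ == "__main__":
    srv, port, flag = open_dual_stack_listener()
    print("listening on [::]:%d, IPV6_V6ONLY=%d" % (port, flag))
    print("IPv4 client seen as", peer_of_v4_client(srv))   # ::ffff:127.0.0.1
    srv.close()
```

If access control is done on peer address, the mapped form is the one that reaches the server, so an allow-list written for 127.0.0.1 alone will not match it.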
Noted. I'll install it and give it a shot... Thanks guys.
We use BeyondCompare at work and it's sexy and all, but I'm not sure what practical advantages it gives above and beyond WinMerge. You could also check out KDiff, which is what we used before the move to BC.
We use BeyondCompare at work and it's sexy and all, but I'm not sure what practical advantages it gives above and beyond WinMerge. You could also check out KDiff, which is what we used before the move to BC.
Same. We have a bunch of licenses at work but there are several free comparables.
Even as "old" as it is, why is TextMate so good? Seriously I love it
GnomeTank, Portland, Oregon (edited May 2012)
BeyondCompare is probably the best diff/merge tool I've ever used, but really there is such a small relative gap in functionality, that I'm not sure "best" even matters enough to pay money for it. I use it at work where the company pays for it, but at home I just use KDiff.
re. Lua: 5.1.4 is currently installed.
WinMerge is likely more than enough.