Search Results

Search found 635 results on 26 pages for 'joel cochran'.

Page 4/26 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Patching and PCI Compliance

    - by Joel Weise
    One of my friends and master of the security universe, Darren Moffat, pointed me to Dan Anderson's blog the other day. Dan went to Toorcon, which is a security conference, where he went to a talk on security patching titled "Stop Patching, for Stronger PCI Compliance". I realize that oftentimes speakers will use a headline-grabbing title to create interest in their talk, and this one certainly got my attention. I did not go to the conference and did not see the presentation, so I can only go by what is in the Toorcon agenda summary and on Dan's blog, but the general statement to stop patching for stronger PCI compliance seems a bit misleading to me. Clearly patching is important to all systems management and should be a part of any organization's security hygiene. Further, PCI does require the patching of systems to maintain compliance. So it's important to mention that organizations should not simply stop patching their systems; and I want to believe that was not the speaker's intent. So let's look at PCI requirement 6: "Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software." Notice the word "appropriate" in the requirement. This is stated to give organizations some latitude to apply patches that make sense in their environment and that target the vulnerabilities in question. Haven't we all seen a vulnerability scanner throw a false positive and flag some module and point to a recommended patch, only to realize that the module doesn't exist on our system? Applying such a patch would obviously not be appropriate.
    This does not mean an organization can ignore the fact that they need to apply security patches. It's pretty clear they must. Of course, organizations have other options in terms of compliance when it comes to patching. For example, they could remove a system from scope and make sure that system does not process or contain cardholder data. [This may or may not be a significant undertaking. I just wanted to point out that there are always options available.] PCI DSS requirement 6.1 also includes the following note: "Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months." Notice there is no mention of stopping the patching of one's systems. And the note also states organizations may apply a risk-based approach. [A smart approach, but also not mandated.] Such a risk-based approach is not intended to remove the requirement to patch one's systems. It is meant, as stated, to allow one to prioritize their patch installations. So what does this mean to an organization that must comply with PCI DSS and maintain some sanity around their patch management and overall operational readiness? I for one like to think that most organizations take a common-sense and balanced approach to their business and security posture. If patching is becoming an unbearable task, review why that is the case and possibly look for means to improve operational efficiencies; but also recognize that security is important to maintaining the availability and integrity of one's systems. Likewise, whether we like it or not, the cyber-world we live in is getting more complex and threatening - and I don't think it's going to get better any time soon.

    Read the article

  • Issues running commands

    - by Joel
    Every time I run a command I get this back.
    E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
    E: Unable to lock directory /var/lib/apt/lists/
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
    christopher@christopher:~$
    This didn't start happening until I changed my device name.

    Read the article

  • Git-based storage and publishing, infrastructure advice

    - by Joel Martinez
    I wanted to get some advice on moving a system to "the cloud" ... specifically, I'm looking to move into some of Windows Azure's managed services, as right now I'm managing a VM. Basically, the system operates on some data stored in a GitHub git repository. I'll describe the current architecture: Current system (all hosted on a single server): GitHub - configured with a webhook pointing at ... ASP.NET MVC application - to accept the webhook from git. It pushes a message onto ... Azure Service Bus queue - which is drained by ... Windows Service - pulls the message from the queue and ... fetches the latest data from the git repository (using LibGit2Sharp) onto the local disk and finally ... operates on the data in git to produce a static HTML website hosted/served by IIS. The system works really well, actually ... but I would like to get out of the business of managing the VM, and move to using some combination of Azure web and worker roles. But because the system relies so heavily on the git repository on the local filesystem, I'm finding it difficult to figure out how to architect it in the cloud. I know you can get file system access, so in theory I could just fetch the repository if there's nothing on disk ... but the performance/responsiveness of the system sort of depends on the repository being available and only having to fetch diffs, which is relatively quick. As opposed to periodically having to fetch the entire (somewhat large) git repository if the web or worker role was recycled, or something. So I would love some advice on how you would architect such a system :) Ultimately, the only real requirement is to be able to serve HTML content that's been produced from the contents of a git repository (in a relatively responsive manner, from a publishing perspective) ... please feel free to ask any clarifying questions if there's something I omitted. Thanks!

    Read the article
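The front of the pipeline described in the question above (webhook in, message onto a queue, worker decides what to fetch) as an added example that is not the poster's code. It is written in Python rather than the ASP.NET/.NET stack the question uses, and it assumes things the question does not state: a webhook secret shared with GitHub so the receiver can check the `X-Hub-Signature-256` header over the raw body before trusting the payload, a queue modelled as a plain list, and local branch state as a `ref -> sha` dict. The `plan_fetch` step is where the "only fetch diffs" concern lands: a recycled role instance with nothing on disk clones, an instance that still has the `before` commit fetches just the delta, and a duplicate delivery is a no-op. The sample delivery at the bottom is constructed.

```python
"""Added example, not the poster's code: verify a GitHub push webhook and
enqueue only the facts the worker needs. Assumptions (not from the post):
the shared secret is configured on both sides, the queue is modelled as a
Python list, and local branch state is a dict of ref -> commit sha."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Hub-Signature-256"  # GitHub sends "sha256=<hex hmac>"
EVENT_HEADER = "X-GitHub-Event"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Value GitHub places in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Constant-time comparison over the raw body, never over re-serialised JSON."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def handle_webhook(secret: bytes, headers: dict, body: bytes, queue: list):
    """Return (http_status, reason). Only verified push events reach the queue."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 401, "bad signature"
    if headers.get(EVENT_HEADER) != "push":
        return 202, "ignored event"
    event = json.loads(body)
    queue.append({
        "clone_url": event["repository"]["clone_url"],
        "ref": event["ref"],
        "before": event["before"],
        "after": event["after"],
    })
    return 202, "queued"


def plan_fetch(msg: dict, local_heads: dict) -> str:
    """Decide what the worker must do for a queued message.

    local_heads maps ref -> sha of the commit currently checked out on disk.
    """
    current = local_heads.get(msg["ref"])
    if current is None:
        return "clone"              # nothing on disk (fresh role instance)
    if current == msg["after"]:
        return "noop"               # already current, e.g. duplicate delivery
    if current == msg["before"]:
        return "fetch-incremental"  # exactly the delta this push introduced
    return "fetch-full"             # missed pushes; fetch everything and rebuild


# Constructed sample delivery (shape follows GitHub's push payload).
SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/main",
    "before": "1111111111111111111111111111111111111111",
    "after": "2222222222222222222222222222222222222222",
    "repository": {"clone_url": "https://github.com/example/site.git"},
}).encode()
SAMPLE_HEADERS = {
    EVENT_HEADER: "push",
    SIGNATURE_HEADER: sign_payload(SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    q = []
    print(handle_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, q), q)
    print(plan_fetch(q[0], {"refs/heads/main": "1" * 40}))
```

Two things worth keeping from this when porting it back to ASP.NET: sign over the raw request bytes (re-serialising the JSON changes whitespace and breaks the MAC), and keep the queue message small and idempotent so a redelivered webhook or a restarted worker converges on the same `after` commit instead of re-cloning.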

  • Why do programmers seem to be such bad spellers?

    - by Joel Etherton
    Programming languages are very precise tools based on explicit grammars. They're very picky, and when being used they require an exacting amount of detail. C#, for instance, is case sensitive so even getting the case of an argument wrong will cause an error. Questions asked all over the StackExchange are replete with misspellings, grammatical errors, and other problems that seem to indicate a lack of attention to detail when it comes to the language itself. Now, I understand there are a lot of programmers out there whose native language is not English, and I am not directing this question (rant one might say) at them. I'm referring to the individuals who are clearly from an English speaking background who refuse to pay attention to these simple details. I am not perfect by any means, but I try to use the language correctly so that my meaning will be understood correctly. I find programmers misspelling variable names, classes, and all manner of words in any kind of technical documentation they might write. I have had to withstand code where I am repeatedly referring to the subit[sic] button or HttpWebResponse reponse. The general complaint about bad spelling is one thing, and it will always be there. I accept that. But my question/comment is about the proclivity of bad spelling within the programming community. I would think that people who deal with such exacting tools to be more naturally predisposed towards proper spelling. Yet this doesn't seem to be the case.

    Read the article

  • Buy vs. Build - FTP Service

    - by Joel Martinez
    We have a need to FTP files that are generated by our system, so we're trying to decide whether we should spend the time to build something that meets our criteria (relatively easy, .NET has FTP functionality built in, among other more advanced libs from 3rd parties). Or if we should buy something off the shelf. Our requirements are roughly: Must be able to trigger a file send programmatically Needs to retry N number of times (configurable) Queryable status of FTP requests Callback on completion or fail of an FTP request I don't need to be sold on the relative simplicity of building something like that for myself. However I do want to do the due diligence of seeing what products are available ... because if something does exist that matches the requirements above, I wouldn't mind paying for it :-) Any thoughts or links would be greatly appreciated. Thanks!

    Read the article

  • What should every programmer know about web development?

    - by Joel Coehoorn
    What things should a programmer implementing the technical details of a web application consider before making the site public? If Jeff Atwood can forget about HttpOnly cookies, sitemaps, and cross-site request forgeries all in the same site, what important thing could I be forgetting as well? I'm thinking about this from a web developer's perspective, such that someone else is creating the actual design and content for the site. So while usability and content may be more important than the platform, you the programmer have little say in that. What you do need to worry about is that your implementation of the platform is stable, performs well, is secure, and meets any other business goals (like not costing too much, taking too long to build, and ranking as well with Google as the content supports). Think of this from the perspective of a developer who's done some work for intranet-type applications in a fairly trusted environment, and is about to have his first shot at putting out a potentially popular site for the entire big bad world wide web. Also, I'm looking for something more specific than just a vague "web standards" response. I mean, HTML, JavaScript, and CSS over HTTP are pretty much a given, especially when I've already specified that you're a professional web developer. So going beyond that: which standards? In what circumstances, and why? Provide a link to the standard's specification.

    Read the article

  • What's the difference between cheap and expensive domain registrars?

    - by Joel
    A few years ago I registered a domain with Network Solutions. In recent years I've been using cheaper services such as namecheap, powerpipe etc. Every time that I need to renew some of the older domains with Network Solutions I am surprised at how much more expensive they are. What is the reason for the price differences between the services? Why should I use a service like Network Solutions if there are so many companies out there that offer domain registration for a very cheap price?

    Read the article

  • Setting up Beats audio on HP Pavilion m6

    - by Joel Auterson
    I have an HP Pavilion m6-1054sa laptop, with a Beats subwoofer on the bottom. The normal laptop speakers work fine under Ubuntu but the Beats speaker(s?) does not. Anyone know how to get this working? Here's my lspci output, if it helps...
    00:00.0 Host bridge: Intel Corporation Ivy Bridge DRAM Controller (rev 09)
    00:01.0 PCI bridge: Intel Corporation Ivy Bridge PCI Express Root Port (rev 09)
    00:02.0 VGA compatible controller: Intel Corporation Ivy Bridge Graphics Controller (rev 09)
    00:14.0 USB controller: Intel Corporation Panther Point USB xHCI Host Controller (rev 04)
    00:16.0 Communication controller: Intel Corporation Panther Point MEI Controller #1 (rev 04)
    00:1a.0 USB controller: Intel Corporation Panther Point USB Enhanced Host Controller #2 (rev 04)
    00:1b.0 Audio device: Intel Corporation Panther Point High Definition Audio Controller (rev 04)
    00:1c.0 PCI bridge: Intel Corporation Panther Point PCI Express Root Port 1 (rev c4)
    00:1c.1 PCI bridge: Intel Corporation Panther Point PCI Express Root Port 2 (rev c4)
    00:1d.0 USB controller: Intel Corporation Panther Point USB Enhanced Host Controller #1 (rev 04)
    00:1f.0 ISA bridge: Intel Corporation Panther Point LPC Controller (rev 04)
    00:1f.2 RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 04)
    00:1f.3 SMBus: Intel Corporation Panther Point SMBus Controller (rev 04)
    01:00.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI Thames XT/GL [Radeon HD 7600M Series] (rev ff)
    07:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. Device 5289 (rev 01)
    07:00.2 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 0a)
    08:00.0 Network controller: Intel Corporation Centrino Wireless-N 2230 (rev c4)

    Read the article

  • How do I make custom bootsplash and wallpapers [closed]

    - by joel
    Possible Duplicate: How to customize live Ubuntu CD? I would like to customize my Ubuntu install with my own wallpaper. I know where to change the wallpapers: I copy my wallpaper into /usr/share/wallpapers and then modify the contests/xml file in order to use it, but that's about it. How can I also change the following with the same image: the login image (lightdm), boot screen and shutdown screen (plymouth)?

    Read the article

  • Dynamic audio score/music

    - by Joel Martinez
    I'm interested in developing a game whose background music changes with the mood and scenario of the game's action. Of course many existing games do this (Halo for example), but I was interested in any resources/papers/articles talking about the techniques to develop a system like this. I have some ideas, and I understand that this will be equally challenging to implement at the code level as it will be to come up with or acquire music that fits this model. Any links or answers with ideas in them would be appreciated. Edit: this is the kind of info I'm looking for :) http://halo.bungie.org/misc/gdc.2002.music/

    Read the article

  • America The Vulnerable

    - by Naresh Persaud
    At the Executive Edge this week, Joel Brenner shared his perspective on the state of cyber-security. Today our most critical military and corporate secrets are under attack. In his presentation, Joel shared his perspective on how organizations can better prepare for the changing security climate. The amount of state-sponsored espionage has highlighted weaknesses in our national security infrastructure. The Internet was primarily intended to provide a means of collaboration for non-commercial entities. Today it is the backbone of our digital commerce and digital experience, and it was not designed to secure the activities and data we share today. Check out "America The Vulnerable" and learn more.

    Read the article

  • What should a developer know before building a public web site?

    - by Joel Coehoorn
    What things should a programmer implementing the technical details of a web site address before making the site public? If Jeff Atwood can forget about HttpOnly cookies, sitemaps, and cross-site request forgeries all in the same site, what important thing could I be forgetting as well? I'm thinking about this from a web developer's perspective, such that someone else is creating the actual design and content for the site. So while usability and content may be more important than the platform, you the programmer have little say in that. What you do need to worry about is that your implementation of the platform is stable, performs well, is secure, and meets any other business goals (like not costing too much, taking too long to build, and ranking as well with Google as the content supports). Think of this from the perspective of a developer who's done some work for intranet-type applications in a fairly trusted environment, and is about to have his first shot at putting out a potentially popular site for the entire big bad world wide web. Also: I'm looking for something more specific than just a vague "web standards" response. I mean, HTML, JavaScript, and CSS over HTTP are pretty much a given, especially when I've already specified that you're a professional web developer. So going beyond that: which standards? In what circumstances, and why? Provide a link to the standard's specification. This question is community wiki, so please feel free to edit the answer to add links to good articles that will help explain or teach each particular point. To search in only the answers from this question, use the inquestion:this option.

    Read the article

  • Registering domains with Network Solutions

    - by Joel
    A few years ago I registered a domain with Network Solutions. In recent years I've been using cheaper services such as namecheap, powerpipe etc. Every time that I need to renew some of the older domains with Network Solutions I am surprised at how much more expensive they are. What is the reason for the price differences between the services? Why should I use a service like Network Solutions if there are so many companies out there that offer domain registration for a very cheap price? Thanks, Meir

    Read the article

  • PCI Compliance Book Suggestion

    - by Joel Weise
    I am always looking for good books on security, compliance and of course, PCI.  Here is one I think you will find very useful. "PCI Compliance, Third Edition: Understand and Implement Effective PCI Data Security Standard Compliance" by Branden Williams and Anton Chuvakin.  [Fair disclosure - Branden and I work together on the Information Systems Security Association Journal's editorial board.]   The primary reason I like this book is that the authors take a holistic architectural approach to PCI compliance and that to me is the most safe and sane way to approach PCI.  Using such an architectural approach to PCI is, in my humble opinion, the underlying intent of PCI.  Don't create a checklist of the PCI DSS and then map a solution to each.  That is a recipe for disaster.  Instead, look at how the different components and their configurations work together in a synergistic fashion.  In short, create a security architecture and governance framework (the ISO 27000 series is a good place to start) that begins with an evaluation of the requirements laid down in the PCI DSS, as well as your other applicable compliance, business and technical requirements.  By developing an integrated security architecture you should be able to not only address current requirements, but also be in a position to quickly address future ones as well.

    Read the article

  • What are some practical uses of the "new" modifier in C# with respect to hiding?

    - by Joel Etherton
    A co-worker and I were looking at the behavior of the new keyword in C# as it applies to the concept of hiding. From the documentation: Use the new modifier to explicitly hide a member inherited from a base class. To hide an inherited member, declare it in the derived class using the same name, and modify it with the new modifier. We've read the documentation, and we understand what it basically does and how it does it. What we couldn't really get a handle on is why you would need to do it in the first place. The modifier has been there since 2003, and we've both been working with .Net for longer than that and it's never come up. When would this behavior be necessary in a practical sense (e.g.: as applied to a business case)? Is this a feature that has outlived its usefulness or is what it does simply uncommon enough in what we do (specifically we do web forms and MVC applications and some small factor WinForms and WPF)? In trying this keyword out and playing with it we found some behaviors that it allows that seem a little hazardous if misused. This sounds a little open-ended, but we're looking for a specific use case that can be applied to a business application that finds this particular tool useful.

    Read the article

  • Situations that require protecting files against tampering when stored on a user's computer

    - by Joel
    I'm making a 'Pokémon Storage System' with a Client/Server model and as part of that I was thinking of storing an inventory file on the user's computer which I do not wish to be edited except by my program. An alternative to this would be to instead store the inventory file on the server and control its editing by sending commands to the server, but I was wondering if there are any situations which require files to be stored on a user's computer where editing would be undesirable and, if so, how do you protect the files? I was thinking AES with some sort of checksum?

    Read the article
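The "AES with some sort of checksum" idea from the question above, worked through as an added example (not the poster's code). The caveat a practitioner would raise first: encryption hides the contents, but it does not by itself stop modification, and any key shipped inside the client program is available to the user who wants to edit the file. An unkeyed checksum is no better, because whoever edits the data can recompute it. What does work is a keyed MAC whose key never leaves the server: the server seals the inventory, the client merely stores the blob, and the server rejects anything that does not verify when it comes back. The example shows both schemes side by side and a `cheat` helper that does what a user with a hex editor would do. It assumes JSON inventories, HMAC-SHA256, and a constructed sample inventory; none of that comes from the question.

```python
"""Added example, not the poster's code: a tamper-evident inventory file.
The point it shows: a plain checksum can be recomputed by whoever edits the
file, but an HMAC cannot be recomputed without the key, so the key must
live on the server (the server seals the file, the client only stores it).
Assumptions: JSON inventories, an HMAC-SHA256 key held only server-side, and
constructed sample data."""
import hashlib
import hmac
import json


def _canonical(inventory: dict) -> bytes:
    # Fixed key order and separators so the same inventory always hashes the same.
    return json.dumps(inventory, sort_keys=True, separators=(",", ":")).encode()


def seal_with_checksum(inventory: dict) -> bytes:
    """The weak scheme: integrity via an unkeyed hash anybody can recompute."""
    data = _canonical(inventory)
    return json.dumps({"data": data.decode(),
                       "sha256": hashlib.sha256(data).hexdigest()}).encode()


def open_with_checksum(blob: bytes):
    """Accepts any file whose checksum matches, including a forged one."""
    doc = json.loads(blob)
    data = doc["data"].encode()
    if hashlib.sha256(data).hexdigest() != doc["sha256"]:
        return None
    return json.loads(data)


def seal_inventory(server_key: bytes, inventory: dict) -> bytes:
    """Server side: attach an HMAC the client cannot forge without the key."""
    data = _canonical(inventory)
    mac = hmac.new(server_key, data, hashlib.sha256).hexdigest()
    return json.dumps({"data": data.decode(), "mac": mac}).encode()


def open_inventory(server_key: bytes, blob: bytes):
    """Server side, when the client sends the file back: None on any tampering."""
    try:
        doc = json.loads(blob)
        data = doc["data"].encode()
        mac = str(doc["mac"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    expected = hmac.new(server_key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return json.loads(data)


def cheat(blob: bytes, edit) -> bytes:
    """What a user with a hex editor can do: change the data and recompute any
    unkeyed checksum present. An HMAC field is left as-is (no key to redo it)."""
    doc = json.loads(blob)
    inventory = json.loads(doc["data"])
    edit(inventory)
    data = _canonical(inventory)
    doc["data"] = data.decode()
    if "sha256" in doc:
        doc["sha256"] = hashlib.sha256(data).hexdigest()
    return json.dumps(doc).encode()


# Constructed sample inventory and a key that exists only on the server.
SERVER_KEY = b"held-only-by-the-server"
INVENTORY = {"trainer": "red", "boxes": {"1": ["bulbasaur", "pidgey"]}, "coins": 100}

if __name__ == "__main__":
    sealed = seal_inventory(SERVER_KEY, INVENTORY)
    print(open_inventory(SERVER_KEY, sealed))
    forged = cheat(sealed, lambda inv: inv.__setitem__("coins", 999999))
    print(open_inventory(SERVER_KEY, forged))  # None: tampering detected
```

If the contents also need to be hidden from the user, add encryption on top (an AEAD mode such as AES-GCM gives both properties in one step), but the key placement argument is unchanged: verification that matters has to happen where the key is, which for a client/server game is the server. Canonical serialisation matters too; without `sort_keys` two equal inventories could produce different MACs and spurious rejections.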

  • Who are the thought leaders in software engineering/development? [closed]

    - by Mohsin Hijazee
    Possible Duplicate: What are the big contemporary names in the programming field? I am sorry if it is a duplicate question or is useless. I want to compile a list of influential people in our industry who can be termed as "opinionated" and thought leaders. There are basically two characteristics that I'm referring to here: The person has introduced new concepts/terminology/trends or talked about existing ones in a thought-provoking way. The majority or part of their writings are available online. Some of the people who I think of as thought leaders are as under: Martin Fowler, known for domain specific languages, Active Record, IoC. Joel Spolsky, known for his 12 point Joel test, Law of Leaky Abstractions. Kent Beck, known for XP. Paul Graham. Any other names and links?

    Read the article

  • Sun Java crashing, mostly with jboss

    - by Joel
    I'm on Ubuntu 10.10. I keep having problems with Sun Java crashing on me. I mostly have it crashing on my Jboss server, but I've had it crash MANY MANY times running ANT tasks or the IntelliJ IDE. Here's what it prints:
    #
    # A fatal error has been detected by the Java Runtime Environment:
    #
    # SIGSEGV (0xb) at pc=0x00007f67e665d440, pid=21260, tid=140082772170512
    #
    # JRE version: 6.0_22-b04
    # Java VM: Java HotSpot(TM) 64-Bit Server VM (17.1-b03 mixed mode linux-amd64 )
    # Problematic frame:
    # V [libjvm.so+0x2f2440]
    #
    # An error report file with more information is saved as:
    # /home/blah/blah/blah/hs_err_pid21260.log
    #
    # If you would like to submit a bug report, please visit:
    # http://java.sun.com/webapps/bugreport/crash.jsp
    #
    Aborted
    A co-worker of mine who has the same version of Ubuntu has had the same problem, but it has only happened to him once. (I get this probably 2 or 3 times a day, if not more). I have another machine running Ubuntu 10.04 with Sun Java and I have yet to see this problem. 1.0.6_20 is the java version on the 10.04 machine. My machine is running 1.6.0_22. Has anyone else had this problem? Anyone know how to keep it from happening? Also: I have tried reinstalling it and I can't use OpenJDK.

    Read the article

  • unable to boot and boot-loop on splash screen

    - by Joel St Martin
    Hey, I have tried to install Ubuntu many times, but once it installs it boot-loops at the splash screen. It just loops through the boot sound and the screen, not sure why. Nothing has seemed to work. Also it's only allowing me to boot Windows; all other operating systems crash and loop just like Ubuntu (Android x86, Linux Mint, Red Hat, Ubuntu Studio). Compaq AMD 64 3400+, 1 GB RAM, 2 HDD (200 GB/120 GB), 1 SSD (500 GB), Win7 x86. A video showing what happens

    Read the article

  • What technical details should a programmer of a web application consider before making the site public?

    - by Joel Coehoorn
    What things should a programmer implementing the technical details of a web application consider before making the site public? If Jeff Atwood can forget about HttpOnly cookies, sitemaps, and cross-site request forgeries all in the same site, what important thing could I be forgetting as well? I'm thinking about this from a web developer's perspective, such that someone else is creating the actual design and content for the site. So while usability and content may be more important than the platform, you the programmer have little say in that. What you do need to worry about is that your implementation of the platform is stable, performs well, is secure, and meets any other business goals (like not costing too much, taking too long to build, and ranking as well with Google as the content supports). Think of this from the perspective of a developer who's done some work for intranet-type applications in a fairly trusted environment, and is about to have his first shot at putting out a potentially popular site for the entire big bad world wide web. Also, I'm looking for something more specific than just a vague "web standards" response. I mean, HTML, JavaScript, and CSS over HTTP are pretty much a given, especially when I've already specified that you're a professional web developer. So going beyond that: which standards? In what circumstances, and why? Provide a link to the standard's specification.

    Read the article
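The two concrete items the question above (and its two earlier variants on this page) names, HttpOnly cookies and cross-site request forgery, as an added example that is not from the question or any of its answers. It shows the Set-Cookie flags a session cookie should carry (HttpOnly as the question mentions, plus Secure and SameSite) and a CSRF token bound to the session with an HMAC, so a token captured from one session does not verify against another. Assumptions not in the question: a server-only key `SERVER_KEY`, the session id arriving in a cookie named `sid`, the token arriving as a form field `csrf_token`, and an Origin header check against a configured site origin; the request at the bottom is constructed.

```python
"""Added example, not code from the question or its answers: HttpOnly session
cookies and session-bound CSRF tokens as checks a request handler can apply.
Assumptions: SERVER_KEY never leaves the server, the session id is issued
before the token, and request data arrives as plain dicts."""
import hashlib
import hmac
import secrets


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value: HttpOnly keeps script from reading it, Secure keeps it
    off plain HTTP, SameSite=Lax stops it riding along on cross-site POSTs."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def _csrf_mac(key: bytes, session_id: str, nonce: str) -> str:
    return hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def make_csrf_token(key: bytes, session_id: str) -> str:
    """Token bound to one session: a token leaked from another session is useless."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_csrf_mac(key, session_id, nonce)}"


def verify_csrf_token(key: bytes, session_id: str, token) -> bool:
    """Constant-time check that the token was minted for this session."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = _csrf_mac(key, session_id, nonce)
    return hmac.compare_digest(expected.encode(), mac.encode())


def check_state_changing_request(key: bytes, site_origin: str,
                                 headers: dict, cookies: dict, form: dict):
    """Return (allowed, reason) for a POST. Session comes from the cookie, the
    CSRF token from the form body. A present Origin header must match our site;
    an absent one is tolerated because some clients omit it."""
    session_id = cookies.get("sid")
    if not session_id:
        return False, "no session"
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False, "cross-site origin"
    if not verify_csrf_token(key, session_id, form.get("csrf_token")):
        return False, "bad csrf token"
    return True, "ok"


# Constructed sample: what the server issued and what a legitimate POST carries.
SERVER_KEY = b"server-only-csrf-key"
SITE_ORIGIN = "https://example.test"
SESSION_ID = "s3ss10n-abc"
TOKEN = make_csrf_token(SERVER_KEY, SESSION_ID)
GOOD_REQUEST = dict(
    headers={"Origin": SITE_ORIGIN},
    cookies={"sid": SESSION_ID},
    form={"csrf_token": TOKEN, "action": "delete"},
)

if __name__ == "__main__":
    print(session_cookie_header("sid", SESSION_ID))
    print(check_state_changing_request(SERVER_KEY, SITE_ORIGIN, **GOOD_REQUEST))
    print(check_state_changing_request(SERVER_KEY, SITE_ORIGIN,
                                       headers={"Origin": "https://evil.test"},
                                       cookies={"sid": SESSION_ID},
                                       form={"csrf_token": TOKEN}))
```

The cookie flags and the token are complementary rather than redundant: SameSite=Lax already blocks most cross-site POSTs in current browsers, but the HMAC-bound token still covers older clients and same-site subdomain cases, and the Origin check is cheap insurance when the header is present.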

  • can't update 12.04 getting package header error

    - by joel
    I originally posted this question, and was redirected to another thread where the question had already been asked. I then posted to that thread and had my post deleted by moderator fossfreedom, and told to post a "new" question... so wth ever.... I don't care if it's old or new I just need help here people! In a nutshell, I can't use sudo apt-get update or the GUI update tool to update my system. Anytime I try using either tool it gives me an error about packages missing headers. I can't send error reports, I have tried all the listed solutions from this post: I can't update my system properly, "no package header" error and from this post: "Problem with MergeList" error when trying to do an update and neither one work. I just want a working solution since I don't have the means of re-installing the OS entirely, and I REALLY don't want to have to go back to using Windows.

    Read the article

  • Engineered Systems and PCI

    - by Joel Weise
    Oracle has a number of different engineered systems. These are designed to be highly integrated, optimized and secure systems. The Exadata database engineered system and the Exalogic application engineered system are two good examples. Often I am asked how these comply with different standards and regulations. Exalogic is the Oracle engineered system that supports applications and the focus of today's blog. First, we must recognize that as a collection of hardware and software, we cannot simply state that Exalogic is "compliant" with PCI DSS. This is because Exalogic must be implemented within the context of one's existing IT infrastructure, the security features of that infrastructure, the governance framework that exists, security policies, operational procedures, and other factors. What we can say, though, is that Exalogic has been designed with various security capabilities that can be utilized to support compliance with PCI DSS as well as other standards and regulations (e.g., NIST and HIPAA). Given that, Exalogic can be an excellent platform for running PCI-related payment applications. Coalfire Systems, a leading QSA in the US, has evaluated Exalogic against PCI DSS and supports this position. Their evaluation can be found here: Exalogic and PCI Compliance. I hope you find it useful.

    Read the article

  • No sound for headphones

    - by Joel Lino
    I was trying some of the solutions published in this forum for the same problem, but just one in particular worked for me: adding the line of code to the file alsa-base.conf. This only worked for a few days; now the problem is back again. Any solution to fix this problem for good? Compaq Presario CQ40
    $ lspci | grep -i audio
    00:14.2 Audio device: ATI Technologies Inc SBx00 Azalia (Intel HDA)
    01:05.1 Audio device: ATI Technologies Inc RS780 Azalia controller

    Read the article

  • WUBI installation can no longer boot, UUID disk not found

    - by Joel Heenan
    Yesterday my Wubi/Vista installation was working fine. I shut it down at the train station, all good; then when I attempted to boot Ubuntu at home I got a message saying the UUID for root could not be found. By booting with the Ubuntu live CD I found that the C:\ubuntu\disks folder stat structure was broken, reported as "??? ??? ??" kinda thing. I booted into Windows, scheduled a CHKDSK, ran that on boot which found some errors and rebooted. Still no dice. I am not stressed because it appears my home directory is still there with all my content so I don't mind re-installing the OS (probably will clean it up some). What is the best path from here to repair the WUBI installation? Is there anything else I should do to repair it? I'm looking at whether the drive is dying now to work out why this occurred. Possibly I moved the laptop before shutdown had completed.

    Read the article

  • what extension for uploading drawings from gimp to facebook

    - by joel
    Today I upgraded to Ubuntu 13.10 from 13.04. It looks good. I didn't test Gimp Image Editor on the 13.04 version but I just tested the 13.10 version with a painting with Gimp and when I tried to upload the file to facebook it tells me that this is an invalid image. I have an older laptop with ubuntu 12.04 and have the same Gimp installed in it. With the 12.04 version I have plenty of extensions for filing the images that I do on gimp and can upload them to facebook. I noticed that the 13.10 version has only a few extensions for saving a file from gimp. Which extension should I use to save a file that facebook will accept in this 13.10 version?

    Read the article
