Search Results

Search found 2063 results on 83 pages for 'jason weber'.

Page 80/83 | < Previous Page | 76 77 78 79 80 81 82 83  | Next Page >

  • using PHP to create multidimensional array from simple JSON array

    - by Michael Robinson
    I have a php query the returns the following JSON format from a table. [{"memberid":"18", "useridFK":"30", "loginName":"Johnson", "name":"Frank", "age":"23", "place":"School", }, It needs the following format: [{"memberid":"18" { "useridFK":"30", "loginName":"Johnson", "name":"Frank", "age":"23", "place":"School",} }, I was told in another question that PHP would work and it looks like "Transversing" might be appropriate, I'm looking to find out what to put in the Php before it returns the JASON. My Array.plist will look like the following: Root: Dictionary V Rows: Array V Item 0: Dictionary Title: String 18 V Children Array V Item 0 Dictionary Title String 30 etc. Thanks in advance.

    Read the article

  • Checking for any lowercase letters in a string

    - by pcampbell
    Consider a JavaScript method that needs to check whether a given string is in all uppercase letters. The input strings are people's names. The current algorithm is to check for any lowercase letters. var check1 = "Jack Spratt"; var check2 = "BARBARA FOO-BAR"; var check3 = "JASON D'WIDGET"; var isUpper1 = HasLowercaseCharacters(check1); var isUpper2 = HasLowercaseCharacters(check2); var isUpper3 = HasLowercaseCharacters(check3); function HasLowercaseCharacters(string input) { //pattern for finding whether any lowercase alpha characters exist var allLowercase; return allLowercase.test(input); } Is a regex the best way to go here? What pattern would you use to determine whether a string has any lower case alpha characters?

    Read the article

  • How to upload a CSV file and and read it's data in the client side itself and send the data as a stream through a ajax post?

    - by sunshine
    I need to upload a CSV file and get its contents form the client side itself. Then post it to the server where I can retriev the stream and do the string manipulations in the serer action methods. Is there any jquery plugin for this task to upload a csv file and send data as a stream using ajax or jason? I am really new to this area.I am working in VS2010 AND mvc3. Can some one give me a clear solution for this mater?? Any examples?? I did search a lot but did not find any suitable solution yet. Can anyone please help me with this matter. Thanks so much.

    Read the article

  • Proper way to set object instance variables

    - by ensnare
    I'm writing a class to insert users into a database, and before I get too far in, I just want to make sure that my OO approach is clean: class User(object): def setName(self,name): #Do sanity checks on name self._name = name def setPassword(self,password): #Check password length > 6 characters #Encrypt to md5 self._password = password def commit(self): #Commit to database >>u = User() >>u.setName('Jason Martinez') >>u.setPassword('linebreak') >>u.commit() Is this the right approach? Should I declare class variables up top? Should I use a _ in front of all the class variables to make them private? Thanks for helping out.

    Read the article

  • How to decode a JSON String with several objects in PHP?

    - by ilnur777
    Hi, guys! I know how to decode a JSON string with one object with your help from this example http://stackoverflow.com/questions/2543389/how-to-decode-a-json-string But now I would like to improve decoding JSON string with several objects and I can't understand how to do it. Here is an example: { "programmers": [ { "firstName": "Brett", "lastName":"McLaughlin" }, { "firstName": "Jason", "lastName":"Hunter" }, { "firstName": "Elliotte", "lastName":"Harold" } ], "authors": [ { "firstName": "Isaac", "lastName": "Asimov" }, { "firstName": "Tad", "lastName": "Williams" }, { "firstName": "Frank", "lastName": "Peretti" } ], "musicians": [ { "firstName": "Eric", "lastName": "Clapton" }, { "firstName": "Sergei", "lastName": "Rachmaninoff" } ] } How to decode this JSON, call data and display on the page from what object the informartion list is being read? Thank you!

    Read the article

  • How do I prevent a ManyToManyField('self') from linked an object to itself?

    - by dyve
    Consider this model (simplified for this question): class SecretAgentName(models.Model): name = models.CharField(max_length=100) aliases = ManyToManyField('self') I have three names, "James Bond", "007" and "Jason Bourne". "James Bond" and "007" are aliases of each other. This works exactly like I want it to, except for the fact that every instance can also be an alias of itself. This I want to prevent. So, there can be many SecretAgentNames, all can be aliases of each other as long as "James Bond" does not show up as an alias for "James Bond". Can I prevent this in the model definition? If not, can I prevent it anywhere else, preferably so that the Django Admin understands it?

    Read the article

  • How to Identify a ListViewItem to Update a Single Row

    - by tunneling
    I have a ListView displays information about an object. When I click a ListView Item, I open an Activity that let's me manipulate parameters of the object held in the adapter. These parameters are updated and stored remotely. When I return to the ListView (via the back button), I want to update the ListView Item that I clicked originally by requesting the parameter values from the remote server. I am currently doing this up updating the entire ListView by clearing it and rebuilding it. How do I reference the ListView Item so that I can update the data for that item only? Thanks, Jason

    Read the article

  • Portable way to determining of printer is physical or virtual

    - by Mud
    I need direct-to-printer functionality for my website, with the ability to distinguish a physical printer from a virtual printer (file). Coupons.com has this functionality via a native binary which must be installed by the user. I'd prefer to avoid that. SmartSource.com does it via Java applet: Does anybody know how this is done? I dug through that Java APIs a bit, and don't see anything that would let you determine physical vs virtual, except looking at the name (that seems prone to misidentification). It would be nice to be able to do it in Java, because I already know how to write Java applets. Failing that, is there a way to do this in Flash or Silverlight? Thanks in advance. EDIT: Well deserved bounty awarded to Jason Sperske who worked out an elegant solution. Thanks to those of you who shared ideas, as well as those who actually investigated SmartSource.com's solution (like Adrian).

    Read the article

  • stored procedure to find value in 2 columns out of 3

    - by user1510533
    I am putting in the samle date and i am supposed to do something similar what i am asking. I want to run a query that would pull values in any two columns out 3 if it has a 1 or if any one column has a 1 it will return just those results. However it should search all three columns and in any of the three columns where it found value as 1 it should return that result. Can anyone please help me with this. Thanks in advance. ID Patient Patient Name prio prio2 prio3 ------------------------------------------------- 1 101563 Robert Riley 1 1 1 2 101583 Cody Ayers 1 0 1 3 101825 Jason Lawler 0 0 1 4 101984 Dustin Lumis 1 0 0 5 102365 Stacy smith 1 0 0 6 102564 Frank Milon 1 0 0 7 102692 Thomas Kroning 1 0 0 8 102856 Andrew Philips 1 0 0 9 102915 Alice Davies 0 0 1 10 103785 Jon Durley 0 0 1 11 103958 Clayton Folsom 1 1 1 12 104696 Michelle Holsley 1 1 1 13 104983 Teresa Jones 1 0 1 14 105892 Betsy Prat 1 1 0 15 106859 Casey Ayers 1 1 0

    Read the article

  • What exactly is Two-way databinding in WPF ?

    - by blntechie
    I'm learning WPF with MVVM and for a starter, I viewed Jason Dolinger's video on MVVM . In that he mentioned, that one of the advantage of using MVVM with WPF is two-way data binding. My question is what does he mean by two-way data binding? Is that the feature of ability to 1) bind data from controls(View) to properties in VM and 2) any change in collections or properties are reflected in the view? If I'm wrong, can anyone please explain me in detail what it is and what are its advantages? This might be a very simple doubt, but I'm very new to WPF and it's terminologies and moving away from WinForms now.

    Read the article

  • JavaScript - checking for any lowercase letters in a string

    - by pcampbell
    Consider a JavaScript method that needs to check whether a given string is in all uppercase letters. The input strings are people's names. The current algorithm is to check for any lowercase letters. var check1 = "Jack Spratt"; var check2 = "BARBARA FOO-BAR"; var check3 = "JASON D'WIDGET"; var isUpper1 = HasLowercaseCharacters(check1); var isUpper2 = HasLowercaseCharacters(check2); var isUpper3 = HasLowercaseCharacters(check3); function HasLowercaseCharacters(string input) { //pattern for finding whether any lowercase alpha characters exist var allLowercase; return allLowercase.test(input); } Is a regex the best way to go here? What pattern would you use to determine whether a string has any lower case alpha characters?

    Read the article

  • IO redirect engine with metadata

    - by hawk.hsieh
    Is there any C library or tool to redirect IO and be able to configured by a metadata. And provide a dynamic link library to perform custom process for feeding data into next IO. For example, network video recorder: record video: socket do_something() file preview video: socket do_something() PCI device http service: download file: socket do_something(http) file socket post file: socket do_something(http) file serial control: monitor device: uart do_something(custom protocol) popen("zip") socket I know the unix-like OS has IO redirect feature and integrate all application you want. Even socket IO you can use /dev/tcp or implement a process to redirect to stdout. But this is process based , the process's foot print is big , IPC is heavy. Therefore, I am looking for something to redirect IO in a process and the data redirect between IO is configurable with a metadata (XML,jason or others).

    Read the article

  • why isn't my id showing up in django admin list?

    - by FurtiveFelon
    Hi all, I have a class Task(models.Model), and i didn't define id field explicitly (since it defines automatically for you). I checked in the database, it exists for the Task. Now i would like to display it in the list via list_display property in admin.ModelAdmin. I have a bunch of things in there, only id is not showing up for any of the rows i have. Everything else works fine. Anyone know anything special i have to do to get id to display? Thanks a lot! Jason

    Read the article

  • Err Web Service?

    - by j-t-s
    Hi All I am trying to implement a feature. But I've never had anything to do with "Web Services" before, other than using them. I have a desktop application, and I want that application to be able to sort of "post" some information (i.e. email address, username, user-selected options (just plain text) etc) to an application or "web service" on my ASP.NET web server. Can somebody please guide me in the right direction? How would I accomplish this? Thank you :) Jason

    Read the article

  • Why Can't I import a UITableViewCell subclass ? That's weird....

    - by user320064
    It's like this, I created a UITableViewCell subclass called NewsItemCell, then I wanna use it in my FirstViewController.m, then I tried to import it, but the compiler keeps telling me this Below is my code, it is driving me mad, thank you if you can help. import "NewsItemCell.h" import "FirstViewController.h" @implementation FirstViewController @synthesize computers; (UITableViewCell *)tableView:(UITableView *)tableView cellForRowAtIndexPath:(NSIndexPath *)indexPath { static NSString *CellIdentifier = @"NewsItemCellIdentifier"; NewsItemcell *cell = (NewsItemcell *)[tableView dequeueReusableCellWithIdentifier: CellIdentifier]; if (cell == nil) { NSArray *nib = [[NSBundle mainBundle] loadNibNamed:@"NewsItemCell" owner:self options:nil]; for (id oneObject in nib) if ([oneObject isKindOfClass:[NewsItemcell class]]) cell = (NewsItemcell *)oneObject; } NSUInteger row = [indexPath row]; NSDictionary *rowData = [self.computers objectAtIndex:row]; cell.newsTitle.text = [rowData objectForKey:@"Color"]; cell.newsDate.text = [rowData objectForKey:@"Name"]; return cell; } Jason

    Read the article

  • How to display more things in admin.StackedInline

    - by FurtiveFelon
    Hi all, I have Article model and a Comment model. Comment is created in admin.py as admin.StackedInline, and it has several fields, notably content and lastUpdate. For lastUpdate, i have specified as follows: lastUpdate = models.DateTimeField('last update', auto_now=True). Understandably, lastUpdate is not displayed when i try to add new comment (or edit old ones). However, i would like it to display for older comments if possible, as a read only thing. Is there anyway of accomplishing that? Thanks a lot! Jason

    Read the article

  • jQuery FadeTo() bg on rollover, IMG animate().width height

    - by jg462095
    Hello all, I have been reading StackOverflow for a while and now I have a question I cannot find an answer to. i am trying to fade a background and increase on img size on rollover. I have tried animate() and fadeTo(), however, the entire div fades. Do I need to absolute position my images over the div and not within it? img or img? Is that the only way to get items within a div to not fade along with the background? Thanks! Jason

    Read the article

  • How can I set breakpoints in an external JS script in Firebug

    - by Manu
    I can easily set breakpoints in embedded JS functions, but I don't see any way of accessing extarnal JS scripts via Firebug unless I happen to enter them during a debug session. Is there a way to do this w/o having to 'explore' my way into the script? @Jason: This is a good point, but in my case I do not have easy access to the script. I am specifically talking about the client scripts which are invoked by the ASP.Net Validators that I would like to debug. I can access them during a debug session through entering the function calls, but I could not find a way to access them directly.

    Read the article

  • I need to create a web service using .NET-- where should I start?

    - by j-t-s
    Hi All I am trying to implement a feature. But I've never had anything to do with "Web Services" before, other than using them. I have a desktop application, and I want that application to be able to sort of "post" some information (i.e. email address, username, user-selected options (just plain text) etc) to an application or "web service" on my ASP.NET web server. Can somebody please guide me in the right direction? How would I accomplish this? Thank you :) Jason

    Read the article

  • what's the best (most effecient) way in asp .net to return a whole page into tabbed content?

    - by ijjo
    what i want to do is every time i click on a tab, the content area is replaced by pretty much a whole new page. i don't want a full page load so i want to do it in ajax, but i'm used to sending back small jason data via page methods. i'm not sure how i would construct a whole new page and return that via ajax and i would like to simply assign the whole content returned to a div and be done with it. what's the best way to do this with the least amount of overhead (i know there are some inefficient ways the scriptmanager does ajax)? or is it better to load the tabbed content in an iframe? fyi i'm already using jquery to call lightweight pagemethods on my asp net page and that works great.

    Read the article

  • Information stored in a cookie file

    - by jklmuk
    Thanks for you help in advance. I am trying to figure out the structure of the cookie file, more specifically i want to be able to determine the expiry time. From the cookies i have created they all appear to be in a standard format. Name, Value, website,followed by 5 numbers and a star. See example below. name value www.website.co.uk/ 1536 3041141504 30135951 1632526096 30135949 * Obviously the expiry time is one of the numbers, the question is which one. From experiments I have determined that the first and fifth number don't seem to change. In a case where i generated three cookies at the same time with a 1000 second time difference i noticed that the fourth number appeared to increase by 2000 suggesting that this has a connection with the expiry time. Can anyone confirm if i am heading in the right direction? And does any one know how i convert this to a human time and date(preferably in php but any language would give me a starting point) thanks Jason

    Read the article

  • Toorcon14

    - by danx
    Toorcon 2012 Information Security Conference San Diego, CA, http://www.toorcon.org/ Dan Anderson, October 2012 It's almost Halloween, and we all know what that means—yes, of course, it's time for another Toorcon Conference! Toorcon is an annual conference for people interested in computer security. This includes the whole range of hackers, computer hobbyists, professionals, security consultants, press, law enforcement, prosecutors, FBI, etc. We're at Toorcon 14—see earlier blogs for some of the previous Toorcon's I've attended (back to 2003). This year's "con" was held at the Westin on Broadway in downtown San Diego, California. The following are not necessarily my views—I'm just the messenger—although I could have misquoted or misparaphrased the speakers. Also, I only reviewed some of the talks, below, which I attended and interested me. MalAndroid—the Crux of Android Infections, Aditya K. Sood Programming Weird Machines with ELF Metadata, Rebecca "bx" Shapiro Privacy at the Handset: New FCC Rules?, Valkyrie Hacking Measured Boot and UEFI, Dan Griffin You Can't Buy Security: Building the Open Source InfoSec Program, Boris Sverdlik What Journalists Want: The Investigative Reporters' Perspective on Hacking, Dave Maas & Jason Leopold Accessibility and Security, Anna Shubina Stop Patching, for Stronger PCI Compliance, Adam Brand McAfee Secure & Trustmarks — a Hacker's Best Friend, Jay James & Shane MacDougall MalAndroid—the Crux of Android Infections Aditya K. Sood, IOActive, Michigan State PhD candidate Aditya talked about Android smartphone malware. There's a lot of old Android software out there—over 50% Gingerbread (2.3.x)—and most have unpatched vulnerabilities. Of 9 Android vulnerabilities, 8 have known exploits (such as the old Gingerbread Global Object Table exploit). Android protection includes sandboxing, security scanner, app permissions, and screened Android app market. The Android permission checker has fine-grain resource control, policy enforcement. Android static analysis also includes a static analysis app checker (bouncer), and a vulnerablity checker. What security problems does Android have? User-centric security, which depends on the user to grant permission and make smart decisions. But users don't care or think about malware (the're not aware, not paranoid). All they want is functionality, extensibility, mobility Android had no "proper" encryption before Android 3.0 No built-in protection against social engineering and web tricks Alternative Android app markets are unsafe. Simply visiting some markets can infect Android Aditya classified Android Malware types as: Type A—Apps. These interact with the Android app framework. For example, a fake Netflix app. Or Android Gold Dream (game), which uploads user files stealthy manner to a remote location. Type K—Kernel. Exploits underlying Linux libraries or kernel Type H—Hybrid. These use multiple layers (app framework, libraries, kernel). These are most commonly used by Android botnets, which are popular with Chinese botnet authors What are the threats from Android malware? These incude leak info (contacts), banking fraud, corporate network attacks, malware advertising, malware "Hackivism" (the promotion of social causes. For example, promiting specific leaders of the Tunisian or Iranian revolutions. Android malware is frequently "masquerated". That is, repackaged inside a legit app with malware. To avoid detection, the hidden malware is not unwrapped until runtime. The malware payload can be hidden in, for example, PNG files. Less common are Android bootkits—there's not many around. What they do is hijack the Android init framework—alteering system programs and daemons, then deletes itself. For example, the DKF Bootkit (China). Android App Problems: no code signing! all self-signed native code execution permission sandbox — all or none alternate market places no robust Android malware detection at network level delayed patch process Programming Weird Machines with ELF Metadata Rebecca "bx" Shapiro, Dartmouth College, NH https://github.com/bx/elf-bf-tools @bxsays on twitter Definitions. "ELF" is an executable file format used in linking and loading executables (on UNIX/Linux-class machines). "Weird machine" uses undocumented computation sources (I think of them as unintended virtual machines). Some examples of "weird machines" are those that: return to weird location, does SQL injection, corrupts the heap. Bx then talked about using ELF metadata as (an uintended) "weird machine". Some ELF background: A compiler takes source code and generates a ELF object file (hello.o). A static linker makes an ELF executable from the object file. A runtime linker and loader takes ELF executable and loads and relocates it in memory. The ELF file has symbols to relocate functions and variables. ELF has two relocation tables—one at link time and another one at loading time: .rela.dyn (link time) and .dynsym (dynamic table). GOT: Global Offset Table of addresses for dynamically-linked functions. PLT: Procedure Linkage Tables—works with GOT. The memory layout of a process (not the ELF file) is, in order: program (+ heap), dynamic libraries, libc, ld.so, stack (which includes the dynamic table loaded into memory) For ELF, the "weird machine" is found and exploited in the loader. ELF can be crafted for executing viruses, by tricking runtime into executing interpreted "code" in the ELF symbol table. One can inject parasitic "code" without modifying the actual ELF code portions. Think of the ELF symbol table as an "assembly language" interpreter. It has these elements: instructions: Add, move, jump if not 0 (jnz) Think of symbol table entries as "registers" symbol table value is "contents" immediate values are constants direct values are addresses (e.g., 0xdeadbeef) move instruction: is a relocation table entry add instruction: relocation table "addend" entry jnz instruction: takes multiple relocation table entries The ELF weird machine exploits the loader by relocating relocation table entries. The loader will go on forever until told to stop. It stores state on stack at "end" and uses IFUNC table entries (containing function pointer address). The ELF weird machine, called "Brainfu*k" (BF) has: 8 instructions: pointer inc, dec, inc indirect, dec indirect, jump forward, jump backward, print. Three registers - 3 registers Bx showed example BF source code that implemented a Turing machine printing "hello, world". More interesting was the next demo, where bx modified ping. Ping runs suid as root, but quickly drops privilege. BF modified the loader to disable the library function call dropping privilege, so it remained as root. Then BF modified the ping -t argument to execute the -t filename as root. It's best to show what this modified ping does with an example: $ whoami bx $ ping localhost -t backdoor.sh # executes backdoor $ whoami root $ The modified code increased from 285948 bytes to 290209 bytes. A BF tool compiles "executable" by modifying the symbol table in an existing ELF executable. The tool modifies .dynsym and .rela.dyn table, but not code or data. Privacy at the Handset: New FCC Rules? "Valkyrie" (Christie Dudley, Santa Clara Law JD candidate) Valkyrie talked about mobile handset privacy. Some background: Senator Franken (also a comedian) became alarmed about CarrierIQ, where the carriers track their customers. Franken asked the FCC to find out what obligations carriers think they have to protect privacy. The carriers' response was that they are doing just fine with self-regulation—no worries! Carriers need to collect data, such as missed calls, to maintain network quality. But carriers also sell data for marketing. Verizon sells customer data and enables this with a narrow privacy policy (only 1 month to opt out, with difficulties). The data sold is not individually identifiable and is aggregated. But Verizon recommends, as an aggregation workaround to "recollate" data to other databases to identify customers indirectly. The FCC has regulated telephone privacy since 1934 and mobile network privacy since 2007. Also, the carriers say mobile phone privacy is a FTC responsibility (not FCC). FTC is trying to improve mobile app privacy, but FTC has no authority over carrier / customer relationships. As a side note, Apple iPhones are unique as carriers have extra control over iPhones they don't have with other smartphones. As a result iPhones may be more regulated. Who are the consumer advocates? Everyone knows EFF, but EPIC (Electrnic Privacy Info Center), although more obsecure, is more relevant. What to do? Carriers must be accountable. Opt-in and opt-out at any time. Carriers need incentive to grant users control for those who want it, by holding them liable and responsible for breeches on their clock. Location information should be added current CPNI privacy protection, and require "Pen/trap" judicial order to obtain (and would still be a lower standard than 4th Amendment). Politics are on a pro-privacy swing now, with many senators and the Whitehouse. There will probably be new regulation soon, and enforcement will be a problem, but consumers will still have some benefit. Hacking Measured Boot and UEFI Dan Griffin, JWSecure, Inc., Seattle, @JWSdan Dan talked about hacking measured UEFI boot. First some terms: UEFI is a boot technology that is replacing BIOS (has whitelisting and blacklisting). UEFI protects devices against rootkits. TPM - hardware security device to store hashs and hardware-protected keys "secure boot" can control at firmware level what boot images can boot "measured boot" OS feature that tracks hashes (from BIOS, boot loader, krnel, early drivers). "remote attestation" allows remote validation and control based on policy on a remote attestation server. Microsoft pushing TPM (Windows 8 required), but Google is not. Intel TianoCore is the only open source for UEFI. Dan has Measured Boot Tool at http://mbt.codeplex.com/ with a demo where you can also view TPM data. TPM support already on enterprise-class machines. UEFI Weaknesses. UEFI toolkits are evolving rapidly, but UEFI has weaknesses: assume user is an ally trust TPM implicitly, and attached to computer hibernate file is unprotected (disk encryption protects against this) protection migrating from hardware to firmware delays in patching and whitelist updates will UEFI really be adopted by the mainstream (smartphone hardware support, bank support, apathetic consumer support) You Can't Buy Security: Building the Open Source InfoSec Program Boris Sverdlik, ISDPodcast.com co-host Boris talked about problems typical with current security audits. "IT Security" is an oxymoron—IT exists to enable buiness, uptime, utilization, reporting, but don't care about security—IT has conflict of interest. There's no Magic Bullet ("blinky box"), no one-size-fits-all solution (e.g., Intrusion Detection Systems (IDSs)). Regulations don't make you secure. The cloud is not secure (because of shared data and admin access). Defense and pen testing is not sexy. Auditors are not solution (security not a checklist)—what's needed is experience and adaptability—need soft skills. Step 1: First thing is to Google and learn the company end-to-end before you start. Get to know the management team (not IT team), meet as many people as you can. Don't use arbitrary values such as CISSP scores. Quantitive risk assessment is a myth (e.g. AV*EF-SLE). Learn different Business Units, legal/regulatory obligations, learn the business and where the money is made, verify company is protected from script kiddies (easy), learn sensitive information (IP, internal use only), and start with low-hanging fruit (customer service reps and social engineering). Step 2: Policies. Keep policies short and relevant. Generic SANS "security" boilerplate policies don't make sense and are not followed. Focus on acceptable use, data usage, communications, physical security. Step 3: Implementation: keep it simple stupid. Open source, although useful, is not free (implementation cost). Access controls with authentication & authorization for local and remote access. MS Windows has it, otherwise use OpenLDAP, OpenIAM, etc. Application security Everyone tries to reinvent the wheel—use existing static analysis tools. Review high-risk apps and major revisions. Don't run different risk level apps on same system. Assume host/client compromised and use app-level security control. Network security VLAN != segregated because there's too many workarounds. Use explicit firwall rules, active and passive network monitoring (snort is free), disallow end user access to production environment, have a proxy instead of direct Internet access. Also, SSL certificates are not good two-factor auth and SSL does not mean "safe." Operational Controls Have change, patch, asset, & vulnerability management (OSSI is free). For change management, always review code before pushing to production For logging, have centralized security logging for business-critical systems, separate security logging from administrative/IT logging, and lock down log (as it has everything). Monitor with OSSIM (open source). Use intrusion detection, but not just to fulfill a checkbox: build rules from a whitelist perspective (snort). OSSEC has 95% of what you need. Vulnerability management is a QA function when done right: OpenVas and Seccubus are free. Security awareness The reality is users will always click everything. Build real awareness, not compliance driven checkbox, and have it integrated into the culture. Pen test by crowd sourcing—test with logging COSSP http://www.cossp.org/ - Comprehensive Open Source Security Project What Journalists Want: The Investigative Reporters' Perspective on Hacking Dave Maas, San Diego CityBeat Jason Leopold, Truthout.org The difference between hackers and investigative journalists: For hackers, the motivation varies, but method is same, technological specialties. For investigative journalists, it's about one thing—The Story, and they need broad info-gathering skills. J-School in 60 Seconds: Generic formula: Person or issue of pubic interest, new info, or angle. Generic criteria: proximity, prominence, timeliness, human interest, oddity, or consequence. Media awareness of hackers and trends: journalists becoming extremely aware of hackers with congressional debates (privacy, data breaches), demand for data-mining Journalists, use of coding and web development for Journalists, and Journalists busted for hacking (Murdock). Info gathering by investigative journalists include Public records laws. Federal Freedom of Information Act (FOIA) is good, but slow. California Public Records Act is a lot stronger. FOIA takes forever because of foot-dragging—it helps to be specific. Often need to sue (especially FBI). CPRA is faster, and requests can be vague. Dumps and leaks (a la Wikileaks) Journalists want: leads, protecting ourselves, our sources, and adapting tools for news gathering (Google hacking). Anonomity is important to whistleblowers. They want no digital footprint left behind (e.g., email, web log). They don't trust encryption, want to feel safe and secure. Whistleblower laws are very weak—there's no upside for whistleblowers—they have to be very passionate to do it. Accessibility and Security or: How I Learned to Stop Worrying and Love the Halting Problem Anna Shubina, Dartmouth College Anna talked about how accessibility and security are related. Accessibility of digital content (not real world accessibility). mostly refers to blind users and screenreaders, for our purpose. Accessibility is about parsing documents, as are many security issues. "Rich" executable content causes accessibility to fail, and often causes security to fail. For example MS Word has executable format—it's not a document exchange format—more dangerous than PDF or HTML. Accessibility is often the first and maybe only sanity check with parsing. They have no choice because someone may want to read what you write. Google, for example, is very particular about web browser you use and are bad at supporting other browsers. Uses JavaScript instead of links, often requiring mouseover to display content. PDF is a security nightmare. Executible format, embedded flash, JavaScript, etc. 15 million lines of code. Google Chrome doesn't handle PDF correctly, causing several security bugs. PDF has an accessibility checker and PDF tagging, to help with accessibility. But no PDF checker checks for incorrect tags, untagged content, or validates lists or tables. None check executable content at all. The "Halting Problem" is: can one decide whether a program will ever stop? The answer, in general, is no (Rice's theorem). The same holds true for accessibility checkers. Language-theoretic Security says complicated data formats are hard to parse and cannot be solved due to the Halting Problem. W3C Web Accessibility Guidelines: "Perceivable, Operable, Understandable, Robust" Not much help though, except for "Robust", but here's some gems: * all information should be parsable (paraphrasing) * if not parsable, cannot be converted to alternate formats * maximize compatibility in new document formats Executible webpages are bad for security and accessibility. They say it's for a better web experience. But is it necessary to stuff web pages with JavaScript for a better experience? A good example is The Drudge Report—it has hand-written HTML with no JavaScript, yet drives a lot of web traffic due to good content. A bad example is Google News—hidden scrollbars, guessing user input. Solutions: Accessibility and security problems come from same source Expose "better user experience" myth Keep your corner of Internet parsable Remember "Halting Problem"—recognize false solutions (checking and verifying tools) Stop Patching, for Stronger PCI Compliance Adam Brand, protiviti @adamrbrand, http://www.picfun.com/ Adam talked about PCI compliance for retail sales. Take an example: for PCI compliance, 50% of Brian's time (a IT guy), 960 hours/year was spent patching POSs in 850 restaurants. Often applying some patches make no sense (like fixing a browser vulnerability on a server). "Scanner worship" is overuse of vulnerability scanners—it gives a warm and fuzzy and it's simple (red or green results—fix reds). Scanners give a false sense of security. In reality, breeches from missing patches are uncommon—more common problems are: default passwords, cleartext authentication, misconfiguration (firewall ports open). Patching Myths: Myth 1: install within 30 days of patch release (but PCI §6.1 allows a "risk-based approach" instead). Myth 2: vendor decides what's critical (also PCI §6.1). But §6.2 requires user ranking of vulnerabilities instead. Myth 3: scan and rescan until it passes. But PCI §11.2.1b says this applies only to high-risk vulnerabilities. Adam says good recommendations come from NIST 800-40. Instead use sane patching and focus on what's really important. From NIST 800-40: Proactive: Use a proactive vulnerability management process: use change control, configuration management, monitor file integrity. Monitor: start with NVD and other vulnerability alerts, not scanner results. Evaluate: public-facing system? workstation? internal server? (risk rank) Decide:on action and timeline Test: pre-test patches (stability, functionality, rollback) for change control Install: notify, change control, tickets McAfee Secure & Trustmarks — a Hacker's Best Friend Jay James, Shane MacDougall, Tactical Intelligence Inc., Canada "McAfee Secure Trustmark" is a website seal marketed by McAfee. A website gets this badge if they pass their remote scanning. The problem is a removal of trustmarks act as flags that you're vulnerable. Easy to view status change by viewing McAfee list on website or on Google. "Secure TrustGuard" is similar to McAfee. Jay and Shane wrote Perl scripts to gather sites from McAfee and search engines. If their certification image changes to a 1x1 pixel image, then they are longer certified. Their scripts take deltas of scans to see what changed daily. The bottom line is change in TrustGuard status is a flag for hackers to attack your site. Entire idea of seals is silly—you're raising a flag saying if you're vulnerable.

    Read the article

  • Summit Old, Summit New, Summit Borrowed...

    - by Rob Farley
    PASS Summit is coming up, and I thought I’d post a few things. Summit Old... At the PASS Summit, you will get the chance to hear presentations by the SQL Server establishment. Just about every big name in the SQL Server world is a regular at the PASS Summit, so you will get to hear and meet people like Kalen Delaney (@sqlqueen) (who just recently got awarded MVP status for the 20th year running), and from all around the world such as the UK’s Chris Webb (@technitrain) or Pinal Dave (@pinaldave) from India. Almost all the household names in SQL Server will be there, including a large contingent from Microsoft. The PASS Summit is by far the best place to meet the legends of SQL Server. And they’re not all old. Some are, but most of them are younger than you might think. ...Summit New... The hottest topics are often about the newest technologies (such as SQL Server 2012). But you will almost certainly learn new stuff about older versions too. But that’s not what I wanted to pick on for this point. There are many new speakers at every PASS Summit, and content that has not been covered in other places. This year, for example, LobsterPot’s Roger Noble (@roger_noble) is giving a presentation for the first time. He’s a regular around the Australian circuit, but this is his first time presenting to a US audience. New Zealand’s Paul White (@sql_kiwi) is attending his first PASS Summit, and will be giving over four hours of incredibly deep stuff that has never been presented anywhere in the US before (I can’t say the world, because he did present similar material in Adelaide earlier in the year). ...Summit Borrowed... No, I’m not talking about plagiarism – the talks you’ll hear are all their own work. But you will get a lot of stuff you’ll be able to take back and apply at work. The PASS Summit sessions are not full of sales-pitches, telling you about how great things could be if only you’d buy some third-party vendor product. It’s simply not that kind of conference, and PASS doesn’t allow that kind of talk to take place. Instead, you’ll be taught techniques, and be able to download scripts and slides to let you perform that magic back at work when you get home. You will definitely find plenty of ideas to borrow at the PASS Summit. ...Summit Blue Yeah – and there’s karaoke. Blue - Jason - SQL Karaoke - YouTube

    Read the article

  • SQL SERVER – BI Quiz Hint – Performance Tuning Cubes – Hints

    - by pinaldave
    I earlier wrote about SQL BI Quiz over here and here. The details of the quiz is here: Working with huge data is very common when it is about Data Warehousing. It is necessary to create Cubes on the data to make it meaningful and consumable. There are cases when retrieving the data from cube takes lots of the time. Let us assume that your cube is returning you data very quickly. Suddenly on one day it is returning the data very slowly. What are the three things will you to diagnose this. After diagnose what you will do to resolve performance issue. Participate in my question over here I required BI Expert Jason Thomas to help with few hints to blog readers. He is one of the leading SSAS expert and writes a complicated subject in simple words. If queries were executing properly before but now take a long time to return the data, it means that there has been a change in the environment in which it is running. Some possible changes are listed below:-  1) Data factors:- Compare the data size then and now. Increase in data can result in different execution times. Poorly written queries as well as poor design will not start showing issues till the data grows. How to find it out? (Ans : SQL Server profiler and Perfmon Counters can be used for identifying the issues and performance  tuning the MDX queries)  2) Internal Factors:- Is some slow MDX query / multiple mdx queries running at the same time, which was not running when you had tested it before? Is there any locking happening due to proactive caching or processing operations? Are the measure group caches being cleared by processing operations? (Ans : Again, profiler and perfmon counters will help in finding it out. Load testing can be done using AS Performance Workbench (http://asperfwb.codeplex.com/) by running multiple queries at once)  3) External factors:- Is some other application competing for the same resources?  HINT : Read “Identifying and Resolving MDX Query Performance Bottlenecks in SQL Server 2005 Analysis Services” (http://sqlcat.com/whitepapers/archive/2007/12/16/identifying-and-resolving-mdx-query-performance-bottlenecks-in-sql-server-2005-analysis-services.aspx) Well, these are great tips. Now win big prizes by participate in my question over here. Reference: Pinal Dave (http://blog.SQLAuthority.com) Filed under: PostADay, SQL, SQL Authority, SQL Query, SQL Server, SQL Tips and Tricks, T SQL, Technology

    Read the article

  • 24 Hours of PASS coming up soon!

    - by Rob Farley
    Massive thanks to all the people that have been shouting about this event already. I’ve seen quite a number of blog posts about it, and rather than listing some and missing others, please assume I’ve noticed your blog and accept my thanks. But in case this is all news to you – the next 24 Hours of PASS event is less than a fortnight away (Sep 20/21)! And there’s lots of info about it at http://www.sqlpass.org/24hours/fall2012/  (Don’t ask why it’s “Fall 2012”. Apparently that’s what this time of year is called in at least two countries. I would call it “Spring”, personally, but do appreciate that it’s “Autumn” in the Northern Hemisphere...) Yes, I blogged about it on the PASS blog a few weeks ago, but haven’t got around to writing about it here yet. As always, 24HOP is going to have some amazing content. But it’s going to be pointing at the larger event, which now less than two months away. That’s right, this 24HOP is the Summit 2012 Preview event. Most of the precon speakers are going to be represented, as are half-day session presenters, quite a few of the Spotlight presenters and some of the Microsoft speakers too. When you look down the list of sessions at http://www.sqlpass.org/24hours/fall2012/SessionsbySchedule.aspx, you’ll find yourself wondering how you can fit them all in. Luckily, that’s not my problem. For me, it’s just about making sure that you can get to hear these people present, and get a taste for the amazing time that you’ll have if you can come to the Summit. I see this 24HOP as the kind of thing that will just drive you crazy if you can’t get to the Summit. There will be so much great content, and every one of these presenters will be delivering even more than this at the Summit itself. If you tune into Jason Strate’s 24HOP session on the Plan Cache and are impressed – well, you can get to a longer session by him on that same topic at the Summit. And the same goes for all of them. If you’re anything like me, you’ll find yourself looking at the Summit schedule, wishing you could get to several presentations for every time slot. So get yourself registered for 24HOP and help yourself make that decision. And if you can’t go to the Summit, tune in anyway. You’ll still learn a lot, and you might just be able to help persuade someone to send you to the Summit after all (before the price goes up after Sep 30).

    Read the article

< Previous Page | 76 77 78 79 80 81 82 83  | Next Page >