|
As a general rule, I avoid using business data as primary keys. The reason is, some time or the other they're susceptible to change. I understand that modern databases allow cascading updates, but I still feel that it is not an elegant idea and is not worth the pain and effort. I prefer using system-generated keys like GUIDs, IDENTITY columns (and SEQUENCE in Oracle). They're guaranteed to be unique and does not need to change at any point in time.
Don't forget to create an index on your barcode number, though.
|
|
|
|
|
Shameel wrote: As a general rule, I avoid using business data as primary keys
Ahhhh hah hah hah hah slap eh oh sorry...
A general rule - it is a cast iron, I will shoot you rule here, and I don't even have a gun. Absolutely NO flexibility in this rule is allowed - ever. The number of times I have gone, oh just this one, and had it come back and bite me is embarrassing.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Hi All,
I am developing an antivirus scanner module for new security tool, in C++ for the windows operation system.
I have a need for database/list of viruses information so my tool be able to detect them.
Does any one know where i can buy/download a list like that with license to use in my tool.
I hope this is the right forum....
Thanks a lot,
Ram.
|
|
|
|
|
I've never seen an offer for such a list.
Furthermore, those lists are volatile; AntiVirus software manufacturers tend to update their data a couple of times a week. How will you organize that?
|
|
|
|
|
First of all, thanks for the reply.
I will have a team that investigate new threats over time.
But i need a list like that for old virus, that probably exist here and there....
Thanks,
Ram.
|
|
|
|
|
Luc Pattyn wrote: AntiVirus software manufacturers tend to update their data a couple of times a week daily.
FTFY
|
|
|
|
|
I am not sure about full list/database but if you visit the websites of the major anti-virus providers you should be able to find lots of useful information.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
|
|
|
|
|
Thanks for the reply and the information.
|
|
|
|
|
Ram Shmider wrote:
I have a need for database/list of viruses information so my tool be able to detect them.
..scanning a file for a signature isn't the "hard" part that these people solve[^], it's getting those signatures.
Ram Shmider wrote: Does any one know where i can buy/download a list like that with license to use in my tool.
You're always welcome to download ClamWin[^], and build on it's database. You can even look at the sourcecode to see how it's done. If you use that database, your software might fall under the GPL license, dunno - you'd have to check with someone who knows about legal stuff.
A quick consultation with the Almighty Google revealed that Norton's database[^] might be "free" to. It might reveal more if you consult it after sacrificing some bacon.
Bastard Programmer from Hell
|
|
|
|
|
Thanks a lot for the information, i will check it.
|
|
|
|
|
Hello, everyone, this is my first question in codeproject, please forgive me for my bad English.
Currently, I was working on designing a system which will store some data in local PC(ATM machine).
The customers(banks) hope we providing a security mechanism which can make sure any data recorded in PC was not changed by anyone.
I learned from internet and I fail to find a good way to handle it. Since we know if we have the right to visit the pc, we can changed the data, even though we can add MAC field for each records recorded.
I know that a third party CA organization would be involved to add proof to my application, but it is not allowed by my customer.
Any suggestion is welcome and highly appreciated.
|
|
|
|
|
in your database use datetimestamp field
|
|
|
|
|
Thanks for response, could you please detail it more specific.
|
|
|
|
|
Calculate a hash-key and store it in another table with a reference to your original table. If anyone modifies the data, it'll result in a different hash-key than the one that you stored.
Bastard Programmer from Hell
|
|
|
|
|
Hi Eddy, thanks a lot for that response, and I am glad to say you and I have a same understanding on that Issue.
From my previous thought, I think I can at least add a column in the data table, and record the hash key in this column, whereas you mean we can record the hash key in another table.
I think your idea is a little better than me, since if someone delete one row from data table the correlation will be broken for the foreign key doesn't match.
I want to know if tamper man change the data and meanwhile he/she change the hash key, how can we prove the data was not changed.
|
|
|
|
|
songbo07 wrote: I want to know if tamper man change the data and meanwhile he/she change the
hash key, how can we prove the data was not changed.
If the hacker can generate a new hash, you're toast. If the tamper-man has the seal of King Midas - he'll be King Midas.
It's the same as logging who's accesssing your Linux-machine - if a hacker gains root-access, they can change the logs as they like and the logs become useless. Hence the suggestion to store it somewhere else (with limited access).
songbo07 wrote: From my previous thought, I think I can at least add a column in the data table,
and record the hash key in this column, whereas you mean we can record the hash
key in another table. I think your idea is a little better than me,
since if someone delete one row from data table the correlation will be broken
for the foreign key doesn't match.
Not only that; if a hacker sees a column with something that resembles a hash, he/she will focus on that column. If you got .NET code that's not obfuscated, then it might become very easy to break it.
Another layer of security could be added by adding auditing[^], but this requires a licensed version of Sql Server 2008 (not available for Sql Express, but you could leave a trace running there). Additionally, you can have the logs being written to an encrypted drive as suggested by Microsoft.
..and no, there is no fool-proof lock. The idea is to make it as hard as possible, just as you lock the doors around your house. Ask the bank, even their vault is vulnerable to attack in certain (yet hard to create) circumstances.
Bastard Programmer from Hell
|
|
|
|
|
He wants to PREVENT from people modifying the data. Not to KNOW if someone modified it.
Plus, if someone can modify the data, she can also calculate the hash and modify it too. And then you wont even KNOW!
My answer is, use asymmetric encryption. Encrypt data with banks public key. And only the bank can retrieve the data then.
|
|
|
|
|
krumia wrote: He wants to PREVENT from people modifying the data. Not to KNOW if someone modified it
Hmz, might have missed that bit.
krumia wrote: Plus, if someone can modify the data, she can also calculate the hash and modify it too. And then you wont even KNOW!
With the salt in another location, I would now.
krumia wrote: My answer is, use asymmetric encryption. Encrypt data with banks public key. And only the bank can retrieve the data then.
Bastard Programmer from Hell
|
|
|
|
|
Quote: With the salt in another location, I would now.
|
|
|
|
|
songbo07 wrote: designing a system which will store some data in local PC(ATM machine).
songbo07 wrote: know that a third party CA organization would be involved to add proof to my application, but it is not allowed by my customer.
What I see there is a contradiction. How is the bank going to verify that what you wrote does what it says it does?
Not to mention that if an ATM requires PCI compliance, which is probably something that will happen in the near future, it would require a PCI audit.
|
|
|
|
|
This is indeed a contradiction.
When customer came to Bank and claims he/she got a fake money from ATM machine. bank need a proof to prove whether or not this money was dispensed by their ATM or not. Obviously, Bank will always announce the security of their ATM and won't like to pay for the cost of fake money.
If bank and their customer can not get an agreement on that, there is probably a court case to deal with it. The court will ask bank to give our a proof to prove the money was not dispensed from their ATM.
So bank want ATM vender to record transaction information on ATM for at least 30 days, if there is any case like we mentioned happened, ATM should provide this type of information including serial number of each money. it is quite easy to get and record these required information on ATM, but who can prove no one changed in after it is record on hard disk.
Bank ask us do it, we have to do it, because "Customers are always right". this transfer the responsibility of proof from Bank to ATM vender(my company), meanwhile the trouble and risk was changed to us.
Now, without 3rd party certification organization, I think we need to hold a hash function in same assembly and generate runtime key with this function, then encrypt sensitive data with the generated key.
I don't know if this method have the legal validity, all in all, I think I have to do it for time urgency.
And I believe other venders will have the same problem. we can do it first and see what need to do to solve this problem.
|
|
|
|
|
|
I want to design and implement an arquictecture for manage alert in real time for geofencing information. The system must trigger an alert (email/sms) when a vehicle arrive or aprouch in an pre definined route.
My actual system is based in Java (server), php, google map, OpenLayers and Postgis database.
I have no experience in this area, I would appreciate any kind of help, either in reference bibliografica, sites or ideas.
|
|
|
|
|
Outside of your normal n-tier approach there is not so much different going on.
email
for email you can always write it to use smtp. This implies you have an smtp server. (IIS eg is already capable of doing this, so I guess a java equivalent can also)
An smtp mail is pretty straightforward, to, cc, bcc, from, subject, mailbody and attachments depending on what you need and I'm pretty sure Java has objects available.
Sms.
To send an sms you'll need an application that can do this and provides a component that you can use. I say application, because that will have to go through a phone central or something similar. The best thing you can do is check with the provider, who knows they have a webservice that you can use. Once you have that, it's basically the same as an email: phonenumber sender, phonenumber receiver, smstext.
shelltton wrote: when a vehicle arrive or aprouch in an pre definined route
This will be the hard part depending on your needs. If it is a real route they're following you'd somehow need to match the 'triggering' route with the real followed route. Can't help you here.
If the 'route' corresponds to an area and you need to trigger if an object entered that area this might be simpler, unless the area is polygon (polygons can be pretty complex), in that case you need a special algorithm that divides the polygon in seperate regular polygons (square, triangle, ...). If the area is a circle or a square or something like that you just need to check if the XY coordinate of the object is within the regular square/triangle/circle/... If you can go for a square or circle.
Triggering
Normally you can subscribe to a callback of the object that provides the coordinates of the moving vehicle (GPS?). In that callback you need to check whether it is within the boundaries of the area or is on the triggering route for an email/sms and send.
I realize that this not a complete answer to what you probably want, but I hope it might give you enough information to start. if you have more detailed questions, shoot, I'm no wizard, but I can try to answer
V.
|
|
|
|
|
I wonder how you can mention real-time and e-mail in one thread. All an email system does is try and deliver your message at some undefined point in time, there is no guarantee whatsoever as to success nor speed. Messages that typically arrive in under one minute may as well take hours to arrive, or get lost permanently.
I'm not sure, however I guess the same holds true for SMS.
|
|
|
|
|