Archive for June, 2006

Caltrain GO Pass

Friday, June 9th, 2006

Caltrain offers this insane discount for employers: $99.50 per employee per year, with a minimum purchase of $6,965 per year, for a pass good in all Caltrain zones. This ticket normally costs nearly $3,000 per year; however, I don’t think the GO Pass is honored by VTA and Muni, so maybe a fairer price is about $1,000 per year. Either way this is at least a 90% discount. I think I may have to buy this and resell them.

OpenOffice Pleading Template

Monday, June 5th, 2006

My significant other is currently in a paralegal program, and therefore needs to produce legal documents. However we don’t have Microsoft Word at home. There are really nice templates for Apple Pages, but they don’t have Pages at school or on any of our laptops. So, I’ve started working on a California Pleading template for OpenOffice.

Pessimistic Programming

Sunday, June 4th, 2006

I am now totally sold on the idea that the only way input validation will ever be secure is by explicitly listing safe characters, not by listing unsafe characters. I was on the fence on this issue. I thought that as long as you used well-published open source functions to check for unsafe characters you were pretty secure, but then I saw this bug for mysql_real_escape_string(). This took a year to be fixed as well.

Worst of all is that I’ve tested applications with MySQL backends with many security tools that look for SQL injection, including security tools that cost thousands of dollars per run, and none of these tools found this bug. I have read in many places that Unicode has been a big recurring headache for software security. So, I would say that would be the second place to look after the obvious SQL injection attacks.

This is why I now think everyone should program by explicitly listing the safe characters and input lengths, even if this hurts the future flexibility of the program. The solution is obvious for things like names, zip codes, etc. I know the solution is clearly not obvious for multilingual sites. And binary files are still tricky to validate. The best I can think of for this is to use Base64 encoding.
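As an added example (my own code, not the post's and not MySQL's), the following Python puts both halves of the argument side by side. The first half assumes the mysql_real_escape_string() bug meant above is the multibyte-charset escaping problem: a byte-oriented escaper inserts a 0x5C backslash in front of a quote, but if the server decodes the connection as a charset like GBK, that backslash becomes the trailing byte of a two-byte character and the quote is left live. The hypothetical naive_escape() models that byte-oriented escaping; the 0xBF 0x27 input is constructed for the demonstration. The second half is the allowlist approach the post recommends: per-field patterns and length caps, with non-ASCII bytes rejected before any pattern is consulted, plus a Base64 rule for binary uploads. The field names and limits are made up for illustration, and the allowlist is a layer on top of parameterized queries, not a replacement for them.

```python
import base64
import re
from dataclasses import dataclass

# Constructed attacker input: 0xBF is a valid lead byte for a two-byte GBK
# character, followed by an ASCII single quote.
TAINTED = b"\xbf\x27"


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaping with no knowledge of the connection charset.

    Hypothetical model of the flawed approach: every quote or backslash gets
    a 0x5C backslash in front of it, one byte at a time.
    """
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def live_quotes(text: str) -> int:
    """Count single quotes that are not preceded by an escaping backslash."""
    return sum(
        1 for i, ch in enumerate(text)
        if ch == "'" and (i == 0 or text[i - 1] != "\\")
    )


def quote_survives(raw: bytes, charset: str) -> bool:
    """True if, after escaping, a server decoding as `charset` still sees a quote."""
    decoded = naive_escape(raw).decode(charset, errors="replace")
    return live_quotes(decoded) > 0


@dataclass(frozen=True)
class FieldRule:
    pattern: re.Pattern
    max_len: int


# Illustrative field rules (assumed, not from the post): allow only what the
# field needs and cap its length. Excluding apostrophes from names is a policy
# decision made here for the demonstration.
FIELD_RULES = {
    "last_name": FieldRule(re.compile(r"[A-Za-z][A-Za-z -]*"), 64),
    "zip": FieldRule(re.compile(r"[0-9]{5}(?:-[0-9]{4})?"), 10),
    # Standard Base64 alphabet in 4-character groups with optional padding.
    "upload_b64": FieldRule(
        re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"),
        4096,
    ),
}


def validate_field(field: str, raw: bytes) -> str:
    """Allowlist validation: reject anything not explicitly permitted.

    Decodes strictly as ASCII first, so a multibyte lead byte such as 0xBF
    never reaches the pattern match, whatever charset the server uses.
    """
    rule = FIELD_RULES[field]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError(f"{field}: non-ASCII byte at offset {exc.start}") from None
    if len(text) > rule.max_len:
        raise ValueError(f"{field}: longer than {rule.max_len}")
    if not rule.pattern.fullmatch(text):
        raise ValueError(f"{field}: character outside the allowlist")
    if field == "upload_b64":
        # The pattern guarantees the alphabet; this guarantees well-formed padding.
        base64.b64decode(text, validate=True)
    return text


def is_valid(field: str, raw: bytes) -> bool:
    """Boolean wrapper around validate_field() for callers that just want yes/no."""
    try:
        validate_field(field, raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cs in ("latin-1", "gbk"):
        print(f"{cs:8s} quote survives escaping: {quote_survives(TAINTED, cs)}")
    for field, value in [("last_name", b"Smith-Jones"), ("last_name", TAINTED),
                         ("zip", b"94107-1234"), ("upload_b64", b"AP+/Jw==")]:
        print(f"{field:11s} {value!r:16} -> {is_valid(field, value)}")
```

Run stand-alone, the first loop shows the same escaped bytes are safe under latin-1 and unsafe under gbk, which is exactly why a scanner probing with ASCII payloads misses it; the second loop shows the allowlist rejecting the tainted input without needing to know the charset at all.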