* Posts by Lee

3 publicly visible posts • joined 24 Jun 2008

Microsoft IIS hole fells university server

Lee

.NET vs PHP - really?

Hmmm, I don't usually pipe up in these comment sections; however, it is a slow day and I am nursing a large hangover, so here we go...

@Kevin - I really don't think you can compare .NET to PHP at all (for example, how can I write a desktop app or Windows service in PHP?). However, I imagine you are just talking about web development. Even here the comparison doesn't hold up. As an example, could you please post code in PHP to do some of the following:

1. Select a certificate, negotiate with a WS-Security compliant web service, authenticate and consume (even Java has a few standards problems here which require programmatic workarounds)

2. Create an Active Directory Group and User

3. Set filesystem permissions explicitly on a file (e.g. one that you allow users to upload)

4. Programmatically Impersonate a specific user account on the server for accessing well secured resources

By having access to the full .NET framework, ASP.NET allows much more sophisticated applications to be implemented and deployed over HTTP (don't forget the intranet setting so important to the enterprise) than is possible in PHP.

Anyway, although the average Reg comments poster will no doubt disagree, I love .NET and find programming in it a pleasure.

:)

Microsoft leaks cloudy OS name

Lee

licensing

I believe that this release will just be a new Win 2008 Server version with different licensing restrictions. Like Web Server edition but more stripped down and a licence for multiple CPUs. No doubt this is why Amazon are able to offer Windows on EC2 'sometime this autumn'.

Merchants call credit card industry's bluff on compliance

Lee

Standards at odds with each other

I have been implementing an ecommerce project and have come up against the issue of PCI-DSS compliance. As the article mentions, the 12 points are simple things that anyone handling card data or any personal details should be doing anyway.

However, to my personal grumble.... I have also integrated the ecommerce site with the 3D Secure (Verified by Visa and Mastercard Secure) programme. This is designed to make online transactions more secure, but because of how it works it requires that you collect the payment details from your customer, then get the customer's browser to submit the payment details off to an authentication server which responds with a couple of codes. You then have to append these codes to the payment details you collected earlier (before the user's browser was sent off to god knows where) and send them off to your bank for processing.

Because of this 2-stage process it necessitates that the user's card details and their personal details are STORED somewhere before being dispatched to your bank for processing! Until this stupid system came into force, ecommerce sites could get away with not persisting payment details (except in memory for a brief period); alas, that is no longer the case.

In my opinion, forcing ecommerce sites to store payment details is going to be the cause of an awful lot more breaches. PCI-DSS should be welcomed as a means of encouraging best practice; however, 3D Secure does precisely the opposite!

</rant>