Domain: example.org
Stories and comments across the archive that link to example.org.
Comments · 26
-
Re:Javascript and security?
wget -O- https://example.org/install.sh | sh
is a very common installation method presented by various tools (or via curl). In most cases you even need to run them as root due to the fact that the creators of those tools do not understand how to have their software work as non-root users.
For example:
https://toolbelt.heroku.com/de...
https://docs.docker.com/linux/...
https://nodejs.org/en/download... -
Re:Congrats Slashdot!
You get only 1 bit per hostname but can use any number of them. You then make a query to http://bit0.example.org/ http://bit1.example.org/ http://bit2.example.org/ and so on, recording which succeeded and which failed. For HSTS you query http and have https either not work or return a different answer, for HPKP you query https and have test servers use certificates signed by a valid CA that doesn't match the pin.
You don't even need javascript to read the answers, both to display something to the user (pieces of CSS) or notify your server (you know whether the test requests succeeded or not).
-
Re:Easy fix
For fake domains and URLs you should always use the RFC approved "example.tld" such as https://myproxy.example.org/...
-
Re:What about hybrid sites?
Really, it's not more intensive to use https. There are lots of people who have analyzed the difference.
A few more packets are sent. It's really trivial. While it is measurable, it can be recovered by removing one little picture, and/or compressing one of those pictures.
A trivial amount of CPU time is taken. Most of the measurements saying it was significant were from when CPUs were single core 200MHz or less, and memory was measured in MB rather than GB.
I've been offering or forcing users to SSL, depending on the site. Sometimes I just do it because I can.
There's no good reason to not use SSL now. I've forced it on hobby sites, and huge load sites.
There is a risk of serving even simple elements insecurely. It would be mistakes or silly things that don't seem to make a difference. I've seen lots of little mistakes when packet sniffing networks (with explicit permission, of course). Once in a while, someone will make the little mistake developing a site, and I'll see a request like http://example.org/images/logo... .
Your site could be totally perfect today, and you've gone over it every which way to make sure of that. But next week or next year when you make a "simple" change, it could make a huge difference.
-
Re:Readability
Content? Content!? Don't you get it? Internet is the new TV, and it needs more 2-hour-long commercials for Coca-Cola, Ford, and Bing. Who cares who wins? It's all about who fights, who's dating, and who's the 1,000,000th page view (CLICK HERE to claim your prize!).
-
Surprise.... FTTA
Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?
I don't think "oppressive-regime.example.org" would bother with a cheap exploit like this.
The fact of the matter is that since they're the regime, they control the network, and are already sniffing your packets. -
Linked Data = Pointers
"Linked data is data you can click on. It will take you to another data set."
I've thought since early 2000's that our data structures (like JSON) need the concept of a pointer. What would it look like? A URL, of course -- a URL pointing to yet more JSON data.
{"name": "Lion Kimbro", "favorite color": "yellow", "homepage": "http://www.speakeasy.org/~lion/", "friends": [http://example.org/joel, http://example.org/whit, http://example.org/phil, http://example.org/amber]}
The idea here being that you have API support to dereference, say, friends[0], when you make use of it. The data is pulled and connected up with the local memory system when it's used.
-
Re:it's the browser implementation
D. Create your own CA cert
Why not create your own signing certificate, and use this to sign your key for https://my-hobby-site.example.org/ ? You can then install the signing cert in your browser and be happy and secure.
But what about when you want to log in from an internet cafe half-way across the world? Why, just publish your CA cert at http://my-toy-site.example.net/cacert.crt and link from your home page; you'll be prompted to install it in your browser's trusted key-ring. (Of course someone could have MITM'd your certificate install, but then that's the risk you've chosen to take by going for a self-signed cert.)
Now you can have a secure connection without paying a so-called "Trusted Third Party" for the privilege, and without requiring the browser to support the easy use of self-signed certs (which we know causes damage to many people's ability to use https web-sites safely).
Personally, I hope that, in the medium term, widespread key distribution based on DNS-SEC will side step this whole issue.
-
Re:URL Shortners Are Bad
I never thought it had to do with bandwidth. I saw URL shorteners become popular shortly after everyone started putting the title of the page into the URL for search engine optimization. It used to be that anyone's blog post would be like http://example.com/blog/2009/09/19 or http://example.com/blog.php?story=urls but now it's like http://example.org/blog/2009/08/19/why-url-shorteners-are-not-a-good-idea . Even Slashdot went this route--one of the URLs for this story is http://tech.slashdot.org/story/09/08/19/120206/URL-Shortener-trim-To-Go-Community-Owned-Open-Source Note that the old style address, http://tech.slashdot.org/story/09/08/19/120206 , also works. The rest is strictly for SEO. (Making it human readable is a nice side benefit, but SEO is the reason.)
-
Really?
I mean I like OSS and all, but I wrote my own redirector for my domain; it can't be more than 30 lines of PHP.
http://example.com/index.php?url=http://example.org/long+url/
SQL lookup, return the url if it exists, increment last number if it doesn't. Return: http://example.org/10/
Mod Rewrite to assist in the redirect and tada.
Added benefit of not scaring off friends with an odd domain.
-
Re:Anti-phishing? Fuck that.
Yourbank.com...
command.com...
Umm, am I seeing a problem with that idea? Yes I am.
And the reason to turn it off, it doesn't always work (false positives, and false negatives), and it leads to a false sense of security. Like running a virus checker and then not caring about downloading random shit from the web. Better to just not download random shit from the web.
-
Re:The Webspider of Doom
NEVER PUT ANYTHING IN A LINK THAT MODIFIES DATA. NEVER. EVER.
What about if you're running a stock market price website? In your database, you store some html pages for each ticker symbol. When the user goes to http://example.org/stocks/get-latest/ENRON it checks if the last update time on the pages in the database is more than 1 minute ago. If the pages are less than one minute old, it serves the pages from the database. If the pages are more than 1 minute old, it gets the new stock data from the stock database, and makes new pages and puts them in the page database. Then it serves the fresh pages.
Using the link might modify the data, by making it up-to-date. What would you do? Program it so that the user has to submit a form to get current data, or they can only get old data if they got there by a link? Why can't they just follow a link to get the information they want? Obviously you would want to make the user submit a form, since you said "NEVER! EVER! EXTERMINATE! EXTERMINATE!". Look! Yahoo's doing it!
-
Sometimes we like to see URLs.
I'm not sure why you'd put a tinyurl on a web page, where you could just embed the URL in a link using href, like this (oh, the temptation to link to goatse was great, but I resisted).
Why? Laziness on the part of the writer, I believe.
While often the ability to give a descriptive link to something is nice, the advent of forum software (or e-mail or IM) which automatically hyperlinks any text that looks like a URL means that it is often easier to just type out http://www.example.org/foo/bar.html . Pasting it in is easier for the writer, and also allows the reader to SEE what the link is before highlighting it. The hierarchical nature of URLs enables savvy users to already have some idea what they are getting ("Hmm, that URL has 'goatse' in it ... Danger, Will Robinson!") without having to move their mouse. URLs also survive being printed better.
Hyperlinks are an awesome tool, and of course nothing stops someone making a deceptive link (which has one anchor and descriptive text which lists a different URL), but ... in general it's still very easy to just type out a URL.
So -- that brings us to TinyURLs, and clones thereof. It's good for use on the mobile phone (though I don't know why I'd want to use the web from mine ;)), or in IM, or generally anything where you need to remember something.
As for a single point of failure ... I don't see what's stopping any of us from making our own TinyURL-like-services -- so, you could link to http://www.myblog.org/link/1066 instead of http://en.wikipedia.org/wiki/Battle_of_Hastings ;) (though to be fair, Wikipedia's URLs are already often memorable and easy to type... (-: -
Re:metadata worst idea ever
Re the "very very very important question of where it comes from" and RDF,
...
See the RDF query spec, SPARQL, specifically the "FROM" clause in the query language.
http://www.w3.org/TR/rdf-sparql-query/#specDataset
Section "8.3.1 Accessing Graph Names" ...take a look at the example query there:
PREFIX foaf:
SELECT ?src ?bobNick
FROM NAMED
FROM NAMED
WHERE
{
GRAPH ?src
{ ?x foaf:mbox .
?x foaf:nick ?bobNick
}
}
The spec gives the resultset table, which basically says that according to http://example.org/foaf/aliceFoaf the nickname is "Bobby", and according to http://example.org/foaf/bobFoaf the nickname is "Robert".
It's a mistake (although understandable ... better tutorials and demos are needed) to assume that RDF and SemWeb ignore this problem space.
There's an online SPARQL demo at http://xmlarmyknife.org/api/rdf/sparql/query and another at http://librdf.org/query to get a feel for how some of this stuff works. There are also tools like SquirrelRDF and D2RQ that wrap existing (SQL, LDAP, ...) datasources and make them look like SPARQL too, so your apps can be couched in terms of globally-used schemas rather than per-datasource schemas. It's also worth keeping an eye on what Oracle have been up to ... http://www.oracle.com/technology/tech/semantic_technologies/index.html ... no SPARQL yet but some serious RDF support.
-
Don't drink the Kool-aid
Boy, that sure does sound great. XRI promises global context symbols, peer-to-peer addressing, decentralization, delegation, federation, persistence, human-friendly formats, machine-friendly formats, lightweight resolution, trusted resolution, and transport independence! Amazing!
Too bad it's all a bunch of complicated bullshit. We don't need it, and we don't want it. Want to know why? Seven different special symbols (@, +, =, !, $, /, .), all with meaning (they "provide a simple, human-friendly way to indicate the global context of an i-name or i-number." Hah!). HTTP requests and XML parsing to determine the real location of anything ("lightweight resolution"); this means at least 2 HTTP GET requests to resolve the location of a resource. Wow, persistence with numbers! Couldn't have done that with a simple UUID scheme! And what's with having a machine-friendly format and a human-friendly format? If every machine has to be able to parse them both, then why bother with the bloat?
I fail to see how any of this will allow you to develop anything you've mentioned. If anything technological is holding us back from general programmatic contracts, it's not a resource identification scheme.
Luckily, this will never catch on. XRIs have no use cases. Why would I want xri://@example.org*blah=Bob/ when http://blah.example.org/Bob/ already works with my existing software without any problems? My only fear is that OpenID 2.0 will require that all software understand XRIs. So much for lightweight software. -
Least specific to most specific
Why not no slash? http:org/slashdot. Much like mailto:foo@example.org (or would that be mailto:foo@org/example). Or aim:do_something_really_annoying, bittorrent:linux.iso.torrent, irc:freenode.org/#debian.
The good thing about going from least specific to most specific is that it's easy to chop off unnecessary data. In dates for example, "the 25th of March, 2006" is a mouthful to say. But saying just "the 25th" is sufficient because one can assume the month is March. Or if not, "the 25th of March" is enough for an entire year. You can keep adding more information as needed.
That wouldn't seem to work very well on the web though... you could type "some_unique_webpage" and be taken there immediately. Or you could type "some_non-unique_webpage/slashdot" which would take you to slashdot's version of that page. Or "very_non-unique_webpage/joesblog/org" for a complete specification. I wonder if that would work well or be horribly awful if you integrated a search engine with DNS... there would need to be a different separator between the DNS stuff and the webpage (although some cleverness could probably guess most of the time) "pic_001/niagra_falls/picture:joesblog.org".
Since there are so many websites, this probably wouldn't save much typing in practice... The browser could perhaps limit its domain to sites often visited, unless explicitly taken to a new site or an explicit search requested. If you typed in something unique, it could take you there. Something non-unique, and it would show a list of more specific choices. In both cases, there would be a search button to expand the domain to the entire web (or maybe specific subsections of the web much like google.com/linux etc.).
And of course, this doesn't map directly onto a filesystem.
-
Re:OpenOffice
I use it every day.
I use Outlook XP (passable).
I use Outlook 2003 (much better).
I use the latter over the internet from home (RPC over HTTP). It is fast and keeps the same functionality I have at work.
Even more often, I use OWA (Web Access). https://example.org/exchange and I sign in to the best webmail program I've ever used. [If you've seen better, let me know. GMail doesn't do Calendar (yet), Notes sucks remotely, Groupwise doesn't even have a decent normal client]
The latter doesn't require any email client at all on the client. Now, admittedly I've never used IMAP or POP3 to access Exchange, but I've never had to. I'm running Opera right now and could use the mail client to connect, but what would that gain me?
I'm actually looking forward to getting a new Treo which will get push mail directly from Exchange. [Both the existing Palm Treo and the new Windows version support it, IIRC]
-
The idea behind PageRank
is that it's hard to spoof. Getting your example.org to become #1 in the search results would require a whole lotta linking! And it'd have to be other people linking to you, not vice-versa.
-
Google attack!
Google not only blocks the spam, but every result after it.
Sounds like an attack waiting to happen. Let's see, I really hate that blasted www.example.com site, ever since they totally ripped off my page! First, I'm going to mirror it here! Then I'm going to take that collection of spam I've been saving up all these years and attach it to my mirrored site. Then, if I can somehow push my site above in google page rank, they should not show up in any search and I have thwarted my opponent! YES!
-
I think you're right
I'm going to start following your excellent example with my Slashdot comments.
Make money fast! Click here now!
I think it will help to improve the quality of my comments, and bring in more readers.
Your computer is not optimised. Optimise now!
However I'm a little concerned that people may find it difficult to follow my posts if I keep breaking them up with adverts and links.
Naked cheerleaders!
I guess it might also be a problem for users on high latency links.
Get your University diploma. Act now!
Who am I kidding? Fuck um, I'll just milk a single post for 6 page impressions per reader and overload it with adverts, animated GIFs and other shit. All I need to do is work out how to make Slashdot accept blink tags and embedded Flash, I can be just as leet as your site is every day!
Adverts got you down? Want content? Well we can't help!