Domain: stackoverflow.com
Stories and comments across the archive that link to stackoverflow.com.
Comments · 921
-
Re:Better linkObviously, not all mitigations on the list apply to all situations. Here are some examples where they wouldn't apply so easily:
Where possible, avoid implementing custom authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment.
This can prove cost prohibitive when the authentication capabilities provided by the surrounding operating system are marketed for use only by privileged employees, not by the public. Consider the case of an operating system that charges per user account. (Microsoft calls this the "client access license" model.) One might be tempted to use or create an authentication and authorization library that runs independently of the operating system's own auth facility, so that one needs to buy a system user account for only the web server, not for each member of the public who creates a user account on the web site.
For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders
Say I encrypt the keys that a web server uses to communicate with other web services, such as the key used to communicate with a payment processor. Now how do I store the key to decrypt those keys?
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
So how do we prevent an attacker from attacking a system while it is still in "first login" mode?
Clearly specify which data or resources are valuable enough that they should be protected by encryption.
Firesheep shows that this includes users' passwords and cookies containing authenticated session tokens. But with StartSSL having suspended operations and Internet Explorer on Windows XP still not supporting Server Name Indication, how can hobbyist web developers get the certificate and dedicated IPv4 address needed to host an SSL site?
If possible, create isolated accounts with limited privileges that are only used for a single task.
Please see my comment above about the CAL pricing model.
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form.
If you've ever seen errors about a "form key" on Slashdot, Slashdot is doing exactly this.
Do not use the GET method for any request that triggers a state change.
Is a hit counter a state change?
Use a built-in path canonicalization function (such as realpath() in C)
According to this page: "The realpath() function is not described in the C Standard." It's available only in UNIX, not in Windows.
Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.
Does this mean don't bounce messages to nonexistent users but instead treat them as delivered and discard them? That would provide a bad user experience for people attempting to contact these users.
Use code signing technologies such as Authenticode.
How does a hobbyist afford the certificate for Authenticode?
For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator.
Writable I agree with, but readable I'm not so sure. If configuration files are readable only by the adm
-
Re:Better Better link
Why not go to a good source from actual devs?
If an exploding ball of fire isn't dangerous, what is?
-
Re:D FTW
Isn't D compiled by GCC? Why would it not have a 64-bit compiler (you mean a compiler for ia64?)?
It's not that simple according to this page.
I know someone who was developing a medium-sized program in D and decided to start over in C++ due to compiler bugs and general lack of compiler maturity.
-
Re:Why?
JavaScript truth table:
[ see link - filter won't let me post ]
-
Re:What about salting?
No, the salt is a large block of random data (usually stored as a string) that you append to the password before generating the hash.
Stealing the salt does nothing to prevent its purpose, which is to stop the use of precomputed hash tables, because it's not feasible to compute a table with all the possible large inputs.
http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190
-
Re:Needs based approach
I can't tell if you are trolling or not, but just in case.
I'll bet Amazon.com doesn't have 13,000 CONCURRENT clients. Gimme a break! When you LIE, at least make it believable
In fact, I wonder if there is a database on the planet that has that many CONCURRENT accesses.
Google has over 30,000 searches per second. Secondly he states that 13,000 users were using it simultaneously, not that the database had 13,000 open DB connections. Slashdot probably has more people viewing it than that now. I am sorry you suck at computing, but writing a web app to deal with 13,000 simultaneous clients is trivial. You will have room to talk when you need to deal with 30,000,000.
First, is Google running on PHP and MySQL? I think not. They use their own database called Bigtable. Bigtable is NOT an SQL database. In fact, it isn't even a Relational Database. They even run their own custom Linux distro, don't they?
Sorry you suck at RDBMS design, and fact-checking. I would imagine that Google doesn't use Apache, neither. Nope. They use the Google Web Server. So, what was your point, again? Second, it depends on what he meant by 13,000 simultaneous users were USING it.
Third, I still call shenanigans because FMP Server has a hard limit of 100 concurrent web users (100 concurrent sessions), if they were using it to publish the database directly. And if they WEREN'T using it to publish the database to the web directly, I'm not sure how they were getting the data to the clients. And if they were using FileMaker Clients, FMP is only tested to 250 clients. It has no actual maximum; but 250 is pretty far from 13,000. and FMP isn't like MySQL: You don't open a connection; do a transaction or two, and close the connection, like you do in PHP/MySQL. Opening a FMP database is a many-seconds-long process. He said that FMP ran for 3 hours before it buckled. I don't think 13,000 FMP clients could have OPENED the database in 3 hours!
Ok, let's look at some REAL concurrent numbers. We'll leave the likes of Google, Yahoo, eBay, the NFL, GoDaddy and Amazon out of it; because what they are doing is FAR from trivial. And BTW, anyone can throw numbers around; but I am having a real hard time verifying your claim, other than the Google number. And as I said, what they are doing has NOTHING to do with PHP/MySQL; and so is a non-sequitur:
This Tomcat/Apache and Tomcat/IIS article seems to suggest a number of concurrent sessions that is a couple of orders of magnitude LOWER than 13,000 simultaneous users.
Apache documentation seems to suggest that 13,000 concurrent open sessions is pretty damned many, too.
OTOH, WebSphere has the ability to handle hundreds of thousands of concurrent connections; but again, we ain't talking no steenkin' LAMP configuration, like the original LIAR suggested. And those applications aren't thrown together in six hours, neither. So again, not germane.
So, the bottom line is: I'm positive it can be done; but it is not "trivial" to make it run well, and I have serious doubts as to whether a LAMP solution can get there in six hours worth of real-world MySQL/PHP coding.
-
Re:Summary
I just mean that a standards body couldn't create a globally definitive Standard for a GUI. It's impossible, because there are too many platform and context specific things that do not cross over unilaterally.
There are no officially defined standards I'm aware of, and I looked when we started this discussion, for GUIs across platforms. As this discussion points out, there are a bunch of platform specific standards and best practices, but nothing universal.
I agree that everyone that is significantly involved with computers should know that defined standards are critical to the entire computing ecology. But aside from us, nobody really needs to. They don't need to know how the stuff works any more than I need to know about the inner workings of accounting or marketing or any of that other crap. It's our job to understand this stuff and make it work, it's the accountant's job to make sure I get paid, and marketing's job to make sure I spend that money.
-
LGPL with affero clause
We're a developer group that is now writing a server library. We plan to use it for commercial projects by putting all the code into the library and creating a thin proprietary wrapper to keep clients happy.
It's a strategic move to use the LGPL, as if we used GPL then we'd have to sell proprietary licenses. Proprietary people would choose to either:
- Re-implement their own closed-source version of the software.
- Buy a proprietary license from us and then not make the changes public.
This way (by using LGPL) we get to extract as much free source-code from them as possible.
The problem now comes with the fact that our library can be used for web services. People could make changes to our library, use them in their commercial service and not make changes public.
I was searching the net and found these links:
http://stackoverflow.com/questions/731246/lgpl-for-php-applications
http://mohammed.morsi.org/blog/?q=node/270
The 2nd link claims you can just include an affero clause in the LGPLv3? What is your word on this?
Many thanks to the FSF. I love your work.
-
Re:Google App Engine.
Don't use MS products if you want to scale.
Can you back that up with some technical points? I would not recommend MS products either (never used them, our stuff works fine with Linux), but highly successful projects like stackoverflow.com scale fine with MS products. All it takes is familiarity with the available software nowadays, it does not seem to be the case anymore that you need a much higher budget for hardware/software to run a MS shop.
-
this is a question more for stackoverflow
http://stackoverflow.com/ has experts that go there just to help with questions like this.
-
Re:KeePass
IMHO, it's better to never write them down and just generate them algorithmically based on the site's domain or a memorable keyword. Several years ago I just kept a tabula recta in my wallet. Nowadays, you can use something like SuperGenPass.
Personally, I wrote my own equivalent of SuperGenPass that addresses some of the security concerns. That said, I use PassPack with a tediously strong password to keep a backup in case I inadvertently break compatibility, and a copy of the generator on my website.
-
Re:So?
I used to think that, too, but actually the grandparent is right: all cryptosystems invented so far rely on something more than P!=NP.
It's true that some cryptosystems reduce to NP-hard problems, but that doesn't mean they rely solely on P!=NP to be secure.
The problem is that when you have a NP-hard problem, that doesn't mean that all its instances are hard to solve. For a cryptosystem based on NP-hardness, this means that not all messages are hard to decode, only that there exists at least one message that is hard to decode. To prove the system is really secure, you need to rely on some other assumption, or you'd need to find a way to use only instances of the NP-hard problem that are actually hard, and there's no known way to do that yet.
Also, lattice-based cryptography is not known to be NP-hard: as far as I understand, to break it you must find an approximate solution to SVP, you don't need to solve it exactly (which would be NP-hard). Still, it's believed that lattice-based cryptography is harder to break than factoring.
For more information: http://stackoverflow.com/questions/311064/are-there-public-key-cryptography-algorithms-that-are-provably-np-hard-to-defeat
-
Re:Impact on popular Linux applications
Canonical's Unity interface too seems full of Mono crap. http://stackoverflow.com/questions/1827157/mono-compatible-dependency-injection-framework
Perhaps Canonical will pick up some of the key developers in selfish self-interest.
-
Re:Openness
Option C(a): root the device.
Option C(b): root the device (temporarily); enable ADB over WiFi. No drivers needed.
-
Re:A good summary of Linux on the desktop
I think that the lack of guided optimization on gcc is a fair indication that Microsoft offers a better compiler
Maybe I've misunderstood your meaning, but wasn't the whole point of this article that with a newer gcc you can use guided optimization and link-time code generation ?
Maybe its just because I use MSVC and gcc every day, but when MSVC lacks even C99 support I find it hard to call it a "better compiler".
-Malloc
-
Re:Truth in advertising?
You watch less than 5 hours a month??
"HDV is 25Mb/s, so non-transcoded it would be (I think)..
25 mbits * 3600 sec = 3.125 MB * 3600 sec = 11250 MB*hr ~ 11 GB per hour"
- http://stackoverflow.com/questions/701991/h-264-file-size-for-1-hr-of-hd-video
Now, on the other hand, about 3 hours a day = 100h a month, of uncompressed 1080p30 video would require 1920*1080*3channels*30fps*3600s/hr*100hr ~ 61TB. Try that with a 250Gb cap.
What exactly do people gain by using their internet connection to watch live sports, news, or the latest episode of their favorite sitcom, instead of just watching it as broadcast or recording the broadcast, like they have done every day for the last 30 years?
No commercials. More choices. Not being tied down to the Network's schedule.
-
Re:The catch...
This.
Fujitsu’s proposal is to build a second, wholly independent fibre infrastructure that will compete with BT’s. This can only be a good thing. (Assuming the holy grail of public infrastructure is unicorny for the time being in the UK.)
-
Re:...and BETA yet again!
Woot, the FCC is following this retarded "beta" website fad. Started with Google, and now EVERYONE has caught on--news sites, vendors' hardware driver sites, forums, etc. Yes, our site is in a constant state of development, so let's misuse the beta term. But at least some people do realize what has been going on.
Dumbest complaint ever.
-
...and BETA yet again!
Woot, the FCC is following this retarded "beta" website fad. Started with Google, and now EVERYONE has caught on--news sites, vendors' hardware driver sites, forums, etc. Yes, our site is in a constant state of development, so let's misuse the beta term.
But at least some people do realize what has been going on.
-
Re:Is there no escape...
Reminds me of this story. Stackoverflow employee who decided to stop playing WOW, and start leveling up at real life.
-
Re:Why do certs cost $$$?
I understand that a self-signed certificate is vulnerable to MitM... however, it's still better than plain-text!
Unfortunately that is not the case. If you are browsing on an untrusted network (free wireless for instance) a transparent proxy could be MitMing the certificate process because anyone can "self sign" a certificate for any resource name. That nefarious proxy could decrypt the content and re-encrypt it using keys for the cert it self-signed, and inspect & log the content on the way through. This could also be done by other users of the network (not just the network itself) if done in tandem with some sort of arp spoofing attack or similar which redirects your traffic to a proxy outside the normal routing path. So it is a bit better than plain text (intercepting the content is a bit harder), but if you care enough about the content to use HTTPS in the first place then "a bit better" is not enough.
SSH is a perfect example. When you first connect via SSH, you confirm that you trust the certificate. Your client then remembers the certificate for future use. Why doesn't web technology do this?!?
This relies on you always using the same machine(s) otherwise you constantly have to accept the server certificate (via acknowledging its fingerprint is correct). Unless you actually check that the fingerprint is correct this doesn't protect you from a MitM attack at all if you are accessing the service for the first time (or from a place you've not accessed it from before so don't have the cert stored in your known_hosts file), so it wouldn't help the general public to whom you have no efficient and secure way to transmit the correct fingerprint to check the one presented to them against. What the SSH method does protect you from (in the case when you didn't properly verify the cert on initial connection) is when the certificate changes - i.e. it stops you connecting to a host that starts handing out a different certificate (or a host that is pretending to be that host so does not have the right private key) until you have verified that the change is legitimate.
Instead, when you self-sign a cert, browsers throw a hissy fit and show a huge warning.
The SSH model would not work for HTTPS on public services (heck, the SSH model doesn't work for SSH quite the way many people assume it does!), and self-signed certificates have the proxy problem - this is why the warning exists. You can get free certs that are trusted by the vast majority of browsers, see http://en.wikipedia.org/wiki/Startssl#StartSSL for information and links to the one source I know of (to my knowledge no other free CAs like cacert yet have that level of acceptedness). You have to renew these once per year but that really is no massive hardship.
The things holding back the use of HTTPS for small services aren't the cost (basic certs can be bought very cheaply, often free, these days), the CPU hit (even in overcrowded VPS hosts, a modern CPU doing that work is not going to be one of the significant bottlenecks): they are
1. people still using Internet Explorer under Windows XP (so people running web services don't want to use SNI which is needed for SSL to work when you don't have a dedicated IP address per service name that needs a certificate)
2. a bit of ignorance on the part of the service providers and developers
3. potential caching issues which can cause extra load on the servers (but that would not be solved by the SSH-like solution on its own) though this can be mitigated by correctly marking static content with relevant cache-control headers (see http://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https for some relevant discussion and links to more detail)
-
vs. jQuery?
In what category of animal does ExtJs fit vs. jQuery combined with jQuery UI?
jQuery has basically broken away from the pack from other Javascript toolkits/frameworks/libraries. (Which is not to say they all have the same purpose.)
When you've got a lot of players in the field, and have to decide what to use, and are also thinking about new devs already being familiar with a package, going with the market leader seems to be what most people will do.
The $ and css-based selector syntax of jQuery makes it highly welcoming for devs that have to learn Yet Another Library. See also.
-
Re:So why was it deleted?
Power corrupts, they say. There probably are many cases of ideological activist wikipedia editors throwing their weight around. Another example of outright bullying and insults, and the impact on the Bouml project. In this case, the author of the open source project, Bouml, one of the best UML tools out there, in my opinion, including commercial, has now decided to stop work on his project, this being the only way to protest the actions of the dreaded wikiPedia "administrator from hell". Bouml vs. wikiPedia
-
Re:Oh boy!
Well, in fairness, it's not Adobe's fault that you can't access connected devices (camera, mic, etc.) via HTML5. Yet.
-
CSS position fixed
The iPhone/iPad/iOS devices can still not do CSS2 (1998) position: fixed correctly, much to the annoyance of web developers
-
Re:Open Spec
Although Apple has not published the spec exactly, they have said they will (hence that's why it is open) but it's all built atop existing standards glued together, there's plenty enough material there to build an initial implementation atop of.
-
Re:This will NOT break any encryption algorithms...
-
Re:So remind me again...
Well, perhaps you can count the cost of OS X - people are apparently running that virtualized on Linux and succeeding.
http://stackoverflow.com/questions/276907/starting-iphone-app-development-in-linux
-
Re:All about features, not stability
It's a huge deal. Most people don't have it installed.
There's very little reason for more end users to have java.
There's still loads of Java out there. It's in HP print servers for example. (And still causing problems.)
-
Re:RegEx?
Beware, Cthulhu awaits.
-
Re:Wait, what?
Interesting idea. A Google search revealed that you aren't the first to think of this:
Non-random salt for password hashes
(assuming the salt is system wide, not per user)
Salt should be per user. (Although I see what you mean: system wide + username = per user)
-
CACHE MANIFEST and quotas
They do if they depend on more than 5 MB of data. The page you linked mentions storage quotas, and there exist popular user agents that don't let the user increase the quota past 5 MB.
-
Excuse me sir, this is a news site...
...I think you want StackOverflow which is a few clicks that way ------>
-
Re:Need compatibility with FF 2.0 and SeaMonkey 1.
HTML is a markup language and should be used for semantic meaning rather than presentation. The <i> and <b> tags have no semantic meaning, they are purely for presentation. While <i> and <b> are not technically deprecated (and should not have been disabled by slashdot) you should be using <em> and <strong> instead.
Test: this should be emphasised
Test: this should be strong
-
Re:Kinect didn't come from Microsoft research.
I dunno, do you consider Haskell innovative?
Haskell? I don't recall ever hearing of it... Is it another programming language? If that's what you meant, the Wiki article Haskell (programming language) doesn't mention Microsoft once. A brief introduction to Haskell doesn't mention Microsoft either. Well maybe it's something else... If so I don't know what it is.
Falcon
-
Why Mobile Safari doesn't cut it
I'm not familiar with the details, but your list of required things sounds remarkably like the current feature list of, say, Mobile Safari.
I haven't been able to find any evidence that Mobile Safari supports WebGL (tried Google mobile safari webgl) or the camera (tried Google mobile safari camera). I checked for how big a web app could be (tried Google mobile safari offline limit), and it appears to be limited to 5 MB. The localStorage object is likewise limited to 5 MB (tried Google mobile safari localstorage limit). Nor does Mobile Safari appear to JIT compile the JavaScript due to iOS's especially strong flavor of W^X (tried Google mobile safari javascript jit). Even accelerometer support wasn't added until iOS 4.2 (came up during the camera search), which wasn't jailbroken until this week (per Wikipedia).
-
Re:Abandonware?
"Don't just take my word for it" followed by a Wikipedia link? Really?
Yeesh. Talk about missing the point.
You could have provided directly relevant links instead:
http://www.d2ca.org/is-abandonware-legal.html
http://www.classic-pc-games.com/disclaimer.php
http://stackoverflow.com/questions/369418/decompiling-and-redistributing-abandonware
http://www.theinquirer.net/inquirer/news/1001232/the-abandonware-dilemma
There. Now hopefully nobody else has to have wikipedia inflicted on them.
-
The real question: is QA needed?
I asked the same question on stack overflow and got some good responses:
http://stackoverflow.com/questions/432512/how-to-convince-management-that-qa-is-important
Of course, there is no silver bullet. It really comes down to you being able to convince them with your charisma and charm (+1 charisma is big bonus). These things rarely show up on the bottom line. If they do, it's 6 months down the road and management will just attribute it to some new rock-star salesman.
Sorry to be a downer, but that's the life of an engineer.
-
Use of native multimedia decoders in Android
Does anyone know if they are able to access and use the native multimedia decoders in Android directly? http://stackoverflow.com/questions/3912563
-
Re:One of the many, many reasons why IANAL
Yeah, on one hand, I can see why CoderJoe took issue with it. The only way it really supported your point was empirically: that kernel developers probably see a lot of these problems, and I suppose that Linus is as aware of these things as anyone. I am a novice SCM user, at best, and I can definitely say that if I had to ask svn to show me whether my repository had been corrupted or compromised, I would not know where to start. I can easily believe that svn provides little to no assurances of such things. On the other hand, here is a short discussion on a related problem that Google unearthed for me quickly, so I think it's not hard to find examples where svn falls short.
I wonder how git catches these things; Linus talks about "knowing the hash" – I can't tell whether he means the user or the system itself; I would love to understand how git draws attention to unauthorized changes to a repository, if that is actually what is going on. That would be fascinating.
All these issues aside, I have been trying to understand git over the last few months, although I have not actually used it with an active project. In that respect, this was a very timely exposure to the video, and why I am grateful to have come upon your comment.
:c)
-
Re:The old saying goes....
when a company finds a way to make the world a little more foolproof, the world will make a better fool....
Yes, they will just hold down shift while typing.
"According to Google, this will improve the quality of the comments, because people will not be able to write all in capital letters.
If Google's goal was to limit the number of annoying all-caps posts they should not be relying on the removal of a caps lock key on a device that very few of their users will actually be using... (In other words: they lied to you; Google removed the caps lock key because their hardware designer is a member of the Jobsian Minimalist Cult.)
Web Coder Rule #1: Validate All Input Server Side.
Removing the caps is akin to validating the input on the Client Side with JavaScript, and not validating it at all Server Side. This is a huge mistake.
IMO, since Google employs at least one high-school level coder, they should get said coder to validate user post content on the server side: Replace long strings of all-caps words with lower case equivalents.
Hints: In Perl, the "lc" builtin function. In C++, it's the "tolower" function. In Java or JavaScript use "String.toLowerCase", in PHP use "strtolower", in Python use... wait, no, in Python you're screwed, try to write your own locale independent to lowercase function (good luck with that. damn Python, WTF!).
Bonus: provide a button next to posts that were converted to lowercase so that I can see the original post's text if I so desire (False positives are always a possibility; Post could be laden with acronyms).
-
Re:As a programmer
There's nothing wrong with AJAX per se, it's just that most developers (including the ones at Slashdot) don't know how to use it properly. One of the very few sites that does it right is StackOverflow.
-
Re:De-obfuscated code?
Geez, you are terrible. You are posting something like this and then you can't even explain it? Bad form, lad, bad form.
Anyway, it's not very 'mystical' at all. Everyone who has anything to do with javascript (for a given definition of 'has to do with') could figure it out.
1 is a [primitive] number. Once you try to access a property on it, it gets converted on the fly to Number(1) [an object], which possesses a toString method. All stock JS functions have Function(...){...} as their constructor.
The Function constructor is used to construct an anonymous function from strings (n-1 many for the parameter list and 1 for the body). Using the Function constructor in your JS is bad practice, though it has some legitimate use cases. It should raise red flags, however.
Everyone's point (or my interpretation thereof) is still valid though... static code analysis probably isn't the way forward.
-
Discussion on Java Swing vs. Qt, also JavaFX
Looks like Java Swing is still popular. http://stackoverflow.com/questions/422956/java-swing-or-java-qt Now we have JavaFX for many more special graphical effects: http://www.oracle.com/technetwork/java/javafx/overview/index-jsp-139879.html http://javafx.com/
-
Re:In addition by how much?
SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even the images) is encrypted before it is transferred. So increased HTTPS traffic leads to load increases. Why does my webserver have a higher load, now that it serves SSL encrypted traffic?
All servers will display an increased load however
In my experience, servers that are heavy on dynamic content tend to be impacted less by HTTPS because the time spent encrypting (SSL-overhead) is insignificant compared to content generation time. HTTP vs HTTPS performance
yet with web 2.0 type stuff with lots of ajax
Many, very short sessions means that handshaking time will overwhelm any other performance factors. Longer sessions will mean the handshaking cost will be incurred at the start of the session, but subsequent requests will have relatively low overhead. HTTP vs HTTPS performance
all of the connections are going to kill you. The short answer is 10-20% but YMMV. No idea what happens when you start adding in Google adsense and other third party crap.
-
Re:Really?
Case in point: http://stackoverflow.com/questions/2196825/why-does-system-threading-timer-stop-on-its-own
Sometimes the language makes it "too" easy to pretend you are good.
-
Re:We've tried this before
For the last ten plus years, we have been steadily moving in the direction of more human readable data - the move to XML was supposed to be a huge improvement. It meant you could - sort of - read what was going on at ever level.
Who is "we"? Not everybody uses US-ASCII as their native character set.
Nor do mathematicians. Isn't this beautiful code? With the right font it's not ambiguous at all. (With the wrong font there's no distinction between I and l either.) Sorry, can't quote because Slashcode is stuck in the 1980s.
why, oh tell me why, when I write a simple - trivial - bit of Java code, do I need to write functions for getters and setters all over the place
Because it's Java. Try Ruby.