Slashdot Mirror


User: IBBoard

IBBoard's activity in the archive.

Stories: 0
Comments: 1,438

Comments · 1,438

  1. Re:Map 10 Downing Street on Firefox 3.2 Plans Include Natural Language, Themes · · Score: 1

    Even "show me a map of 10 Downing Street" or "where is 10 Downing Street" is better than something that could almost just be a standard bookmark with a keyword (which I've set up some additional ones for myself). "Share-on-delicious" - all well and good, but is it "natural language" enough to understand "share-on-somenewsharingsite"? Doubtful.

    Overall it sounds like a load of bloat and an excessive claim using buzzwords to garner interest.

  2. Re:I don't get it... on Website Security Without Breaking the Bank? · · Score: 1

    PHP and MySQL aren't insecure per se, it's just that people hack things together quickly with it that are insecure.

    AFAIK PHP isn't vulnerable to buffer overflows directly. You have no control over pointers, so any stack overflow vulnerabilities have been in libraries, but exploited via PHP.

    Standard MySQL functions in PHP don't support parameterized queries, but the MySQLi methods do, and MySQLi is installed on a lot of hosts these days. If it's not on a server then it's generally easy enough to add it.

    The general hacks are the normal site exploits caused by people being taught to just use query strings and posted values as-is by beginner's books and then being hit with either SQL injection, command injection (if, for some reason, they do shell calls using variables), remote includes (passing a URL as a value that's include()d, which pulls in remote code if allow_url_fopen is enabled), or standard content injection to do things like put scripts on the page via a link when someone realises the values aren't validated.

  3. Re:Proprietary OSs need a unified updater. on Google Earth 5.0 Silently Changes Update Policy · · Score: 1

    That would be the ideal, sensible, logical, software-developer's Terms of Service, but is that what would come out of a bureaucracy? As I said, there's nothing wrong with the idea in theory, but in practice you're not likely to get a central update system for proprietary apps that has a sensible Terms of Service for those companies providing the apps to stop them sneaking in additional 'features' if they want.

  4. Re:The time might come... on ESPN's Play To Make ISPs Pay · · Score: 1

    Yes, but at the same time I don't appreciate the idea of paying an extra £5 per month (£60 per year instead of the £20 suggested broadband tax) because all of the ISPs have some kind of agreement with some studio or other for content that I don't want. From a purely "how much am I getting charged by my ISP and how much can I afford" measure, £5 per month seems like the worse of the two.

  5. Re:Proprietary OSs need a unified updater. on Google Earth 5.0 Silently Changes Update Policy · · Score: 1

    If you can enforce that ToS then great, but by auto-selecting Safari as part of an "update" to iTunes then they were effectively already lying about the update. They're not explicitly saying "iTunes relies on Safari" but they were saying "here is an update, we'll select what you need to update" and including Safari under the 'need' category.

    I agree that it's possible to have an update channel that stops you adding new apps as part of an "update", but I was just pointing out that it's not quite the silver bullet you originally implied since it can be used to drag in "dependencies". Even with a ToS saying you can't do it, you're still relying on someone to check and enforce that ToS.

  6. Re:Proprietary OSs need a unified updater. on Google Earth 5.0 Silently Changes Update Policy · · Score: 1

    This way, Apple can't sneak Safari in

    Except that, to be perfectly fair, they could. If you've got something like Yum/Apt/Smart/Yast then all Apple would do is say "this update also requires Safari" and you're in a worse situation because you either take Safari or you don't get the update. While it's great to have everything in one place for installs/updates, it's just as liable to include junk you didn't think you wanted/needed if someone sets it up that way.

  7. The time might come... on ESPN's Play To Make ISPs Pay · · Score: 1

    ...the time could be approaching when you'll choose your Internet service based on what selection of content it offers.

    Yep, it might, and I'll pick the nice, cheap, fast one that has no additional content along those lines and doesn't go "look customers, you can view videos 24/7 by paying us a bit extra" while ignoring the fact that their bandwidth will be drained in no-time when people try it.

    I'm not sure which would be worse - ISPs charging more because content providers add extra content, or the recent UK suggestion of a yearly "broadband tax" to 'compensate' the record labels for P2P downloads.

  8. Re:"Sells software"? Microsoft Partner! on UK Conservatives Slammed Over Open Source Stance · · Score: 1

    Well, yeah, but the GP that I was replying to implied that vendor lock was better because if you use MS Office then you can "guarantee" Microsoft won't suddenly decide "I can't be bothered with this app any more" whereas you can't "guarantee" the same from say the OpenOffice team (ignoring OOo being a bad example because of the corporate funding it gets from Sun and the like).

    The point I was trying to make was that the GP wants yearly fees and vendor lock-in, which results in people getting lumbered with completely new interfaces like MS Office 2007 with no 'choice', whereas if you use an open source solution then the file formats are open and so if your chosen app does run out of steam then you may still spend some time/effort learning something new, but it'll be a choice.

    (Note: Some of the quoted words above shouldn't be taken literally - it's all about the interpretation of the "must use proprietary" people).

  9. Re:"Sells software"? Microsoft Partner! on UK Conservatives Slammed Over Open Source Stance · · Score: 4, Informative

    Well the US DoD seems to be trusting to OSS with forge.mil. I know the company I work for does a variety of UK government contracts as well and we're using more and more open source (mainly Eclipse and its plugins, Protege and OWL in my area of work).

    Besides, what's the real difference between relying on an OSS project with no license fee for five years then (possibly) having to migrate and learn something new but similar versus being charged year on year for Office 2003 then having to migrate to 2007 and all its new UI and still being charged year on year?

  10. Re:Why is this news? on UK Can't Read Its Own ID Cards · · Score: 1

    It's akin to saying that Blu-Ray or DVDs were a waste of time because initially there were no players for them

    I'd hope there was at least one BluRay and DVD player on the market when they were first released. If not, who is going to buy them? When you've got a medium like a disk and a partner player they should be out at the same time. Granted, the early ones might not be great, but what's the point of having (say) a padlock without having produced any keys?

  11. No readers? No surprise! on UK Can't Read Its Own ID Cards · · Score: 4, Insightful

    While I won't go as far as being paranoid about "it was always the government's plan and they just want the data on everyone", it doesn't surprise me that our government isn't even capable of introducing both halves of an ID scheme at the same time.

    Until they fix it they've basically just introduced an over-expensive photo ID. Well done, Labour!

  12. Re:Pisses me on Legal Trouble For MMOs In Australia · · Score: 4, Insightful

    Would those adults that should be free to buy whatever they want be the ones who are over 18 and hence generally (unless some countries have odd certificates/classifications) both old enough to be considered adults and old enough to buy any game because the classifications stop at 18?

    "It's terrible censorship that games and movies have ratings that stop at 18, thereby not stopping anyone 18 years old or older (who at that age is considered to be an adult) from watching or buying them"!

  13. Re:New Marketing Strategy on Web Rescues Un-Aired Super Bowl Ads · · Score: 1

    It's similar to viral advertising - don't pay to show your advert, instead get other people to do the leg work for you. Advertising agencies need to work harder for their right to be ignored and cursed for ruining TV shows, damnit!

  14. Re:This is what the civilised world finds bizarre. on Web Rescues Un-Aired Super Bowl Ads · · Score: 1

    And we were damned glad to get rid of them! How are you expected to have decent entertainment with some group of people constantly demonising you for the barest flash of a "soul corrupting nipple"?

  15. Re:kdawson on Corporate Espionage Involving a Patent At Microsoft · · Score: 0, Offtopic

    It's "articles" like this what does that Slashdot is turning more and more into a cheap yelow page online magazine.

    And it's grammatical hotchpotches like this that make the comments section become unreadable!

  16. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    An intrusion detection system would be great, and is useful in a business setting, but most of the spam I get is from countries that aren't likely to do anything like that. It'd help in the tech-savvy nations (since even the US is quite prolific in sending spam from some reports I've seen) but it'd still leave a problem on the receiving end from any network that doesn't use it. That plus I can see ISPs complaining if they have to implement that kind of thing as it'll be expensive and require such terrible things as "experts with knowledge" and "dealing with customer complaints about their network being shut off".

  17. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    Yes, but it relies on domains setting up records. If they don't have a record then you've generally got to accept them or you're cutting off a large proportion of the Internet, including some big email providers. If you have a replacement protocol you can embed it from the start and properly enforce it. It still won't stop spam (spammers will just say "yes, I can send from icanspam.com") but it will let you filter some emails.

  18. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    If the spam is done correctly then you can't. Some spam can have give-away features that are basically never seen in legit email (certain malformed dates are one pattern I've seen that accounted for 50% of my spam), but others can look no different to legitimate mailing lists or requested retailer updates.

    You could base it on "have I seen lots of emails like this", but then you need lots of accounts to compare across, lots of content processing, and you'll probably still catch mailing lists (plus spammers just insert padding content to look different). You could base it on large numbers of connections from a specific IP address, but again that will catch mailing lists and spammers just spread the load between machines. You could base it on "that doesn't look like a sensible domain", but that would fail both ways (too many nonsensical legit domains and sensible spam domains). You could use whitelists, but then people who are contacting you for the first time get bounced. You could use grey lists, but some legit servers will drop messages because you're breaking the spec, and any new protocol that allows a similar method would just end up with the spammers writing with it in mind. You could base it on any number of things, but as long as the spam is well crafted then just about any measure will either let spam through if it is well crafted or block/junk legitimate emails.

    One important point I saw during a Machine Learning course at Uni was an article that said they'd got a very high success rate very quickly just by being personalised. Since one person's spam isn't necessarily another person's spam (in general it is, but what is picked out as a "spam feature" in one may occur in a legit mailing list of another) and each person has their own topics that they discuss in emails then personalised filtering is about as good as it gets.

  19. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    Yeah, I use SPF records on my own domains, but because it's an optional extra then a lot of places either don't use it (like Yahoo) or don't check it (probably also like Yahoo).

    I guess a new protocol would probably get to the same situation, though - you can't ditch the old one (SMTP) because so many legacy systems still use it.

  20. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    That's because SPF doesn't guarantee that emails are not spam, just that they're allowed to be sent from the domain that they say they're from. A spammer can register weliketospamfromthisdomain.com, set up SPF records and spam like crazy from it, so the SPF records will show "Pass" but it'll still be spam.

    Oddly, though, GMail has SPF records. AFAIK the others don't.

  21. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    Surely that depends how many bots the emailing is split across? Yes, you could set a threshold that any reasonable person wouldn't hit but there will always be some human that'll hit it. Either that or you set it high enough that a lot of bots still get past. There was a story recently about a teen sending crazy numbers of texts in a month, but they were all legit texts.

    Throttling would help, but it needs to either hold the connection open for a while longer (which will reduce throughput by clogging connections) or force people to repeatedly re-send if it bounces and says "try again". I can't see either necessarily being popular with an ISP in implementation cost or effort.

  22. Re:IP blacklisting == GOOD on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    That depends how you do the blacklisting. If you just silently blacklist the server and don't tell the owner then you're relying on the innocents to a) notice the bounces and b) complain to the owner. That could take time, during which you're still affecting the communication and potentially business of innocents. You'd get a better response with fewer side effects if you could be responsible with the blacklist and notify the responsible party.

    Collateral damage is normally something to be avoided - just ask the military.

  23. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    Yeah, that's the real problem with this suggestion - it'll basically teach people to trust "official government" looking emails instead. Not a good idea!

  24. Re:not a tech problem - it's a PEOPLE problem on Could Fake Phishing Emails Help Fight Spam? · · Score: 1

    How do you cure this people problem?

    Send a hit-squad round to the house of everyone found responding to spam? Nuke the earth from orbit, thereby removing both the spam emails (fry the drives) and the recipients/clickers (fry the people)? I'm sure there are ways ;)

  25. Re:Seriously? on Could Fake Phishing Emails Help Fight Spam? · · Score: 2, Insightful

    It's probably a good idea overall, but it would get a lot of criticism as either a) people with email sending addictions sent too many emails and got caught or b) people with infected machines probably wouldn't know/care about what to do and would just object to being blocked.

    ISPs blocking ISPs is potentially asking for trouble, though. It's like IP blacklisting, but it leaves a lot of innocents getting hit just because the ISP hasn't dealt with some troublemakers to some arbitrary degree to make another ISP happy.