No, it isn't the browser that allows such holes, it's the web application.
If Slashdot didn't filter out Javascript in people's comments, and someone appended their post with a quick Javascript fragment to redirect to Goatse then it'd be Slash that was at fault for mindlessly displaying the text another user had entered and not the browser for happily allowing it in a textarea.
It seems Apache agrees with this view here by pointing out that 'The most serious issue [with regards to CSS attacks] is in all the site specific code that generates dynamic content.'
Correct, Javascript is not Java... however cross-site scripting is when the web application allows unchecked injection of Javascript etc. into the output thus allowing one user to run scripts on another user's browser, and a whole related host of fun stuff..
The problem here is with the web application, not with Javascript.
The solution is to fix the web application so it doesn't trust user input blindly.
The web application will be written in a language such as Java. The cross-site bug was introduced by a Java programmer.
With the low-level knowledge a C programmer needs to get C to work it's unlikely they'll be as willing to trust user data blindly and so are less likely to have these issues.
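Both comments above locate the fix in the web application: render what a user typed without trusting its markup. The following Python is an added example, not Slash's code or anything from the original posts; it contrasts a renderer that echoes the comment body verbatim with one that keeps only an assumed allowlist of harmless tags, escapes everything else as text and drops link targets that are not plain http/https URLs (the tag and attribute sets are illustrative assumptions, not Slashdot's actual policy).

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for illustration; Slashdot's real accepted-tag list differs.
ALLOWED_TAGS = {"b", "i", "p", "br", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}

def render_unsafe(comment):
    """The mistake the comments describe: the submitted text is echoed as-is, so a
    <script> tag or an onerror= attribute in one user's comment runs for every reader."""
    return f'<div class="comment">{comment}</div>'

class _Sanitizer(HTMLParser):
    """Rebuilds the comment from parsed tokens instead of trusting the raw markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; any text inside it still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # unknown attribute (style, onerror, ...) is dropped
            if name == "href":
                value = value.strip()
                if not value.isprintable() or urlsplit(value).scheme not in SAFE_SCHEMES:
                    continue  # rejects javascript:, data:, relative and control-char URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # close it and anything still open inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Everything that is not an allowed tag becomes inert text.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # balance anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def render_safe(comment):
    """Allowlist plus output encoding: the browser only sees markup we emitted."""
    sanitizer = _Sanitizer()
    sanitizer.feed(comment)
    return f'<div class="comment">{sanitizer.result()}</div>'
```

Feeding `render_safe` a constructed comment such as `<b>hi</b><script>alert(1)</script>` leaves the script body as plain text inside the kept `<b>` markup, while `render_unsafe` hands the tag straight to the browser.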
Show me where he said 'without encryption' and I'll agree you've got a point.
In fact show me any CC settlement service which can be connected to in an unencrypted way and I'll show you the real morons.
It's generally best when using the Internet to assume that anything you send/receive, whether via Wifi, wired, or bongo drums, can be compromised if anyone can be bothered.
Put your trust more in encryption and good security practices than wires, my young friend. That data goes through other people's systems, you know.
Oh, come on now, play fair. After all, he does take the time to ship them himself as opposed to leaving it to the mailroom. It's not many CEOs that are quite that hands-on.
Re:Microsoft license prohibits CLR benchmarks (on Does C# Measure Up?) · Score: 1
In Svoeit Rssuia jmulbed wrod oevrolrds wcleome YOU!
You may want to have a look at Xapian. It's an Open Source document indexing system, which in my experience scales very nicely. The Omega system, which is built on Xapian, is a nice not-so-little search indexing system. I've used it on multi-million (admittedly reasonably short) document indexing projects in the past and it's coped admirably.
The search refinement system it supports may seem a little strange, but to me it seems powerful and you don't have to use it if you just want 'simple search'.
I do wonder if he's ever played a tabletop, or freeform, roleplaying game? If he did, did he and the other players sit there passing notes instead of speaking so they didn't have to suspend any disbelief for voices?
Roleplaying has a history far longer than MMORPGs, and it's mainly a vocal one. I consider it much easier to manage to get into a character if you speak what they say, and the fact you're typing on a keyboard isn't there to get in the way. I'd say that was a far greater intrusion of reality than someone sounding 'wrong', I don't normally communicate face-to-face with people by typing.
Some players do change their voice, put on accents and so forth, but most just use their normal voices, and it still works if the player can roleplay. If they can't roleplay then it doesn't matter if they're speaking or typing- what's said will still not feel right.
I have played some MMORPGs, admittedly though not to any great extent each. I generally found the worlds to be repetitive and also many people just didn't act in the world at all, much metagaming. I remember trying Ultima Online for a bit, spending a few hours digging and lugging stuff so I could make a few low-quality daggers, then going off to the bank to deposit the new-found fortune I'd made.
The bank was absolutely packed, the machine slowed to a crawl. It looked like everyone in the town had come to the bank, and brought their horses, pet dragons, etc. with them.
Whilst some were idly wandering against the tide of lag, many were standing there shouting prescripted offers of items and so forth.
I'd say it takes less suspension of disbelief to imagine the gruff Scots voice coming out of the headphones to be the Elven swordswoman than it does to imagine r0X0r the Ranger going "So, what shall I do today to help serve the Good? I know, I'll take my horse ScreamingDeff and my enchanted rust turtle ScreamingDeffII and go and shout '****Enchanted Axxes to SELL!***** Offers?' in the bank for a few hours."
I know many of the games have come a way since then, but I still think MMORPGs have a loooong way to go before they could consider voices to be a major problem.
I assumed they meant the SSH client. Peering round though reveals it's available as part of a suite for handling Windows machines for a rather hefty fee, or is available free of charge to connect to an unlimited amount of UNIX machines.
Re:The Incas did not have DN3, but... (on Incas Used Binary?) · Score: 1
They were perhaps overly optimistic in their estimation.
Not quite true. Unless strict checking is turned on the HACKERS could be the name of a subroutine. Admittedly this would be breaking almost all sane Perl conventions, but it's still possible given that snippet. I've spent too long trying to understand the inner workings of Perl golf to let that one past me, oh yes.
Where I work the term 'production' more or less qualifies to 'live client-facing systems'. Important but non-production code includes things like data conversion, log file analysis, and so on. The things that if they go wrong won't be noticed by the customer, and generally things where problems aren't quite as major since they don't result in a live issue and can happily be fixed and re-run. By the sounds of it I'm in a similar situation as this guy. The place I work is primarily a Java place, but I'm a Perl programmer. I mainly do non-live things, although have done some things to handle some back-end live systems such as live database updates.
$self is a reference to an anonymous hash. $self->{groups} dereferences it into the actual hash and obtains the element with the key 'groups'. $self->{groups}[HACKERS] is saying dereference that element as an array reference and give me the element numbered by the constant I've called HACKERS. %{$self->{groups}[HACKERS]} now says that that is itself a hash reference, and dereferences it back to the hash. keys %{$self->{groups}[HACKERS]} returns a list containing the names of all the keys in this hash.
..and finally..
my $count = keys %{ $self->{groups}[HACKERS]}; takes this list and stores the number of elements in the list into the lexically-scoped variable called $count.
Perl's references are like the Hulk. Powerful but ugly.
I think you'll find this guy does know how to program. As well as being well-respected within the Perl community (And possibly other languages too) he's the O'Reilly technical editor, the author of their "Extreme Programming Guide" and the chief author of "Writing Weblogs in Slash". I have a feeling I may well have just been trolled, but I thought it worth dropping this here so people at least knew that this guy was not some random schoolkid knocking out half-formed opinionating. My advice: Do a little research before posting.
Odd, I find the Slashdot topics to be remarkably connected..
"Let's boycott people and not buy any DVDs!" "New sci-fi DVD out this week, buy it!" "All big computer companies are simply profit-oriented" "Apple releases new thing" "Most of the world's population are sheep driven by obvious marketing" "Isn't this new thing cool and shiny? Buy one! Hell, buy two! Shiny shiny!" "Microsoft does thing, isn't it evil?" "Linux does thing, rejoicing in the streets"
...oh, and..
"Ask Slashdot: Finding your rear-end with both hands"
...so this guy buys an Apple Airport for his sister, gives it to her as a birthday present, then dismantles it with his handy-dandy toolkit? Ah, there's nothing like the warm glow that comes from the giving of gifts.
I'd say a stronger example would be Bill Gates. Whilst many people here intensely dislike the guy he did very much fit into the nerd stereotype when he was at college, and now he personally wields a hell of a lot of power.
Re:Sounds interesting, but (on The Cg Tutorial) · Score: 5, Informative
Cg is a very specific language which runs on the graphics card itself, and is only used for pixel and vertex shader programming. It's always used in conjunction with one (Or even more) higher level libraries.

Firstly you have the application-level library (SDL, for example); this handles the stuff like opening windows, the user interaction. This is also the bit that's often written specifically for the game.

At the next level we have the 3d library, normally OpenGL or DirectX. This handles most of the actual graphics work itself, such as displaying your polygon meshes, applying standard lighting effects, and so forth.

Finally we hit the shader level. It's here that Cg comes into its own, with special snippets of Cg code to get the reflections on the water to look just right and ripple as the character walks through, or to make the velvet curtains actually have the distinctive sheen. Special effects work only.

It is worth noting that DirectX does have its own way of doing shaders now, and OpenGL does have a specification for them but last time I looked no one had this implemented.

Hope this makes sense.
I don't know about you, but I hate it when the cops find any of my porn. They just end up sitting in front of the computer looking at my porn and drinking my beer, and when they've gone my keyboard is all sticky.
So they carry half the fuel they use on a trip? That is quite an impressive feat, having the other half miraculously appear in the tanks.
Damn. If SCO begin tactics using hot girls against Linux users then they'll easily win.
Curse you, SCO's hot girls.. Curse you!
It looks like you remember incorrectly. Bloodwych wasn't out till '91, Bard's Tale was out in '85.
The reason I went looking was I remembered Bloodwych being a so-so game for the Amiga, but BT being kick-bottom on the C64.
Can I have my pedant point now, please?
Except they seem to be skipping the 'Trying to survive as a company' bit.
Okay, in simple terms..
DNS is the method of resolving names to IP addresses, it's what turns 'www.slashdot.org' into 66.35.250.151, or 'www.google.com' into 216.239.59.99.
Wildcarding DNS is when instead of saying 'www.slashdot.org is 66.35.250.151' you effectively say 'Everything is 66.35.250.151' and so any domain you're asked to resolve goes to Slashdot's IP address.
What VeriSign have done is to add a final rule to their list, saying 'Anything not in the above is 64.95.110.11' (Or whatever the IP is of their SiteFinder service). This has the result that any DNS request that formerly would have returned an 'Unable to resolve' message now thinks it's resolved correctly to the IP address.
The stink this is causing with spam mail is that a lot of anti-spam measures rely on being able to weed out mail from made up domains simply by checking if the domain resolves correctly.
DNS is actually a *lot* more complex than this, but I think that'll do to explain what's going on here.
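To make the spam-filter consequence concrete, here is an added Python example, not from the original comment or from any real filter, with a toy in-memory resolver standing in for DNS: the zone data and domain names are constructed, 64.95.110.11 plays the SiteFinder catch-all, and the wildcard-aware check probes a random name under the same TLD first, a mitigation the comment itself does not describe.

```python
import secrets

# Constructed zone data modelled on the explanation above (no real DNS traffic):
# two explicit records plus a catch-all for the .com and .net TLDs, standing in
# for the rule "anything not in the above is 64.95.110.11".
ZONE = {
    "www.slashdot.org": "66.35.250.151",
    "www.google.com": "216.239.59.99",
}
WILDCARDED_TLDS = {"com", "net"}
WILDCARD_IP = "64.95.110.11"

def tld_of(name):
    return name.lower().rstrip(".").rsplit(".", 1)[-1]

def resolve(name):
    """Toy resolver: exact record, else the TLD wildcard, else None (NXDOMAIN)."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return ZONE[name]
    if tld_of(name) in WILDCARDED_TLDS:
        return WILDCARD_IP
    return None

def naive_sender_domain_exists(domain):
    """The anti-spam check the comment describes: 'does the sender's domain
    resolve?'  With a wildcarded TLD every made-up .com now passes."""
    return resolve(domain) is not None

def wildcard_aware_sender_domain_exists(domain):
    """Same check, but first learns what the TLD answers for a name that cannot
    exist; an answer identical to that sentinel is treated as NXDOMAIN."""
    addr = resolve(domain)
    if addr is None:
        return False
    # Random label, so no explicit record can match the probe by accident.
    probe = f"nx-{secrets.token_hex(8)}.{tld_of(domain)}"
    sentinel = resolve(probe)
    # Caveat: a real host that legitimately lives at the wildcard address
    # (the SiteFinder site itself) is rejected by this rule as well.
    return sentinel is None or sentinel != addr

if __name__ == "__main__":
    for sender in ("www.google.com", "mail.n0such-d0main-zzz.com", "nosuch.org"):
        print(sender, naive_sender_domain_exists(sender),
              wildcard_aware_sender_domain_exists(sender))
```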
A is for ASCII, and so AAA is for ASCII ASCII ASCII? So good they named it thrice?
Hold on, Waste was released under the GPL.. exactly how can AOL plan to pull that?
Eww. I don't want to think about it.