Because that means you have to buy a bunch of them, and there's no significant vendor competition. What is it with people in this thread having forgotten that Microsoft is trying to make money here?
Microsoft should have never released the core pack.
Why not? The core pack made their platform available to a poorer demographic of users, who happen to be the first adopters in the console game industry, and the hard drive upgrade makes them larger margins than the full box. NPD estimates that this maneuver grew their initial market by 18%, meaning that more people bought a given game, meaning more games were developed, meaning they have a stronger library, drawing in more players. They've been riding that 18%, the interest on that 18% and the upgrade margins on the hard drive for a year now.
Exactly why do you suggest that this was a bad idea? Microsoft has made quite a bit of money and established a much stronger presence for this console as a direct result of the tactic.
I think it was a poor choice for Microsoft as I doubt it really boosted sales in the long run.
NPD group, who have the advantage of statistics and understanding the market, believes that the hard drive being purchasable separately increased the distribution base by almost 20%, which in turn will have had long-term impacts on the platform.
Generally, large companies like Microsoft put multiple billion dollar projects into the hands of more than one person. Making two separate system types costs them significant money and introduces inefficiency margins which would not have otherwise existed. They did this for a good reason, and it was professionals who know what they're doing who chose to do it.
As a rule of thumb, if you don't have any data, don't argue with the vendor. All you're doing is making yourself look arrogant and naïve.
I never did understand the Core system concept anyway. If games were going to require a hard drive, what good would it do to purchase a system without one?
Not very many games require the hard drive, and those which do provide an incentive to purchase the hard drive as a peripheral later. The lower price point allows a broader demographic access to the platform, and spreading the total system cost out over time both lowers the financial impact of a competitive system and allows Microsoft to reap larger margins over time. It's pretty much the same thing that any upgrade path does.
Interestingly it's also a relatively new invention, not much more than 50 years old.
Also interesting is that Irish Coffee is an accidental American invention. An individual from a San Francisco bar called "the Buena Vista" stumbled across a variation on the theme in the Shannon Airport, and on returning home talked the bartender into experimenting with him at length. The drink they ended up with is significantly different than the Irish drink, which was really just a heavy unpasteurized spiked coffee with sugar.
For example, the characteristic "double cream on top" was created here when the local proprietor misunderstood what kept the cream afloat (the cream only floats when cold enough that the drink won't melt it until it releases air; in the original Irish version, it's a thick-walled, refrigerated mug, whereas in the Americanized version, the cream itself is first frothed to make stronger bubbles (as with Cappuccino,) then intensely chilled to get the puff to last without the support of the glass).
Unfortunately, Ireland has begun to retcon history to make this drink their own. C'est la vie.
With a simple firmware update they could let people format external drives so they could be used to store content. Why won't they, besides wanting to make $$$ off drive sales? Don't tell me it's DRM through obscurity...
"With a simple piece of fabric, they could be driving blindfolded. Why won't they, besides wanting to not crash and die? Don't tell me they're allergic to cotton..."
Generally, if you want to know why an entity does something, don't start by eliminating the primary reason.
Neither of these things are new. The idea of using them to launch an attack, by altering the behavior of existing objects so that trusted JavaScript behaves differently than expected, may possibly be new
The possibility of using them to launch an attack is what he's claiming is new, and I've never heard of it before. This is something I keep up with, so I'm going to remain somewhat firm in my belief that this is an insightful paper until someone shows me prior exposition.
Would you let me know what's new in XSS? All the paper describes are pedestrian ways to sniff info out of a site via existing XSS exploit.
The thing which is novel in this paper is the delivery mechanism, specifically by fundamentally replacing parts of javascript to carry attacks in what would otherwise be quite clean and legitimate code. The only parallel I can think of is the embedded-in-compiler attack that was referred to by the Guy Steele era TNHD as "the greatest hack ever," wherein the foreign code installed itself into anything compiled by said compiler, including new iterations of said compiler. (By the by, I can think of several hacks I think are better; I just mentioned the phrase because most people know to what that refers.)
And XSS is by no means new, or "fundamental flaw" of JS.
I'm not sure why you keep talking about XSS. XSS prototype overloading attacks are just his first example of something you could deploy over his new attack vector. The paper isn't about the XSS attack at all. It's not the payload he's talking about, it's the delivery mechanism. You might consider re-reading. I mean, come on, he even cites someone named "S. Di Paola" (near the top of the second column on page three of the PDF) as the person who came up with the XSS attack he uses as an example, and the XSS attack starts right after the header "advanced example". Why are you suggesting he claimed that was new?
As far as whether prototype overloading is a fundamental flaw of javascript, from the security perspective the current implementation most certainly is. There is no mechanism to identify whether a fundamental library feature has been replaced, or whose implementation you're using. There is not yet an existing mechanism by which an application can defend itself from this kind of attack; this must be defended against by the runtime environment instead, and there are not currently any runtime environments which defend against this sort of thing. Indeed, some of the JavaScript libraries I use rely on those features being replaceable (specifically prototype, moofx, behaviour and dojo, though I know of quite a few other libraries which do it too.) MooFX adds a ton of new features to fundamental things like Objects, Arrays and Strings that I use all the time.
The same mechanism Moo uses to extend things could be used to extend bad things into place. The XSS attack is just an example. It's the extension he's talking about. It wouldn't be hard to "extend" a "logging" mechanism into XMLHttpRequest; indeed I did that once as a debugging tool. What if said logging mechanism logged to a foreign server? There are a million ways to exploit this.
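The replaced-built-in problem the reply describes, worked through as an added example (not code from the thread or the paper): a snapshot-based audit that reports which watched built-ins have been swapped, and the case it cannot catch. XMLHttpRequest is browser-only, so the example watches JSON.stringify instead, and it assumes the audit code loads before any third-party script.

```javascript
// Added example: detect replaced built-ins by comparing against an early snapshot.
// Capture Function.prototype.toString first; a replacement could override it too,
// so the native-code heuristic below always uses this captured reference.
const nativeToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Watched built-ins (assumption: this list is what the application cares about).
const WATCHED = {
  'Array.prototype': [Array.prototype, ['push', 'map', 'join']],
  'String.prototype': [String.prototype, ['replace', 'split']],
  'JSON': [JSON, ['parse', 'stringify']],
};

// Record the current function references for every watched member.
function snapshot(targets) {
  const snap = new Map();
  for (const [label, [obj, names]] of Object.entries(targets)) {
    for (const name of names) {
      snap.set(`${label}.${name}`, obj[name]);
    }
  }
  return snap;
}

// Heuristic: engine-provided functions stringify to "{ [native code] }".
function isNativeFunction(fn) {
  return typeof fn === 'function' && NATIVE_RE.test(nativeToString.call(fn));
}

// Report members whose reference changed since the snapshot, or which were
// already non-native when the snapshot was taken (snapshot taken too late).
function auditBuiltins(targets, snap) {
  const findings = [];
  for (const [label, [obj, names]] of Object.entries(targets)) {
    for (const name of names) {
      const key = `${label}.${name}`;
      const current = obj[name];
      if (current !== snap.get(key)) {
        findings.push({ target: key, reason: 'reference changed' });
      } else if (!isNativeFunction(current)) {
        findings.push({ target: key, reason: 'not native code' });
      }
    }
  }
  return findings;
}

function demo() {
  // Constructed stand-in for a library that "extends" a built-in with a logging
  // layer, as the thread describes for XMLHttpRequest. From the application's
  // point of view a benign extension and a hostile one look identical.
  const realStringify = JSON.stringify;
  const seen = [];
  const wrapper = function (value, ...rest) {
    seen.push(value);
    return realStringify.call(JSON, value, ...rest);
  };

  // Scenario 1: snapshot first, wrapper installed later. Reference check catches it.
  const cleanSnap = snapshot(WATCHED);
  JSON.stringify = wrapper;
  JSON.stringify({ user: 'alice' });
  const lateWrap = auditBuiltins(WATCHED, cleanSnap);

  // Scenario 2: the wrapper ran before the snapshot. The reference check is
  // blind; only the native-code heuristic still fires, and a replacement that
  // also swapped Function.prototype.toString before load would defeat even that.
  // This is why the thread argues the runtime, not the page, has to defend.
  const taintedSnap = snapshot(WATCHED);
  const earlyWrap = auditBuiltins(WATCHED, taintedSnap);

  JSON.stringify = realStringify; // restore the runtime for whatever runs next
  return { lateWrap, earlyWrap, observed: seen.length };
}
```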
When XSS can occur, it's an implementation flaw of the browser and/or site, and by no means "fundamental" as it's usually fixed in the next point release or site update.
You seem to have entirely missed the point. The thing this paper describes is an attack mounted by a malicious site against later sites in the user's browsing path, not an attack mounted against a site with a flaw. This attack leverages a flaw in current browser implementations of JavaScript in such a way that there need not be a flaw in the remote site, and it is neither possible for a remote site to detect or resist such attacks.
The fundamental flaw is not in Javascript. It's in current implementations of Javascript. You are confusing mechanisms and targets. Yes, the target of this attack is other sites, but the mechanism has nothing to do with the target, and there's nothing the target can do. It's a browser-side attack.
Fundamental would mean it can't be fixed
Yes and no. It's fundamental *to* *current* *implementations* of the language, not the language itself. So yes, it cannot be fixed, *in* *current* *implementations*; it requires a minor new implementation strategy on the part of browser vendors. This will end up requiring a security patch to all browsers (and probably three to IE.)
and if your BS detectors aren't screaming by his paper, you're more gullible than you suspect.
Please re-read the paper. You seem to have missed the point.
They're significantly better edited. This leads to less ambiguous prose, which in turn affects the readers' ability to write coherently. Furthermore, Wikipedia is dramatically more biased in my admittedly limited experience than are textbooks. I know, it's quite trendy to suggest that, given arbitrary rules governing a community, these articles will suddenly magically be clean-cut and impartial, and then to hand-wave half-remembered studies between experts on Britannica and Wikipedia articles where Britannica made three or four times more something than something else and they're sure it works out to mean what they want for it to mean.
The problem is, those studies didn't have anything to do with partiality, they had to do with factuality, and they focussed on the sciences, where factuality is (usually) not under dispute. Sure, the average Wikipedia article has fewer errors; it's had more eyes. That doesn't mean that the text is of as high quality; most articles in Wikipedia are rife with errors in grammar, syntax, spelling and usage, and frequently the text is of such poor quality that what's being said simply isn't clear, or is written in a dangerously counterintuitive fashion.
I mean, we've all had to edit a wikipedia page because some text was just disgusting, or because someone misunderstood how to put facts together, haven't we?
Impeccable covers a lot more ground than does bias, but I don't buy that Wikipedia is less biased than an encyclopedia for a flat second. Wikipedia has trolls that go unnoticed for years at a time. Wikipedia cites opinion as fact so often that the editors have created a macro to identify areas which need to be rewritten. Indeed, there are actually a dozen odd such macros, because it's actually so common that it's useful to differentiate between the various kinds of deceitful textual tactics in appallingly common use (consider weasel words and peacock terms,) and indeed has several FAQs and guidelines explaining rules governing the quality of text.
The masses are great for volume and thorough explanation. For quality, get a professional, or show statistics. By the by, you'll note on reading weasel words that indeed they are to what I'm replying. It's more common than you'd think, and most people do it accidentally or by habit. There's a reason for editors, and it's not because most people write with skill. Hell, a professional writer can't get something published without being edited; why should the masses do better work?
Next time you want to pretend there's a quality difference, show evidence. Notice how you implied a quality difference without actually citing facts? That kind of writing is what makes Wikipedia, and that kind of writing is of unacceptable quality.
Or, didn't you know that textbook authors get paid on a sliding scale governed by how many errors or irresponsible positions other experts can find in their work, and that the other experts make bonuses for finding lots of errors? Did you think the textbook companies don't care about quality? Did you forget that before the internet came into play as a significant documentary force (arguably) five-ish years ago, that they also competed with each other on grounds of quality? Did you think maybe that they just wrote whatever the hell they wanted and that it was largely one guy making shit up? This is Harcourt Brace we're talking about, not the New York Times. They're carefully edited and they care a lot about quality. Did you know textbook companies get sued for serious errors by universities, professors, public action groups and individuals?
Did you think nobody cared?
So look, instead of writing like Wikipedia, start writing like a real encyclopedia. Intimations are poison. Insinuations get people fired. Hinting at statistics gets your article pulled. Not citing numbers when numbers are
This paper is absolutely ridiculous, and its author is scaremongering
Try reading the paper before lambasting it. The stuff you saw in the slashdot article isn't in the paper. The author of the paper says things like "innovative new attack" and "next generation of server side injection." The stuff about end of the web as we know it is from the slashdot poster. The paper is quite insightful, and the author is almost blase about the whole thing. It's quite clear that he simply believes he's unearthed a new form of attack, and he's in fact quite correct.
Do you now or have you ever received compensation from Starbucks in any form for work performed, services rendered, or products sold to them?
Wow, you are a complete and total ass. No, I've never worked for them or owned stock, nor do I have to be a faceless corporate minion to disagree with you. I write Nintendo games for a living. Go to hell. Shame on you.
And it probably seemed like a better solution than a server room which stank up every month for no apparent reason:)
Well, in every mid- or large-sized engineering firm, there's that guy who doesn't bathe. Might be he was just next door, and everybody thought it was him.
Central air is neither reliable enough nor uniform enough for a serious server room. One keeps air conditioners in the server room for the same reason one keeps backup generators - external services go down, and in that kind of environment, that simply cannot be tolerated.
Also, since when is "Water + Electricity = Danger" a "Superstitious Belief"?
Since clean water suspended in air, such as produced by an air conditioner's condensation process, is an extremely poor conductor of electricity, and since it's not exactly hard to keep control of a fluid volume that small (I mean, it's not like the air conditioner is left to drip on the floor, where the servers are haphazardly strewn amongst beer bottles, unless you get colo at Alpha Chi Kappa.) You should go to an actual data center, and ask to see their air conditioning setup. Just tell them you're considering buying a half rack and you want to see their backup systems personally; they'll give you a guided tour and will positively hammer you with details.
Then ask them how humidity in the data center works, because you don't actually want aridity. Data centers in Arizona actually run humidifiers, because the air is undesirably dry.
a "Superstitious Belief"? Exactly what universe are you living in again?
The one where ambient humidity serves as an insulator and thereby prevents the aggregation of static charge, which is a tremendous risk in a room with that many highly charged moving parts.
You really shouldn't get on horses that high. The fall hurts.
Because in mine that's not superstition, it's a basic safety rule you learn in elementary school.
I believe the traditional response to this kind of ad verecundiam reference to the extremely detailed and thoroughly considered descriptions of physics given to elementary school children is "yes, and get under your desk and put your head between your knees to keep you safe from the bomb."
We also tell elementary school children that pixies replace their juvenile teeth with money when they sleep, that the stork brought their little brother Timmy, that eating brussels sprouts will make them grow big and tall and that if they keep making that face, it's going to get stuck like that. Also, an eight hundred year old Dutchman with a serious weight problem climbs down a chimney that won't pass a football to give them presents once a year (and go as far as to have the military track him and then superimpose it on weather radar on the news.) In fact, about the only thing we tell them the truth about is that it really isn't what it looks like and daddy isn't hurting mommy and go back to bed.
So, as a general rule of thumb, if you learned it when you were eight and don't have anything since on which to hang your hat, you don't really understand it well enough to get all high and mighty in public. Why do we oversimplify and tell kids that electricity plus water equals danger? because we don't want them experimenting to sort out when it is and when it isn't. Stray dogs aren't fundamentally dangerous either, but you sure fucking tell them they are, to keep them the hell away from them, for those cases when it's an issue.
Apparently you can bathe with toasters in your dimension.
Yeah, putting a heavy power line like a wall socket
I would think that running the water for 5 minutes while using it
I would think that anyone satisfying the grandparent's actual description, "if you leave a drain long enough without water passing through it," doesn't have the option of running the water for five minutes while using it, since they're obviously not using it.
But I guess you guys aren't responsible for utility bills and stuff.
That light you leave on in the kitchen costs quite a bit more than a dripping faucet.
Sony's electronic bookstore has 11,000 books, and has been running (under various names) since at least early 2002, giving them a post rate of approximately 6.02 books per day. In late December, I gave some webspace to a guy from IRC who wanted to start converting e-books for MoonShell for the Nintendo DS; he's already over the 200 mark.
At this rate, Brandon's personal, free pet project is going to personally overtake Sony in about 27 years. MoonBooks defeats Connect, and it has classics instead of just (chargeable) modern content. Yay Dickens!
I don't understand why they do it. I know they know better. In fact, they used to roast to a "full city" roast, which the best gourmet roasters have always used, and which I prefer to lighter or darker roasts.
I'm not sure why people are stuck on this notion that there's one Best Coffee Roast (tm). Different people prefer different things. You'll notice that as their roast has gotten progressively darker, their sales have gotten progressively stronger. What's critical to understand about Starbucks is that they do not market to the average coffee drinker. Starbucks markets to three demographics: the conspicuous spending consumer (someone who buys a $5 coffee instead of a $0.75 coffee because they expect it to be better,) the retreat consumer and the serious coffee addict.
In the case of the conspicuous consumer, the roast doesn't really matter. They don't honestly know better. That's why so many of Starbucks' drinks are sweetened and dairy-focussed; it's to help manage the bitterness of the deeper roast.
In the case of the retreat consumer, the customer goes to Starbucks to have a quiet, pleasant place to hide from the world (same mechanism in use by Borders and Barnes and Noble.) That's why Starbucks has the big comfy chairs, the quiet music, the MP3 CD creation hotspots, etc. Many of these customers are people looking for a 15 minute escape from work. For these consumers, the setting is more important than the roast.
It's the third group of consumers who sets Starbucks' roast, because it doesn't matter for the other two, and besides the third group is where the money is. These are the coffee junkies, who will spend an extra dollar per shot and get five extra shots in every frappuccino they wolf down. These are the people who get more than one coffee for themselves while they're there. For these people, the dark roast is the only preference you will ever see.
Why?
It's really quite simple. Coffee is a waxy bean. The longer you roast it, the more caffeine you release. These people aren't in it for the flavor. They're in it for the buzz. Starbucks is just being a smart drug dealer. Give the coffee parallel to potheads to Burger King and Dunkin Donuts; Starbucks wants the coffee equivalent of crackheads.
If it was wrong, they wouldn't be growing this fast. There's no shortage of other quality coffee chains with roasts you would prefer, such as Peet's, who have nice buildings and who charge just as preposterous amounts. Peet's is growing phenomenally quickly, but nowhere near as quickly as Starbucks.
Coffee vendors are drug dealers. You're being surprised that the guy who used to sell shrooms now sells PCP. It's because the money's in the PCP.
More importantly, from what I understand, they don't do any real pre or post roast QA to remove clinkers, which are light, immature beans that give a grassy or off taste to coffee.
That's FUD spun by other coffee vendors. It's because they pay the producers to remove the clinkers for them. 'S cheaper that way. One might as well suggest that grocery stores don't strip the corn off of the stalk.
They also don't date their roasts like a good gourmet shop will.
They have a Walmart style 6-hour automated supply chain, and foot traffic that makes a McDonalds green with envy. The reason they don't date their coffee is the same as the reason a pizza shop doesn't date its cheese, or why bakeries don't date eggs: there's no need to. There's a predictable, high rate of out-flow. The foodstuffs don't have time to get old; they're consumed too early.
Good gourmet shops can't push coffee fast enough due to a lack of patrons, and end up having to throw stock away. Chains at the scale of Starbucks have the incentive to develop delivery chains to eliminate that kind of waste. It costs millions of dollars to get a modern just in time shipping system together, and stock spoilage probably only costs a small store $10k/y, so for a sm
For those few still using actual radio, rather than just the broadcaster metaphor, sure. But, if you don't mind my asking, to what end? What good would it do you to know the site of origin?
Of course, you guys in the US will have the handsets locked down tighter than a tight thing at a tight things convention...
And yet the British think Americans have a poor use of the language. Here's some charity from the colonies: if you want to talk about how tight something is, describe it as the logical inverse of Paris Hilton, or whoever the public whore is on the other side of the pond.
Actually, I used the lapboard at E3 in 2005. It was a fairly convenient device. Not worth their apparent asking price, but if they were fifty bucks, and could actually be purchased, I might grab one. Kinda sucks about the Phantom - they had a fairly neat UI going, proper backend rights management, the device was pretty polished. Of course, all the games they had at E3 were trash, but hey, it was very pretty trash.
Horseshit. Evolution is simply the progress between successive states. If you're going to play amateur semantician, at least get the terms right. Weather evolves. Traffic evolves. Chess game states evolve. The thing you're trying to talk about is called "natural selection."
[Natural Selection] is defined as unguided.
Bologna. Natural selection is directional, going from less adapted states to more adapted states. Though as a stochastic system you do occasionally see "deselection" happen as a great rarity, on the whole we don't devolve. Bush is a statistical fluke. Natural selection is most certainly guided, and the guiding mechanisms are called pressures - typically we discuss environmental pressure, species competition pressure, selection pressure, and so on, but there are actually quite a few of them.
Don't confuse "guided" to mean "led by the spaghetti monster." A Nunavut (like Eskimo but more Canadian) hunter is guided by the stars to go between their home and the coast, when the interlocated land is a giant featureless white tundra. Mariners were also guided by the stars on the ocean. I am typically guided by maps I get from the interwebs. Natural selection is guided by pressure adaptivity, and evolution is guided by the timeline and chaotic generators.
These things you're talking about, they actually have specific definitions, and those definitions are really important to evolutionary biologists, mathematicians, and so on. I know, you're trying to make a point, and you're probably saying "but that's not what I meant." The problem is, what you said is actually quite the opposite of how these things are believed to work, and if you're gonna use the word "defined," you're going to get argued with by people who know what they're talking about.
Look, if natural selection wasn't guided, it wouldn't work. Natural selection's ability to increase complexity is predicated on its being guided by adaptivity. That's what the whole thing is about in the first place. Natural selection is quite simply the emergent upshot of pressures acting on breeding in terms of guiding species characteristics.
The above is a description of Intelligent Design, not evolution
Oh get off of your soapbox already. It's a video game, not Jerry Falwell.
The player is essentially the god of a universe built via Theistic Evolution, and every game play decision is a miracle.
Actually, the game isn't that simple. You don't generate a planet's entire ecosphere; you're much closer to the black slab obelisk from 2010 than you are to JHVH. Your creations still have to duke it out with the other crap that's on the planet, some of it derived of your own work, and quite a bit of it from other players. JHVH isn't competing with other gods.
That said, your point seems to be more about that the game is less about accurately predicting the upshots of evolutionary pressures wrought by a completely random physical situation, and more about that the player gets to have something to say about the game, and doesn't just sit there watching. You might as well argue that Madden 2003 is closer to body-swapping avatar fantasies than actual football. It is a legitimate, honest and accurate point. It's also enormously stupid.
You seem to have missed the primary difference between games and TV, and you seem to want TV. People don't watch games. We go in expecting to have something to do with it. Exactly what do you think people expect when they hear they get to play with evolution? Do you think that it's a god game has surprised anyone but you? Did you miss that Will Wright frequently says that all of his games are God Games? Did you know that "God Games" are a genre of games?
Is your next big insight going to be that Gran Turismo involves cars?
By the way, there's only one D in "adage."
How the hell did someone saying "I didn't have time to read the article, someone read it for me" get modded insightful?
Maybe you should point the guy making fun of the macs at a list of Apple ][ software, too.
Neither of these things are new. The idea of using them to launch an attack, by altering the behavior of existing objects so that trusted JavaScript behaves differently than expected, may possibly be new
The possibility of using them to launch an attack is what he's claiming is new, and I've never heard of it before. This is something I keep up with, so I'm going to remain somewhat firm in my belief that this is an insightful paper until someone shows me prior exposition.
Would you let me know what's new in XSS? All the paper describes are pedestrian ways to sniff info out of a site via existing XSS exploit.
The thing which is novel in this paper is the delivery mechanism, specifically by fundamentally replacing parts of javascript to carry attacks in what would otherwise be quite clean and legitimate code. The only parallel I can think of is the embedded-in-compiler attack that was referred to by the Guy Steele era TNHD as "the greatest hack ever," wherein the foreign code installed itself into anything compiled by said compiler, including new iterations of said compiler. (By the by, I can think of several hacks I think are better; I just mentioned the phrase because most people know to what that refers.)
And XSS is by no means new, or a "fundamental flaw" of JS.
I'm not sure why you keep talking about XSS. XSS prototype overloading attacks are just his first example of something you could deploy over his new attack vector. The paper isn't about the XSS attack at all. It's not the payload he's talking about, it's the delivery mechanism. You might consider re-reading. I mean, come on, he even cites someone named "S. Di Paola" (near the top of the second column on page three of the PDF) as the person who came up with the XSS attack he uses as an example, and the XSS attack starts right after the header "advanced example". Why are you suggesting he claimed that was new?
As far as whether prototype overloading is a fundamental flaw of JavaScript, from the security perspective the current implementation most certainly is. There is no mechanism to identify whether a fundamental library feature has been replaced, or whose implementation you're using. There is not yet an existing mechanism by which an application can defend itself from this kind of attack; this must be defended against by the runtime environment instead, and there are not currently any runtime environments which defend against this sort of thing. Indeed, some of the JavaScript libraries I use rely on those features being replaceable (specifically prototype, moofx, behaviour and dojo, though I know of quite a few other libraries which do it too.) MooFX adds a ton of new features to fundamental things like Objects, Arrays and Strings that I use all the time.
The same mechanism Moo uses to extend things could be used to extend bad things into place. The XSS attack is just an example. It's the extension he's talking about. It wouldn't be hard to "extend" a "logging" mechanism into XMLHttpRequest; indeed I did that once as a debugging tool. What if said logging mechanism logged to a foreign server? There are a million ways to exploit this.
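The replacement-and-wrap mechanism described above, with a defender's integrity check beside it, as an added example that is not part of the original thread or the paper. It uses Array.prototype.map as a stand-in for XMLHttpRequest (Node.js has no XHR), and the "sink" is a constructed in-memory array standing in for wherever a hostile wrapper would send its log.

```javascript
// Snapshot the genuine built-ins as early as possible, before any
// third-party script has had a chance to run. This captured baseline is the
// only thing a page can fully trust later on.
const trusted = {
  mapImpl: Array.prototype.map,
  fnToString: Function.prototype.toString,
};

// Heuristic check: a genuine built-in's source text ends in "[native code]".
// Heuristic only, because Function.prototype.toString can itself be replaced;
// that is why the captured copy of toString is used rather than the live one.
function looksNative(fn) {
  return /\{\s*\[native code\]\s*\}$/.test(trusted.fnToString.call(fn));
}

// Stronger check: identity comparison against the early snapshot.
function mapIsIntact() {
  return Array.prototype.map === trusted.mapImpl;
}

// The kind of "logging" extension the comment describes: it preserves the
// original behaviour, so callers notice nothing, while also recording each
// call somewhere the caller never asked for. Constructed for the demo.
const sink = [];
function installLoggingWrapper() {
  const original = Array.prototype.map;
  Array.prototype.map = function (...args) {
    sink.push({ length: this.length });
    return original.apply(this, args);
  };
}

// Put the captured implementation back; a page that keeps its own
// references can always fall back to them instead of the live prototype.
function restore() {
  Array.prototype.map = trusted.mapImpl;
}

// Audit returns a report instead of throwing, so the page decides what to do
// (refuse to run, alert, or use only the captured references).
function auditMap() {
  return {
    identityIntact: mapIsIntact(),
    sourceLooksNative: looksNative(Array.prototype.map),
  };
}
```

Run auditMap() before and after installLoggingWrapper(): results are unchanged for callers, yet both checks flip to false once the prototype has been swapped.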
When XSS can occur, it's an implementation flaw of the browser and/or site, and by no means "fundamental" as it's usually fixed in the next point release or site update.
You seem to have entirely missed the point. The thing this paper describes is an attack mounted by a malicious site against later sites in the user's browsing path, not an attack mounted against a site with a flaw. This attack leverages a flaw in current browser implementations of JavaScript in such a way that there need not be a flaw in the remote site, and it is possible for a remote site neither to detect nor to resist such attacks.
The fundamental flaw is not in JavaScript. It's in current implementations of JavaScript. You are confusing mechanisms and targets. Yes, the target of this attack is other sites, but the mechanism has nothing to do with the target, and there's nothing the target can do. It's a browser-side attack.
Fundamental would mean it can't be fixed.
Yes and no. It's fundamental *to* *current* *implementations* of the language, not the language itself. So yes, it cannot be fixed, *in* *current* *implementations*; it requires a minor new implementation strategy on the part of browser vendors. This will end up requiring a security patch to all browsers (and probably three to IE.)
and if your BS detectors aren't screaming by his paper, you're more gullible than you suspect.
Please re-read the paper. You seem to have missed the point.
They're significantly better edited. This leads to less ambiguous prose, which in turn affects the readers' ability to write coherently. Furthermore, Wikipedia is dramatically more biased in my admittedly limited experience than are textbooks. I know, it's quite trendy to suggest that for arbitrary rules governing community, that these articles will suddenly magically be clean-cut and impartial, and then to hand-wave half-remembered studies between experts on Britannica and Wikipedia articles where Britannica made three or four times more something than something else and they're sure it works out to mean what they want for it to mean.
The problem is, those studies didn't have anything to do with partiality, they had to do with factuality, and they focussed on the sciences, where factuality is (usually) not under dispute. Sure, the average Wikipedia article has fewer errors; it's had more eyes. That doesn't mean that the text is of as high quality; most articles in Wikipedia are rife with errors in grammar, syntax, spelling and usage, and frequently the text is of such poor quality that what's being said simply isn't clear, or is written in a dangerously counterintuitive fashion.
I mean, we've all had to edit a wikipedia page because some text was just disgusting, or because someone misunderstood how to put facts together, haven't we?
Impeccable covers a lot more ground than does bias, but I don't buy that Wikipedia is less biased than an encyclopedia for a flat second. Wikipedia has trolls that go unnoticed for years at a time. Wikipedia cites opinion as fact so often that the editors have created a macro to identify areas which need to be rewritten. Indeed, there are actually a dozen odd such macros, because it's actually so common that it's useful to differentiate between the various kinds of deceitful textual tactics in appallingly common use (consider weasel words and peacock terms,) and indeed has several FAQs and guidelines explaining rules governing the quality of text.
The masses are great for volume and thorough explanation. For quality, get a professional, or show statistics. By the by, you'll note on reading weasel words that indeed they are to what I'm replying. It's more common than you'd think, and most people do it accidentally or by habit. There's a reason for editors, and it's not because most people write with skill. Hell, a professional writer can't get something published without being edited; why should the masses do better work?
Next time you want to pretend there's a quality difference, show evidence. Notice how you implied a quality difference without actually citing facts? That kind of writing is what makes Wikipedia, and that kind of writing is of unacceptable quality.
Or, didn't you know that textbook authors get paid on a sliding scale governed by how many errors or irresponsible positions other experts can find in their work, and that the other experts make bonuses for finding lots of errors? Did you think the textbook companies don't care about quality? Did you forget that before the internet came into play as a significant documentary force (arguably) five-ish years ago, that they also competed with each other on grounds of quality? Did you think maybe that they just wrote whatever the hell they wanted and that it was largely one guy making shit up? This is Harcourt Brace we're talking about, not the New York Times. They're carefully edited and they care a lot about quality. Did you know textbook companies get sued for serious errors by universities, professors, public action groups and individuals?
Did you think nobody cared?
So look, instead of writing like Wikipedia, start writing like a real encyclopedia. Intimations are poison. Insinuations get people fired. Hinting at statistics gets your article pulled. Not citing numbers when numbers are
Or a playstation fan.
This paper is absolutely ridiculous, and its author is scaremongering
Try reading the paper before lambasting it. The stuff you saw in the slashdot article isn't in the paper. The author of the paper says things like "innovative new attack" and "next generation of server side injection." The stuff about end of the web as we know it is from the slashdot poster. The paper is quite insightful, and the author is almost blase about the whole thing. It's quite clear that he simply believes he's unearthed a new form of attack, and he's in fact quite correct.
Please get off of your soapbox. You're wrong.
Do you now or have you ever received compensation from Starbucks in any form for work performed, services rendered, or products sold to them?
Wow, you are a complete and total ass. No, I've never worked for them or owned stock, nor do I have to be a faceless corporate minion to disagree with you. I write Nintendo games for a living. Go to hell. Shame on you.
And it probably seemed like a better solution than a server room which stank up every month for no apparent reason :)
Well, in every mid- or large-sized engineering firm, there's that guy who doesn't bathe. Might be he was just next door, and everybody thought it was him.
Central air is neither reliable enough nor uniform enough for a serious server room. One keeps air conditioners in the server room for the same reason one keeps backup generators - external services go down, and in that kind of environment, that simply cannot be tolerated.
Also, since when is "Water + Electricity = Danger" a "Superstitious Belief"?
Since clean water suspended in air, such as produced by an air conditioner's condensation process, is an extremely poor conductor of electricity, and since it's not exactly hard to keep control of a fluid volume that small (I mean, it's not like the air conditioner is left to drip on the floor, where the servers are haphazardly strewn amongst beer bottles, unless you get colo at Alpha Chi Kappa.) You should go to an actual data center, and ask to see their air conditioning setup. Just tell them you're considering buying a half rack and you want to see their backup systems personally; they'll give you a guided tour and will positively hammer you with details.
Then ask them how humidity in the data center works, because you don't actually want aridity. Data centers in Arizona actually run humidifiers, because the air is undesirably dry.
a "Superstitious Belief"? Exactly what universe are you living in again?
The one where ambient humidity serves as an insulator and thereby prevents the aggregation of static charge, which is a tremendous risk in a room with that many highly charged moving parts.
You really shouldn't get on horses that high. The fall hurts.
Because in mine that's not superstition, it's a basic safety rule you learn in elementary school.
I believe the traditional response to this kind of ad verecundiam reference to the extremely detailed and thoroughly considered descriptions of physics given to elementary school children is "yes, and get under your desk and put your head between your knees to keep you safe from the bomb."
We also tell elementary school children that pixies replace their juvenile teeth with money when they sleep, that the stork brought their little brother Timmy, that eating brussels sprouts will make them grow big and tall and that if they keep making that face, it's going to get stuck like that. Also, an eight hundred year old Dutchman with a serious weight problem climbs down a chimney that won't pass a football to give them presents once a year (and we go as far as to have the military track him and then superimpose it on weather radar on the news.) In fact, about the only thing we tell them the truth about is that it really isn't what it looks like and daddy isn't hurting mommy and go back to bed.
So, as a general rule of thumb, if you learned it when you were eight and don't have anything since on which to hang your hat, you don't really understand it well enough to get all high and mighty in public. Why do we oversimplify and tell kids that electricity plus water equals danger? Because we don't want them experimenting to sort out when it is and when it isn't. Stray dogs aren't fundamentally dangerous either, but you sure fucking tell them they are, to keep them the hell away from them, for those cases when it's an issue.
Apparently you can bathe with toasters in your dimension.
Yeah, putting a heavy power line like a wall socket
I would think that running the water for 5 minutes while using it
I would think that anyone satisfying the grandparent's actual description, "if you leave a drain long enough without water passing through it," doesn't have the option of running the water for five minutes while using it, since they're obviously not using it.
But I guess you guys aren't responsible for utility bills and stuff.
That light you leave on in the kitchen costs quite a bit more than a dripping faucet.
Sony's electronic bookstore has 11,000 books, and has been running (under various names) since at least early 2002, giving them a post rate of approximately 6.02 books per day. In late December, I gave some webspace to a guy from IRC who wanted to start converting e-books for MoonShell for the Nintendo DS; he's already over the 200 mark.
At this rate, Brandon's personal, free pet project is going to personally overtake Sony in about 27 years. MoonBooks defeats Connect, and it has classics instead of just (chargeable) modern content. Yay Dickens!
I don't understand why they do it. I know they know better. In fact, they used to roast to a "full city" roast, which the best gourmet roasters have always used, and which I prefer to lighter or darker roasts.
I'm not sure why people are stuck on this notion that there's one Best Coffee Roast (tm). Different people prefer different things. You'll notice that as their roast has gotten progressively darker, their sales have gotten progressively stronger. What's critical to understand about Starbucks is that they do not market to the average coffee drinker. Starbucks markets to three demographics: the conspicuous spending consumer (someone who buys a $5 coffee instead of a $0.75 coffee because they expect it to be better,) the retreat consumer and the serious coffee addict.
In the case of the conspicuous consumer, the roast doesn't really matter. They don't honestly know better. That's why so many of Starbucks' drinks are sweetened and dairy-focussed; it's to help manage the bitterness of the deeper roast.
In the case of the retreat consumer, the customer goes to Starbucks to have a quiet, pleasant place to hide from the world (same mechanism in use by Borders and Barnes and Nobles.) That's why Starbucks has the big comfy chairs, the quiet music, the MP3 CD creation hotspots, etc. Many of these customers are people looking for a 15 minute escape from work. For these consumers, the setting is more important than the roast.
It's the third group of consumers who set Starbucks' roast, because it doesn't matter for the other two, and besides the third group is where the money is. These are the coffee junkies, who will spend an extra dollar per shot and get five extra shots in every Frappuccino they wolf down. These are the people who get more than one coffee for themselves while they're there. For these people, the dark roast is the only preference you will ever see.
Why?
It's really quite simple. Coffee is a waxy bean. The longer you roast it, the more caffeine you release. These people aren't in it for the flavor. They're in it for the buzz. Starbucks is just being a smart drug dealer. Give the coffee parallel to potheads to Burger King and Dunkin Donuts; Starbucks wants the coffee equivalent of crackheads.
If it was wrong, they wouldn't be growing this fast. There's no shortage of other quality coffee chains with roasts you would prefer, such as Peet's, who have nice buildings and who charge just as preposterous amounts. Peet's is growing phenomenally quickly, but nowhere near as quickly as Starbucks.
Coffee vendors are drug dealers. You're being surprised that the guy who used to sell shrooms now sells PCP. It's because the money's in the PCP.
More importantly, from what I understand, they don't do any real pre- or post-roast QA to remove clinkers, which are light, immature beans that give a grassy or off taste to coffee.
That's FUD spun by other coffee vendors. It's because they pay the producers to remove the clinkers for them. 'S cheaper that way. One might as well suggest that grocery stores don't strip the corn off of the stalk.
They also don't date their roasts like a good gourmet shop will.
They have a Walmart style 6-hour automated supply chain, and foot traffic that makes a McDonalds green with envy. The reason they don't date their coffee is the same as the reason a pizza shop doesn't date its cheese, or why bakeries don't date eggs: there's no need to. There's a predictable, high rate of out-flow. The foodstuffs don't have time to get old; they're consumed too early.
Good gourmet shops can't push coffee fast enough due to a lack of patrons, and end up having to throw stock away. Chains at the scale of Starbucks have the incentive to develop delivery chains to eliminate that kind of waste. It costs millions of dollars to get a modern just in time shipping system together, and stock spoilage probably only costs a small store $10k/y, so for a sm
Grab a dictionary and look up "rhetorical question."
For those few still using actual radio, rather than just the broadcaster metaphor, sure. But, if you don't mind my asking, to what end? What good would it do you to know the site of origin?
Of course, you guys in the US will have the handsets locked down tighter than a tight thing at a tight things convention ...
And yet the British think Americans have a poor use of the language. Here's some charity from the colonies: if you want to talk about how tight something is, describe it as the logical inverse of Paris Hilton, or whoever the public whore is on the other side of the pond.
We all already read Wired on a daily basis
Pfft. You might. I don't even have it turned on as a slashbox.
Actually, I used the lapboard at E3 in 2005. It was a fairly convenient device. Not worth their apparent asking price, but if they were fifty bucks, and could actually be purchased, I might grab one. Kinda sucks about the Phantom - they had a fairly neat UI going, proper backend rights management, the device was pretty polished. Of course, all the games they had at E3 were trash, but hey, it was very pretty trash.
Evolution is defined as unguided.
Horseshit. Evolution is simply the progress between successive states. If you're going to play amateur semantician, at least get the terms right. Weather evolves. Traffic evolves. Chess game states evolve. The thing you're trying to talk about is called "natural selection."
[Natural Selection] is defined as unguided.
Bologna. Natural selection is directional, going from less adapted states to more adapted states. Though as a stochastic system you do occasionally see "deselection" happen as a great rarity, on the whole we don't devolve. Bush is a statistical fluke. Natural selection is most certainly guided, and the guiding mechanisms are called pressures - typically we discuss environmental pressure, species competition pressure, selection pressure, and so on, but there are actually quite a few of them.
Don't confuse "guided" to mean "led by the spaghetti monster." A Nunavut (like Eskimo but more Canadian) hunter is guided by the stars to go between their home and the coast, when the interlocated land is a giant featureless white tundra. Mariners were also guided by the stars on the ocean. I am typically guided by maps I get from the interwebs. Natural selection is guided by pressure adaptivity, and evolution is guided by the timeline and chaotic generators.
These things you're talking about, they actually have specific definitions, and those definitions are really important to evolutionary biologists, mathematicians, and so on. I know, you're trying to make a point, and you're probably saying "but that's not what I meant." The problem is, what you said is actually quite the opposite of how these things are believed to work, and if you're gonna use the word "defined," you're going to get argued with by people who know what they're talking about.
Look, if natural selection wasn't guided, it wouldn't work. Natural selection's ability to increase complexity is predicated on its being guided by adaptivity. That's what the whole thing is about in the first place. Natural selection is quite simply the emergent upshot of pressures acting on breeding in terms of guiding species characteristics.
The above is a description of Intelligent Design, not evolution
Oh get off of your soapbox already. It's a video game, not Jerry Falwell.
The player is essentially the god of a universe built via Theistic Evolution, and every game play decision is a miracle.
Actually, the game isn't that simple. You don't generate a planet's entire ecosphere; you're much closer to the black slab obelisk from 2010 than you are to JHVH. Your creations still have to duke it out with the other crap that's on the planet, some of it derived of your own work, and quite a bit of it from other players. JHVH isn't competing with other gods.
That said, your point seems to be more about that the game is less about accurately predicting the upshots of evolutionary pressures wrought by a completely random physical situation, and more about that the player gets to have something to say about the game, and doesn't just sit there watching. You might as well argue that Madden 2003 is closer to body-swapping avatar fantasies than actual football. It is a legitimate, honest and accurate point. It's also enormously stupid.
You seem to have missed the primary difference between games and TV, and you seem to want TV. People don't watch games. We go in expecting to have something to do with it. Exactly what do you think people expect when they hear they get to play with evolution? Do you think that it's a god game has surprised anyone but you? Did you miss that Will Wright frequently says that all of his games are God Games? Did you know that "God Games" are a genre of games?
Is your next big insight going to be that Gran Turismo involves cars?
and every game play decision is a miracle.
If by miracle you mean