> I'm against Obama's plan to give tax rebates to people that do not pay federal income taxes. I'm sorry, but, if you get a rebate for something you didn't pay for, that isn't a rebate, it is welfare and income redistribution.
I've never understood why so many people are so hung up on this kind of thing. With the exception of people indulging in tax loopholes or fraud, if you are paying no federal income tax then you are making almost no income at all. You're talking about a small class of people who are living in abject poverty, and you are obsessed with denying them a measly tax credit that might just help them feed their kids and survive a little longer to find a job or climb out of poverty in some other way.
What I really can't understand is the feeling of hostility to people in this situation that most Americans seem to have - what it is that makes you rant and rave as if giving these people some tiny fraction of your tax dollars is going to make the world come to an end? There are so many things that are orders of magnitude larger that are such diabolical wastes of money that this miniscule expense doesn't even appear on the radar - yet this is what catches the public sentiment and dominates conversation. I just don't get it.
> I can go to wordpress, verisign, aol and all that jazz and login with my OpenID.
You are being very disingenuous. There are nearly no big companies that are willing to behave as OpenID relying parties. The ones you mention are probably about it. This is the big problem with OpenID, and it's not the slightest bit unique to Microsoft (although I'll heartily agree that they are yet another addition to the problem).
What I think: OpenID foundation needs to trademark a new logo that can only be used for providers that act as both a provider and a relying party. Then they need to make two tiers of membership: first tier and second tier. You can't join the top tier without supporting a relying party service yourself. Top tier members get double the votes (or some similar measure) in any decisions on the protocol.
Google could easily implement a standard OpenID interface and then provide an extended or improved version as well. OpenID is not hard to support. There is no technical reason not to, so the only explanation that makes sense is that Google has decided it is not in their business interests to support OpenID - ie. screw the community, screw the users, screw the internet, more power, more control for Google. I am happy to say in response to that - screw Google:-)
I've slowly come to the conclusion that what makes people think new browsers so fast is that they are installed with almost no legacy of history, cache, bookmarks, favicons, RSS feeds, plugins, toolbars etc. So you install this "raw" thing that has literally nothing between it and rendering a web page and it screams. Because you don't use it more than 30 minutes in real life you never observe how it slows down and becomes bloated as all the crap builds up.
This happened to me with FireFox 3.0 and now it's also happening with Chrome - what I thought initially was a screaming fast browser is slowly becoming just the usual bloated mediocre piece of software. And it has no extensions, all I've done is browse the web with it.
It's not that there aren't loads of 3rd party virtual desktop solutions. The problem is that because there is no actual support built into windows for this mode of operation there is no standard for window behaviors to ensure that things work properly. Thus even with the best virtual desktop software you continually get things like orphaned windows, lost windows, windows that won't go away when dismissed etc. etc. I've never found a product that didn't suffer from some kind of problem, especially when combined with other apps that also push the boundaries (eg: Trillian which does fancy docking to the side of the desktop, Yahoo Widgets that try to attach to the desktop background, etc etc). If there was only a standard from MS for how these apps should behave, they would have a chance at getting it right. As it is, it's just a mess.
Nobody minds about you protecting your kids. As a software developer you should be aware that the ability to do so is far more in your hands than it is in the government's. A government supplied clean feed simply cannot accurately keep out all "bad" content without *massively* slowing down the connection. They would have to read the live stream and do a semantic analysis on the content - just about impossible. On the other hand, you, the responsible parent can do a lot:
a) put your computer in a public area of the house and keep an eye on what your child is browsing, and carefully explain to them when they accidentally (or intentionally) reach dangerous turf. Believe it or not, allowing your kids to stumble on bad things and then help them to handle it is tremendously helpful in keeping them safe - it's how they learn themselves to become responsible adults.
b) install as draconian a filter as you like on your own computer. Whitelist it if you want, so that your children can only reach sites you explicitly approve. It'll suck, for them, but you can reflect exactly your own level of concern in the filter you set up.
There is no answer that involves centralized interception and monitoring / control of connections. It won't work, can't work and even if it did, will never satisfy basic democratic principles of freedom of speech.
Time to calm down a bit. There is not one word in the linked article that suggests twitter be be outlawed or any restriction or constraint be put on anything.
It's just an internal report stating the obvious - that, especially in the event of an attack, terrorists might use a service like twitter to communicate. The entire net result of this is probably that some military boffin will be assigned to write some perl script that grabs twitter feeds and filters them for keywords so that if an attack occurs the military can watch the channels and listen in and if the terrorists are stupid enough to start broadcasting their plans over twitter (really, why?) they can intercept them and intervene.
I think you're right about the apathy but it's an intersection of that and strange and curious culture that operates in businesses and determines how they spend money: ie. budgets.
Basically, for most people responsible for choosing between MS Office and Open Office, the cost of MS Office is already budgeted for, and always has been. Therefore for all the stakeholders who determine whether MS Office is purchased or not, it is for all intents and purposes, zero cost. Given the choice between two products, one which is free and everybody knows and the other which is free but nobody knows and might cause all kinds of problems, stakeholders in the business make the obvious choice, even though for the business as a whole it may not be the most cost effective decision.
YUI is extremely well documented, has a great active forum and has (quite literally) hundreds of examples - dozens for each control / feature offered. They also offer a very nice, consistent theme that goes right across the whole library and integrates with every component.
I haven't looked at dojo in a while but when I did, the documentation was *horrible*. You really had to go through a lot of pain to "grok" how it worked under the hood before you would be productive (this may have gotten better). My impression however is that it is much more cutting edge than YUI - folks doing research into new techniques are far more likely to put it into dojo than any where else (certainly not YUI etc.) - however as a result it is much less stable, less consistent and less well documented.
For a full end to end framework for use in developing a commercial app I prefer YUI, because every aspect of it is mature and solid and the support from Yahoo for it is amazing. On the other hand, if you're doing something cutting edge where you really want to push the limits and use new browser features or super fancy never-before-seen effects - dojo could be the best choice.
I had a similar problem. For about a year you had to choose between Dojo 0.4 - 0.6 which had some very poor documentation but which were obsoleted by massive breaking API changes coming in 1.0. But 1.0 had no documentation and was nearly impossible to decipher and use. So there was simply no good version of dojo to use at all. Add to that the fact that the default dojo theme just looked amateur and ugly - it was a non-starter for us.
We moved to YUI which is like entering a different universe to dojo - hundreds of pages of documentation, great looking default theme, examples, entire videos on how to use it. No regrets.
The whole article is just a troll.
Have a look at John Resig's benchmarks to see some real numbers.
What is notable there is that IE8 has massive javascript performance improvements over IE7 and while it's behind it's still comparable to (as in, same order of magnitude) as the other browsers of the coming generation.
I'm curious what you think about the concept of a community driven tv guide.
Most people care passionately about 1 or two shows a week. If those people care enough to look in a guide (printed, internet, whatever) and type in the names and times of the shows that week, and submit that to a web site (basically a specialized wiki), then is not the skill and labor question moot?
The resulting guide will be a work of the contributors having gathered facts from multiple sources and compiling them into a new work that is not "copied" as a work from any original source. It seems like it would be a rather simple thing to set up, and fairly immune to attack.
No mod points today, but I think you are right on the money.
The thrust of this change seems to be to take away people's ability to have as many profiles as they like, one associated with each alias.
What I think is happening here is that I think they are realizing that Facebook is quickly gaining value over them in the eyes of investors because Facebook does everything it can to force you to use your real identity. When you see an identity on Facebook it has pretty good currency - very likely that's a real person and it's their one and only real identity on Facebook. On Yahoo, it's very unlikely because they make it so cheap and easy to behave pseudonomously - either by creating multiple Yahoo accounts or by using multiple aliases within a single Yahoo account. In short, the value of a Yahoo identity is low and the value of a Facebook identity is high.
It seems to me they are trying here to start clawing back some of that freedom they have given their users, and become more Facebook like (ie. evil). This then increases their value in the social networking space and gives them more ability to compete with Facebook.
They're certainly not incompetent. They run several of the top 10 sites on the internet, and they do it very successfully.
In case you didn't know, they've had an ajax mail interface that is by some measures better than gmail for year's. It may amaze you, but the reason they have not moved people to it is because *most of them are perfectly happy and don't want to*. I had exactly this conversation with my wife a month or two ago where I pointed out how painful and inconvenient the old UI was and pointed to my account and showed how I can drag and drop emails around etc. She just looked at me blankly and said "I like my email the way it is".
In fact I find it ironic that you are criticizing them for not forcing their users to use the new mail interface (which they don't want) in support of an article that is all about them forcing users to adapt to a different change the users don't want.
>>A programmer gets the rock-solid foundation of compiled Java code mixed with the flexibility to diddle with the Java objects in real time.
>Maybe Groovy makes that easier, but Java already had reflection. Next!
Actually you might not understand the full extent of what groovy does. It, for example, allows you to add new methods to existing classes (want a new kind of trim() method on the String class? just add it on!). You can even declare it's use within a certain scope so that your modified String class only applies to a certain block of code. This kind of flexibility is way beyond what Java reflection allows in any usable fashion.
I'm not sure how fast it is, but rhino can give you Javascript on the server side in a very effective manner. And it is shipped by default with the JRE.
So - deploy a standard Tomcat or other java based server environment, write a small controller servlet that intercepts requests and dispatches them into your Javascript handlers. It's easy to do, I've done it once before for slightly different reasons.
The only thing I can't really tell you about is performance - I've never used it for anything performance critical. But a beauty of it is that from your javascript you can call any native java api, so whatever needs speeding up you can just move into java itself.
Cross correlation is a huge problem, because sites do deals with each other to trade information. Advertisers, present on nearly every site get to save cookies that correlate where you have visited. They can then on-sell or match that information to that from other companies. Thus simply by browsing the web you are potentially creating a public profile available to anyone who wants to buy it. How would you feel if a future employer could purchase and review your browsing history and see a large subset of the sites you visit on the internet when considering your job application? It's fast becoming a possibility.
The big problem with flash cookies is that they are out of the browser's control. At least with normal cookies there are indications and controls in the browser to allow you to know and control your privacy. However all these browser privacy features are made moot because flash completely ignores them, and enables it's cookies by default regardless of whatever preferences or settings you have set in the browser.
You want to think *VERY* seriously before using plausible deniability while crossing the border.
Basically, at the moment an official asks you for your encryption password and you provide the incorrect one, you have probably committed a crime. You will probably get away with it, but be aware that the risk you are taking - should they decide to do a more thorough analysis and discover you were lying - could have severe consequences: never being able to travel easily again, restricted in getting foreign visas, being detained for a long and uncomfortable time with a large fine... and that's assuming there is nothing actually illegal on your laptop.
Personally - I think the best approach is to be completely transparent. Upload everything you care about to the cloud before trying to cross the border. If your laptop and photos look completely normal then they are very unlikely to spend any time on you and your privacy will be only very minimally violated.
They don't need to track us all. They just need to be able to cast a net to get whatever interests them.
Eg: Suppose I'm a thief and I want to steal a particular kind of car. With most people on facebook being stupid enough to join a 'network' and expose all their profile to everybody in the network, all I have to do is join some networks and search through profiles until I find someone in my area who has a reference to that car in their profile. I can probably also see where they go to school or work and thereby make a pretty good prediction about where and when the car is going to be available for me to grab it. I might even be able to identify their friends to do a little social engineering... ("Oh I'm a friend of Steven's, do you know when he's going to be back today...").
* significant whitespace does not play well with common development practices (merging, diff'ing, copying, pasting code, esp. on web pages) * GIL makes it very hard to scale or completely unscalable in some situations * no support for static typing makes large projects harder to manage * not truly cross platform - a lot of common libraries are implemented in C and thus you have to install native code for them to work - bad luck if there isn't a binary for your platform. * no common standardized GUI toolkit * poor commitment to backwards compatibility - Python 3k is going to break compatibility in major ways as did releases before it * awkward and ugly object oriented semantics (declaring "self" in class methods, ugh) * poor IDE support * poor adoption - not sure what makes you think the labor pool for Python is better than other languages
I'm sure a dozen python supporters will jump up and object to all these - there is hardly anything revolutionary about these criticisms and most of them have been fought to death in enormous flame wars in the past. But the end result is, Python is not great for a lot of "enterprise" type situations due to these things (and you will quickly see how sensitive pythonistas are to this snub since they constantly mock the word "enterprise" on mailing lists etc.). In other situations it can be brilliant.
> I wonder how this will affect Prototype. It's always had different design goals than jQuery, but will this diminish it's popularity?
Actually my main theory for why MS has done this is that they are sending a message to Yahoo and marginalizing YUI. Although YUI has a slightly different space to jQuery they still compete for javascript developer's mind share and YUI is very comprehensive and well documented and probably represents the best javascript 'platform' when you take into account the depth and breath of what they support and the consistency and quality of the code.
I think that MS, realizing that they themselves cannot own the next generation of javascript platforms, have decided that they are not going to leave it to Yahoo and are basically playing spoiler here to ensure that neither Dojo (IBM) or YUI (Yahoo) gets a dominant position.
I agree with your points, but I think everyone here is missing a huge benefit of writing tests: by necessity it forces good design in and of itself because it's near impossible to test anything with with complex behavior. The result is that just to make the unit tests feasible, developers stop writing enormous monster classes without interfaces and start fragmenting things down to small units that do just one or two things with well defined behaviors.
You see a lot of people complaining that tests are "too hard" etc., and in most of these cases it is because the software they are testing is poorly written - huge monolithic chunks of behavior with large dependency sets.
I disagree with you about integration tests: I think they are as essential as unit tests. In fact, I think automated tests all the way up the chain to UI driven end product tests are the best way to do things.
Don't you think Australia came pretty close in the last year or two?
With nearly every adult australian receiving some kind of benefit at some point in their lives, having a social security card with photo, identity and address both visible and embedded, all linked to one enormous nationwide database and available to everyone from employers to your local pharmacist. That was actually more scary than what the Hawke-Keating government proposed.
Never was a more true statement made than that the price of freedom is eternal vigilance. To call out against people raising concerns about this kind of thing as being "inflammatory" works against the very basis of free society.
And it never stops - just look at the current government's obsession with setting up the equivalent of the great firewall of China to filter all internet traffic in the country.
I'm trying to figure out how this iframe trick can be a true exploit that goes beyond your normal phishing type scenario.
If the user is visiting a malicious domain then it will show that in the browser URL bar. No amount of iframe trickery will (or should) change what they see the location bar. If the user is willing to do sensitive things with a bad domain in the location bar then they are basically up for any kind of phishing attack, and I'm not too worried about that.
On the other hand if it somehow puts the trusted domain in the location bar and then lets an attacker overlay the page with their own contents then I'm very scared.
So - does this trick do something more than slightly better phishing, or not?
Slashdot Mirror
> I'm against Obama's plan to give tax rebates to people that do not pay federal income taxes. I'm sorry, but, if you get a rebate for something you didn't pay for, that isn't a rebate, it is welfare and income redistribution.
I've never understood why so many people are so hung up on this kind of thing. With the exception of people indulging in tax loopholes or fraud, if you are paying no federal income tax then you are making almost no income at all. You're talking about a small class of people who are living in abject poverty, and you are obsessed with denying them a measly tax credit that might just help them feed their kids and survive a little longer to find a job or climb out of poverty in some other way.
What I really can't understand is the feeling of hostility to people in this situation that most Americans seem to have - what it is that makes you rant and rave as if giving these people some tiny fraction of your tax dollars is going to make the world come to an end? There are so many things that are orders of magnitude larger that are such diabolical wastes of money that this miniscule expense doesn't even appear on the radar - yet this is what catches the public sentiment and dominates conversation. I just don't get it.
> I can go to wordpress, verisign, aol and all that jazz and login with my OpenID.
You are being very disingenuous. There are nearly no big companies that are willing to behave as OpenID relying parties. The ones you mention are probably about it. This is the big problem with OpenID, and it's not the slightest bit unique to Microsoft (although I'll heartily agree that they are yet another addition to the problem).
What I think: OpenID foundation needs to trademark a new logo that can only be used for providers that act as both a provider and a relying party. Then they need to make two tiers of membership: first tier and second tier. You can't join the top tier without supporting a relying party service yourself. Top tier members get double the votes (or some similar measure) in any decisions on the protocol.
Google could easily implement a standard OpenID interface and then provide an extended or improved version as well. OpenID is not hard to support. There is no technical reason not to, so the only explanation that makes sense is that Google has decided it is not in their business interests to support OpenID - ie. screw the community, screw the users, screw the internet, more power, more control for Google. I am happy to say in response to that - screw Google :-)
I've slowly come to the conclusion that what makes people think new browsers so fast is that they are installed with almost no legacy of history, cache, bookmarks, favicons, RSS feeds, plugins, toolbars etc. So you install this "raw" thing that has literally nothing between it and rendering a web page and it screams. Because you don't use it more than 30 minutes in real life you never observe how it slows down and becomes bloated as all the crap builds up.
This happened to me with FireFox 3.0 and now it's also happening with Chrome - what I thought initially was a screaming fast browser is slowly becoming just the usual bloated mediocre piece of software. And it has no extensions, all I've done is browse the web with it.
This is one of my constant bug bears.
It's not that there aren't loads of 3rd party virtual desktop solutions. The problem is that because there is no actual support built into windows for this mode of operation there is no standard for window behaviors to ensure that things work properly. Thus even with the best virtual desktop software you continually get things like orphaned windows, lost windows, windows that won't go away when dismissed etc. etc. I've never found a product that didn't suffer from some kind of problem, especially when combined with other apps that also push the boundaries (eg: Trillian which does fancy docking to the side of the desktop, Yahoo Widgets that try to attach to the desktop background, etc etc). If there was only a standard from MS for how these apps should behave, they would have a chance at getting it right. As it is, it's just a mess.
Nobody minds about you protecting your kids. As a software developer you should be aware that the ability to do so is far more in your hands than it is in the government's. A government supplied clean feed simply cannot accurately keep out all "bad" content without *massively* slowing down the connection. They would have to read the live stream and do a semantic analysis on the content - just about impossible. On the other hand, you, the responsible parent can do a lot:
a) put your computer in a public area of the house and keep an eye on what your child is browsing, and carefully explain to them when they accidentally (or intentionally) reach dangerous turf. Believe it or not, allowing your kids to stumble on bad things and then help them to handle it is tremendously helpful in keeping them safe - it's how they learn themselves to become responsible adults.
b) install as draconian a filter as you like on your own computer. Whitelist it if you want, so that your children can only reach sites you explicitly approve. It'll suck, for them, but you can reflect exactly your own level of concern in the filter you set up.
There is no answer that involves centralized interception and monitoring / control of connections. It won't work, can't work and even if it did, will never satisfy basic democratic principles of freedom of speech.
Time to calm down a bit. There is not one word in the linked article that suggests twitter be be outlawed or any restriction or constraint be put on anything.
It's just an internal report stating the obvious - that, especially in the event of an attack, terrorists might use a service like twitter to communicate. The entire net result of this is probably that some military boffin will be assigned to write some perl script that grabs twitter feeds and filters them for keywords so that if an attack occurs the military can watch the channels and listen in and if the terrorists are stupid enough to start broadcasting their plans over twitter (really, why?) they can intercept them and intervene.
I think you're right about the apathy but it's an intersection of that and strange and curious culture that operates in businesses and determines how they spend money: ie. budgets. Basically, for most people responsible for choosing between MS Office and Open Office, the cost of MS Office is already budgeted for, and always has been. Therefore for all the stakeholders who determine whether MS Office is purchased or not, it is for all intents and purposes, zero cost. Given the choice between two products, one which is free and everybody knows and the other which is free but nobody knows and might cause all kinds of problems, stakeholders in the business make the obvious choice, even though for the business as a whole it may not be the most cost effective decision.
YUI is extremely well documented, has a great active forum and has (quite literally) hundreds of examples - dozens for each control / feature offered. They also offer a very nice, consistent theme that goes right across the whole library and integrates with every component.
I haven't looked at dojo in a while but when I did, the documentation was *horrible*. You really had to go through a lot of pain to "grok" how it worked under the hood before you would be productive (this may have gotten better). My impression however is that it is much more cutting edge than YUI - folks doing research into new techniques are far more likely to put it into dojo than any where else (certainly not YUI etc.) - however as a result it is much less stable, less consistent and less well documented.
For a full end to end framework for use in developing a commercial app I prefer YUI, because every aspect of it is mature and solid and the support from Yahoo for it is amazing. On the other hand, if you're doing something cutting edge where you really want to push the limits and use new browser features or super fancy never-before-seen effects - dojo could be the best choice.
I had a similar problem. For about a year you had to choose between Dojo 0.4 - 0.6 which had some very poor documentation but which were obsoleted by massive breaking API changes coming in 1.0. But 1.0 had no documentation and was nearly impossible to decipher and use. So there was simply no good version of dojo to use at all. Add to that the fact that the default dojo theme just looked amateur and ugly - it was a non-starter for us.
We moved to YUI which is like entering a different universe to dojo - hundreds of pages of documentation, great looking default theme, examples, entire videos on how to use it. No regrets.
The whole article is just a troll.
Have a look at John Resig's benchmarks to see some real numbers.
What is notable there is that IE8 has massive javascript performance improvements over IE7 and while it's behind it's still comparable to (as in, same order of magnitude) as the other browsers of the coming generation.
No mod points today, but just wanted to say thanks for the laughs - your post was so bad it was amusing.
I'm curious what you think about the concept of a community driven tv guide.
Most people care passionately about 1 or two shows a week. If those people care enough to look in a guide (printed, internet, whatever) and type in the names and times of the shows that week, and submit that to a web site (basically a specialized wiki), then is not the skill and labor question moot?
The resulting guide will be a work of the contributors having gathered facts from multiple sources and compiling them into a new work that is not "copied" as a work from any original source. It seems like it would be a rather simple thing to set up, and fairly immune to attack.
No mod points today, but I think you are right on the money.
The thrust of this change seems to be to take away people's ability to have as many profiles as they like, one associated with each alias.
What I think is happening here is that I think they are realizing that Facebook is quickly gaining value over them in the eyes of investors because Facebook does everything it can to force you to use your real identity. When you see an identity on Facebook it has pretty good currency - very likely that's a real person and it's their one and only real identity on Facebook. On Yahoo, it's very unlikely because they make it so cheap and easy to behave pseudonomously - either by creating multiple Yahoo accounts or by using multiple aliases within a single Yahoo account. In short, the value of a Yahoo identity is low and the value of a Facebook identity is high.
It seems to me they are trying here to start clawing back some of that freedom they have given their users, and become more Facebook like (ie. evil). This then increases their value in the social networking space and gives them more ability to compete with Facebook.
They're certainly not incompetent. They run several of the top 10 sites on the internet, and they do it very successfully.
In case you didn't know, they've had an ajax mail interface that is by some measures better than gmail for year's. It may amaze you, but the reason they have not moved people to it is because *most of them are perfectly happy and don't want to*. I had exactly this conversation with my wife a month or two ago where I pointed out how painful and inconvenient the old UI was and pointed to my account and showed how I can drag and drop emails around etc. She just looked at me blankly and said "I like my email the way it is".
In fact I find it ironic that you are criticizing them for not forcing their users to use the new mail interface (which they don't want) in support of an article that is all about them forcing users to adapt to a different change the users don't want.
>>A programmer gets the rock-solid foundation of compiled Java code mixed with the flexibility to diddle with the Java objects in real time.
>Maybe Groovy makes that easier, but Java already had reflection. Next!
Actually you might not understand the full extent of what groovy does. It, for example, allows you to add new methods to existing classes (want a new kind of trim() method on the String class? just add it on!). You can even declare it's use within a certain scope so that your modified String class only applies to a certain block of code. This kind of flexibility is way beyond what Java reflection allows in any usable fashion.
I'm not sure how fast it is, but rhino can give you Javascript on the server side in a very effective manner. And it is shipped by default with the JRE.
So - deploy a standard Tomcat or other java based server environment, write a small controller servlet that intercepts requests and dispatches them into your Javascript handlers. It's easy to do, I've done it once before for slightly different reasons.
The only thing I can't really tell you about is performance - I've never used it for anything performance critical. But a beauty of it is that from your javascript you can call any native java api, so whatever needs speeding up you can just move into java itself.
Cross correlation is a huge problem, because sites do deals with each other to trade information. Advertisers, present on nearly every site get to save cookies that correlate where you have visited. They can then on-sell or match that information to that from other companies. Thus simply by browsing the web you are potentially creating a public profile available to anyone who wants to buy it. How would you feel if a future employer could purchase and review your browsing history and see a large subset of the sites you visit on the internet when considering your job application? It's fast becoming a possibility.
The big problem with flash cookies is that they are out of the browser's control. At least with normal cookies there are indications and controls in the browser to allow you to know and control your privacy. However all these browser privacy features are made moot because flash completely ignores them, and enables it's cookies by default regardless of whatever preferences or settings you have set in the browser.
So - yes, flash is evil and yes, it's a problem.
You want to think *VERY* seriously before using plausible deniability while crossing the border.
Basically, at the moment an official asks you for your encryption password and you provide the incorrect one, you have probably committed a crime. You will probably get away with it, but be aware that the risk you are taking - should they decide to do a more thorough analysis and discover you were lying - could have severe consequences: never being able to travel easily again, restricted in getting foreign visas, being detained for a long and uncomfortable time with a large fine ... and that's assuming there is nothing actually illegal on your laptop.
Personally - I think the best approach is to be completely transparent. Upload everything you care about to the cloud before trying to cross the border. If your laptop and photos look completely normal then they are very unlikely to spend any time on you and your privacy will be only very minimally violated.
They don't need to track us all. They just need to be able to cast a net to get whatever interests them.
Eg: Suppose I'm a thief and I want to steal a particular kind of car. With most people on facebook being stupid enough to join a 'network' and expose all their profile to everybody in the network, all I have to do is join some networks and search through profiles until I find someone in my area who has a reference to that car in their profile. I can probably also see where they go to school or work and thereby make a pretty good prediction about where and when the car is going to be available for me to grab it. I might even be able to identify their friends to do a little social engineering ... ("Oh I'm a friend of Steven's, do you know when he's going to be back today ...").
Here are some problems with Python:
* significant whitespace does not play well with common development practices (merging, diff'ing, copying, pasting code, esp. on web pages)
* GIL makes it very hard to scale or completely unscalable in some situations
* no support for static typing makes large projects harder to manage
* not truly cross platform - a lot of common libraries are implemented in C and thus you have to install native code for them to work - bad luck if there isn't a binary for your platform.
* no common standardized GUI toolkit
* poor commitment to backwards compatibility - Python 3k is going to break compatibility in major ways as did releases before it
* awkward and ugly object oriented semantics (declaring "self" in class methods, ugh)
* poor IDE support
* poor adoption - not sure what makes you think the labor pool for Python is better than other languages
I'm sure a dozen python supporters will jump up and object to all these - there is hardly anything revolutionary about these criticisms and most of them have been fought to death in enormous flame wars in the past. But the end result is, Python is not great for a lot of "enterprise" type situations due to these things (and you will quickly see how sensitive pythonistas are to this snub since they constantly mock the word "enterprise" on mailing lists etc.). In other situations it can be brilliant.
> I wonder how this will affect Prototype. It's always had different design goals than jQuery, but will this diminish it's popularity?
Actually my main theory for why MS has done this is that they are sending a message to Yahoo and marginalizing YUI. Although YUI has a slightly different space to jQuery they still compete for javascript developer's mind share and YUI is very comprehensive and well documented and probably represents the best javascript 'platform' when you take into account the depth and breath of what they support and the consistency and quality of the code.
I think that MS, realizing that they themselves cannot own the next generation of javascript platforms, have decided that they are not going to leave it to Yahoo and are basically playing spoiler here to ensure that neither Dojo (IBM) or YUI (Yahoo) gets a dominant position.
I agree with your points, but I think everyone here is missing a huge benefit of writing tests: by necessity it forces good design in and of itself because it's near impossible to test anything with with complex behavior. The result is that just to make the unit tests feasible, developers stop writing enormous monster classes without interfaces and start fragmenting things down to small units that do just one or two things with well defined behaviors.
You see a lot of people complaining that tests are "too hard" etc., and in most of these cases it is because the software they are testing is poorly written - huge monolithic chunks of behavior with large dependency sets.
I disagree with you about integration tests: I think they are as essential as unit tests. In fact, I think automated tests all the way up the chain to UI driven end product tests are the best way to do things.
Don't you think Australia came pretty close in the last year or two?
With nearly every adult australian receiving some kind of benefit at some point in their lives, having a social security card with photo, identity and address both visible and embedded, all linked to one enormous nationwide database and available to everyone from employers to your local pharmacist. That was actually more scary than what the Hawke-Keating government proposed.
Never was a more true statement made than that the price of freedom is eternal vigilance. To call out against people raising concerns about this kind of thing as being "inflammatory" works against the very basis of free society.
And it never stops - just look at the current government's obsession with setting up the equivalent of the great firewall of China to filter all internet traffic in the country.
I'm trying to figure out how this iframe trick can be a true exploit that goes beyond your normal phishing type scenario.
If the user is visiting a malicious domain then it will show that in the browser URL bar. No amount of iframe trickery will (or should) change what they see the location bar. If the user is willing to do sensitive things with a bad domain in the location bar then they are basically up for any kind of phishing attack, and I'm not too worried about that.
On the other hand if it somehow puts the trusted domain in the location bar and then lets an attacker overlay the page with their own contents then I'm very scared.
So - does this trick do something more than slightly better phishing, or not?