Keep in mind that the article's sources include security bulletins released by Opera. It's not that they didn't disclose them at all, it's that they waited until the fix had been out for ~3 weeks before disclosing them.
Instead, the release seems to have been sold as a cosmetic matter, which may have led a number of users to postpone the update.
The major focus for promoting 9.10 release, at least in everything I read, was the new fraud protection feature. Even though it was turned off by default. Otherwise it was all about stability.
On the plus side, Opera did fix these vulnerabilities, and quickly. So it's not like they left people completely unprotected. But considering that the changelog had a security section, you'd think, even if they weren't going to disclose the details just yet, that they'd include a note about "Additional security fixes to be disclosed soon."
All that said, I occasionally encounter people on the Opera forums who insist on running Opera 8 (or older) because they think it's "more stable." It's an uphill fight to convince them to run Opera 9, even when they complain about some site that doesn't work on the older version. Known security issues didn't get them to upgrade to 9.0, so I wouldn't expect it to convince them to upgrade to 9.10.
I read this story on CNN first as well, and my first thought at seeing the headline was nightmares about a Novell operating system.
Could be worse. I read through the whole article waiting for the point where they'd explain how SuSE was involved. Then I finally looked back at the headline and realized I'd misread it.
If IE could simply not display incorrect HTML and CSS the code base should be far smaller, which in turn should make it easier to maintain and probably more secure.
True. Unfortunately, we've got a decade and a half worth of web pages that were built sloppily. Not all of them, but enough to be an issue, especially since many of them are effectively abandoned and don't have anyone to fix the errors. If it had been designed that way from the beginning, it would be feasible, but there's all that legacy data to deal with. Any HTML browser designed to run on the web, and not just on, say a local set of help pages, has to do something with those pages. Dave Hyatt (of Safari fame) made some interesting comments on the issue when discussing XML error handling in browsers -- basically, learning from the consequences of that decision to tolerate HTML errors without specifying how to recover from them.
Things are a bit better with CSS, as there are explicit rules for how to handle broken code (basically, ignore it and skip to the next line). The bigger problem there is handling code that was written to older, broken implementations -- the IE5 box model, for instance -- and trying to determine whether a page was built for the spec or for the broken implementation. This gets into quirks mode, and doctype sniffing, and things get kind of hairy.
(Then there's the fact that HTML and CSS are both designed with extensibility in mind... any unfamiliar tags or attributes in HTML are supposed to be ignored, so an HTML 3.2 browser can still do something useful with an HTML 4.0 page. But that's a slightly different issue.)
Consider that this would be less of an issue if IE weren't used by 70-90% (depending on where you look) of web surfers. Most-used and least-secure is a disastrous combination. This is why alternatives are important. If the space broke down at, say, 30% IE, 30% Gecko, 15% Safari, 15% Opera and 10% random, malware authors would have to go to a lot more effort to exploit the majority.
While ionizing "air cleaners" can produce enough ozone to cause problems, those are intended to move air and particles around an entire room. This only needs to move enough air to cool a small processor. I'd be more worried about the effect on plastic or rubber components inside the computer.
Last of all, perhaps the best thing is that it's not that hard to get hold of - search online and you'll see.
Forget going online. Chances are you can pick it up at your local grocery store. It's been a mainstay at Halloween parties for years: Punch bowl + block of dry ice = foggy punch.
One possible work around on the server side:
Direct your web server to serve .pdf files as mime type "application/octet"
Most people in a position to implement that idea probably know this already, but for those who aren't, the typical MIME-type for generic downloads is "application/octet-stream".
Remember, IE uses an ActiveX interface to load Acrobat Reader, while Firefox and Opera use the Netscape-style plugin interface. If the plugin interface is vulnerable, but the ActiveX interface is not, that would explain why it works with Firefox and Opera but not IE.
Also, as others have pointed out, Adobe Reader 8 appears to not be affected.
UFO vs. alien spacecraft (on UFOs In the News; Score: 5, Insightful)
A while back I was reading some book of short stories by Arthur C. Clarke, and in an essay between stories, he described the time he saw a U.F.O. I was taken aback. Here's an author who practically invented "hard sci-fi," talking about seeing a U.F.O. By the end of the essay he mentioned what it turned out to be (I forget what, exactly, but it was something mundane and Earth-based). But at the time, "UFO" was the appropriate term, not because he thought it was a spacecraft, but because he couldn't figure out what it was.
That left an impression on me. People tend to use "UFO" as a shorthand for alien spacecraft... but when you get down to it, "Unidentified Flying Object" refers to anything unidentified that you see in the sky. A segment of a sun halo, a satellite, an odd cloud, a distant airplane with the sun glinting off of it... The same would apply to the "Unidentified Aerial Phenomena" term used in the O'Hare article.
Conversely, if alien spacecraft are ever verified, they wouldn't really be UFOs, would they?
what's the most effective (time v.s. security) method for cleaning these things?
That depends on whether you want the card to be usable afterward...
Re:Card not wiped because people don't care (on Memories of a Media Card; Score: 3, Insightful)
There's also the possibility that they might not have a way to delete it. If, for instance, the only thing they have that reads the card is the camera itself (and they've been retrieving images via USB), and the reason they're discarding the card is that the camera itself is broken, and their new camera uses different media...
I can see the thought process going from "crap, I left some photos on there" to "eh, they're already on Flickr anyway." Unless there are photos that they haven't already downloaded, there's less motivation to track down something that will read (and erase) the card.
Depends on who has the most influence on the movie: if Spielberg then I think it'll be a fun romp, if Lucas then I'm afraid it'll turn into a moralistic pile o' crap (see "Star Wars Prequels").
I'm still of the opinion that the Star Wars prequels could have been made infinitely better by two things: (1) Letting someone else polish the dialog. (2) Letting someone else direct. In this case, David Koepp wrote the script, and Spielberg will be directing. I didn't know Koepp by name, but looking at his IMDB page I've liked several of the movies he's written. And while I managed to miss roughly a decade of Spielberg films (not much interested me after Jurassic Park II), I did see Munich and thought it was good.
If Lucas were directing, I'd write it off. Spielberg at least has a fighting chance to make it work.
Did anyone else watch The Young Indiana Jones Chronicles in the 1990s? Each episode had a framing sequence that took place in the then-present day with a 90-year-old Indiana Jones. He'd encounter something that reminded him of an event from his childhood or teenage years, then start telling the story to whoever was nearby. Then it would shift into a standard narrative presentation set in 1910, or 1916-1920. Once, for a ratings stunt, they set the framing sequence in the 1950s instead and got Harrison Ford to do the intro.
What we know from these framing sequences: Indy lives until at least 90, ages normally, and has a daughter.
The only thing Spielberg guarantees is some overly cute, sappy kid.
While that does seem to be true for most of Spielberg's movies (he even managed to put a cute kid in peril in Munich), I don't recall there being any kids featured in Raiders or Last Crusade (unless you count the Indy-as-teenager flashback). Though I suppose Short Round and the hundreds of captured kids being forced to work in the mines in Temple of Doom make up for that oversight.
One of the memorable fight scenes in Raiders of the Lost Ark came about in a similar way. During the chase through Cairo, Indy was supposed to have a long fight with a swordsman. Harrison Ford was sick the day they were going to shoot the scene, and asked Spielberg if they could shorten the scene. The result: The guy flashes his swords around, and Indy just pulls out his gun and shoots him. A classic Indy moment that wasn't in the script.
Ideal for power users and a wide range of high-performance technical client applications such as visualization, software development, and engineering design. Red Hat Enterprise Linux WS supports large-memory client systems with up to two CPUs.
Red Hat Desktop
Designed for general users who need a variety of software from email to web applications. Red Hat Desktop is designed for volume deployments that require a secure and centralized management infrastructure for client systems.
A better analogy might be an artist puts their painting in a gallery window, and you open a shop across the street and put in a telescope so people can see the original painting.
This reminds me of a case in 2002, in which the Chicago Cubs sued businesses that sold access to nearby rooftops where people could watch the games without buying tickets at Wrigley Field.
From what I can tell, they eventually settled out of court.
Re:Are we still angry with them? (on Red Hat Sales Surge; Score: 4, Insightful)
I think we're supposed to scream and yell about how they're a money-grubbing Corporation (with a capital C) that never did anything for Linux, while ignoring all the @redhat.com addresses on contributions to the kernel, RPM (which, like it or not, *is* used by other distributions), various config tools (which, while no one else seems to be using them, are available for other distros to use if they want), debugging, funding of various projects, etc.
But apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health, what have the Romans^W^WRed Hat ever done for us?
Unless I missed something, the article doesn't break down the figures into server and workstation. It's possible for the surge to have been an even mix, mostly desktop, or -- more likely -- mostly server.
No need to freak out on contradictory reality just yet.
The article claims that:
Not likely. But it does bear a disturbing resemblance to a pirate flag.
And yet there are seven layers in their burritos. We've accounted for six, but what's the seventh? Please, someone fund this vital research!
Another option is to keep a second browser around that's not logged in.
Or am I seeing a pattern in today's story titles?
Impossible. Nothing would have been deemed "too goofy" in 1978.