true that.... tablets are a luxury item. They're nice for reading books or surfing the internet while you watch the news maybe. I'd rather watch movies on my 60" flatscreen (or the 36" in my bedroom). I can dock my phone to listen to music.
As far as actually being useful? That's a stretch. They're something cool to sit on your coffee table to impress your friends. That's about it. Touch keyboards are great if you can hold the thing in your hands and type with your thumbs. Tablets are too big for that. I sure as hell wouldn't want to do CAD, write a paper, do emailing, or any other kind of actual work on one. I'd rather have my laptop on a plane, train or on the road.
I'd rather use my iPhone for texting, taking photos, or emailing. That pretty much makes tablets (including the iPad) useless IMHO. They're something else to take up space on my coffee table. I'd probably play with it for a week and it would be gathering dust because it's easier and better to do what you'd do on a tablet in other ways. I'm still coming to grips with the fact that these things actually sell. I guess some people will buy anything.
> So apparently they now have an evolving set of core values that sometimes have to give way to preserving the company.
You need to weigh that against the issue of not having a company. Do we go out of business or feel the sting of our pride fucking with us and stay IN business?
Most people go with the paycheck. Unless you are independently wealthy, that's the smart thing to do, keep a roof over your head and eat. The moral high ground often means bankruptcy once you are squeezed between that rock and the hard place.
LOL my sentiments exactly. In typical US Government fashion they are applying the ethics of the US government to other governments. Only problem is in a lot of other regimes, bribes are a part of normal day to day business. No bribe = no business, end of story.
>Every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection that's essentially what you're doing.
No, you don't understand HTTP/HTTPS.
Form loads over http. However the action of the form is https.
Here are the form tags:
Facebook - form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"
Twitter - form method="post" id="signin" action="https://twitter.com/sessions"
During an https transaction, the secure socket is established before the name resolution happens, long before the form data is sent. Even so, some proxies (such as MSProxy) will log data sent over GET, so as long as the action is an https URL, and method is POST, you are good, provided the certificate is valid.
Here are the steps starting with form load on either of these sites:
1. form loads in your browser
2. you fill it out
3. you click submit
4. in the case of facebook and twitter, a secure sockets connection is initiated to the URL in the action tag of the form. This happens after name resolution, but occurs directly with the IP of the site. This will happen with any https form POST URL.
5. page request headers are sent (including your form data) which include the domain name of the site (host request header)
6. facebook or twitter puts a cookie on your computer with a session id
7. you get bounced back to http
There is nothing insecure about this. I'm the last guy to say that facebook and twitter are secure, and this is due to how information is shared, but their login forms are perfectly fine.
Suggest you learn how http and https work before starting a sensationalist story like this about HTTP security (or lack thereof) ;-)
I can't believe all these slashdot posts of people that bought into this story before bothering to check the login forms for themselves.
Now go learn how HTTP works before writing stories about it.
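A way to check the login forms for yourself, as the comment recommends: an added example (not from the original post) that parses the two form tags quoted above out of constructed sample pages (the page URLs and the third, http-only form are assumptions) and reports where each password form submits, by which method, and whether the form itself arrived over HTTPS.

```python
import html.parser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages: the two form tags quoted in the comment above, each
# embedded in a minimal HTML document. The page URLs are assumptions standing in
# for wherever the login page was actually loaded from.
SAMPLE_PAGES = {
    "http://www.facebook.com/": (
        '<html><body>'
        '<form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" '
        'id="login_form" onsubmit="return Event.__inlineSubmit(this,event)">'
        '<input type="text" name="email"><input type="password" name="pass">'
        '</form></body></html>'
    ),
    "http://twitter.com/": (
        '<html><body>'
        '<form method="post" id="signin" action="https://twitter.com/sessions">'
        '<input type="text" name="session[username_or_email]">'
        '<input type="password" name="session[password]">'
        '</form></body></html>'
    ),
    # Constructed counter-example: a relative action, so the password would be
    # posted back over the same plain-http scheme the page came from.
    "http://example.test/login": (
        '<html><body><form method="post" action="/login">'
        '<input type="password" name="pw"></form></body></html>'
    ),
}


class _FormCollector(html.parser.HTMLParser):
    """Collect every <form> with its attributes and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "method": (attrs.get("method") or "get").lower(),
                "action": attrs.get("action") or "",
                "id": attrs.get("id"),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(page_url, html_text):
    """Return one report per form that contains a password field."""
    parser = _FormCollector()
    parser.feed(html_text)
    page_scheme = urlsplit(page_url).scheme
    reports = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action resolves against the page URL and inherits its scheme.
        action = urljoin(page_url, form["action"])
        reports.append({
            "form_id": form["id"],
            "action": action,
            "method": form["method"],
            # The comment's criterion: the action is an https URL and the method is POST.
            "submits_over_https_post": (
                urlsplit(action).scheme == "https" and form["method"] == "post"
            ),
            # A separate observation the comment does not cover: whether the form
            # markup itself was delivered over an encrypted connection.
            "form_loaded_over_https": page_scheme == "https",
        })
    return reports


if __name__ == "__main__":
    for url, page in SAMPLE_PAGES.items():
        for report in check_login_forms(url, page):
            print(url, report)
```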
Possession is 9/10ths of the law. It's not just a saying. If he didn't steal it himself, he's guilty of receiving stolen property. If he won't roll on the person that gave it to him, he must be the one that stole it. How else would it magically land in his lap? Either way, _someone_ will go to jail for the theft of the ring. In a case like you hypothesize, that someone will be the person in possession of the ring, absent any other suspects. It's hard to argue that someone in possession of a stolen ring didn't steal it.
He had to get the ring from somewhere.
Add to that the DNA test result can end up in duplicates in 1/1000 cases... we aren't testing DNA thoroughly enough to _guarantee_ that we've got the right person. Also using a DNA database, it is possible to take information from a profile already in the DB and manufacture DNA to match it. Researchers in Israel have already proven it can be done.
Methinks there needs to be a better DNA test before we start killing people or locking them up for life based on DNA evidence. I can see using it to exonerate people, but not as evidence to lock them up.
We can prove you didn't do it or that it's possible you did it, but there's no way to know for sure if you are guilty, based on DNA evidence alone.
>Generally, programmers are not asked to program for free by relatives
However, we are considered a "computer guy" by friends and family, even though we haven't had anything to do with windows outside of using it as a life support system for a shell, browsing slashdot, and email.
Typical conversation:
relative "I think I have a virus, can you help me?"
me "You have the windows install disk?"
relative "No the computer didn't come with one"
me "That sucks, you are screwed"
relative "I thought you were a programmer"
me "I am"
relative "Why can't you fix it?"
me "I could if I had a spare computer, laptop hard drive adapter, subscriptions to the various virus softwares, and the patience to sit there while each of the many virus softwares scans your computer's hard drive. Unfortunately I have none of the above, sorry. Absent this, I could blow away your hard drive and reinstall windows. Then again, you could do that yourself."
relative "Wouldn't I lose my stuff?"
me "Not if it's backed up. You do back your data up right?"
and so on... I don't get upset. I just convince them that I'm not the right guy for the job, because I'm not. I usually don't get bugged again by the same person.
I'd have skipped it across the harbor the day I found it. When confronted by agents: "What GPS tracking unit? Oh that thing stuck to my car? I didn't know what it was, but it didn't belong there, so I removed it and threw it in the harbor. Track it down. It's a GPS tracking unit right? /facepalm. Oh that's government property? Y'all should take better care of your property and stop leaving it on other people's cars."
"Talk is cheap. Show me the code."
-Linus Torvalds
To me GUIs are more complicated. I can't ever find the function I need buried in those Ouija boards. They change so often it's impossible to keep up. The CLI, on the other hand, hasn't changed much in the 15 years I've been working on Unix/Linux.
I usually smack people's hands when I see them installing a GUI on a linux server. 2+ GB of complete waste of time. Further they increase the attack surface of whatever you install them on. GUIs (like Ouija boards) are bad juju for lots of reasons.
Server GUIs are an attempt to make administration simple. They often do more harm than good because they enable people that would otherwise have no idea of how to break a machine, to break important system settings with point and click. They provide the illusion of simplicity. This is dangerous, especially when the gui is broken in some subtle way (which is often the case) that's not readily apparent to the person using it.
At the end of the day you can't escape the fact that even with a "simple" point and click GUI, you still need to know what you are doing, and if you know what you are doing, you don't need a GUI. If you are new to the game, sit down at a terminal and learn CLI. It will improve your life.
As well if you have a problem and are talking to an old salt, he'll understand what you are trying to tell him if you describe what you do in the CLI. If you are explaining some visual thing you are pointing and clicking on in a GUI, there's a good chance that he won't be able to help you.
In theory you are correct. In reality, IE6 doesn't implement HTML, CSS or javascript properly/well. It also doesn't always handle HTTP headers according to spec.
It's a piece of dogshit. You have to code one site for IE and one for the rest of the browsers which adhere to w3 specs more closely.
In the real world people expect more out of html than simple text. They expect interactive applications with instant gratification. As a developer, if you want to get paid and stay employed, you do what the boss tells you to do, no matter how ridiculous you think it is.
The collective cost of this worldwide has been billions in wasted hours coding around IE6 faults. You could feed a continent with the money we've (programmers worldwide) collectively wasted on IE6 workarounds. See, the w3 spec tells you exactly how to program all things www. However a significant percentage of it doesn't work in IE because Microsoft decided to do shit their own way. Then to make it work, you need to search the internet high and low for people that have run into the same problem you did, and what they did to work around it. Very little documentation on how to work around IE issues is available. You either code for IE using Microsoft's textbook, or you code using w3 specs, or worse, in the case of a public site, you need to do both. After 10-15 years of doing this, it gets REALLY old.
I've spent up to a week in the past trying to figure out how to work around a single issue in IE. It can be ridiculous if you find a new problem that no one has documented yet.
I am utterly excited about the IE9 release.
Internally in my company we decided to say fuck IE a long time ago and let our users choose whatever browser they wanted as long as it's not IE. We code to HTTP/w3 spec for our internal applications. All browsers work fine except IE6,7,8.
I was pretty excited when I downloaded IE 9 beta and all of our stuff works.
Some of it fails in IE8.
Glad we did what we did instead of coding for a hopelessly broken browser. We basically cut our internal development costs in half by doing so. We also got our projects done a lot faster. Had we bothered, we'd have completely wasted our time with IE6 workarounds especially now that they finally seem to have fixed their software.
The ONLY reason this happened is that people started using other browsers because they simply work better. That's why, they are more standards compliant. Microsoft apparently has realized that to keep their browser from being completely irrelevant, they need to fix it.
They should have done this in 1993 and stuck with it. Then developers wouldn't hate microsoft, or hate everyone else. We'd also be a lot further along with regard to technique because of all the time wasted on workarounds instead of finding better ways to code sites.
> No-one deciding to breach the terms of a security-relevant agreement (with the social networking provider in the instant case) for personal gain should work at a correctional facility.
Neither should people that ask you to breach the terms of a security-relevant agreement.
This is what I was thinking. What's next, bank account logins so they can see what your spending patterns are?
You can tell a lot about a person by how, where, and when they spend money. This is important too right?
I'm sure Mark Zuckerberg is proud that someone named their baby after his.
It's not democracy, it's bureaucracy.
If they block websites shortly after they are created, they aren't using a white list.
memory leaks... windows developers were taught for years that garbage collection works. In fact it was a big selling point of VB6.
It doesn't, and not all developers realize this, so some developers don't explicitly kill objects. Maybe they all do by now and they're just sloppy.
It's Too Hard(tm) to find all this stuff so the vendors tell you to reboot instead of spending the money necessary to fix their software.
Even the mighty linux can have memory leaks if the developers suck.
FWIW, I've never seen a garbage collector that actually worked 100%. We'd be better off writing good clean code instead of relying on them.
All of that being said, even on windows you can usually kill a process and reclaim the memory. Reboots are only necessary when you have a service or driver running that gets into an unkillable state. I've seen this happen with IIS and bad NIC drivers.
I've never seen software on a linux box get into the state where you couldn't kill it so until I do, I say linux never needs to be rebooted, except to replace hardware. Even in a failover situation, you can simply unplug the network cable to simulate an outage. No need to bounce the box...
However, prior to the 2.6.24 kernel, the linux memory manager was still being fixed and memory was subject to excessive fragmentation. Some drivers as well as other programs require contiguous pages of memory (network drivers being a prime example) and if the memory was too fragmented you could run into situations where you'd go to restart the network and the NIC wouldn't come back up because there wasn't enough contiguous space to restart the driver.
See http://kernelnewbies.org/Linux_2_6_24 section 2.4 for details. There actually used to be an occasional intermittent need to reboot linux in this limited case but it was rare to need to do this and you could usually get around it by freeing up memory and restarting the troublesome driver, after which you'd bring up the other stuff running on the box. /shrug
Blasphemy! Pick a side man. If you aren't with us, you're against us!
>At that point, you've got MUCH bigger problems on your hands than their ability to decrypt your password database.
This is definitely true for the server administrator, however the trouble is just beginning for the poor bastards with the encrypted passwords since their username is usually their email address, and most DFUs use the same password for _everything_. It's likely that over half of those decrypted passwords will be very useful indeed.
email address + password = compromised email account = compromised _everything_ for that user in many cases. They'll have mail sitting in there from amazon, ebay, their bank, porno sites, yadda yadda yadda.
The attacker can now log into amazon and place orders shipped to PO boxes with someone else's credit card, and that's only the tip of the iceberg.
>However I can't help but think that the day of the password is over and we are going to have to come up with something a lot better for authentication on the Internet and in enterprises.
Like public key authentication and 2-factor? This is the mid 1970s calling, with my buddy the late 90s, and we'd like you to know that we have solutions that are much more secure than passwords.
dude I dated someone for 7 years, lived with her for 5, had a great relationship, got married, and 2 years into the marriage she was a completely different miserable psycho bitch.
Some people don't show their true colors til you say "I do". The rest of it is an act so they can bind you to a contract and fuck you financially. Some people are just fucking evil. I can't think of any other way to describe it.
No, it wouldn't, unless he actually stalked her. Reposting someone's picture on the internet with funny captions is a simple copyright violation. By doing it without his permission she can be sued by him and the photographer, since there's no model release and the photographer owns the copyright.
There's nothing to indicate that the woman stalked him.
What happens in a year or two when Bionic Commando 3 comes out and they shut down the Bionic Commando 2 phone-home servers?
What if you are non-technical and didn't bother to, are afraid to, or can't hook your console up to the internet?
Don't buy this game.
A trebuchet is a type of catapult ;-)
true that
You'd tend to treat your fellow travelers a little better if your lives depended on it. This tendency would be amplified if it was the real thing and you couldn't just quit. You'd tend to let the little things go a little easier.