Slashdot Mirror


User: Bronster

Bronster's activity in the archive.

Stories: 0 · Comments: 614

Comments · 614

  1. Re:Please go outside on LOAF - Distributed Social Networking Over Email · · Score: 1

    In fact, why not expand on this technology and have the e-mail client smart enough to warn the (sub average intelligent) user that this isn't a response to anything you've sent out and is most likely not a safe e-mail to open.

    Some of us already have whitelists that do that (Ok, so I only actually use a regex on in-reply-to to match things that are generated by the couple of different clients I use, but you get the point).

    It's an obvious first-pass check, though not necessarily enough...

  2. Re:Just do what I do on Passwords - 64 Characters, Changed Daily? · · Score: 2, Informative

    Consider the number guessing game, where you pick a number and someone tries to guess it. The game would be much harder if you were allowed to change the number. In fact the game would become impossible to lose.

    I was with you until the bold bit.

    If you're allowed to change the number after the guess, then sure - it's impossible to guess. Otherwise if you're only allowed to change it between guesses, then the fact that I guess 517 right after you chose it means I win - regardless of how long it took to get there.

    If you're considering a game where you have to say "higher" or "lower" - well, that doesn't map at all to the problem space here - all you get is "yes" or "no" from a login prompt.

    Any algorithm which leaks partial correctness (e.g. measurably faster or slower response if you get the first letter correct) is going to break quickly anyway - just check out the SSH hacks based on the timing of typed letters to work out the length of a password and get a pretty good guess at the letters as well.

  3. Re:Can you say, "augmented reality?" on Sneak Preview Of Vernor Vinge's Next Book · · Score: 1

    Have a look for "The Peace War" and "Marooned in Real Time" by Vinge as well - I believe they've recently been republished.

    Considering that my wife and I chose the name for our daughter based on one of the characters in these books, I guess you could say we liked them ;)

  4. Re:Safe to upgrade yet? on Apache 2.0.50 Released · · Score: 1

    Yeah, thanks for carefully reading what I wrote. You'll notice that Yahoo is running its apps on basically one or at most a few carefully controlled environments - not trying to build something that installs in lots of different versions of PHP on lots of different architectures.

    Thanks for playing though.

  5. Re:Safe to upgrade yet? on Apache 2.0.50 Released · · Score: 1

    Yep, and there's a fair bit of that in any language unfortunately. I guess if it's a big enough app the abstracting is really important.

    We suffer from not enough abstraction in some ways.

  6. Re:Safe to upgrade yet? on Apache 2.0.50 Released · · Score: 1

    well I have been doing just that with a quite large app (200 000+ lines of php code) and it has been working out just fine.

    How many installations? What sort of app? Do you ever install it on systems where you can't insist that PHP is configured a particular way?

    I agree that 200,000+ lines of code is big.

    I can hardly talk, since I'm working on a fairly large app written in Perl, and it has its fun and games across versions with poorly written 3rd party modules, but at least the core language has been pretty good about keeping compatibility through the entire 5 series.

  7. Re:Stumbles right out of the gate on A Parent's Guide To Linux Web Filtering · · Score: 1

    Do you think people automatically become retarded when they have children?

    Speaking from experience, basically - yes. I used to stay up late hacking and be able to sleep in the next morning. Now I get woken up early by the baby and byebye hackmode.

    Or something.

    Actually, now that she's turned 1 and is sleeping through the night, it's not so bad. Until the next one anyway.

  8. Re:Safe to upgrade yet? on Apache 2.0.50 Released · · Score: 4, Interesting

    just not well enough to sign off an enterprise solution on...

    I wouldn't sign off an enterprise solution on PHP full stop. Vile language.

    So says someone who did some work on Squirrelmail a little while back - man it sucks trying to support all the little incompatibilities and changing defaults and changing configurations everywhere. When you're undoing an automatic quote of variables depending on a guess from some other variables you know you've got "Visual Basic for da interweb" - except with a less stable API.

    That and the separate functions per DB type which caused all+dog to write their own copy of Perl's DBI in PHP before Pear came along.

    It might be an OK language for developing small stand-alone web apps, or a web app which runs on one infrastructure that you control and validate - but it's not a language for writing stuff you can install on any webhost and expect a complex app to keep working across versions.

    *grumble*

  9. Re:My post on How Microsoft Develops Its Software · · Score: 1

    There are defects in software that have nothing to do with the code or the 'routine' of a program. That is probably why the term 'defect' is used in place of bug. It is more general.

    Exactly - so 'bug' is a proper subset of 'defect'. Not every defect is a bug, but every bug is a defect.

    "Sounds to me like your brand of 'engineer' excels most at covering his ass with management."

    Using more precise terms is bad? Okay....

    Let's look back at the comment all the way up thread "zero defects doesn't mean zero bugs".

    Using terms incorrectly is. If every defect is a bug, then zero defects means zero bugs. No weasel room.

    So yes - a brand of engineering that says "no defects" to mean "no identified bugs" rather than "no bugs" is being weaselly and covering your ass with management - especially when not identified means you haven't got around to classifying the reports yet.

  10. Blocking outbound port 25 on Major ISPs Publish Anti-Spam Best Practices · · Score: 4, Interesting

    Makes me really glad that I push all my email backwards and forwards through an openvpn connection to my mail server now. As long as my ISP doesn't block UDP port *mumble* I'll be fine.

    My wife was not so lucky. She was unable to send email a few weeks ago when our cable modem provider instituted outbound port 25 blocking. Luckily it's really easy to set postfix up to listen for smtp on another port as well - one quick config change and she was back in business. I'm planning to install openvpn for Windows on her box one of these days.

  11. External modems or pay for the linuxant drivers on Modem Success Stories With Linux? · · Score: 2, Insightful

    For my laptop, the linuxant drivers cost hardly anything compared to the price of the machine (certainly cheaper than a card modem), so I ponied up.

    For a desktop box - well, apart from the fact that I use a modem about never these days, it's always broadband of some sort - what I _used_ to do was buy a decent quality external modem and not have all the problems that plague cheap crap.

  12. Re:Raid 1, 0+1, or 5.. on Which RAID for a Personal Fileserver? · · Score: 1

    Actually, with any proper implementation of RAID 5 you wouldn't lose functionality during a single drive failure, but you would suffer a performance hit because every read would require the drive controller to reconstruct the missing data from the checksums.

    My personal server has 5 disks with 4 set up as a RAID5 and the extra a hot spare. I've successfully pulled one of the disks and watched the hot spare spin up, then plugged it back in the next day and watched it rebuild, followed by the hot spare spinning back down.

    Nice :)

  13. Re:A summary (and what I do) on The Urban Geek As A Mugger Magnet? · · Score: 1

    Hint: in most places, killing someone in self-defense is only legal if you had good reason to believe that your own life was in danger.

    [quote source="southpark"]he's coming right at me, *blam*[/quote]

  14. Re:Random Passwords aren't the problem on Password Memorability and Securability · · Score: 4, Insightful

    If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

    Actually, you're wrong. It's people that the business runs on in almost all cases. IT is a tool that makes people so much more efficient that processes now assume that it's available and most of those people don't know how to function without it (and more to the point the information they need to operate is stored in it rather than kept in folders on their desk where they could get at it).

    A design where authentication is centralised to a secure enough server and that authentication attempts are throttled so that guessing attacks are restricted means that you don't _need_ such a draconian password policy. My work uses RSA SecurID for all logins from outside the corporate intranet. Within the intranet we're a little soft and squishy, but that's considered a lower cost than the cost of having to tell people their passwords all the time. And yes, we do have password policies, but they're not insanely complex.

  15. Just ask Uncle Enzo about this new fangled crap on CMU's Snooping Robot Headed for Iraq · · Score: 3, Funny

    While the Marines are all there staring at their TV sets, the bad guys will sneak out the back door, walk around the house and blow the crap out of the distracted Marines.

    Go the glass knife every time.

  16. Re:Silly on Google to be Sued Over Name? · · Score: 1

    Let's count, who here knew of the word "Googol" prior to this posting?

    Well, yeah.

    Personally, I'm off to sue that confectionary company which makes hundreds and thousands. My number trademark is being infringed all over the place. Not to mention the rude bastards who make jokes about 71.

  17. Re:This headline is a bit hyperbolic on Student Uncovers US Military Secrets · · Score: 1

    Anyway this technique is easily foiled; just produce a document with randomly increased or shrunk Blacked out boxes; or just substitute all blacked out phrases with "***". Even if it's a photostat you can photoshop it.

    So speaks some clueless twonk who didn't think through the technique at all. If it's a photostat then it will have all the text positioned based on the exact width of the word you want to hide - blacking out the word, no matter how much black you put on either side (even if it's right up to the next word) won't change the fact that the width between the end of the word before and the start of the word afterwards is exactly that which would be created by having one particular word in between.

    Sheesh.

    If you're doing the blacked out boxes electronically before printing, then sure, just replace all the words to be removed with *****, exactly the same width, nothing to analyse. Even black out multiple words with one blocker. Easy.

    This technique only works if the blacked out word _is_ the original, but it's a damn good idea, and a fine example of side-channel analysis.

  18. Re:Uh on SCO Caught Copying · · Score: 4, Funny

    So if they paid the publisher for the documentation, why is this even a story?

    Because they were stealing, and like... not respecting the inviolable rights of someone else to not have their stuff pinched. They're terrorists like Linux Torvols.

  19. Re:In related news... on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 1

    If you and your wife aren't having sex then either you are a shitty husband or she is a shitty wife.

    Or you're both so busy/tired all the time that you don't get the opportunities.

    A couple of years ago when she was teaching (early starts, early to bed) and I was working late hours on a deathmatch project and too tired to get up early each morning, we hardly saw each other - that was very hard on the relationship.

    (and don't get me started on the amount of time kids take out of your day - but it's worth every second of it)

    Granted a lot of people might qualify especially in the US.

    Yeah, I'm finding that here - even more high-paced than life in Australia, and that was pretty stressful doing in-house development work. Not that I'm likely to leave the industry any time soon, there are rewards as well (money for one thing!)

  20. Re:In related news... on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 1

    Hmm. You're not married, are you...?

    Actually, I am - but that doesn't mean I can't joke about it.

    A better example is the effect on the GDP of a woman stopping being a mother to her family and going out to become a prostitute - I tell you, it's great for the economy - employment for child carers, she's earning money herself. Yay for synthetic metrics.

    (and I know the counter argument - you can always come up with specific cases that break a general metric - the question is whether they're a reasonably accurate indicator at the high-level they're pitched at. I can't answer that one)

  21. Re:Easy access to cash & alcohol on RFID Implants for Spanish Revelers · · Score: 4, Insightful

    If you pass out, your RFID chip still works, guess who's buying! At least with cash, when you're out, you're done.

    Huh? So you're saying that the bartender is less likely to accept that cash that someone lifted from your wallet than to accept your passed-out body being dumped on the bar to pay for the drinks?

  22. In related news... on Tocqueville Blames U.S. IT Troubles On Free Software · · Score: 5, Funny

    People all over the country are destroying the American way of life by entering into a Marxist arrangement called "Marriage" in which they agree to share resources.

    This "Marriage" is destroying the market for prostitutes and other providers of traditional pay-per-use facilities. While it is true that using the opensource style "Marriage" arrangements it is often more difficult to arrange to get sex, with cryptic error messages like "I've got a headache" with no friendly interface where you can uncheck the headache box and get your end in, many people are still choosing this threat to society.

    It must stop. Join with the good capitalists and put an end to these terrorists trying to take our country by stealth. Ban marriage!

  23. Slashdot filesystem on Linux Filesystems Benchmarked · · Score: 5, Funny

    Maybe slashdot needs a filesystem update to one with more powerful meta-data support like something that can detect when the same URL has been used in more than one post within a certain time. Sheesh.

  24. Re:Seems less likely on Patents and the Penguin · · Score: 5, Insightful

    Surely they wouldn't be stupid enough to piss about 95% of 'their' developers?

    Not to mention that if the patents cover anything they've distributed under the GPL then they're going to be in direct contradiction of:

    7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    So the only GPL products they could use their patents against are those that don't incorporate any source code from IBM - and even then the person distributing them could just link them against something IBM distributed to them and be safe.

  25. Re:Hey! Are you getting Sasser with me? on Microsoft Security Updates for Pirated Windows? · · Score: 1

    You sound like the people in the porn industry who try to justify having sex without condoms. ... only that's not the case at all. It's like only having sex with one person (wife/husband if you will) and putting up a big moral shield of not just randomly having sex with any stranger. Hence no need for condoms (assuming you're happy to have kids)

    If you have no antivirus software, how can you be so sure that there are no viruses?

    If you have antivirus software, how can you be so sure that there are no viruses?

    Block the paths the virus can get in, practice 'safe hex' (what a horrible term) and you don't catch viruses. Sure, one mistake and you've caught it - well, one virus that the antivirus product doesn't know about yet and you're just as screwed - especially if it's a clever enough virus to "patch" the antivirus product to ignore it. Sheesh.