Slashdot Mirror


User: Xerithane

Xerithane's activity in the archive.

Comments · 2,715

  1. Re:16 on The Problem of Search Engines and "Sekrit" Data · · Score: 1

    I meant 16, but the mod(10) popped into my head.

    Oops.

  2. Re:Simple but burdensome solution on The Problem of Search Engines and "Sekrit" Data · · Score: 2

    I wasn't saying you said that. More supporting your argument and putting in my own 2c.

    I just hope that the proper heads roll on this one.

  3. Re:Simple but burdensome solution on The Problem of Search Engines and "Sekrit" Data · · Score: 5, Insightful

    It is a burden, but the responsibility does not lie on a crawling engine. You could check any 10 digit number (and expdate with a Luhn check if available) but with all the different formatting done on CC numbers (XXXX-XXXX-XXXX-XXXX, XXXXXXXXXXXXXXXX, etc) the algorithm could get ugly to maintain.

    I don't see why Google or any other search engine has to even acknowledge this problem, it's simply Someone Else's Problem. If I was paying a web team/master/monkey any money at all and found out about this, heads would roll. It seems that even thinking of pointing a finger at Google is the same tactic Microsoft is doing at those "irresponsible" individuals pointing out security flaws.

    If anything Google is providing them a service by telling them about the problem.
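The check this comment describes, as an added example that is not part of the original comment: the two formats it lists (grouped in fours or run together) are normalised and then put through the Luhn mod-10 test, the way a site owner might scan their own pages before a crawler reaches them. It assumes 16-digit numbers only; the function names and the sample text are constructed for illustration.

```python
import re

# Candidate: 16 digits, optionally grouped in fours by one space or hyphen.
# The lookarounds stop a match from starting or ending inside a longer
# digit run, so a 20-digit tracking number is not reported.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d{4}[ -]?){3}\d{4}(?![\d-])")


def luhn_ok(digits):
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the report is safe to store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text):
    """Return (line_number, masked_number) for each Luhn-valid candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


# Constructed sample: public test card numbers, no real data.
SAMPLE_PAGE = """\
Order log (constructed sample)
cust=101 card=4111-1111-1111-1111 exp=01/03
cust=102 card=5555555555554444
cust=103 card=4111 1111 1111 1111
cust=104 ref=1234-5678-9012-3456
tracking=41111111111111110000
"""

if __name__ == "__main__":
    for line_no, masked in find_card_numbers(SAMPLE_PAGE):
        print(f"line {line_no}: possible card number {masked}")
```

The Luhn test drops line 5 (a 16-digit reference that fails the checksum) and the lookarounds drop line 6, which is where most false positives in a scan of this kind come from.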

  4. Re:Watching "Meet the Press" right now on First Cloned Human Embryo · · Score: 2

    Damn, you hit that straight on.

    Religion is so convenient when it's in your favor, and a burden when you are killed because you don't agree with it. The ironic thing, before I read this I just had a long talk about genetic duplication/cloning (in the sense of breeding two genetically identical people in a hypothetical situation).

    I don't regularly vote because seldom do I get to vote on issues I care about, like this. This will never hit the ballots, neither will a lot of anti-terrorism laws. The problem with a republic is the representatives are not the voice of the majority, just a less-evil choice. You get a bible thumping ex-reverend senator who doesn't understand that if his God didn't want us to create ourselves then he wouldn't have given us a mind to do it.

    Don't blame the scientist, blame God.

  5. Re:Grow up, Georgie on Bush Wants an Unhackable Private Network · · Score: 2

    Work. You think I actually spend 8 hours a day coding? Gotta take a break. Also, the entire structure of my network consists of two networks, one private and one public. The public is done via 802.11 with the exception of one box. I have one computer that shares the link occasionally, but not often. This will change when I finally get my DSL I ordered 4 months ago, but my point still stands. Private networks can be achieved over distance without having a wired connection to the outside world. Short of internal security (which doesn't matter if it's wired to the internet or not) it's not vulnerable to outside attacks.

  6. Re:Sega Dreamcast on Geek Gift Ideas 2001 · · Score: 2

    Check around more, I got my Dreamcast a little under a year ago (Jan 3rd, IIRC) and got it with 3 games (Star Wars Demolition, THPS2, and Crazy Taxi) and an extra controller plus memory card for $150. From Sears, new in the box. The DC Unit was $79.00 on sale. They were surprised they didn't sell out, one of the few stores in the area that didn't - they had 4 or 5 left in stock.

  7. Re:Grow up, Georgie on Bush Wants an Unhackable Private Network · · Score: 2

    I have actually worked in a 500+ employee company that had two separate networks, a private and public network. The reasoning was simple: they needed absolute security from the outside.

    It was inconvenient, in every department they had a whole lot of computers that could talk to each other and usually one computer that could talk with the outside world. But, it worked. Mail was handled in a way that the outside mail server did bulk transfers between two servers (one inside, one outside) which I felt was absolutely ridiculous. Their internal security was a joke, but their external security was quite good. It worked, but was inconvenient.

  8. Re:Grow up, Georgie on Bush Wants an Unhackable Private Network · · Score: 2

    How wonderful, someone who still thinks NAT equals security!

    I'm not going to spell it out to you, but I suggest you:

    1. tighten up your firewall rules immediately. (You ARE running a firewall, aren't you?) and
    ...

    What firewall. That was my point. I have one network that I use for development, that is not public. I also have a firewall setup that runs a network via 802.11b and one ethernet connected box that is for checking mail, playing starcraft and such. Rarely, and only with my laptop, do the networks ever talk to each other.

    Boasting on slashdot about a network that is not connected to any other network outside of the room each computer resides in, doesn't matter.

  9. Re:Grow up, Georgie on Bush Wants an Unhackable Private Network · · Score: 2

    Yeah, and my girlfriend made me delete my pr0n..

  10. Re:Grow up, Georgie on Bush Wants an Unhackable Private Network · · Score: 3, Insightful

    Feel free to hack into my home network. Its IP range is 192.168.0.1 - 192.168.0.13.

    Running drywire or some other method of lines as long as they are physically separated from the rest of the internet (think of the way the bank systems do this via verifone boxes) does make it unhackable and private.

    Of course, it relies upon physical security and not so much bit-based security. Before flaming our president understand it is a real concept. And I'm sure he has quite a few people that know a lot more than you do on the matter; never try to know everything just know people who do.

    Note, he didn't say an "internet based private unhackable network" but a private network. My guess is in the private IP range. Considering all the secure channels (via satellite, or some other method of communication) I'm sure that this can easily be achieved. Granted all that, I do think it's a stupid idea... but realistic none-the-less.

  11. Re:Attitude? on Fink Maintainer Steps Down Due To GPL Infringment · · Score: 1

    Looking at both of those I would definitely agree that he is not making good choices as to how to handle things. For his all caps, I think he was trying to illustrate the point that people only read things if it's big and obnoxious (referencing context).

    I don't think there is any excuse to be rude, even if you are a volunteer or not. I can relate, and understand where he is coming from. After devoting a lot of time to any project, compensated or not, when you start to feel the nagging lack of justification for doing it it's easy to fall into that role. Being a developer is more than writing good code, it's having the frame of mind that people will criticize and hate your work; just like any artist.

  12. Re:Attitude? on Fink Maintainer Steps Down Due To GPL Infringment · · Score: 3, Insightful

    Keep in mind, that he stated that they discussed it on the forked.net board and apex deleted the thread from the message board.

    You don't know what the discussion was like before then.

  13. Re:Yeah! Kill the damn thing!!! on HP To Kill 3000 System After 30 years · · Score: 2

    There are extensions to do operator overloading. Just like BigDecimal, etc.

    And e = a.multiply(b.add(c)).divide(d) is no worse (I find my example more readable: a is multiplied by b plus c then divided by d) than temp = a.multiply(b.add(c)); e = temp.divide(d);
    spoken: temp is a times b plus c, then e is temp divided by d.

    Just personal tastes on that issue, but you are wrong about operator overloading. Granted, I don't do Java development so I'm not sure of the quality of the extensions, but I do know they exist.

  14. Re:Yeah! Kill the damn thing!!! on HP To Kill 3000 System After 30 years · · Score: 1

    You do realize there is operator overloading in this new day and age right.

    Also e = a.multiply(b.add(c)).divide(d); is a better way to write that construct. Please go learn about OOP and operator overloading and all sorts of things that make any class a primitive.

  15. Re:but ... isn't it still just a laptop? on NVidia NV17M Mobile GPU Preview · · Score: 3, Interesting

    I use my laptop for just about everything. It gets probably 10x more usage than my desktops do. I have a Toshiba 850MHz with the GeForce2 Go and it dual boots Linux for development and Win2K for gaming. It is pretty much my ultimate machine. Great soundsystem with headphones, and superb graphics performance. If doing visual development in X, having a 3d accelerator rocks, and I also do play Chromium BSU on there when I need a few minutes of utmost carnage to cool down my mind from a coding session.

    It works absolutely beautifully as a gaming platform and as a development box. I regularly play CounterStrike, Unreal, and Starcraft (real box breaker there..) I'm not sure of any game that is on the market that is not well playable on it.

  16. Re:MS Rallying end-user support? on Microsoft Microsoft Microsoft · · Score: 2

    Again the point, which you appear to be missing is that while this is not impossible, it's obviously not as ludicrously easy as you think it is. Yes, you've thrown together a neat hack... now you push this out to your customers and they'll come screaming at you as to why they can't get to their favorite website. The other solution of actually fixing the problem that's being exploited may very well be easier, and most certainly easier to test.

    It is easy. Look, I don't really care about your opinion of me. If someone can construct a malicious URL then you can deconstruct it. Obviously IE already does this to return the cookie. It is not hard. If you think it is hard, then I know exactly the kind of lame-ass programmer you are. Oh, so what, I didn't include https.. boo-hoo. Apparently a moderator liked it, didn't they? Easy enough to reject a request based off of a scope.

    Just for the record, I have written extensive complex isolation algorithms for data a helluvalot more complicated than a URL could ever be. You did make an assumption, you are just too bull-headedly stupid (yes, you are stupid. You have proved this well beyond any reasonable doubt) to understand that to some people, sifting through large scale data analysis is easy because it's what certain people really like to do, and do it well. Sorry if you have a hard time understanding how to parse a URL, but other people don't. Now, if you think you can provide an algorithm to accurately find a T/A stop in a DNA sequence to match up a contiguous sequence from splices with a higher than 97% success rate I'll start listening to you.

  17. Re:that last line.... on Microsoft Microsoft Microsoft · · Score: 2

    I find it easier to believe he's not a troll, and just someone with a misguided assumption who thinks they are entitled to voice their opinion without knowing anything. Which they are entitled, I find it more satisfying to debunk such folk, and hopefully get them to stop and think the next time they open their mouth without really understanding all aspects of the discussion. Getting in an argument with a coder who does mostly network based stuff (including a lot of internet-app development) and saying they don't know code is a great example :)

  18. Re:MS Rallying end-user support? on Microsoft Microsoft Microsoft · · Score: 3, Insightful

    "As far as qualifying that statement, I thought it was fairly obvious from my response. I asked you to provide a ruleset for parsing valid URL strings. Just some simple perl regular expressions would do."
    Uhh, no you didn't.

    "I read the article. The difference is, I happen to know a tiny bit about programming, and you obviously don't."
    Yes, obviously it is so difficult to write a valid URL parser that Apache has a problem with it, and Mozilla, and hell, even Slashdot.
    You want a URL parser, pick a language. You said perl, here ya go (brackets omitted to appease slashdot's stupid filtering):

    sub validateURL
    my @ValidInstructions = (
    '[^/]\.(htm|html)', ## Allow only top level that end in .htm or .html
    );
    if ( /(http|ftp):\/\/([A-Za-z0-9:_\.]+)\/(.*)?/ )
    my ($req, $domain, $path ) = ($1,$2,$3);
    ## Lets check for user combinations, denoted by :
    if ( my $userinfo = split(/@/,$domain) )
    my ($user,$pass) = split(/:/, $user);
    for( my $i = 0; $i < $#ValidInstructions; $i++ )
    return 0
    if ( $path !~ /$ValidInstructions[$i]/ );
    else
    return 0;
    }

    I'll leave it as an exercise to figure out where the brackets go.
    So, all you need to do is add to the valid handler array, and writing reg-ex's for this is not the most efficient method, nor would I recommend it. But, it's also exceptionally easy to verify that the file is there and check the parameters in case of a dynamic page to ensure it's not a malicious intent (go read any howto-secure-a-CGI for more info).

    I just spent about 5 minutes writing this out, with cold hands and all my other text. It's not far more complicated than I think it is; I'm just a good programmer. Before accusing people of how hard something is with knowing "a tiny bit about programming" find out that the person you are talking to does network development for a living. Thanks.

    I'd like to take the opportunity to try to have you take a deep breath, and realize that you had no idea who I am before you started your assumption that I wasn't a programmer and just some ass-clown. I've written anything from URL validators to email validators, to pthreaded socket connection. You didn't know that though, you just instantly assumed I was talking out my ass saying that this was just such a wonderful easy idea and I just couldn't understand why they couldn't do it. It's called prioritizing of tasks, someone is in charge of this particular affected code. Whether it be in the URL validation or the cookie retrieval code (I'm not sure how IE is structured), this fix is none-the-less simple, and not an amazingly complex feat of engineering talent.
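A runnable take on the allowlist idea in this comment, as an added example that is not the commenter's code and is written in Python rather than Perl: split the URL into scheme, host and path, refuse embedded `user:pass@` credentials, and accept the path only if it matches an entry in a list of permitted patterns. The function name, the reason strings and the `example.com` sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "ftp"}   # same two schemes as the comment's regex
HOST_RE = re.compile(r"[A-Za-z0-9_.-]+")
# One pattern per permitted path shape; extend this list to allow more.
# A strict character class means "%2f" or "\" cannot smuggle in a separator.
ALLOWED_PATHS = [
    re.compile(r"/[A-Za-z0-9_-][A-Za-z0-9_.-]*\.html?"),  # top-level .htm/.html
]


def validate_url(url):
    """Return (ok, reason); anything not explicitly allowed is rejected."""
    # Whitespace and control characters are refused before parsing.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False, "control"
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    # user:pass@host is legal URL syntax but has no place in a page link.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"
    if not parts.hostname or not HOST_RE.fullmatch(parts.hostname):
        return False, "host"
    # Static pages take no parameters; a dynamic page needs its own checks.
    if parts.query:
        return False, "query"
    if not any(p.fullmatch(parts.path) for p in ALLOWED_PATHS):
        return False, "path"
    return True, "ok"


# Constructed sample URLs.
SAMPLES = [
    "http://example.com/index.html",
    "ftp://files.example.com/readme.htm",
    "https://example.com/index.html",
    "http://user:pw@example.com/index.html",
    "http://example.com/a/b.html",
    "http://example.com/%2e%2e%2fsecret.html",
    "http://example.com/page.html?cmd=x",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(validate_url(u), u)
```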

  19. Re:What is my advantage? on ZapMedia Finally Releases ZapStation · · Score: 1

    I'm not sure if you were trying to be funny, or a troll. Either way, it sucked. Read first, then post. Most of the gibberish you posted had nothing to do with his sentiment.

    There is no reason for a box this expensive. The major target market isn't going to spend that much on it when they go, "Well, I got a computer to do half and an entertainment to do half" and realize dropping over a grand to do it in one place isn't a good move. That's what I interpreted his point as, plus the additional I'm-a-techy-I-can-h4x0r-it philosophy which is great.

    Score: -1, Dumbass.

  20. Re:MS Rallying end-user support? on Microsoft Microsoft Microsoft · · Score: 2

    No, I haven't taken a look at URLScan, I do UNIX only. This vulnerability affects Internet Explorer by the formatting of a specific URL. You did read the release right? This has nothing to do with IIS. I believe that the browser should have a valid URL check, similar in style to Mozilla's (type in gibberish not formed correctly and it sends you to a keyword search). It seems more obvious that you didn't read the article, nor understand that I was speaking of this specific example of a way to get a quick patch out.

    Never mind, it's obvious you don't know the first thing about software development.
    Qualify that statement and I will give you a little bit of credit for your argument. Until then you are just being under-informed and trollish.

  21. Re:MS Rallying end-user support? on Microsoft Microsoft Microsoft · · Score: 2

    Tell me, what could possibly break by doing a sanity check inside of the URL request?

    You could do it with JavaScript, preface all pages with an onLoad() and verify the URL isn't malicious. Don't tell me that will break things, the only thing it will break is this security flaws break. A quick patch to fix the security flaw, followed by an update that fixes the back end problem. Granted, some problems you can't do this with, but changes a block of code that just verifies that the cookie is secure won't break shit, unless they purposefully have the code in there for internal reasons.

    If they can't release a patch within 3 days, they deserve the negative publicity.

  22. MS Rallying end-user support? on Microsoft Microsoft Microsoft · · Score: 4, Insightful

    From the article:
    The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

    I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, then it's easy to make the connection that the open-source community is vilifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.

    They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsoft's high standards of quality.

    Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsoft's best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a company's product to an unapproved bill.

  23. Re:GPL and Napster-like things on Napster Alternatives Coming Strong · · Score: 2

    Bwahahahahahaha. This is too funny. Yes you represent the majority of computer users who of course don't have CD-ROMs in their computer. Funny but I would say that, oh, > 99.9% of the users reading this right now DO have a CD-ROM in their computer. How unbelievably asinine.

    I'm not saying my lack of CD-Rom in my desktop computers is representing the majority. What I am saying is that a significant portion of the P2p-community still do download songs that they do own on CD or some other medium.

    On my PC with a utility like MusicMatch it takes about 2 minutes to rip an entire CD (including searching out and using the track names, or subdirectory storing them appropriately),...

    Really, could you provide benchmarks? 2 minutes, eh?

    You say there is no beating a logical genius like myself, well, you certainly aren't doing very good. You like to pull absolutely bullshit statistics out of your ass (they can't possibly come from anywhere else, otherwise they may make a little bit of sense). Why don't you actually go learn something instead of opening your mouth and spewing garbage. You are noise. In this entire thread you have not made one concise argument backed with any real-life factually correct example that could be backed up, and you have misinterpreted my argument (particularly, my CD-Rom status - as I said I don't have one, and used it as an example of why I don't rip -- other people have many other reasons, just as valid) and claimed I was saying I represented the vast majority. From the songs (non-live concerts) that I have downloaded off of Morpheus (Probably about 10 CDs worth, maybe more) I would say about 5 have been poor quality that I have thrown out, and probably 3 or 4 have been mislabeled (mostly from Tool's new CD). Average download time per CD from my work connection: about 2 minutes.

    Feel free to make more of an ass out of yourself though, it's funny watching people argue something they have no clue about. It's like watching fat kids play dance dance revolution.

  24. Re:GPL and Napster-like things on Napster Alternatives Coming Strong · · Score: 2

    Until, of course, the RIAA goes in and pulls the centralized plug.

    More proof you don't know anything about the other P2P software. FastTrack is not a centralized plug, the modification for centralized authorization can easily be removed but there is no centralized database or otherwise single point of failure, it is a user maintained network consisting of broadband super nodes and low-bandwidth leaf nodes. Thank you, come again.

    You have the CD, and could drop it in your drive and go "rip CD" and have perfect quality at the bitrate that you want with perfect labels and everything, but rather you go hunting through Morpheus for them....Alrighty. BTW: How much can you sell me the Golden Gate bridge for?
    Funny, I didn't know I had a CD-Rom in my computer... thanks for letting me know, that clears up a lot of confusion. The only computers that I have that have CD-Roms are servers, and only one of them has a decent CD-Rom. I have a CD-RW/DVD in my laptop, but the only time my laptop is booted is while I'm working and I'm not going to waste cycles. And it's a whole lot easier to search, "Dave Matthews Band Crash" or the 5 other songs on that CD that I really like, and download in a few minutes than rip. You just don't like to admit that you're wrong, but thanks for proving it yet again. Go read a book.

  25. Re:GPL and Napster-like things on Napster Alternatives Coming Strong · · Score: 2

    Gnutella is an inferior P2P implementation, that has been easily proven by example time and time again. I use Morpheus, and often download legitimate CDs. Same with most of the people that I know, because we like to have them in the car, etc. IF I buy the CD, I have rights to the MP3. Therefore your statistic of MP3 trading is skewed, because you are assuming that everyone is trading illegitimately. That's absolute bullshit. Even though I buy most my CDs used, so the RIAA still won't get a cut I have a right to listen to the music in MP3 or in my car's cd player. Whether I'm ripping the CD myself, or downloading pre-ripped mp3's I'm not pirating. Granted, there are a few songs I have downloaded that I don't own the album to - but I would never buy the album they were on anyway so it goes into the whole "I'm getting a little, they get nothing but piracy wouldn't change that" - which I still don't agree with because they do get something, another listener.

    My comment still stands, you have no clue as to what the actual rate of legitimate traffic across any P2P network because it's virtually impossible to track. So stop with the blanket assumptions that every transfer is theft.