Uber HQ knows what's going on in the local offices simply because they're constantly listening in through real-time audio conferencing (for all I know they could be using constant video-conferencing too) in addition to the real-time screen-sharing as well.
I was thinking it would be a good thing if the pager numbers were published (and updated as they changed) by some whistleblower so that "concerned citizens" could "test" it whenever they felt like it....but this is even better. All it needs is a speaker outside of Uber offices transmitting what sounds like a police raid in progress and the criminal scum will DOS themselves.
if the auto-shutdown is done by AI rather than human intervention, it could even be done with frequencies that humans can't hear (as in the recent alexa/google home/etc hacks).
"We built a compulsively addictive brainwashing and spying propaganda machine and got caught renting it to some people who wanted to use it to bullshit to and brainwash and spy on billions of people. We could never have imagined that"
Corporate death penalties are usually worse on the market, consumers, workers [...]
How can you say "usually" when it's never actually happened?
Sounds like yet more libertarian theology, gospel explaining why it's a mortal sin to hold corporations to account for their actions.
The same kind of bullshit as "taxing or fining corporations or requiring them to pay living wages etc etc etc is wrong and/or pointless because they'll just pass it on to the consumers" (hints: 1. no, they won't - there's a very small limit as to what they can get away with passing on before they price themselves out of the market. Most, or even all of it in some cases, will come out of their profit margins; 2. consumers don't have a right to have their goods and services subsidised by tax payers or employees of a corporation)
Only Americans could believe that California is "far left" or even "left" at all.
To the rest of the world, Californian politics and society are very far from left - centre-right at the very most. Neo-liberal corporate capitalism with a few minor bandaids to help keep it from being completely unbearable.
Americans tend to believe that anything which makes life under capitalism even slightly more tolerable is outrageously socialist.
so, yeah, California is deranged....but less so than most of the rest of America. and deranged by leaning towards the far right, not the left.
PS: I'd like to see the more civilised parts of America (i.e. most of the east and west coast, and northern border states) secede from the US, and build a huge fucking wall around Jesusland to keep the worst nutters inside. It would still be a far-right corporate kleptocracy, but that's better than a corporate kleptocracy combined with a stone-age theocracy.
I might be movin' t' Mongolia soon
Just to mine me up a crop of
Crypto Coins
Minin' it up
Cashin' it down
In a little white box
That I can sell uptown
By myself I wouldn't
Have no boss,
But I'd be minin' my lonely
Crypto Coin
Minin' my lonely
Crypto Coin
Well I just might grow me some bees
But I'd leave the sweet stuff
For somebody else...but then, on the other hand I would
Keep the cash
N' melt it down
Mine some coin
N' hash it aroun'
I'd have me a crop
An' it'd be on top (that's why I'M movin' to Mongolia)
Movin' to Mongolia soon
Gonna be a crypto coin tycoon (yes I am)
Movin' to Mongolia soon
Gonna be a mental toss flycoon
I'm minin' the ol'
crypto coin
That's hashin' on the pc
Minin' the coin!
I mined all day an' all nite an' all
Afternoon...
I'm ridin' a small tiny hoss
(His name is MIGHTY LITTLE)
He's a good hoss
Even though
He's a bit dinky to strap a big saddle or
Blanket on anyway
He's a bit dinky to strap a big saddle or
Blanket on anyway
It will enter a recurring cycle of pump and dump(*), until there aren't enough suckers left to take the bait.
This will probably be a very long time, given that there are people still being suckered by 419 scams even though just about everyone in the world should know by now that there's no such thing as a Nigerian prince or whatever wanting to give you a hundred million dollars.
(*) or, as the boosters and true believers put it, "growth and profit-taking"
It's the ultimate "fiat currency", created by wasting enormous amounts of electricity to produce absolutely nothing of any value in the physical world.
and then speculated on by gamblers and wanna-be finance-industry scammers (playing kiddie versions of the same scams in their bitcoin sandpit just like the big boys on wall st) to inflate it's non-value to completely ludicrous prices.
and the funniest/worst of it is that even though it's the ultimate fiat currency, it's not actually a currency at all, and barely even pretends to be one. It's a greater fool gamble that the purchaser can offload their worthless gimmicks for an even greater price than they paid for it to someone even dumber than them.
It's digital fucking tulips - something that has little or no actual value, but an over-inflating price just because people think they can buy it at any price and sell it on for more...and as long as they're not the ones holding onto the worthless shit when the bubble inevitably bursts, that's totally OK. Because they're too smart to be those final suckers, right?
blah blah government bad government bad government bad blah blah blah
you dumb, brainwashed and over-propagandised yanks need to stop blaming government for fucking everything and start blaming the corporations who stole your government from you decades ago...and start thinking "cui bono" from your country being turned into a shithole and following the fucking money.
Unless the web proxy can do a MITM attack (e.g. by using a CA cert installed into every client to generate false certificates), it can't do that for https traffic.
With https and other encrypted proxied traffic, the proxy doesn't and can't see the traffic. It doesn't even see the URL that a browser requests. All it sees, and all it can log, is that client on IP x.x.x.x used it and requested a CONNECT to host foo.example.com on port y.
This is by design. It stops ISPs (and others in the network path from client to remote site) from spying on or interfering with traffic.
It also stops people like me who run their own proxy on their own home server from seeing what is being "phoned home" by browsers, javascript and general software running on machines in the internal network (e.g. windows boxes phoning home to microsoft and iphones etc reporting to apple).
I used to use the URLs in my squid logs to maintain my squid-based ad & javascript blocker (which I use in addition to uBlock Origin and uMatrix in the browsers. I've been using it since long before browser ad-blocking plugins existed, in the mid 90s when ads started being animated and that pissed me off enough to do something about it). Now, pretty much all I see is CONNECT entries in the log. Using a squid URL redirector to block unwanted crap is ineffective when the proxy can't see the URL.
I'm generally in favour of "https everywhere" but it has come at a price. I'm a lot more dependent on browser-based blocking than I used to be.
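To make the "all it sees is a CONNECT" point concrete, here is an added example (mine, not the commenter's squid setup) that parses a few constructed lines in squid's native access.log layout and shows what a log-driven blocker can and cannot act on: a path pattern only ever matches when the request was plain HTTP, while for a CONNECT tunnel the only usable handle is the host name. The log lines, hosts and addresses are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log layout (not real traffic):
# time elapsed client status/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.123    245 192.168.1.10 TCP_TUNNEL/200 8421 CONNECT foo.example.com:443 - HIER_DIRECT/203.0.113.5 -
1700000001.456     87 192.168.1.10 TCP_MISS/200 1532 GET http://ads.example.net/banner.js - HIER_DIRECT/203.0.113.6 application/javascript
1700000002.789    310 192.168.1.11 TCP_TUNNEL/200 9917 CONNECT ads.example.net:443 - HIER_DIRECT/203.0.113.6 -
"""


def parse_line(line):
    """Split one access.log line into the parts a URL filter could act on.

    For a CONNECT tunnel the only visible target is host:port; for plain
    HTTP the full URL (host and path) is in the log.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    method, target = fields[5], fields[6]
    entry = {"client": fields[2], "method": method, "target": target,
             "host": None, "port": None, "path": None}
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        entry["host"], entry["port"] = host, int(port)
    else:
        url = urlsplit(target)
        entry["host"], entry["port"], entry["path"] = url.hostname, url.port, url.path
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def filter_decision(entry, path_patterns, host_blocklist):
    """What a log-driven blocker can decide from this entry.

    Returns (verdict, reason). Host matches work for both plain HTTP and
    CONNECT; path patterns can only match when the path was visible.
    """
    if entry["host"] in host_blocklist:
        return ("blocked", "host")
    if entry["path"] is None:
        return ("allowed", "path not visible (CONNECT tunnel)")
    if any(re.search(p, entry["path"]) for p in path_patterns):
        return ("blocked", "path")
    return ("allowed", "no match")


def tunnel_share(entries):
    """Fraction of entries that are opaque CONNECT tunnels."""
    if not entries:
        return 0.0
    return sum(e["method"] == "CONNECT" for e in entries) / len(entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e["method"], e["target"], filter_decision(e, [r"banner\.js$"], set()))
    print("tunnel share:", tunnel_share(entries))
```

The second and third sample lines go to the same ad host; the plain-HTTP one is caught by the path pattern, the CONNECT one is not, and only a host-level blocklist entry catches both. That is the trade-off the comment describes: once most traffic is tunnelled, the proxy-side blocker degrades to host blocking and the rest has to move into the browser.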
this will surely be welcomed by those whose despair and depression is caused by the stress of living in the panopticon of an ever-increasing surveillance state that makes Orwell seem like a naive optimist.
Your mind is like a sponge and a blender - it soaks up everything and blends it into an incoherent mishmash of bizarro-world nonsensical sludge.
none of what you just said makes any sense, and none of it is true.
for example, absolutely no-one "agrees" that using ZFS with the Linux kernel "somehow relicenses ZFS under GPL2". Nobody even seriously thinks that.
What everyone agrees is that it is completely legal for an end-user to combine software distributed under two different, incompatible licenses (such as the GPL and the CDDL) and compile it for their own use, and it is also legal to distribute scripts and wrappers (e.g. in dkms packages) to help end-users automate that process.
There is a lot of disagreement about whether it is OK to distribute the end result of that combination. Given that copyright works in an all-rights-reserved manner by default, that only explicit permission from the copyright holder(s) (e.g. in a license agreement) can allow re-distribution, it seems to me that the "it's OK" argument boils down to a bet that "neither Oracle nor any of the kernel copyright holders will sue us for it, so we'll get away with it".
Even if Oracle decided to distribute Linux+ZFS together in pre-compiled form, they'd be in violation of Linux's GPL license, and there are only two ways to remedy that:
1. They can relicense ZFS with a GPL-compatible license(*)
2. They can cease distribution of the combined derivative work
(*) normally, IMO the GPL is the most appropriate license for all free software. In the case of ZFS, the BSD license is the most appropriate because it's not only compatible with the GPL and thus Linux, it's also compatible with all the existing *BSD and Illumos and other derivatives. It is extremely unlikely that Oracle will relicense ZFS, though - they've shown less than zero interest in doing that over the years.
That should read "I agree with everything you say about bind variables".
quite obviously, I disagree with what you say about validating and sanitising input being a bad idea. It's not. It's just another layer in the defence strategy.
I agree with everything you say except The actual business logic code [...] should also not be responsible for "sanitising" the input.
It is never wrong to have multiple layers of defence, even if they're mostly or entirely redundant. This is especially true if you can't, or can't easily/quickly, fix the library or the backend server to deal with a newly discovered problem.
1. when i wrote "worthless garbage", I grossly understated it. "worse-than-worthless garbage" is better but still completely inadequate to describe just how shitty such a library would have to be to fail to include such essential basic functionality.
2. I should have pointed out that the basic error in the second example is that because it directly embeds the user-supplied data into the generated SQL command string, it causes that data to become code. code is executable. data is not (or shouldn't be).
There's the problem right there. Why is SQL accepting two commands in one line?
the problem is not that SQL accepts two commands in one line. To start with, there's nothing magical about a newline or other EOL marker that makes it ANY different to a semicolon or any other statement separator. Secondly, it's not a security problem in SQL any more than it is in ANY of the other programming languages that allow statements to be separated by a semicolon or EOL or other character (i.e. **ALL** of them, every single scripting/programming language in existence - bash, for example).
The problem highlighted by that xkcd cartoon is not that semi-colons are bad, but that trusting user-supplied data is fucking stupid. Validate your input, sanitise it, clean it up before making any use of it - but do not ever trust it.
In the specific case of SQL, use your SQL library's implementation of prepared statements and placeholder values(*) as a final defence to catch stuff you might have missed, rather than thinking you can get away with just quoting the input data and embedding it in a string to be executed. e.g. in perl DBI, as well as validating and sanitising user-supplied data, you'd use something like:
(*) if your preferred SQL library can't do something analogous to this then it is worthless garbage and you need to replace it immediately with something that can.
    # use ? placeholders; DBI substitutes the values as data, never as SQL text
    $sql = 'update account set balance = ? where name = ?';
    $sth = $dbh->prepare($sql);
    $sth->execute($newbalance, $name);
rather than:
    # directly embed (possibly user-supplied) data into sql command strings.
    $dbh->do("update account set balance = $newbalance where name = '$name'");
With the former, there is no chance that user-supplied data can be executed as an SQL command string (this is not the same as saying it is perfectly safe - the SQL lib or backend database may have other bugs that can be exploited) but it does eliminate a huge category of relatively easy exploits (i.e. exploits caused by idiot devs who don't even make the simplest effort to program defensively). It's also easier and less work - with a little bit of setup, you don't have to fuck around with quoting, which is easy to get wrong and tends to make it difficult to avoid writing unreadable and unmaintainable code.
With the latter example, if either of those two variables ($newbalance and $name) contain un-validated, un-sanitised user data then the sql command can be trivially abused to execute arbitrary sql code, just by adding a semi-colon followed by arbitrary sql code and then another semi-colon (so that your bad sql code isn't invalid syntax due to whatever comes after it in the original sql string) to the end of one of the input variables - optionally preceded by a starting end-quote if the data is a string type.
BTW, many SQL exploits unavoidably cause one or more commands to be invalid and thus generate an error - so wrapping all commands inside a transaction is a useful tactic for defeating many other potential problems - one of the reasons for/benefits of using a transaction is that ALL commands within the transaction must succeed or they are all automatically rolled back.
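An added example, not the commenter's Perl, showing the same two patterns side by side in Python's sqlite3 on an assumed "account" table, plus the transaction point from the last paragraph. The payload is a constructed name value built exactly the way the comment describes (a closing quote, a semicolon, a second command, another semicolon and a fragment so the leftover quote is still valid syntax). One caveat worth seeing: sqlite3's execute() refuses a string holding more than one statement, which is precisely the kind of library backstop the comment asks for, so the bad version has to use executescript() to reproduce the classic outcome.

```python
import sqlite3

# Constructed input built as the comment describes: end-quote, ';', another
# command, ';', then a harmless fragment that absorbs the original's trailing quote.
PAYLOAD = "alice'; update account set balance = 999999 where name = 'bob'; select '"


def make_db():
    """In-memory database with an assumed 'account' table matching the page's update."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table account (name text primary key, "
                 "balance integer check (balance >= 0))")
    conn.executemany("insert into account values (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def balances(conn):
    return dict(conn.execute("select name, balance from account order by name"))


def update_balance_unsafe(conn, name, newbalance):
    """The comment's second pattern: data interpolated into the command string.

    sqlite3.execute() would reject the multi-statement result outright, so
    executescript() is used here to show what a less careful library does.
    """
    sql = f"update account set balance = {newbalance} where name = '{name}'"
    conn.executescript(sql)


def update_balance_safe(conn, name, newbalance):
    """The comment's first pattern: placeholders, so input can only ever be data.

    Returns the number of rows changed (0 when no account has that literal name).
    """
    cur = conn.execute("update account set balance = ? where name = ?", (newbalance, name))
    conn.commit()
    return cur.rowcount


def transfer(conn, src, dst, amount):
    """Two updates in one transaction: both apply or neither does.

    The CHECK constraint rejects a negative balance; the context manager
    rolls back the credit that already happened, so the books stay consistent.
    """
    try:
        with conn:  # commits if the block finishes, rolls back if it raises
            conn.execute("update account set balance = balance + ? where name = ?", (amount, dst))
            conn.execute("update account set balance = balance - ? where name = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print("safe, rows changed:", update_balance_safe(conn, PAYLOAD, 10), balances(conn))
    update_balance_unsafe(conn, PAYLOAD, 10)
    print("unsafe:", balances(conn))
    conn = make_db()
    print("overdraw rolled back:", transfer(conn, "alice", "bob", 500), balances(conn))
```

With placeholders the payload is just a name nobody has, so zero rows change; interpolated into the string it becomes two commands and rewrites bob's balance. The transfer shows the rollback behaviour the comment mentions: the credit to bob is undone when the debit from alice fails.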
Wouldn't dropping everything after ";" fix all SQL injection attacks?
congratulations. you're taking the very first steps towards reinventing sanitising data input.
All you've done is rephrase it so someone's PC narrative mind doesn't get hurt in the process, to which I say, who cares?
No, that's not all I've done.
I'll give you a concrete, personalised example to make it easier for you to understand:
If I say that you, personally, Kneo24, whoever the fuck you are in real life, are a fucking moron then that's not sexist. That's just a factual observation.
If I were to say that all, or even most, men are fucking morons then that WOULD be sexist. And it wouldn't be at all hard to find examples to disprove it.
see, that's the difference between loathing an individual for what they say or do rather than an entire class of people for what they happen to be? simple, right? and obvious.
It was a statement that needs about as much reasoning and evidence to back it up as "fire is hot".
while there are some circumstances where evidence and reasoning might be required for such a statement, conversational english is not a physics conference, nor does it always have to involve wasting hours giving free remedial education to misogynist retards.
systemd overtly funded by redhat in order to gain absolute control and veto power over the low-level linux ecosystem.
The USA is the biggest importer and user of cocaine, yet both the importation and the use of cocaine are banned there.
copyright laws are for people to obey, not for corporations.
copyright laws are for corporations to wield, not for people.
it will never "return" to being a currency.
they're protesting too much - don't throw us into the bitcoin patch!
and what real value do you think bitcoin has?
Yes, MtG is gambling. Dunno about Hearthstone, never played it - but if you buy can buy random packs of unknown cards then it's also gambling.
Similarly, WotC sells D&D miniatures in random sealed packages - that's also gambling.
All of these and similar gambling schemes should be either prohibited or regulated like similar forms of gambling.
The Las Vegas shooting was downplayed by the media because the shooter wasn't conveniently brown or muslim or otherwise identifiably foreign/alien.
He was a White Christian MRA gun nut with a history of domestic violence. Just like most other perpetrators of mass shootings.
beg away, although you really don't need my permission to be wrong.
now fuck off back under your rock.
In acerbe dici veritas
He may not meet all the selection criteria - being a racist misogynist doesn't necessarily mean he's a paedophile.