Slashdot Mirror


User: asdf7890

asdf7890's activity in the archive.

Stories
0
Comments
1,126
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 1,126

  1. Re:whatcouldposiblygowrong on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    what could go wrong?

    Lots.

    worst case scenario?

    Depends how realistic we are being with our range of possible scenarios.

    Worst not-ridiculously-unlikely case: ill-configured service, service minus important patches, or poorly chosen authentication/privilege setup, or something similar, allows an automated hack in and therefore the server becomes yet another bot in the net or possibly even a C&C box for the botnet.

    A zombied server is usually more trouble for the rest of the 'net than a zombied home machine because they generally have access to better bandwidth resources and are more likely to be openly connectible from the outside world so can more easily be used to host services such as phishing websites or a botnet C&C relay.

    There is also the potential loss/damage to the information in the server itself to consider. If a "noob" admin is running the server then it is not unlikely that the services and data held on the server are not adequately backed up.

  2. Re:Duh on Wear Leveling, RAID Can Wipe Out SSD Advantage · · Score: 1

    Yes, but the word inexpensive is being used in a relative sense here - the idea being that (ignoring RAID0 which doesn't actually match the definition at all due to not offering any redundancy) a full set of drives including a couple of spares would cost less than any single device that offered the same capacity and long-term reliability. And the expense isn't just talking about the cost of the physical drive - if you ask a manufacturer to guarantee a high level of reliability they will in turn ask a higher price for the device (both to cover R&D on making it more reliable and to cover insurance for in case it fails too early and you require replacement and/or compensation). Even if the individual devices in the array are very expensive, they are probably not so compared to any single device that claims the same capacity and longevity properties.

  3. Re:Processor damage, really? on NVIDIA Driver Update Causing Video Cards To Overheat In Games · · Score: 1

    Wait a minute... just how is an overheating graphics card causing damage to a CPU?

    Depends on the airflow in your case, but many are not well laid out in terms of airflow. If the card is pumping out more heat than usual and this isn't being drawn out correctly, it may build up in the case generally, reducing the ability of the CPU's HS+F to cool it properly. Similarly, if the heat built up is sufficient for an appreciable amount of time (say, over the course of a long gaming session) you may also find drives and other components start failing due to overheating, though the CPU is the item most at risk from this collateral warming and would most likely be the first to go (rescuing other parts by falling first, hopefully stopping the heat build-up as no more heat-generating tasks will be run by it or given to the GPU by it) if the situation became extreme enough.

    Another GPU-killing-CPU-by-heat scenario exists in liquid cooled systems. If the GPU and CPU share coolant and the GPU heats up so much that it overwhelms the liquid cooling arrangement there may not be a sufficient temperature gradient between the coolant and the CPU for the CPU to be usefully cooled.

    I'd file both of these situations under "quite unlikely, but far from impossible".

  4. Re:Try "fishing for noobs", not admins. on New "Spear Phishing" Attacks Target IT Admins · · Score: 4, Interesting

    But what about someone who set up the service initially some months ago and has since moved on and is busy with several other projects, that someone might give the mail a cursory glance and then forward it to the less experienced team/individual currently operating as caretaker for the service. He/she/they might decide to just blindly go ahead either because they are less experienced, they assume the person that forwarded the note to them checked it, or they are numbskull button-pushers employed by the lowest bidding IT outsourcing outfit, or some combination of the above - at which point the ne'er-do-wells have an in...

  5. Re:Why is it illegal? on Scalpers Earned $25M Gaming Online Ticket Sellers · · Score: 1

    I fail to see anything illegal in what they're doing...

    As I said above:

    Their system obtained access to a resource (the tickets) under false pretences (pretending to be different individual people rather than one organisation). That, I believe, is fraud.

    That is what is illegal by my understanding. If not actually illegal in their jurisdiction, it will definitely be a breach of the terms of service they have agreed to by signing up with the relevant people to buy the tickets in the first place - I wonder if they as a company would be OK with their customers blatantly ignoring any terms of service they dictate?

    McDonalds and Burger King

    They make their money by buying relatively abundant materials in bulk and selling smaller quantities, with a mark-up the customer is generally willing to pay for the convenience of not having to arrange and package the product themselves - even as someone who does not like McD and their ilk I see nothing wrong with this part of their business model. These people on the other hand are doing nothing except being mark-up adding middle-men who are making their profit out of nothing more than inconveniencing people by manipulating a finite (sometimes very limited) resource.

  6. Re:Why is it illegal? on Scalpers Earned $25M Gaming Online Ticket Sellers · · Score: 2, Informative

    What's illegal about what they have done??

    Their system obtained access to a resource (the tickets) under false pretences (pretending to be different individual people rather than one organisation). That, I believe, is fraud.

    Anyway, the poster you replied to stated "legitimately", not "legally". In common parlance "legitimate" covers both "legal" and "moral", and taking advantage of people in this way is generally seen as NotTheDoneThing. If you had to pay twice as much (or sometimes it can be several times as much) for something that you wanted simply because a group like that had gamed the market, would you be happy to pay up and consider that everything was proper and above board?

  7. Ah, the idiocy of the well meaning... on Miami Considers Ban On Feeding the Homeless Without Training · · Score: 3, Interesting

    A couple of the food establishments around here used to give their waste food (pre-made sandwiches that were "on date" or always sold as "made today" being the main constituent, though fruit and veg was involved too) to a local hospice at the end of the day - an arrangement the hospice and the people (the truly homeless and those escaping from bad homes) it cared for. The council put a stop to it on health and safety grounds, lord knows why. Now the same food goes into bins that the homeless raid - how much more healthy and safe is that?!

  8. Re:Hehe on Woman Discovers Her Wireless Internet Is Not Free · · Score: 1

    s/wirelist signal/unlocked car/g;

    s/wireless signal/unlocked front door/gi

    But in neither of those cases are there circumstances where it is fine to take what is available (the car, the opportunity to enter the house) whereas there are unsecured wireless APs out there, many of them, that are free for you to use as far as the owner is concerned. So you can argue that you thought it would be OK to use the wireless where you can't so easily argue that it would be OK to borrow the car for an hour. Whether the law takes account of this sort of difference I don't know though, I'll leave that question to legal experts or those that claim to be the same.

  9. Re:It is a sad world we live in. on Anatomy of a SQL Injection Attack · · Score: 2, Interesting

    One to add to your list if we stray beyond just SQL injection and consider other attack vectors too:

    5. Output matters. Check data from the layer below, ensuring any characters that might carry unintended meaning but need to be in the data are escaped as required.

    Always check the data on the way out as well as on the way in, in case something malicious got in by any means (due to a failure in steps 1 through 4, or direct database access by other means). This is implied by your supplementary text, but I think it is worth explicitly adding to the list itself.
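    The output-side check described in point 5 above, as an added Python example that is not part of this comment or the thread. It assumes an in-memory SQLite table (the `comments` table, its rows and the rendering functions are all constructed for the example): the rows are inserted with parameterised queries on the way in, and the "before" renderer trusts what comes back from the database while the "after" renderer HTML-escapes every value on the way out, so a payload that reached the table by any route is neutralised at the point it would carry meaning.

```python
import html
import sqlite3

# Constructed sample rows. The second one carries markup that could have
# reached the database by any means (an upstream validation slip, direct DB
# access, a bulk import ...), which is exactly the case the output check covers.
SAMPLE_COMMENTS = [
    ("alice", "Nice article!"),
    ("mallory", '<script>alert("pwned")</script>'),
    ("bob", 'Tom & Jerry say "hi"'),
]


def build_db():
    """In-memory SQLite DB filled with parameterised INSERTs (the input side)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", SAMPLE_COMMENTS)
    return conn


def render_unescaped(conn):
    """The 'before' form: trusts the layer below and interpolates values raw."""
    return "".join(
        f'<li data-author="{author}">{body}</li>'
        for author, body in conn.execute("SELECT author, body FROM comments")
    )


def render_escaped(conn):
    """The 'after' form: escape on the way out, whatever happened on the way in.

    quote=True also turns " and ' into entities, so the same helper is safe for
    values placed inside attribute quotes as well as in element text.
    """
    return "".join(
        f'<li data-author="{html.escape(author, quote=True)}">'
        f'{html.escape(body, quote=True)}</li>'
        for author, body in conn.execute("SELECT author, body FROM comments")
    )


def contains_raw_tag(rendered):
    """Did a literal <script> tag survive into the output? (used as the check)"""
    return "<script>" in rendered


if __name__ == "__main__":
    db = build_db()
    print("raw   :", render_unescaped(db))
    print("escaped:", render_escaped(db))
```

Escaping is context specific: `html.escape` covers element text and quoted attributes, but a value dropped into a JavaScript string, a URL, or a CSS rule needs the encoder for that context instead, so the check "on the way out" has to be applied per output context rather than once for everything.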

  10. Easy ways to put people off on Passive-Aggressive Wi-Fi Hotspots · · Score: 1

    One of the APs local to me is called "IWillSniffYourPackets" or some such (I'm not at home right now to check). For the time that my SSID was not hidden (for some reason the old man's laptop refused to connect to the AP if the name wasn't visible, a problem that went away when the AP died and was replaced) I used "ReceptionError" figuring people would bypass a secured AP with a name that implied it wouldn't work in favour of the unsecured one called "Netgear" that was in the vicinity.

  11. Re:And businesses lose out!!! on YouTube To Kill IE6 Support On March 13 · · Score: 1

    Not to mention that it's trivial for businesses who don't want their users watching videos to simply block the site at the firewall.

    Trivial, but more obviously their choice. If YouTube stops working for their people by circumstance beyond their control (it no longer working on the company's chosen standard browser) they'll get fewer complaints (or at least fewer complaints that they can't just say "not our fault guv" to) than if it stops working because they explicitly block it.

    It could actually work in favor of people getting upgrades. If the PHBs start being inconvenienced maybe they'll demand the upgrade option gets taken seriously. Actually, cancel that - they'll just demand that they get upgraded.

  12. Re:One has to wonder on YouTube To Kill IE6 Support On March 13 · · Score: 1
  13. Re:Eh wouldn't surprise me... on Windows 7 Memory Usage Critic Outed As Fraud · · Score: 1

    UAC is not a bad idea, though it is not IMO particularly well implemented. They tried to do sudo but for the traditional Windows way of working (i.e. admin by default and adding blockers, where the sudo way starts unprivileged).

    If you don't understand how UAC works, you shouldn't try and criticise it.

    Care to enlighten me with your superior knowledge (or just a link to a good article that documents what I'm assuming wrong)? I'm always willing to learn and/or correct existing understanding.

    I know my statement of "trying to do sudo" is a gross over-simplification as the family of features UAC belongs to tries to do more than just that specific sort of privilege management, but a more detailed discussion didn't seem relevant to pointing out that UAC (as most end users see it, which is just the prompts on the "secure desktop") was far from the top sticking point that stopped people and companies upgrading to Vista if they would otherwise have put the time/money down for the upgrade.

  14. Re:Eh wouldn't surprise me... on Windows 7 Memory Usage Critic Outed As Fraud · · Score: 5, Insightful

    Vista was mostly looked upon badly because they introduced new security features.

    This was one of the issues, yes, but not the only one and not even the most important one for many users. Vista's key problem was lack of drivers for a lot of hardware and some of the drivers available for common parts were not all that stable initially even though they passed relevant certification. Second came performance especially on "vista capable" (or "vista ready", whichever was the lower designation) machines (many reported significant issues on better kit too, though this situation improved greatly with service pack 1). UAC was third on the average user's list of hates though it sounded worse as it was usually the straw that started the major rant "it asked me for confirmation X times before very slowly failing to work because of driver problems!".

    UAC is not a bad idea, though it is not IMO particularly well implemented. They tried to do sudo but for the traditional Windows way of working (i.e. admin by default and adding blockers, where the sudo way starts unprivileged). The result didn't fit as well as intended with Windows users' processes and was sometimes overly naggy (three prompts for some file operations where sudo would need one escalation request) and just ended up being more OK buttons for clueless users to click, and to top it off it worked badly for people expecting a more linux/bsd/other way of doing things - so essentially they failed to please either major group (i.e. neither those the feature was intended to protect nor those most likely to make a noise about such things were happy with it).

  15. Re:Only 994 commits in 2 years by 14 people? on After 2 Years of Development, LTSP 5.2 Is Out · · Score: 2, Insightful

    That's about one commit per 10 days per person. Is this sort of number normal in the open source scene? It seems very low to me.

    It depends on the size of the average commit. If most of them are small changes to single files then yes this is probably slow. But if a developer is working on a complex change then an individual commit could represent a significant number of man-hours developing, unit testing and regression testing before the commit. This is especially true if they are using some form of distributed source control whereby said developer has a local repository to keep inter-commit changes tracked in or if they are using a branch+merge arrangement (so the developer commits partial changes to a "personal" dev branch) and they are only counting commits/merges to the main branch/trunk in the above count.

  16. Re:we need to stop coddling stupidity. on Twitter Hit By BZPharma LOL Phishing Attack · · Score: 5, Insightful

    It isn't that your information is exposed if a friend's account is broken into (if you have stuff on Facebook or similar that you would care about being made public, then you are doing it wrong), it is the fact that a compromised account means the fraudster has eaten their way at least one level into your trust network. This means you have to think that little bit harder about your day-to-day link clicking (assuming some of your contacts are like some of mine and their dribblings are not always easy to distinguish from spam/phishing).

    The real problem is more dangerous phishing - that which attempts to gain access to bank details or attempts to convince the user to let some local code install. There is no way we'll ever completely stamp that out just as there is no practical way of completely stamping out burglary. The only thing we can do is to try to educate the general public (spit) to be a little (or in many cases a lot) less naive. This is unfortunately much easier said than done - some people seem incapable of maintaining a healthy level of cynicism when promised free smilies/cheats/porn or just "lols".

    Every now and then I consider starting a small spam/phish campaign that collects data, throws it all away, and gives the user a "why the hell were you stupid enough to do that?!?!" message. Perhaps distributing it as an app that collects Facebook account details and uses them to post a message stating "is stupid enough to give their password to a third party website" before deleting them. The second most significant reason I don't do this (the first being I'm too lazy to bother) is that the idiots caught and made to look daft would see me as the enemy and not learn anything more generally useful (like "if one anonymous site promising free shit can't be trusted with my password/creditcard/wife then maybe others can't either") from the exercise. Maybe banks could do it with their own customer base though - send out a fake phish and lock the accounts of people that fall for it until such time as they phone up and promise to be more careful in future.

  17. IE6 compatibility is *not* a valid excuse on Why You Can't Pry IE6 Out of Their Cold, Dead Hands · · Score: 2, Interesting

    The company I work for creates web based software used by large (by UK standards) banks and I can tell you that the vast majority of their userbase is stuck on IE6. The usual reason for this is compatibility with old apps, and IE6 is not as backwards as they get - one of the mortgage processing/calculating apps used when I was sorting the paperwork for my flat was DOS based.

    But compatibility is *not* a valid excuse for not installing something newer. It *is* a reason for not installing IE8 (you can't run IE8 and IE6 on the same machine without virtualisation or some completely unsupported hack), but it doesn't stop them putting on Firefox/Chrome/Opera/... alongside IE6 and just letting IE6 live for as long as the older apps live (which may be some time given my witnessing of a DOS based app in business-as-usual use two-and-a-half years ago).

    They will not upgrade from "IE6 and only IE6" until the cost of doing so (design/testing/roll-out of new desktop builds, extra support time needed because if they go for the two browser stop-gap it will confuse many of their should-be-sacked-from-jobs-that-are-well-documented-to-require-computer-competence-for-not-being-able-to-understand-such-things staff, paying for old software to be fixed/upgraded, and so on) is outweighed by the cost of staying where they are (those costs basically amounting to not being able to use certain software/sites (but they are big enough that saying "we'll consider your app if you support IE6" neatly sorts that) and looking like neanderthals (but the general public will never know and it doesn't really matter to them what us techies-in-the-know think)).

  18. Re:So why can't they.. on Why You Can't Pry IE6 Out of Their Cold, Dead Hands · · Score: 1

    IE8's compatibility mode is almost entirely compatible with IE7 - there are differences enough between it and IE6 that code using IE6 specific hacks and deviations from standard will break.

  19. Re:I don't quite see the market on New Linux-Based Laptop For Computer Newbies · · Score: 1

    In fact, I've just bothered to scan the article and related links, and they want you to pay a fair chunk for the laptop then pay for the support contract. That is not going to happen. It reminds me of a cartoon of a computer market stall advertising "computers for people who know nothing about computers, PentiumIIs for only $5,000"!

  20. I don't quite see the market on New Linux-Based Laptop For Computer Newbies · · Score: 4, Insightful

    "People who love Linux will be keen to develop for this," he said

    No they won't. People who love Linux/community/whatever will develop for Linux/community/whatever. People who would love the chance to make a quick quid/dollar by packaging up a FOSS app for the app store will love it, but that won't create a marketplace full of well supported apps. And the general public see the "free!" part of Linux and the "free!" part of FOSS apps and won't be wanting to pay for apps from an app store, especially while paying that much a month for a support contract.

    39.95 a month

    You can get a free netbook or lowish spec laptop for that, which will come with Windows and will run Ubuntu quite happily, with many mobile phone contracts over here. This comes with mobile Internet access and a phone you can make/take calls and send texts with. I don't see the market - people will not want to get a free computer then pay that much for support when they can get a free netbook just by agreeing to a mobile phone contract and moan about the lack of support they aren't paying for later (and/or get their mate to support them because Dave knows about these things).

    The biggest problem with Microsoft is badly-written software — the operating system allows you to write software badly unlike Mac or Linux.

    This is wrong on a level or two. While I'm no fan of Windows and the terrible software that definitely exists for it, I've also seen terrible apps and scripts for Linux too. No OS can protect the world from slap-dash design/programming with no mind for security.

  21. Or... on Google Buys iPhone Search App, Kills It · · Score: 4, Insightful

    They have effectively employed a Developer (or more than one if the company wasn't a one man band) for work on their mail related projects taking his existing work on a (popular?) mail related application as part of his CV. They were perhaps on the lookout for a developer with good experience in both mail protocols and UIs for mobile devices (I can see that skillset fitting in to their plans as I understand them). Said developer/company does not have time to maintain/support the iPhone app long term on top of new responsibilities in the new position with Google so decided to stop, and Google has no particular interest in keeping it going by passing it to another team either because the market for it is too small for them to care or it just isn't the direction they want to send a dev team in at the moment.

    There doesn't need to be any anti-Apple consideration here at all. Apple users need not worry: if there is a good market for such an application someone will step up to the bat and create one. In fact I predict many will turn up soon as people try to follow in this fellow's footsteps - you just need to hope one of the new projects will be both good and long lived...

  22. Re:When do people get this on 86% of Windows 7 PCs Maxing Out Memory · · Score: 1

    FYI, here's the memory usage of my Linux server:

                 total       used       free     shared    buffers     cached
    Mem:           720        702         17          0         55        510
    -/+ buffers/cache:        136        583
    Swap:          399          0        399

    It says 702 MB of used memory. Now look at "-/+ buffers/cache", it says 136 MB. That's the amount of memory *actually* used by applications.

    It isn't always that simple. Things other than just cache can get counted in the cached total too, the RAM allocated to VMWare VMs for instance, and tmpfs mounted filesystems. For instance, running "sync; echo 3 > /proc/sys/vm/drop_caches; free -m" on one of my VM hosts shows 6479Mb reading cached still after the flush when in fact the vast majority of that isn't anything to do with data cached from I/O operations. This means that "free + buffers + cache" does not always give the amount of physical memory that could be allocated right now without needing to swap anything out - you need to flush the cache+buffers to see that.
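    The "free + buffers + cache" arithmetic from the quoted post, and the caveat in the reply about tmpfs inflating the cached figure, as an added Python example that is not part of either comment. It parses /proc/meminfo-style lines (the sample excerpt is constructed; the 6479Mb VM host figure above is not reproduced) and compares the naive estimate with one that subtracts Shmem, the kernel's counter for tmpfs and shared memory pages, which are reported inside Cached but cannot be dropped by a cache flush.

```python
# Constructed /proc/meminfo excerpt (values in kB) for a host where a tmpfs
# mount holds a lot of data. Shmem is counted inside Cached, so the usual
# "free + buffers + cached" estimate overstates what could be handed to a
# new process without swapping.
SAMPLE_MEMINFO = """\
MemTotal:        8000000 kB
MemFree:          200000 kB
Buffers:          100000 kB
Cached:          6000000 kB
Shmem:           5500000 kB
"""


def parse_meminfo(text):
    """Return {field_name: value_in_kB} from /proc/meminfo-style lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, rest = line.split(":", 1)
        fields[name.strip()] = int(rest.split()[0])
    return fields


def naive_reclaimable_kb(fields):
    """The estimate the quoted post relies on: free + buffers + cached."""
    return fields["MemFree"] + fields["Buffers"] + fields["Cached"]


def shmem_aware_reclaimable_kb(fields):
    """Same estimate minus Shmem (tmpfs and shared memory).

    Those pages live in Cached but a drop_caches flush will not free them.
    This is still only an estimate: other non-droppable pages can also be
    counted (the commenter's VM host case is one), which is the broader point.
    """
    return naive_reclaimable_kb(fields) - fields.get("Shmem", 0)


def overstatement_kb(fields):
    """How much the naive figure overstates what is actually droppable."""
    return naive_reclaimable_kb(fields) - shmem_aware_reclaimable_kb(fields)


if __name__ == "__main__":
    try:
        # Use the live file when run on a Linux box; fall back to the sample.
        with open("/proc/meminfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MEMINFO
    info = parse_meminfo(text)
    print("naive   free+buffers+cached :", naive_reclaimable_kb(info), "kB")
    print("minus Shmem                 :", shmem_aware_reclaimable_kb(info), "kB")
    print("overstated by               :", overstatement_kb(info), "kB")
```

Kernels from 3.14 onwards export a MemAvailable field in /proc/meminfo that makes this estimate for you (and newer procps shows it as the "available" column in free); where it exists, prefer it over hand arithmetic on the buffers and cached columns.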

  23. This is, of course, impossible. on Interstellar Hydrogen Prevents Light-Speed Travel? · · Score: 1

    This is, of course, impossible - which is why the advertising executives of the star system of Bastablon came up with this slogan: "If you've done six impossible things this morning, why not round it off with breakfast at Milliways, the Restaurant at the End of the Universe?"

  24. It isn't "I want some of that too" on Rogue PDFs Behind 80% of Exploits In Q4 '09 · · Score: 3, Interesting

    In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.

    It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn Javascript off in the case of those holes in that area) were vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).

    The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.

  25. Re:Who would pay for the hosting cost? on Myst Online: Uru Live Returns As Free-To-Play · · Score: 1

    Completely decentralised would be difficult, probably impractical, to make work right. If by decentralised you mean people run their own discrete servers then you lose a large chunk of the MM from MMO. If they try disparate but connected servers with no centralised management the key problem would be one of consistency and coherence - the feel of the game could be lost in a mess of individual changes in areas controlled by different servers which would create a complex learning curve at best or alienate players at worst. Of course it could work well, creating an interesting free-form experience, but you would have to be lucky for that to happen.

    Caveat: I've never played Myst (it has been on my "really must find time to try that one day" list for many years, but I get the impression it is something that I'd want to find lots of time for to savour rather than rush through) so I might be just talking out of my arse here.