Slashdot Mirror


User: HadMatter

HadMatter's activity in the archive.

Stories: 0
Comments: 8

Comments · 8

  1. Re:We will probably never get to see them on Mozilla Starts Bug Bounty Program · · Score: 2, Informative

    So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

    Quoting from the Mozilla Security Bug Bounty FAQ,

    If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

    No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

    So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.

  2. That's http://recall.mozdev.org - Re:Check out ... on Mozilla 0.9.2 Storms Out The Gates · · Score: 1

    Try http://recall.mozdev.org, but see also http://bugzilla.mozilla.org/show_bug.cgi?id=36810 -- quote: "I started a project here but haven't worked on it in a while."

  3. It's a Release Candidate, not the Final 6.0 on Netscape 6.0 Released · · Score: 1

    Smells like a Release Candidate... heck, I renamed N6Setup.exe to N6SetupRC20001110.exe before I even ran it.

    Looks like a Release Candidate... Once the setup began, on the big blue background just under "Netscape 6 Setup" there was the text "Version 6.0.0.2000110801". Hmm, guess it's a couple of days old, better change that filename.

    Must be a Release Candidate... Sure enough, Apache logs the user agent as "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001108 Netscape6/6.0". The same text appears on the "about:" page. The "200001108" part is a build ID, familiar to anyone who's worked on Mozilla, but not what you'd want prominent on any build distributed to AOLers!

  4. This change is the opposite of monopolistic! on Network Solutions Changes WHOIS · · Score: 1

    Actually, this is an anti-monopolistic change!

    The whois command is meant to be used as "whois name@server" where name is a domain name or handle, and server is the server that has information on that name. At present, "whois name" tells you the name of the correct whois server to use to complete the lookup request, so long as the name is for a .com, .net, .org, .edu, or a handle for a contact for one of those. It used to be that if no server was specified, rs.internic.net, the default, used Network Solutions' data, but this is inappropriate now that there are other registrars.

    The data previously available is still fully available so long as the correct server is queried - and that won't always be whois.networksolutions.com. Some may prefer that rs.internic.net did the heavy lifting and made the request to the correct server and presented the originator with the final query, but I wouldn't expect that to happen.


  5. Media and Consumer laziness is normal, not trendy on World Wide Web "Shrinking" · · Score: 1

    Situation normal: trendwatching is not thinking.

    Don't you just love the willful faux naivete of reporters who would rather ignore any complicating facts they may have learned if they get in the way of a good, focused, controversial story? (Yes, you heard the sarcasm.)

    What makes "Web Travelers Follow Beaten Paths to Similar Sites" by Charles Piller so ridiculous and hypocritical is the fact that, to get a job at the L.A. Times, he must have developed some degree of skill at researching and hunting down relevant information that is not already media-predigested. After all, as a newspaper, the L.A. Times is expected to present stories that include at least a little new information, and he is getting paid to write for them. Evidently he expects his readers, who mostly have access to a breadth of information sources through the web that the best funded newsroom could never have afforded ten years ago, to take no advantage of it. Unhappily, I am sure that he is right for far too many people.

    But when has it ever been different? Even in historical golden ages of learning most people made no real effort to get out of the rut their lives were in, and likewise most businesses tried to make the best of their situations instead of creating better ones.

    The internet lets people connect to information when they want. Is it any wonder that many choose to find structured news - international, financial, weather, sports - through a portal site where it can always be found, and where it is expected to be up to date, rather than looking through a newspaper or waiting for the TV or radio news? I'm not sure this says as much about the internet as about the traditional media.

    The real story with the internet is not that the greater part of society continues to make little effort to create and look after their own interests, but that those who don't want to be bored and boring have access to a world of information without needing a major budget.

    So only 80% go to websites the report categorized as "other" each month. What else is new. Here's the real question: how many experience some of the breadth of the web every week, or every day? How many of them regularly did something similar before the web?

    Yes, people who gain some experience use the web as a tool, rather than just surfing around, but it is the most multivalent information tool civilization has ever had. Lest anyone forget, even the most mainstream of portal sites offers access to a greater variety of information than the 11:00 news ever did. And any story that piques interest can be researched right then.

    You don't have to be an activist, or interested in dissent from the conventional, or a Noam Chomsky disciple, to simply want to know more about your skills, your field, your hobbies, your interests, than any portal site will have prepackaged.

    It was, after all, people who got really interested in things the mainstream didn't have available who created Yahoo and Hotmail and Amazon. However much big media money enters the web sphere, however much big media pressures the .com companies toward the lowest common denominator, these sites and so many more allow both consumers and those who consider themselves producers to do any number of useful things inexpensively that previously couldn't be done at all. Two steps forward, one step back, perhaps, but that's still ahead.

    More importantly, for the individual, there's effectively an infinite number of paths ahead at any time, paths to involvement and challenge or at least customized distraction. Meanwhile, just like always, most people most of the time are bored or tired enough to consider buying what big media is selling a fair trade. Face it, for almost all of us it is a fair trade at least a bit of the time. But really, which is the big story here?

  6. Collecting from whom for whom? on ASCAP Shakes Down Webmasters · · Score: 3

    In some ways this looks like more of the same tempest in a teacup about commercial identity and framed content, and if that's all it was, who'd care? It's not like I ever spend time at framed sites. There's another issue lurking here, though: the appropriate use of the appropriate technology, whether it be sophisticated systems or just the right contract language, to channel the flow of money from listeners to the correct artists.

    That is, after all, the whole purpose of performing rights associations - to provide the service of collecting revenues for their members. They are a bit like governments that way: *everyone* complains when overhead and administration costs rise, the fair shares that everyone wants add up to more money than there is coming in, and no matter how the policies are set, they can never, in the real world, be completely fair or accurate. And it's the small fry who can't afford to lobby and are considered hard to count that tend to get proportionately less of the revenue.

    OK, so the system can never be perfect. But can't it get better?

    When you buy a CD, the correspondences are exact. Aside from overhead, the correct artists and publishing companies get all of the performing rights fees collected from the maker of the CD.

    Concert performances fall in the same category. A fee gets paid based on headcount, and the bulk of that revenue goes to those actually responsible for the selections of music heard at that concert.

    In radio, the correspondences are less exact. Each radio station pays blanket fees, and is also periodically audited in the simplest possible way: a list is made of every piece of music paid during a period of time. Those lists are the basis for the apportionment of revenues collected from the radio stations. This could never be perfect, and the artists that could most use just a bit more income are the very ones who tend to disappear in the statistical noise, but the system works, and it could always be incrementally improved.

    But what ASCAP is trying to do here seems to be to collect more money from additional parties who have no possible way of providing useful data for the apportionment of that revenue.

    Ability to pay disregarded, it is quite apparent that most people will willingly pay reasonable fees to listen to the music they prefer. CDs are bought and sold at a more-than-reasonable price, while listeners catch as catch can for any music that they don't prefer to buy at a premium of 1000% or more than the composers and performers will get paid.

    It's easy to envision the administrative nightmare that would arise if performing rights tried to collect accurately and directly from each listener for each piece of music enjoyed or endured. Reductio ad absurdum, compromises must be made.

    But can't we do better than this? After all, regardless of whether a link to an internet radio station appears to be part of another site or not, music that gets to a listener came from the radio station, not the site providing the link - regardless of all other considerations. The station can presumably provide the straight goods on what music was played and how many were listening (at least on average). Rest assured that all countable listeners, regardless of how they came to listen to that station, will be included in the formula for the amount the station must hand over.

    If I read the Wired article right, what ASCAP is doing here is the equivalent of double taxation.

    Before trying to collect twice for the same listener, perhaps it makes more sense to collect from those that proxy streaming media. They serve actual *additional* listeners, and besides, they are the most of the ones that get a good enough signal to bother listening nowadays.

  7. Re:This is not such a bad thing on @Home quietly initiates 128k upload cap · · Score: 1

    OK, for the purpose of discussion let's assume that all the @Home customers are wanting from their internet service is fast web browsing. Let's do some math. The internetnews.com article says that downstream speeds of up to 3 Mbit/s will remain unchanged. So let's divide 128K into 3M: the outgoing traffic associated with full use of the downstream connection would be some 23 times smaller.

    Have you ever, while browsing the web, seen outgoing bytes less than one twentieth of incoming bytes? I never have. One to ten, maybe one to twelve is realistic. With modern browsers, more than just the URL is added to the TCP header with each HTTP GET request. Yes, for the second and subsequent incoming packets of each connection, nothing much more than an ACK needs to be sent, but the average outgoing packet is still going to be closer to 100 than 50 bytes.

    Let's do another calculation: let's divide that factor of 23 and a bit into a typical incoming packet of 1500 bytes. That comes to exactly 64 bytes. Considering that the IP header for each packet is normally 20 bytes, and the TCP header is another 20, that doesn't leave much room for HTTP payload before the 128K upstream cap would start to limit the rate at which downstream traffic can be requested and acknowledged.

    About the only kind of web access that would be immune to slowdowns under a 20-to-one ratio policy would be large file downloads, but we were talking about web *browsing*, weren't we?

    The conclusion of this exercise? Let's look at it this way: Of course ftp servers etc. would slow things down - if outgoing bandwidth is clogged, incoming traffic will need to wait for the acknowledgements of already-received packets to get out, and new requests to get out. That much is elementary. From an egalitarian perspective, capping everyone at a "reasonable" outgoing data rate will have the desired effect of allowing everyone to get their due share of the inbound data. But from a selfish perspective, a 128Kbit/s cap on outbound data will cut my incoming data rate from 3 Mbit/s to something more like half that. A cap of 256Kbit would be large enough to create almost no practical limitation on web browsing speed, and very little effect on the cost of providing service.

    So why is the cap at 128, not 256? Here's my guess, and this is only a guess: 256Kbit/s would still be enough to make it "worth the while" for those who want to flout the AUP and run a server from home.

  8. Illusion: it's redraw speed, not re-render speed on MS writing Internet Explorer for Linux? · · Score: 2

    If I'd installed it first on my main machine, I'd never have noticed. On the old 486 where I install s/w that I need to document for tech support, it's painfully obvious that IE5 looks faster than it really is.

    Yes, IE5 is much faster putting something up on the screen when you hit the back button, but if you immediately try to scroll down, there's still a wait. It looks like IE5 caches a bitmap of the last window, and remembers where the hotspots are, but if you want to click on something that is outside the "viewport," you still have to wait for the re-render -- delayed a little more by the re-draw.

    That's not faster, that's just craftier. Arguably, with the mix of machines out there it's the right thing to do. Just call it what it is.