Slashdot Mirror


User: Jerf


Comments · 3,272

  1. Re:With all due respect on How to Crack a Website - XSS, Cookies, Sessions · · Score: 1
    The XSS mentioned requires the use of phishing techniques...
    To you and everybody else who keeps thinking this somehow discredits the article:
    • The only reason he needed to "phish" was that this site had a maxlength on the relevant textbox. Other sites won't. Many sites can be directly exploited. The phishing in this case shows that maxlength is not an adequate security mechanism (duh), not that phishing is required in general to exploit sites.

      Moreover, I'm pretty sure that if he was a bit more clever, or a bit lucky, he could have skipped that too. We don't know what site he was working on, but I wouldn't be surprised that he could have written an exploit that sent out code that used Javascript to strip off the maxlength parameter, loaded in his exploit code, and then proceeded onward, all without user intervention.
    • Have you not been reading the news? Phishing works all the time! If you have a large enough site, the odds of at least one of your users falling for it approaches 100%. If you're basing your security on "not being phished", it's not even worth calling "security".
    Thirdly, is simple abuse of a poorly designed web application.
    Your average web application is poorly designed. I've found XSS in commercial apps, but they do tend to converge on security. Eventually. But even names as prestigious as Oracle have had XSS flaws.

    The problem is that all of these flaws are of a kind; if you don't escape your user's input correctly when sending it back into the user's HTML page, it's a good guess that you also send the user's values into the database unescaped, or that you'll happily run uploaded PHP content unescaped. It's really all the same error, so they tend to all show up at once. And they do, often.

    Pointing out that XSS can only be done on poorly designed sites is really a tautology. The fact is, there's a lot of them, and I hope this article will open some eyes about how serious that poor design can be.
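The two points in the comment above (maxlength is only a client-side hint, and unescaped output and unescaped SQL are the same error) shown as an added example that is not part of the original comment. The form fields, the 20-character limit, the table and the request body are all constructed for illustration.

```python
import html
import sqlite3
from urllib.parse import parse_qs

MAX_NAME_LEN = 20  # constructed: the limit the form advertises via maxlength="20"

# Constructed request body. The browser-side maxlength never reaches the
# server, so a client that ignores it can send a longer value with markup.
RAW_BODY = ("name=%3Cscript%3Ealert(1)%3C%2Fscript%3E+and+more+padding"
            "&note=x'%29%3B--")


def parse_form(body):
    """Parse a urlencoded POST body. Nothing here knows about maxlength."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(fields):
    """The flaw: user input is interpolated into the HTML page as-is."""
    return "<p>Hello, %s</p>" % fields["name"]


def validate(fields):
    """Server-side length check, the only place the limit can be enforced."""
    errors = []
    if len(fields.get("name", "")) > MAX_NAME_LEN:
        errors.append("name exceeds %d characters" % MAX_NAME_LEN)
    return errors


def render_safe(fields):
    """Encode for the HTML context at the point of output."""
    return "<p>Hello, %s</p>" % html.escape(fields["name"], quote=True)


def store_and_read(fields):
    """Same principle at the SQL sink: bind parameters, never concatenate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(name TEXT, note TEXT)")
    conn.execute("INSERT INTO notes(name, note) VALUES (?, ?)",
                 (fields["name"], fields["note"]))
    rows = conn.execute("SELECT name, note FROM notes").fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    form = parse_form(RAW_BODY)
    print("received length:", len(form["name"]), "limit:", MAX_NAME_LEN)
    print("unsafe:", render_unsafe(form))
    print("errors:", validate(form))
    print("safe:  ", render_safe(form))
    print("stored:", store_and_read(form))
```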
  2. Re:A Solution... on Botnet Herders Attack MS06-040 Worm Hole · · Score: 4, Insightful
    This is a complicated topic, and I don't have a pat answer. But let me give you two of the counterpoints:
    1. Corporate users can't do that; they need to test the patches first. Obviously, "corporate" users could then get an option to not auto-download the patches. But the corporations aren't conservative about patching because they like to drag their feet; technically it's easy to roll out a patch in a matter of hours, even minutes for small ones that don't require a reboot. The problem is that patches aren't perfect, and they will tend to break computers that used to work, and programs that used to work. Worst case scenario they can even destroy data.

      Corporations have trouble because they may well have thousands of configurations they need to support, so even if 1% of them fail, it's a major problem. Still, imagine if Microsoft forces a patch out, and they cause the machines that have Quicken version 6.3532 build 4 to completely destroy all financial records on their next startup. (Or even just render them unreadable, since we're assuming non-technical users.) Imagine the liability issues, which, frankly, probably terrify the executives at Microsoft already when they issue a patch. Forcing the patches on users makes those issues even worse.
    2. If Microsoft has the ability to force your machine to run an update, they literally own your machine. They can make it do anything, and you can't stop them. Already the activation stuff has caused some issues, and I've basically bailed on Windows as a result and consider it a good reason for everybody else to bail, too. The computer needs to belong to you, not your corporate overlords. (The term "corporate overlord" in this case is used without sarcasm, because at least in computing terms, they really are.)
    I think the problem boils down to the fact that it may not be possible to run a general-purpose computer in an incredibly hostile environment without a high degree of operator skill, and people in general, quite justifiably, do not wish to attain this high degree of skill, just so they can safely surf the web, send email, and use IM. Until a completely secure computer is built, or at least a far more secure one, I'm not sure what can be done about this.

    The worst part is, none of what I've said here contradicts anything you've said. It's all in play at once? So, which side dominates, and under what circumstances? I really couldn't tell you. However, I would think the empirical evidence at the moment is in your favor. But is the only/best solution really to cede control over your computer to Microsoft (which are the people who got you into this situation in the first place)?

    At least Open Source doesn't have that issue; since nobody is in charge and nobody is making money by controlling your computer (DRM, etc), the conflict of interest involved in creating a security situation where what seems to be the best solution is deeding your computer over to the same people doesn't come into play.
  3. Re:Is it possible on The Self-Modifying EULA? · · Score: 2, Interesting

    Expanding on Hesiod's point, if you can manage to avoid threatening to kill the rest of us for disagreeing with you, you'll find that most people aren't going to label you a terrorist.

    If, on the other hand, you have a belief set where you think you do have the right or the need to make that threat... well, you would be a terrorist and the system would be correct to so label you!

    I'm not going to sit here and tell you that nobody has been falsely labelled a terrorist lately, but I will tell you the number is very very small, they've mostly been border-line cases not "random schmoes", for the most part the consequences for such people have been minor, and a lot of people seem to manage advocating all sorts of things, including overthrowing the current Administration (also known as "voting for a Democrat to be President") without spending time in jail for it. Even very mainstream people; when's the last time CNN ran something, anything complimentary to President Bush? 9/12/2001?

    If true repression were in place, it would not look like Barlow filing a lawsuit and some protesters getting put on the do-not-fly list. It would look like, you know, a dictatorship, like in China, where even posting something on the internet "anonymously" against the current government is completely literally taking your life into your hands. Here, people talk like they are taking their life into their hands, but they sure as hell don't act like it, because if you really believed you were taking your life into your hands, you don't run around on every site you can find posting this stuff with enough information for anybody (let alone the government) to find out who you are with maybe two minutes' searching. Or at least, such people would be mysteriously "filtered out" of consideration. Clearly, that's not happening.

    (And no amount of whining in reply to this post can make it true. Unless you actually fear for your life contradicting me, you'll only further prove my point. And personally, I find it's easy to type "I fear for my life as a result of my beliefs."... like that. It doesn't make it true, and I really won't believe it even if you claim it. (Feel free to try to convince others, of course.))

  4. Re:Do you forget 17 USC 107 et seq? on OLGA Shut Down by DMCA (again!) · · Score: 2, Interesting
    From my understanding, once you change a couple of "riffs" in the song, it becomes a different song and therefore is not subject to copyright.
    Your understanding needs to grow to include the concept of derivative work.

    Believe me, I am well aware the current copyright system has some major conceptual holes in it (most of which even the Slashdot community really hasn't gotten to noticing yet) and the shit has only begun to hit the fan. But the system is not so broken that they would fail to notice such an obvious hole that would allow you to basically strip copyright protection from whatever you want with minimal effort.

    Just because I am correcting you on this point should not be interpreted as an endorsement of the entire existing system, or as anything other than, simply, a correction on how you understand the current system.
  5. Re:What ever happened to XUL? on What's Spreading "the AJAX Wildfire"? · · Score: 1

    I'm going to hazard a guess that if I got a +5 on Slashdot goring what used to be a very sacred ox (the benefits of XUL), and then you posted this question basically begging for someone to justify that XUL will become something in the future, and you got 0 answers after ~15 hours (not even one contradicting me), that the fervor is dead. The set of people who would post that message is probably still non-zero, but it used to be you couldn't spit without hitting one on Slashdot.

    The project continues, I know, but I think the evangelism and the hope amongst the general population has passed. I know they are building their XUL runtime, with the goal of separating out Firefox and Thunderbird and Sunbird and the other things currently based on XUL so they can all share a runtime instead of requiring one customized copy of the (large) backend per app, and theoretically other things could run on it, but that's probably about it for XUL for a while.

    Meanwhile, the real widget platforms like GTK and QT are growing ever more powerful capabilities, and you can attach Python or Perl or Ruby or a number of other things to those platforms, all of which are better than Javascript right now for large programming projects, and all of which are better than C or C++ for GUI application development in the general case. (Javascript is better than most people think, but it's missing some key features for app development right now, like namespaces, a threading model, and a few other things.) By the time Mozilla gets to where they want to go, I'll bet QT is basically there, only with everything else QT can do, too. (Take a look at their API sometime, even if you aren't interested in a QT app at the moment, or the GTK API. What you can do with those things is amazing.)

  6. Re:Old-school on DIY Random Number Generator · · Score: 4, Informative

    Yes, but the programs that use this don't use just the key distribution. First, they also use the time the keystrokes occur, which is reasonably random.

    Second, you can measure "how random" something is (for suitable definitions of "random") by measuring its "entropy", which is a measure of how many "random" bits are in a given input. The entropy of English text is 1.1 to 1.6 bits per character, which means to safely obtain a 128 bit key from a bit of English text you need almost as many characters as you want bits. "Smashing on the keyboard's" randomness will probably vary even more, from perhaps as low as ~.5 if you smash poorly to 2.5-3 if you smash "randomly", but you also get the entropy from the timing information, which if you use a very-high-resolution clock contributes several bits itself.

    So, basically, this "statistical analysis" problem is extremely well known, and very well quantified, down to the fractional number of bits of randomness that you can extract from a bit of text. Since these fractional bits can just be added together (four "English text characters" at 1.5 bits apiece gives you 6 strongly-"random" bits), the solution turns out to be very simple: Smash on the keyboard longer, until you've got at least as much entropy as you have bits. Voila, a strongly-random key suitable for almost all purposes. (It probably is suitable for all purposes, but taking a key from radioactive decay has the advantage of letting you know the key is random, whereas with this technique you can only be "very, very, very sure".)

    Handled properly, it's not a problem.

    Many, if not most, modern systems will also maintain an "entropy pool" at the OS level, which uses interrupt timings and other such events to feed the pool, which can then be drawn on by programs in lieu of reading the keyboard directly. This works nicely, and among the inputs used are keyboard and mouse events.

    The nice thing about the entropy pool is the input can really come from anywhere. It doesn't have to be totally random to contribute, it just can't be totally predictable.
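The entropy accounting described in the comment above, as an added example that is not part of the original comment or of any real key generator. The 1.1 bits per character is the low end of the comment's figure; the 2 bits per timing sample, the class and function names, and the sample keystrokes are assumptions made for illustration.

```python
import hashlib
import math
import struct

BITS_PER_CHAR = 1.1    # low end of the 1.1-1.6 bits/char figure for English text
BITS_PER_TIMING = 2.0  # assumption standing in for "several bits" of timing


def events_needed(target_bits, bits_per_event):
    """Events required when each one is credited bits_per_event bits."""
    return math.ceil(target_bits / bits_per_event)


class KeystrokePool:
    """Mixes every keystroke into a hash, but credits entropy conservatively.

    Illustration only: real programs should draw from the OS pool
    (os.urandom / secrets) instead of reading the keyboard themselves.
    """

    def __init__(self, target_bits=128):
        self.target_bits = target_bits
        self.credited = 0.0
        self._hash = hashlib.sha256()
        self._last_char = None
        self._last_time = None
        self._last_delta = None

    def add(self, char, t_ns):
        # Mixing never hurts, so every event goes into the pool.
        self._hash.update(char.encode("utf-8"))
        self._hash.update(struct.pack(">Q", t_ns))
        # Credit only input that is not totally predictable: a repeated
        # character or a perfectly regular interval (key auto-repeat) gets 0.
        if char != self._last_char:
            self.credited += BITS_PER_CHAR
        if self._last_time is not None:
            delta = t_ns - self._last_time
            if delta != self._last_delta:
                self.credited += BITS_PER_TIMING
            self._last_delta = delta
        self._last_char, self._last_time = char, t_ns

    def key(self):
        """Return a key only once enough entropy has been credited."""
        if self.credited < self.target_bits:
            return None
        return self._hash.copy().digest()[: self.target_bits // 8]


def sample_events(n):
    """Constructed keystrokes: English text typed at irregular intervals."""
    text = "the quick brown fox jumps over the lazy dog "
    deltas_ms = [91, 140, 77, 203, 118]
    t_ns, events = 1_000_000_000, []
    for i in range(n):
        events.append((text[i % len(text)], t_ns))
        t_ns += deltas_ms[i % len(deltas_ms)] * 1_000_000
    return events


def held_key_events(n):
    """Constructed keystrokes: one key held down, repeating every 30 ms."""
    return [("a", 1_000_000_000 + i * 30_000_000) for i in range(n)]


def fill(events, target_bits=128):
    pool = KeystrokePool(target_bits)
    for char, t_ns in events:
        pool.add(char, t_ns)
    return pool


if __name__ == "__main__":
    print("chars needed, text only:", events_needed(128, BITS_PER_CHAR))
    for label, ev in (("41 typed", sample_events(41)),
                      ("42 typed", sample_events(42)),
                      ("500 held", held_key_events(500))):
        p = fill(ev)
        print(label, "credited=%.1f" % p.credited, "key ready:", p.key() is not None)
```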

  7. Re:What ever happened to XUL? on What's Spreading "the AJAX Wildfire"? · · Score: 4, Interesting

    XUL, if you are speaking of XUL proper, just isn't that useful to make it worth toasting 90% of your audience. XUL is basically just some more widgets than what you get in HTML, highly focused on writing a browser. Anything you see in Mozilla or Firefox is XUL, so you can see a lot of the extra widgets just by poking around in the "preferences" dialog or looking at the browser's basic interface (menus, location bar, etc).

    Mind what I'm saying; I'm not saying real menus or a real tree widget isn't useful; I'm saying they haven't made it worth cutting out the IE chunk of your audience. I'd love to see the W3C standardize a tree widget into (X)HTML, but that seems unlikely right now.

    The behavior of XUL is specified with Javascript, and that's indistinguishable from how conventional HTML pages already have the full power of Javascript.

    So, the only part of the traditional XUL platform left is XBL, which A: doesn't appeal to your average "cowboy" coder anyhow because they can fully understand the costs of using XBL but can't see the benefits and B: Has basically missed the window where it could impact anything because it's been buggy as all hell for a long time, to the point where even if they fix it a lot of us wouldn't notice. Basically, it works for writing a browser but my experience is that the minute you step outside of that domain, all hell breaks loose. Granted, that experience is from 2005, but it didn't materially differ from my experience in 2000 (no typo).

    If you get down to the real causes, I think the basic problem with XUL/XBL etc. is that while it had promise in theory, it brought a lot of baggage into developing even simple applications (you need to understand XML, because XUL and XBL are based on it, plus you need to understand XUL and XBL itself, then you have to understand Javascript, DOM, and to really use XUL/XBL you also need RDF which is another can of worms entirely, and finally it was buggy and implemented just enough to write Mozilla in it and not much more), but it really doesn't offer a significant advantage over, well, much of anything else, really. Having tried to make XUL actually do something several times now, I'd rather develop in Visual Basic. Pre-dot-Net. And I say that as someone who really doesn't like Visual Basic. Basically, six+ years after starting to develop this stack and the advantages are still theoretical; the only existing apps, as near as I can tell, require full-time teams to fix up the Mozilla core in conjunction with the team actually writing the app, and that's just stupid when you've got so many great choices already available to you, from Visual Basic all the way to my preferred Python+wxWidgets (or PyGTK, or PyQt, or heck, even the Tk interface). By the time you get to the point where you are a skilled enough programmer to master the stack of Mozilla technologies, you are aware of better choices.

    Including just sucking it up and going pure HTML, which is what I ended up doing, writing my own XBL-esque technology to help me. And I've noticed a number of the Javascript libraries like Dojo share the same basic Widget design as my library, so even the majority of advantages of XBL are available in conventional HTML now with readily available open-source libraries, again, leaving what's left not worth it. (Especially if you count the XBL bugs.)

    So, the basic problem with XUL, considered as a whole stack, is that the costs are staggering and the benefits very, very marginal. As a result, it's basically dead; there's never a case where XUL is a better solution than either pure HTML or a real app.

  8. Re:Mining Wikipedia and other online reference sit on OpenCyc 1.0 Stutters Out of the Gates · · Score: 2, Insightful

    If you could build a Cyc-like database simply by feeding it a large amount of more-or-less unstructured text, then the Cyc project wouldn't have been necessary in the first place.

  9. Re:That's great and all... on Computer Manages Restaurant Workers · · Score: 1

    Two, what's going to be the Next Big Thing in the minimum-wage kitchen.

    I expect fast food restaurants to mutate into fully robotic kiosks over the next 10 to 15 years. I don't expect it to happen overnight; it'll be incremental. But already the first tiny signs are showing; this story is one, and I'm starting to see low-level robotics appear in the fast-food restaurants themselves. They're starting to play with the ordering mechanisms for the kiosk, too.

    Eventually you get down to just one employee who is basically a security guard, janitor, and front-line customer support ("oh, sorry your sandwich is screwed up sir, here's a refund/new sandwich"), and is armed with a phone number to call when anything unexpectedly goes wrong.

    I think this is probably technically feasible even with just the technology of today, so it's just a matter of decreasing prices and actually developing it. I would expect the big fast food restaurants to have teams researching this by now.

  10. Re:Highbrow definition on Why Are There No Highbrow Video Games? · · Score: 1

    The culture of the elite is supposed to portray the best traits of humanity, its noblest and worthiest virtues, its most beautiful aspirations, and the perfection of taste. One might contrast this with the culture of the "proles", which tends to glorify mediocrity and small aspirations, encouraging its consumers to adhere to a "steady-state" life of simple wants, of "living for today", of thinking as little as possible, and generally enjoying what they have.

    So you would agree that by this definition, quite a lot of "pop" culture is actually "highbrow"?

    I personally haven't got a problem with any particular definition, actually, as long as you're not trying to slip other, irrelevant connotations in the backdoor. This is a fine definition, but it's very often going to run counter to what most people think of "highbrow", as there is a lot of "pop" culture that would meet that definition (even some of the "trashiest" stuff), and a lot of modern art that is antithetical to that definition as it positively revels in the degradation of Man, especially his noblest virtues. If you stick with it consistently, then that's great.

  11. Re:Pointless article... (postscript) on Why Are There No Highbrow Video Games? · · Score: 1

    (By the way, I'm assuming the closest thing to a definition the author gave, dealing with "history, science, technology, politics, music, art, religion, diplomacy, family, manners, love, death, duty, sorrow, revenge, depression, and joy" isn't what he really means by "highbrow" because there are umpteen bajillion good games that deal with each of those, and I'm hoping and praying the author isn't ignorant of all of them, because many of them are quite mainstream. I'm pretty sure the author is invoking just the vague meaning in his head, and just put this here to try to rationalize it, poorly.)

  12. Pointless article... on Why Are There No Highbrow Video Games? · · Score: 5, Insightful

    This is a pointless article... but I'm probably not saying that for the reason why you think I'm saying that.

    The problem is that "highbrow" is not defined. Classical music, perhaps the definitive example of "highbrow", was actually the pop music of the time; it enjoyed widespread popularity among all classes. One can profitably argue that this is because it had no real competition from 100 genres like today and it was about the only real music available of any kind beyond folk songs, but it was still popular music.

    Is highbrow merely a synonym for "pretentious and boring"? I can't find it in me to cry about "pretentious and boring" not being well represented in gaming.

    Is highbrow something like "acquired taste"?

    Is highbrow "difficult to understand"?

    Depending on how you really define what you're talking about, the answers vary widely. In the absence of such a definition, this essay is simply content-free, alluding to some vague idea in your head that may or may not resemble some vague idea in the author's head, which may or may not actually correspond to reality in any particular sense. It may make you feel warm and fuzzy to say something insightful like "we need highbrow games", but that's the totality of the value of the statement: warm fuzzies.

  13. Re:This will invite more unjust lawsuits on Google Warns Users About "Unsafe Sites" · · Score: 1

    In that case, I doubt a lawsuit will be necessary; Google will just fix the listing and probably try to figure out why they were listed in the first place.

  14. Re:People really have a problem with subtle points on The Sometimes Fallacy of The Long Tail · · Score: 1

    But more likely, those that serve everyone will continue to dominate.

    I agree. Ultimately, this is why I think the "Long Tail" stuff is more sociology than business plan; starting a business with the express purpose of serving the Long Tail is still setting yourself up for failure. What will happen is that Amazon will use the power of the Internet and computers to eat your space, and you won't have the resource to fight them or do any better.

    It's good sociology, and it's worth thinking and talking about, but as usual, trying to directly harness the sociology for business purposes is easier said than done. Usually the people who manage it do it in an unpredictable way, and you only realize after the fact that they harnessed a trend, and all the people who tried deliberately simply fail.

  15. Re:This will invite more unjust lawsuits on Google Warns Users About "Unsafe Sites" · · Score: 2, Insightful
    It would be a brief lawsuit.
    The most important defense to an action for defamation is "truth", which is an absolute defense to an action for defamation. - Defamation: Libel and Slander Law at ExpertLaw
    To win this lawsuit, the malware providers are going to have to prove that they don't do exactly what Google says they do, which is going to be challenging.

    Some borderline cases might slip through; I seem to recall Gatorsoft (maybe as Claria?) getting an exemption from some anti-spyware software/lists by claiming that the user installed their products for the features (like automated form-filling) and were 'clearly' notified about the other aspects of the software, but even catching the totally sleazy operators would be a major win. (And odds are Google would still find some verbiage to apply to even this edge case even if they were sued.)
  16. People really have a problem with subtle points on The Sometimes Fallacy of The Long Tail · · Score: 4, Insightful

    People in general really have a problem with subtle points. If there isn't an "A IS GOOD, B IS BAD" in there somewhere, they'll simply convert the point into an "A IS GOOD, B IS BAD" point, and to hell with understanding what's actually being said.

    The aspect of the "long tail" argument that I think makes sense is not that there will be no more hits. In fact, the entire Long Tail argument is really predicated from the get-go that the popularity distribution will remain the same, albeit possibly with a scaled-down top end. (But even a hit that is 25% of the best hit of today would still be a big hit.) The point is that there is an untapped "long tail" that it is now possible to reach economically. The tail has always been there, but it has been difficult to make serving it work economically.

    There will still be people who deal only in hits, it's just that there will also be people who deal only in the tail, and the latter may become very large, too, perhaps even Amazon-sized, whereas before this was essentially impossible.

    Converting this into a "THERE WILL BE NO MORE HITS (BAD!), ONLY THE LONG TAIL (GOOD!)" is really missing the point entirely, and arguing against that is arguing against a strawman as far as I am concerned. (Of course, arguing against a person who is actually saying that isn't a strawman.) The ratio may change, in fact I think it will change, but due to network effects, there will always be bona-fide hits.

  17. Re:Nanoweapons scare me on Lifeboat Foundation Nanoshield · · Score: 2, Insightful

    Do you think they could out-perform white blood cells?

    Artificial nanobots don't need to "out-perform" white blood cells, because we'll still have white blood cells.

    What they can do is fill in holes in the immune system, which is far from perfect. Any cancer that kills a person was clearly not caught by the immune system. A nanobot might be specifically tasked with killing that cancer, and it will do a better job than the human immune system.

    However, I doubt "a robot" of any kind will be the nanotech solution to that problem. I expect an artificially-constructed wrapper will be keyed to some unique aspect of the cancer cells, causing the wrapper to unwrap only when near (or, if we're really good, in) the cancer cells, releasing perfectly normal poisons into or near the cancer cells, killing only the cancer cells with minimal collateral damage. In fact, I expect our children or grandchildren to consider the era where we pumped the body full of drugs and just sort of hope that some of the drugs affect, say, the liver without causing too many side effects elsewhere to be the dark ages of pharmacology, in much the same way we view the times before antibiotics.

    The more I think about it, the more I disagree that we're all going to have a lot of little robots running around in our body, as I have yet to come up with a task where a general purpose robot is the best solution. And the robots are significantly more complex than special-purpose wrappers delivering custom-order drugs and chemicals; by the time we can build those robots, I'm going to want those robots to be my body, not fixing up my meat-bag. (Sorry, body.)

  18. Re:Talk about an understatement... on Inside the NES Worlds of Power Series · · Score: 1

    Be careful not to jump into the air too suddenly; you may be struck by high-velocity understatement.

  19. Re:While we're at it... on Warner to Sell Music on DVD · · Score: 1

    Any stream that mplayer can play, it can rip the audio track out of. You want something like 'mplayer -ao pcm:file=yourfilename.wav -vo null ' and the track you want to rip (usually 'dvd://1'). At that point you will have a .wav file, which you can convert to whatever you want. -ao says to write out to a file, and -vo null says not to try to play the video, which allows the ripping to run at full drive speed, instead of at video-speed.

    Note that getting non-sanctioned DVD players on Windows can be a pain; I'm sure there's a Linux LiveCD with mplayer on it, if you're using Windows. This is likely to be easier than trying to set up Windows and mplayer to do this.

  20. Hire a professional (or become one) on Managing Site Growth? · · Score: 4, Insightful
    What is the best way for a low-income, non-professional, but enthusiastic web designer/administrator like myself to manage site growth as it leaves the realm of just-for-fun?
    Unfortunately, the only answers are either hire a professional, or become one.

    "Scalable" and "customized" are two things that when put together simply require a professional. And quite a lot of people calling themselves "professional" can't handle it, either.

    Now, by "professional" I don't necessarily mean a degreed guy who makes at least $X thousand a year with Y years of experience. What I mean is, you're stepping into the domain where you can't hardly acquire the experience and skills necessary with anything less than full dedication usually brought on by having a job in the relevant domain.

    There is, however, one other possibility for you to consider. If you analyze your needs and the available packages for your type of website, you may find that you can drop the "customized" aspect of it, if you can find a project close enough to your needs to require only minimal customization, perhaps even no actual code customization. Then you just need to import the data, and you will presumably have satisfied yourself that this package can meet your performance needs.

    If the website you are referring to is the "OmniNerd" site you have a link to, then I would imagine this should be feasible. There are a lot of "news" packages, free and otherwise, and at least on first blush I don't see anything particularly unique about it. It looks an awful lot like slash, although from what I've heard that's not the easiest thing to customize. (slash hackers feel free to comment.)

    Really, there's no excuse nowadays to start a new web framework from scratch, and your first impulse if your hack-job is starting to come apart at the seams should be to change to one of the umpteen bajillion tested, performant frameworks. Depending on your skill levels, which you did anything but talk up, you may even be missing basic pieces like caching, which is pretty important on a site like that. Non-professionals should not attempt to write website caching routines. Unless you want to go insane. (It's not that it's hard to write... it's that it's hard to get correct, and debugging cache problems is close to sheer hell.)
  21. Re:The real reason they're trying to patent this.. on Blackboard Patenting Educational Groupware · · Score: 1

    Your IS department is on crack. There are so many already-open-source LCMSs that it's like writing your own text editor... stop already and start with something else. We don't need another half-assed text editor, we don't need another half-assed web framework, we don't need another half-assed MP3 player, and we don't need another half-assed LCMS.

    Disclaimer: I've worked on LON-CAPA, but I mean that in general. Pick up one of the existing ones and extend it. I don't know if any are in Java, but I wouldn't be surprised, and given the bonus of picking up megabytes of tested, documented, working code, it'd be worth a language switch anyhow.

  22. Re:I'm actually at the D2L user's conference now.. on Blackboard Patenting Educational Groupware · · Score: 1

    As much as I'd like to believe this, 98% percent of the case is who can throw more money at it.

    I'm as cynical as the next guy, but honestly, the system isn't that corrupt. If it were, the US would look more like Mexico or an African country.

    "But the US is as corrupt as an African country!" - no it isn't. Rhetoric isn't evidence. Believing it in the face of all evidence to the contrary is not wisdom. "Rampant corruption around every corner" and "world's largest economy" do not go together.

    It is still true that this can be expensive, but prior art is a damn good defense if you can show it, and all that's left is for Blackboard to wrangle about whether something really is prior art, which still puts them in the position of limiting their own patent, even if they get to keep it. And patent holders are afraid of prior art claims because they can lose the entire patent, not just the case.

    If they have prior art, I wouldn't be at all surprised Blackboard starts going after other people instead. Although, they were by no means the first to get into this domain and I bet they find a lot of people have prior art. I know the LCMS I've worked on, right around the time of filing, LON-CAPA, had a lot of those things already, in many cases superior to what was being patented. (LON-CAPA is the stereotypical open-source project, positively dripping with power but still a little weak on the user-interface side.)

  23. Re:Slow menus? What the heck? on HD DVD vs Blu-ray Direct Comparisons · · Score: 1

    My PS2 has the worst interface, but you hit the button and bam there it is, in all of its craptacular glory.

    I'll admit I haven't used any $500 DVD players, but in 2006 even the crappiest, lowest-level players shouldn't be slower than a Commodore 64 drawing to the screen.

    I would expect your MythTV box to be the best; it's a computer. It's got power to spare; you might even be doing software encoding and decoding because you can afford to. Most or all dedicated DVD players off-load that to a dedicated chip.

    I've heard that even loading the TiVo with 32MB more RAM makes a significant difference, but it's a soldering job, not a "pop it in the socket" job. But what it probably needs is about five times the processor, too.

  24. Slow menus? What the heck? on HD DVD vs Blu-ray Direct Comparisons · · Score: 2, Interesting

    One of the reviews mentions the menus are even slower on Blu-ray than they are on DVDs, routinely taking two or three seconds for even the simplest of operations.

    The reviewer said something to the effect of DVD being OK, but I disagree. Every DVD menu that I've ever seen on any player already trends towards the slow side. I understand taking a moment to load new content, but what's up with taking a second to register the pressing of the "up" or "down" button?

    Why, in 2006, does every piece of consumer electronics feel (and often look) like it's being powered by a Nintendo Entertainment System, with some sort of auto-delay-on-input circuit added for extra measure? I understood it in 1996, but ten years later and if anything it's worse; every generation seems to get slower and slower. My TiVo Series 2 is actually a little slower than my Series 1, which I thought was impossible. My Comcast cable box when I tried it last year had multi-second response times for everything. My cell phone can't seem to do anything in less than half a second, except input text. For every DVD player I've ever seen (except the PS2), you can see it drawing the menus and stuff to the screen. Come on! You can't draw text to the screen in less than half a second? My Commodore 64 seemed to manage that feat, even when running in BASIC!

    I realize that not all consumer electronics are going to act as snappy as my computer, but must it feel like I'm doing everything over the web with a 9600 dial-up connection?

  25. Re:Catastrophic Failure of Flash Memory on The Benefits of Hybrid Drives · · Score: 1
    Depends on what you're doing. For example, if you run IIS, your log files (by default; you can change this) are in %WINDIR%\System32\LogFiles.
    I'd like to see the flash available as a separate partition that I can directly access and manage, because then it would be a big win for the Linux way of doing things. Except for my Portage dir (which I could symlink in from another directory), 1GB is enough to hold all of /usr, and I'd probably toss /boot and /etc/ in there too, leaving just my personal files and /var on the disk. (Assuming I can access this flash as a separate partition.) Bump it up to 2GB and I know I could fit my entire OS on it, easily, with only a few minutes fiddling. Turn down the logging sensitivity (it is just a laptop after all) and that would eliminate a major reason to spin up the drive. (Or set a small limit on the log size and leave them on the flash; a laptop's log isn't going to reach the flash writing limit in this century.)

    I don't have a MacOSX machine, but they may be as clean too. I know they have an Application folder system that nicely isolates the application from your user data, but I don't know if they casually scatter logs around the system. Somehow I doubt it, but I don't know.

    Unfortunately, the odds of this are low because Windows would stink this plan up, as you explain, and of course if it doesn't work with Windows it doesn't work. Plus it might require protocol work. (Although perhaps there is hope; maybe if you poke it right, a drive could present itself either as one drive that uses the Flash as a transparent cache, or as two drives, one flash, one conventional hard drive. If the SATA protocol could deal with that, which I have no idea about (I know SCSI can), that wouldn't take much extra work from the hard drive manufacturer, and server-type people might appreciate that finer grained control even in Windows, too.)