This isn't Bill Gates' Microsoft.
You're obviously not getting a lot of love from the slashdot crowd for asserting that MS is less hostile to FOSS than it used to be. I think realistically it's a mixed bag.
I would also point out that Bill Gates himself is not completely hostile to free information. For instance, the Bill and Melinda Gates Foundation helped to fund the creation of this physics textbook, which is under a CC-BY license.
What Glee released is not a "cover." It actually samples his recording.
And Coulton's version isn't just a cover either. If you listen to the Sir Mix-a-Lot version and then to the Coulton version, Coulton's puts the lyrics to a melody that wasn't there in the original rap song. Coulton owns the copyright of this melody.
however there is also significant variation from the log-log line-of-best-fit; the r^2 is around 0.8
An R^2 value of 0.8 is actually pretty low. And looking at the graph, it's really only three points, even though it looks like a hundred points. They have one big blob for phytoplankton, one for trees, and a third blob in the middle for everything else. This is really not that impressive. If you throw three baseballs in a microwave and observe the resulting random positions, they will often come pretty close to lying on a single line (which is what the R^2 measures).
Within each blob, the correlation looks like it's essentially zero, e.g., it doesn't seem to be true that big trees live longer than small trees.
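The three-blob point above, as an added worked example (the editor's code, not the commenter's; the data are constructed rather than taken from the paper): three clusters whose centres happen to lie on a line, each built so that its internal correlation is exactly zero, still produce a pooled r^2 of about 0.97.

```python
# Added example: how three uncorrelated blobs on a line inflate r^2.
# Editor's code, not part of the original comment; data are constructed.

def pearson_r2(points):
    """Coefficient of determination for a straight-line fit y = a + b*x."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxy = sum((x - mx) * (y - my) for x, y in points)
    sxx = sum((x - mx) ** 2 for x, _ in points)
    syy = sum((y - my) ** 2 for _, y in points)
    if sxx == 0 or syy == 0:
        return 0.0
    return (sxy * sxy) / (sxx * syy)

# A symmetric four-point pattern: within one blob, large x says nothing
# about y, so the within-blob r^2 is exactly 0.
OFFSETS = [(-0.5, 0.5), (0.5, -0.5), (0.5, 0.5), (-0.5, -0.5)]

def make_blob(cx, cy):
    return [(cx + dx, cy + dy) for dx, dy in OFFSETS]

# Three blobs (log mass, log lifespan; arbitrary units) whose centres are collinear.
BLOBS = {
    "phytoplankton": make_blob(0.0, 0.0),
    "everything else": make_blob(5.0, 5.0),
    "trees": make_blob(10.0, 10.0),
}

def pooled_r2():
    """r^2 of the line of best fit through all twelve points."""
    return pearson_r2([p for blob in BLOBS.values() for p in blob])

def within_blob_r2():
    """r^2 inside each blob separately: the number that would tell you
    whether bigger trees live longer than smaller trees."""
    return {name: pearson_r2(pts) for name, pts in BLOBS.items()}
```

The pooled value is 200^2 / 203^2 exactly for this layout, because the between-centre spread (50/3 per coordinate) dwarfs the within-blob spread (1/4), so the line through the three centres explains almost everything while explaining nothing about any one group.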
For almost 2 years I've been volunteering for a branch of Freegeek and in that time I've installed Ubuntu 10.04 on hundreds of PCs and most of the installs have been fine. So I don't know where you get LTS hasn't worked out well or that Ubuntu's quality is crap. You may not like the DE, Canonical, or how Ubuntu is run but that's different than saying the distro is crap.
Here's a list of bugs that I've personally experienced starting with jaunty:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/369822
https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/449783
https://bugs.launchpad.net/ubuntu/+source/xsplash/+bug/504403
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/504947
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/501692
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/422536
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers/+bug/561049
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/561040
https://bugs.launchpad.net/ubuntu/+source/command-not-found/+bug/561046
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579300
https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648
Here's a list of hardware I own on which sound input worked in older versions of ubuntu, but is broken in oneiric:
HP Compaq DC5800 Microtower Intel Core 2 Duo E6550 2.33GHz 2GB 160GB DVD-Rom
1.7 GHz AMD Sempron, 512 MB ram, 38 GB hdd
HP XW4400 Workstation Intel Core 2 DUO E6300 1.86GHz 250GB 1GB CD-RW/ DVD
HP Compaq D330 uT Intel Pentium 4 2.66GHZ 80GB HDD 1GB DDR Desktop PC
I'm glad you're having such good luck with the quality of ubuntu. I'm not.
Sorry, I should have said PulseAudio, not ALSA.
I've tried using LTS on some machines, but it hasn't worked out well. The trouble with it is that Ubuntu's quality is crap, and that applies to LTS releases just as much as non-LTS. For instance, they started gratuitously breaking sound with Jaunty, and as of Precise it's still broken on some machines I use. When important stuff is randomly broken in an LTS release, you end up upgrading to a non-LTS to see if they've fixed the bug.
The root problem is that Ubuntu is more interested in random, useless crap like Unity and ALSA than they are in just fixing bugs and making something that works. Rolling releases won't make that any better or worse. You'll get the bug fixes sooner, but you'll also get new bugs sooner.
Here's what worked for me on debian. See https://kb.askmonty.org/en/how-can-i-upgrade-from-mysql-to-mariadb/

    mysql --version        # I'm running 5.0, am supposed to upgrade to mysql 5.2 or later to run mariadb 5.2
    mysql_upgrade -p       # upgrades me to 5.1, no 5.2 available; will just try installing mariadb 5.2 and see if it works
    mysqldump -u root -p --all-databases > whole_database.sql   # shouldn't be needed, but just in case
    mysqladmin -u root -p shutdown
    apt-get remove mysql-server

Now install MariaDB.
https://kb.askmonty.org/en/installing-mariadb-deb-files/

    apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
    cat /etc/issue         # tells me I'm running debian 6.0, which is squeeze, http://en.wikipedia.org/wiki/Debian#Release_history
    # use this web ui to generate text to put in sources.list
    # https://downloads.mariadb.org/mariadb/repositories/
    cat >/etc/apt/sources.list.d/MariaDB.list   # ...cut and paste into this newly created file
    apt-get update
    apt-get install mariadb-server
    mysql -u root -p       # still called mysql for compatibility, but it comes up and identifies itself as mariadb
    show databases;        # (at the mysql prompt) all still there, no need to restore from backup

The mysql binary, etc., are all still named the same thing for compatibility, so, e.g., there's no need to change the cron jobs that back up my database.
The Wikipedia article is much better than the Byte article. (Do people still read Byte? I don't remember seeing it since the 80's.)
One thing that seems a little different from Y2K is that this bug seems to be prevalent in a lot of embedded systems. To me that seems harder to test than a desktop system. On a desktop system, you can just set the time to Dec. 31, 2037, let it roll over, and test as much stuff as possible to see if it broke. You can't do that with a car or an airliner.
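An added example (the editor's code, not the commenter's) of the 32-bit time_t wrap that the Y2038 discussion is about. The one number that matters when you set a test clock: the signed 32-bit counter reaches its maximum at 2038-01-19 03:14:07 UTC, and the next second reads back as 1901-12-13 20:45:52, so a clock set to the end of 2037 and allowed to roll into the new year never reaches the wrap. The functions below simulate a C `time_t` of 32 bits in Python so the arithmetic can be checked without a 32-bit build.

```python
# Added example: simulate a signed 32-bit time_t and locate the 2038 wrap.
# Editor's code, not part of the original comment.
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1
INT32_MIN = -2**31

def time_t32(dt):
    """The value a signed 32-bit time_t holds for dt, wrapping the way C does."""
    secs = int((dt - EPOCH).total_seconds())
    # keep the low 32 bits, then reinterpret them as a signed integer
    return struct.unpack("<i", struct.pack("<I", secs & 0xFFFFFFFF))[0]

def from_time_t32(t):
    """Inverse: the instant a 32-bit time_t value t represents."""
    return EPOCH + timedelta(seconds=t)

def rollover_instant():
    """Last instant representable before the counter wraps negative."""
    return from_time_t32(INT32_MAX)

def clock_still_advances(dt, delta):
    """True if a 32-bit clock set to dt still reads later after delta elapses.
    This is the check a rollover test should actually make."""
    return time_t32(dt + delta) > time_t32(dt)

def wrap_in_window(start, end):
    """Does the wrap fall inside [start, end)? Use it to pick a test clock
    that really crosses the boundary."""
    return start <= rollover_instant() < end
```

Running `clock_still_advances(datetime(2037, 12, 31, 23, 59, tzinfo=timezone.utc), timedelta(minutes=2))` returns True, which is why a new-year rollover test proves nothing about 2038; the same call starting at `rollover_instant()` returns False.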
The crappy little superficial one-page MIT Technology Review article has a link to another, similarly crappy article on the same site, but if you click through one more layer you actually get to this much more substantial piece in the New Yorker.
Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code.
Total nonsense. This is like saying that people get electrocuted by their toasters, and people get electrocuted repairing downed power lines, so toasters are just as dangerous as downed power lines. Toasters are safe by design. So is the java applet sandbox.
The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
Plenty of people are still using java applets. I use them. They're commonly used in medicine, banking, and law offices.
Or are you claiming that the version of the browser plugin "made by Oracle" is the only one broken? If so, could you explain what you're basing that claim on? As far as I know, groups like IcedTea use Oracle's code extensively, and all of these bugs are likely to be present in all implementations of the Java 7 applet sandbox.
I don't own a cell phone. Various online services such as google keep badgering me to associate my account with a cell phone number. I can't, don't want to, and don't need to. Their desire to do this is a desire for their own convenience, not mine. If some other user writes his google password on a post-it and then loses the post-it, google wants a method by which it's easy for google to retain the guy as a customer by giving the guy back his password. They want to do this with zero labor cost to them. They don't want to do it by email because if the guy's forgotten his gmail password he can't access his gmail. All of this has to do with what google wants, not with what I want.
TFA says, "Passwords are a cheap and easy way to authenticate web surfers, but they're not secure enough for today's internet, and they never will be," with a link to this article by someone named Mat Honan. Honan says:
You have a secret that can ruin your life. It's not a well-kept secret, either. Just a simple string of characters--maybe six of them if you're careless, 16 if you're cautious--that can reveal everything about you. Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked.
Um, no. I don't use the same password for all these different things. Anyone who does is a fool. And no, I don't post naked pictures of myself online, with or without password protection.
No matter how complex, no matter how unique, your passwords can no longer protect you. Look around. Leaks and dumps--hackers breaking into computer systems and releasing lists of usernames and passwords on the open web--are now regular occurrences.
No. This guy obviously has no clue. Web sites typically store a hash of your password, not the password itself. And if you don't reuse the same password for multiple important accounts, there are no major ramifications from having your password for, say, facebook released into the wild, because it's not the same as your password for your bank account, etc. If someone uses a single password for every single account they have, then they're asking for trouble. That's their problem, not mine, and it's not a generic problem with passwords, it's a specific problem with the insecure way those people use passwords.
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust--seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well--but the three accounts were linked, so once the hackers had conned their way into one, they had them all.
What the hell does he mean by "linked?" This makes no sense.
Imagine that I want to get into your email. Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.
If AOL does this, then AOL is a bunch of idiots. This has nothing to do with the security of passwords in general.
How do our online passwords fall? In every imaginable way: They're guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company's customer support department.
Your password can't be guessed or cracked by brute force if you pick a good password. It can't be "lifted from a password dump" if whoever you have the account with stores it in hashed form. If it's being stolen through a keylogger on your computer, then you have a bigger problem than the insecurity of your gmail account. Social engineering methods are the hardest to protect against, but the damage is mitigated if you don't reuse the same password for multiple high-stakes accounts.
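An added example (the editor's code, not the article's or the commenter's) of what "stores it in hashed form" has to mean for a leaked dump to be harmless: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison on verification. The short MD5 cracker at the end is the caveat a practitioner wants next to that sentence: a dump of unsalted fast hashes is attacked offline in microseconds per guess, so the format of the stored hash matters as much as the policy of not reusing passwords. The iteration count, salt length and wordlist are assumptions, not values from the page.

```python
# Added example: salted slow hashing versus an unsalted fast hash in a dump.
# Editor's code, not from the article or the comment. Parameters are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise it as hardware allows
SALT_BYTES = 16        # assumed salt length

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, work factor, salt, derived key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(stored, candidate):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking, byte by byte, how close a guess was
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

# Constructed wordlist standing in for the real ones attackers use.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]

def crack_unsalted_md5(hash_hex, wordlist=WORDLIST):
    """What a leaked, unsalted, fast hash buys the attacker: every candidate
    is one cheap MD5 away, and one table serves every user in the dump."""
    for word in wordlist:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == hash_hex:
            return word
    return None
```

Two users with the same password get different records because the salt differs, which is what stops a single precomputed table from covering the whole dump; the slow function then makes each remaining guess cost the attacker as much as it costs the site.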
What I like is that it cuts down on the effort required to manage different projects. The 14 projects that I now have on github all used to have different makefiles used for building tarballs and posting them publicly. Each used to have a web page saying stuff like "the current version is 3.1.5," which had to be edited when I put out a new version. Now all of that stuff is automatic. I just do a git tag and a git push, and bam, it's there. I had material on the individual web pages which is now in each project's README.md file on github. When I want to change it, I just edit README.md, and then next time I do a push, it'll be there on github.
It's a shame that github's web interface isn't 100% open source, but many parts of it are (e.g., https://github.com/github/linguist ), and there is no major vendor lock-in, either. They're just hosting my git repo. If I fall out of love with them, I still have my repo and can just host it somewhere else.
I'm not sure it is possible to violate causality.
In this context, the meaning of violating causality is this. Let events A and B be such that motion at greater than c is necessary to get from one to the other. Then there exist frames in which A occurs before B, and also frames in which B occurs before A.
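The sign flip described above, worked through with the ordinary Lorentz transformation (added here as an illustration, not part of the original comment; $c$ is the speed of light, $v$ the boost speed, $\gamma = 1/\sqrt{1 - v^2/c^2}$). Put A at the origin and B at $(\Delta t, \Delta x)$ in some frame. In a frame moving at speed $v$ along $x$,

$$\Delta t' = \gamma\left(\Delta t - \frac{v\,\Delta x}{c^2}\right).$$

"Motion faster than $c$ is needed to get from one to the other" means $|\Delta x| > c\,|\Delta t|$. Take $\Delta t > 0$ and $\Delta x > 0$, so A is before B in this frame. Then every boost with

$$\frac{c^2\,\Delta t}{\Delta x} < v < c$$

is an ordinary sub-light frame (the lower bound is below $c$ precisely because $\Delta x > c\,\Delta t$), and in it $\Delta t' < 0$: B is before A. For example, with $\Delta x = 2c\,\Delta t$ and $v = 0.75c$, $\Delta t' = \gamma(\Delta t - 1.5\,\Delta t) = -0.5\,\gamma\,\Delta t$. When instead $|\Delta x| < c\,|\Delta t|$, the bracket keeps its sign for every $|v| < c$, so the time order of the two events is the same in all frames.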
If you want to have an observer, you have to have a frame of reference for that observer. Having such a frame of reference means that you have to be able to define some way of converting from that frame into other frames, such as frames that are not FTL relative to the stars. Various people, going back at least as far as 1986, have worked out a way of extending the usual Lorentz transformations so that they connect frames that have relative velocities greater than c. Suppose you have two frames A and B that are moving relative to one another at a speed greater than c. Alice is an observer in frame A, Bob in B. What ends up happening is that Alice says she's made of bradyons (particles that go slower than c), and she sees Bob as being made out of tachyons. But Bob sees himself as being made of bradyons and Alice of tachyons. Also, what Alice perceives to be a time axis Bob says is a spatial one, and what Alice says is space Bob says is time. This final part is the one that makes it not work in 3+1 dimensions. There is no mathematically consistent way to carry the whole thing through if the number of time and space dimensions isn't equal.
Einstein did modify it. The resulting theory is called General Relativity.
And every time we use GPS, we're using a tool that would not work at all without general relativity.
The equations of Special Relativity are used in experimental high energy physics all the time quite successfully.
And even so, theorists were very enthusiastic about trying to modify SR to accommodate the superluminal neutrino results from 2011. Unfortunately those results turned out to be due to a loose cable.
The slashdot summary is totally inaccurate. It makes it sound as though the paper calculates what would be seen by an observer going faster than c relative to the stars, but actually the paper calculates what would be seen by an observer going at v=0.9999995c.
There is also basically nothing new in this paper. The effects they describe (relativistic aberration and Doppler shifts) have been well understood for a long time. ANU has made a nice educational video showing these effects.
The question of how things would look if you could go faster than c relative to the stars is a whole different issue. Special relativity doesn't forbid relative motion faster than c, but it puts a bunch of constraints on it: (1) it can't be achieved by a continuous process of acceleration from velocities less than c; (2) if it exists, it violates causality; and (3) although special relativity is consistent with the existence of faster-than-light particles (tachyons), it is not consistent with the existence of faster-than-light observers in a universe with 3 spatial dimensions and 1 time dimension, a.k.a. 3+1 dimensions. Result #3 (no tachyonic observers in 3+1 dimensions) has been known for a long time, but it seems to keep getting rediscovered.
There are unfortunately lots of problems with noscript.
Noscript is incompatible with flashblock.
Noscript's codebase has a reputation for being a mess.
I stopped using noscript in 2009, because of a variety of issues related to their attempts to maximize ad impressions on their site. It does extremely frequent updates, sending you to its home page every time. It is possible to defeat this in about:config by setting noscript.firstRunRedirection to false. In May 2009, they got in some kind of a war with adblock: http://news.slashdot.org/article.pl?sid=09/05/01/236248&art_pos=1 They were modifying the behavior of adblock, and some of the code of noscript was obfuscated. In general, the behavior of the noscript developers seems irresponsible, sneaky, and deceptive. I don't want to fix a security problem on my machine by installing software written by people who behave... kind of in the same scummy way as the people I was trying to protect myself from in the first place.
Is the problem with OpenJDK or just Oracle Java? Doesn't OpenJDK have a reasonable patch procedure? Why don't all the corps that are tied to Java apps fund the development of an OpenJDK port/plugin for Windows and leave Oracle to run their own Java ghetto?
I don't know that much about how these projects are actually organized. I could be wrong, but it sounds to me like basically a PHB at Oracle decrees that a certain feature should be added to java, even though it's ill-advised from a security-design point of view; then code monkeys at Oracle implement it; then people out in the OSS world (the project that used to be GNU classpath? IcedTea? OpenJDK?) import the code into their own implementation, which is really the same code-base with just a few IP-encumbered parts replaced with open-source work-alikes. AFAIK the present security hole was present in every implementation of java 1.7 for the last 6 months, not just windows implementations or implementations downloaded directly from oracle.
If anyone has deeper insight into how all this is organized, it would be great to hear from them.
PDF is simply a wrapper for a program written in Postscript
Not true. Postscript is a Turing-complete language. PDF is basically a redesign of postscript that, among other changes, makes it into a Turing-incomplete language. This makes PDF inherently more secure than Postscript.
The security flaws that keep popping up in Adobe Reader are not holes in PDF itself, they're holes in other features that were added on later, such as the ability of recent versions of PDF to embed javascript. By default, AR will execute javascript that's embedded in pdf files. This is both a privacy (people can track readers) and a security issue (more than one stack overflow bug has been discovered that's related to js). To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
Better yet, simply don't use AR as your PDF plugin in your browser. On linux, Evince is pretty good.
The situation with PDF is actually closely analogous to the one with java applets. Both technologies were designed with security in mind, and are inherently possible to implement straightforwardly in a secure way. Both are open specs that are freely implementable without paying patent royalties. In both cases, the evolution of the spec is currently being guided by an evil corporation that doesn't care about security. The main difference is that in the case of PDF, the relevant read/write functionality exists in multiple completely independent implementations, whereas for java, there is no full reimplementation by anyone besides sun/oracle, only implementations that use almost all of oracle's code and replace portions that weren't freely available.
To paraphrase a well known saying, I think it's time for the internet to start seeing oracle as damage and route around it.
One really simple thing that seems needed, and that should be extremely simple to do, would be a whitelist/blacklist plugin for java applets in firefox. The vast majority of java applet users are probably people who work in a bank, a law practice, or a medical office and only ever need to use a single applet. They need an option where they can blacklist all java applets by default, but allow applets from medicalrecords.com or whatever. These folks can't just disable the java plugin completely. Setting plugins.click_to_play to true is also a solution, but it breaks sites that use flash, and it doesn't protect the business against an office worker who clicks on stuff without thinking. (I tried setting this flag on my desktop box at home, and it was too much of a nuisance. This is what I have flashblock for, and flashblock does the job better.)
Another helpful step would be to make it easier for people to find out which versions of java they have on their computers and easier for them to avoid unsafe versions. On my ubuntu box, managing this is a total mess. If I do "java -version", it tells me I'm running java 1.6, which would be immune to this vulnerability. But if I check inside the directory /usr/lib/jvm , it turns out I actually have 1.5, 1.6, and 1.7 all installed. Well, which one is firefox using? I get zero results from dpkg --get-selections icedtea . In firefox, doing tools:add-ons:plugins tells me I have IcedTea-Web 1.2, which tells me nothing about the java version. Typing about:plugins in the url bar shows me literally two dozen version numbers. Googling turns up somebody's test app at http://javatester.org/version.html , but (a) how do I know this guy isn't a black hat, and (b) even if that showed I was currently running 1.6, what happens if a future apt-get upgrade bumps me into 1.7?
The final thing that should really happen IMO is that the OSS community should get off the java upgrade treadmill. The IcedTea project should designate some version such as 1.6 as a high-security, stable version and focus some real effort on making that version secure. Distros should stop packaging 1.7+ until the dust settles -- and if that takes a couple of years, who the heck cares? Hell, I wouldn't care if it took a decade, or forever.
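An added script (the editor's code, not the commenter's) for the "which one is firefox using?" question two paragraphs up. The reason the numbers disagree is that `java -version` follows the `java` alternative on the PATH, while the browser loads whatever .so sits in its plugin directory, which on Debian-derived systems is a separate symlink (the `mozilla-javaplugin.so` alternative when IcedTea-Web registers one), so the two can point at different JVM trees and an `apt-get upgrade` can move either one independently. The script resolves every plugin .so through its symlinks, reads the JVM name out of the resolved path, and asks the alternatives system where both links currently point. The plugin directories, the alternative names and the fake tree it can build for an offline dry run are assumptions.

```python
# Added example: find which JVM the browser plugin actually resolves to.
# Editor's code, not from the comment. Paths and alternative names are assumptions.
import glob
import os
import subprocess
import tempfile

# Directories a Firefox build on a Debian/Ubuntu box scans for NPAPI plugins
# (assumed; compare with what about:plugins lists on your machine).
PLUGIN_DIRS = [
    "/usr/lib/mozilla/plugins",
    "/usr/lib/firefox/plugins",
    os.path.expanduser("~/.mozilla/plugins"),
]

def resolve_plugins(dirs=PLUGIN_DIRS):
    """Map each plugin .so to the real file it names after every symlink hop."""
    found = {}
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.so"))):
            found[path] = os.path.realpath(path)
    return found

def jvm_of(resolved_path):
    """The JVM tree name (path component after '/jvm/'), or None if not a Java plugin."""
    parts = resolved_path.split(os.sep)
    if "jvm" in parts and parts.index("jvm") + 1 < len(parts):
        return parts[parts.index("jvm") + 1]
    return None

def java_plugins(dirs=PLUGIN_DIRS):
    """Only the plugins that live inside a JVM tree, keyed by the link the browser loads."""
    return {link: jvm_of(target) for link, target in resolve_plugins(dirs).items()
            if jvm_of(target) is not None}

def alternative_target(name):
    """Current target of an update-alternatives link, or None if it is unknown here."""
    try:
        out = subprocess.run(["update-alternatives", "--query", name],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    for line in out.splitlines():
        if line.startswith("Value:"):
            return line.split(":", 1)[1].strip()
    return None

def build_fixture(base=None):
    """Constructed layout for an offline dry run: a fake JVM tree plus a plugin
    directory holding a symlink into it. Returns (plugin_dir, resolved_target)."""
    base = base or tempfile.mkdtemp(prefix="jvmdemo-")
    target = os.path.join(base, "usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    open(target, "wb").close()
    plugin_dir = os.path.join(base, "usr/lib/mozilla/plugins")
    os.makedirs(plugin_dir, exist_ok=True)
    os.symlink(target, os.path.join(plugin_dir, "javaplugin.so"))
    return plugin_dir, os.path.realpath(target)

if __name__ == "__main__":
    for link, jvm in java_plugins().items():
        print(link, "->", jvm)
    print("java alternative:", alternative_target("java"))
    print("browser plugin alternative:", alternative_target("mozilla-javaplugin.so"))
```

If the two alternatives print different JVM trees, that is the answer to "which one is firefox using": the browser's, not the one `java -version` reports. Re-run it after each upgrade, since either symlink can be re-pointed by a package postinst.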
I see a lot of posts saying, "I don't need java applets. None of the web sites I visit use java applets. We should use this as an opportunity to let java applets die. Die, applets, die die!"
There are a lot of problems with this simplistic response.
One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.
The other problem is that you have to consider the alternatives.
Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.
Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware, comparable to java applets and adobe reader.
Silverlight is only viable on Windows.
Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.
Thanks for the suggestion, but I tried OSRM, and it seemed just as bad as yournavigation.org, if not worse. (I wanted to do a side-by-side comparison, but yournavigation apparently isn't working right now due to hosting problems.) As with yournavigation, OSRM breaks the route down into a large number of microscopic parts. Also, when I asked it for directions to 4926 W. Rosecrans Avenue, Hawthorne, CA, it inexplicably changed my request to a request for directions to South Tajauta Avenue, Los Angeles, CA, which is a completely different place. The blue route is also invisible overlaid on top of blue freeways.
The clickers, which are expensive for students, were never needed in the first place. The people who pioneered this teaching technique started by having students raise hands to vote. They observed that some students were reluctant to be embarrassed in front of their peers by raising their hands for a choice that might be wrong, so they handed out large cardboard cards with letters ABCD on them. Students held up the card so only the professor could see. Worked great. The clickers are a waste of money for students, and the extra functionality they make possible is extremely minimal in proportion to the cost.
The idea of only supporting students' tablets is silly. It may be true at the University of Spoiled Children that basically everyone owns a laptop or tablet and brings it to school, but I assure you that that's not true at the community college where I teach. My students are generally extremely cheap and extremely broke. The projector works great. It's up at the front of the room where everyone can see it. If I need to point to it, I can pick up a meter stick and point. If I depend on students to have tablets, then at any given time some big percentage of them will be off task for a variety of reasons: don't own one, didn't bring it to school, dead batteries, using it to play games, doesn't have the right browser plugin, doesn't have enough resolution, wifi isn't working,...
This isn't Bill Gates' Microsoft.
You're obviously not getting a lot of love from the slashdot crowd for asserting that MS is less hostile to FOSS than it used to be. I think realistically it's a mixed bag.
I would also point out that Bill Gates himself is not completely hostile to free information. For instance, the Bill and Melinda Gates Foundation helped to fund the creation of this physics textbook, which is under a CC-BY license.
What Glee released is not a "cover." It actually samples his recording.
And Coulton's version isn't just a cover either. If you listen to the Sir Mix-a-Lot version and then to the Coulton version, Coulton's puts the lyrics to a melody that wasn't there in the original rap song. Coulton owns the copyright of this melody.
however there is also significant variation from the log-log line-of-best-fit; the r^2 is around 0.8
An R^2 value of 0.8 is actually pretty low. And looking at the graph, it's really only three points, even though it looks like a hundred points. They have one big blob for phytoplankton, one for trees, and a third blob in the middle for everything else. This is really not that impressive. If you throw three baseballs in a microwave and observe the resulting random positions, they will often come pretty close to lying on a single line (which is what the R^2 measures).
Within each blob, the correlation looks like it's essentially zero, e.g., it doesn't seem to be true that big trees live longer than small trees.
For almost 2 years I'll been volunteering for a branch of Freegeek and in that tyme I've installed Ubuntu 10.04 on hundreds of PCs and most of the installs have been fine. So I don't know where you get LTS hasn't worked out well or that Ubuntu's quality is crap. You may not like the DE, Canonical, or how Ubuntu is run but that's different than saying the distro is crap.
Here's a list of bugs that I've personally experienced starting with jaunty:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/369822
https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/449783
https://bugs.launchpad.net/ubuntu/+source/xsplash/+bug/504403
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/504947
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/501692
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/422536
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers/+bug/561049
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/561040
https://bugs.launchpad.net/ubuntu/+source/command-not-found/+bug/561046
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579300
https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648
Here's a list of hardware I own on which sound input worked in older versions of ubuntu, but is broken in oneiric:
HP Compaq DC5800 Microtower Intel Core 2 Duo E6550 2.33GHz 2GB 160GB DVD-Rom
1.7 GHz AMD Sempron, 512 MB ram, 38 GB hdd
HP XW4400 Workstation Intel Core 2 DUO E6300 1.86GHz 250GB 1GB CD-RW/ DVD
HP Compaq D330 uT Intel Pentium 4 2.66GHZ 80GB HDD 1GB DDR Desktop PC
I'm glad you're having such good luck with the quality of ubuntu. I'm not.
Sorry, I should have said PulseAudio, not ALSA.
I've tried using LTS on some machines, but it hasn't worked out well. The trouble with it is that Ubuntu's quality is crap, and that applies to LTS releases just as much as non-LTS. For instance, they started gratuitously breaking sound with Jaunty, and as of Precise it's still broken on some machines I use. When important stuff is randomly broken in an LTS release, you end up upgrading to a non-LTS to see if they've fixed the bug.
The root problem is that Ubuntu is more interested in random, useless crap like Unity and ALSA than they are in just fixing bugs and making something that works. Rolling releases won't make that any better or worse. You'll get the bug fixes sooner, but you'll also get new bugs sooner.
Here's what worked for me on debian. See https://kb.askmonty.org/en/how-can-i-upgrade-from-mysql-to-mariadb/
Now install MariaDB.
https://kb.askmonty.org/en/installing-mariadb-deb-files/
The mysql binary, etc., are all still named the same thing for compatibility, so, e.g., there's no need to change the cron jobs that back up my database.
The Wikipedia article is much better than the Byte article. (Do people still read Byte? I don't remember seeing it since the 80's.)
One thing that seems a little different from Y2K is that this bug seems to be prevalent in a lot of embedded systems. To me that seems harder to test than a desktop system. On a desktop system, you can just set the time to Dec. 31, 2037, let it roll over, and test as much stuff as possible to see if it broke. You can't do that with a car or an airliner.
The crappy little superficial one-page MIT Technology Review article has a link to another, similarly crappy article on the same site, but if you click through one more layer you actually get to this much more substantial piece in the New Yorker.
Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code.
Total nonsense. This is like saying that people get electrocuted by their toasters, and people get electrocuted repairing downed power lines, so toasters are just as dangerous as downed power lines. Toasters are safe by design. So is the java applet sandbox.
The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
Plenty of people are still using java applets. I use them. They're commonly used in medicine, banking, and law offices.
Or are you claiming that the version of the browser plugin "made by Oracle" is the only one broken? If so, could you explain what you're basing that claim on? As far as I know, groups like IcedTea use Oracle's code extensively, and all of these bugs are likely to be present in all implementations of the Java 7 applet sandbox.
I don't own a cell phone. Various online services such as google keep badgering my to associate my account with a cell phone number. I can't, don't want to, and don't need to. Their desire to do this is a desire for their own convenience, not mine. If some other user writes his google password on a post-it and then loses the post-it, google wants a method by which it's easy for google to retain the guy as a customer by giving the guy back his password. They want to do this with zero labor cost to them. They don't want to do it by email because if the guy's forgotten his gmail password he can't access his gmail. All of this has to do with what google wants, not with what I want.
TFA says, "Passwords are a cheap and easy way to authenticate web surfers, but they're not secure enough for today's internet, and they never will be," with a link to this article by someone named Mat Honan. Honan says:
You have a secret that can ruin your life. It's not a well-kept secret, either. Just a simple string of characters--maybe six of them if you're careless, 16 if you're cautious--that can reveal everything about you. Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked.
Um, no. I don't use the same password for all these different things. Anyone who does is a fool. And no, I don't post naked pictures of myself online, with or without password protection.
No matter how complex, no matter how unique, your passwords can no longer protect you. Look around. Leaks and dumps--hackers breaking into computer systems and releasing lists of usernames and passwords on the open web--are now regular occurrences.
No. This guy obviously has no clue. Web sites typically store a hash of your password, not the password itself. And if you don't reuse the same password for multiple important accounts, there are no major ramifications from having your password for, say, facebook released into the wild, because it's not the same as your password for your bank account, etc. If someone uses a single password for every single account they have, then they're asking for trouble. That's their problem, not mine, and it's not a generic problem with passwords, it's a specific problem with the insecure way those people use passwords.
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust--seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well--but the three accounts were linked, so once the hackers had conned their way into one, they had them all.
What the hell does he mean by "linked?" This makes no sense.
Imagine that I want to get into your email. Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.
If AOL does this, then AOL is a bunch of idiots. This has nothing to do with the security of passwords in general.
How do our online passwords fall? In every imaginable way: They're guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company's customer support department.
Your password can't be guessed or cracked by brute force if you pick a good password. It can't be "lifted from a password dump" if whoever you have the account with stores it in hashed form. If it's being stolen through a keylogger on your computer, then you have a bigger problem than the insecurity of your gmail account. Social engineering methods are the hardest to protect against, but the damage is mitigated if you don't reuse the same password for multiple high-stakes accounts.
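As an added illustration of the point made in this comment (example code, not part of the original thread; the sites, users, passwords and wordlist are constructed): a leaked dump of unsalted hashes gives away weak passwords and cross-site reuse directly, whereas a salted, slow hash makes each site's records independent, so a unique password per site limits a breach to that one site.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # slow on purpose: each guess against a salted record costs this much


def unsalted_digest(password: str) -> str:
    """What a careless site might store: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password: str, salt: bytes) -> bytes:
    """What a careful site stores: PBKDF2-HMAC-SHA256 over the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_record(password: str) -> tuple[bytes, bytes]:
    """Create a fresh (salt, digest) record for a newly registered user."""
    salt = os.urandom(16)
    return salt, salted_digest(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check against a salted record, with a constant-time comparison."""
    return hmac.compare_digest(salted_digest(password, salt), stored)


def wordlist_hits(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Unsalted dump: hashing each common word once recovers every user who chose it."""
    table = {unsalted_digest(w): w for w in wordlist}
    return {user: table[d] for user, d in dump.items() if d in table}


def shared_digests(dump_a: dict[str, str], dump_b: dict[str, str]) -> list[str]:
    """Two unsalted dumps: identical digests expose password reuse without any cracking."""
    return sorted(u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u])


# Constructed sample data: hypothetical users, two hypothetical sites, a tiny wordlist.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
SITE_A_UNSALTED = {"alice": unsalted_digest("letmein"),
                   "bob": unsalted_digest("c7#Vq9!zLp2&wRt4")}
SITE_B_UNSALTED = {"alice": unsalted_digest("letmein"),        # reused across sites
                   "bob": unsalted_digest("m3$Hx8@kDf5^yNb1")}   # unique per site

if __name__ == "__main__":
    print("recovered from site A dump:", wordlist_hits(SITE_A_UNSALTED, WORDLIST))
    print("reuse visible across A and B:", shared_digests(SITE_A_UNSALTED, SITE_B_UNSALTED))
    # The same password salted by two sites yields unrelated digests.
    print(salted_digest("letmein", b"A" * 16) != salted_digest("letmein", b"B" * 16))
    salt, stored = new_record("letmein")
    print(verify("letmein", salt, stored), verify("letmeout", salt, stored))
```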
What I like is that it cuts down on the effort required to manage different projects. The 14 projects that I now have on github all used to have different makefiles used for building tarballs and posting them publicly. Each used to have a web page saying stuff like "the current version is 3.1.5," which had to be edited when I put out a new version. Now all of that stuff is automatic. I just do a git tag and a git push, and bam, it's there. I had material on the individual web pages which is now in each project's README.md file on github. When I want to change it, I just edit README.md, and then next time I do a push, it'll be there on github.
It's a shame that github's web interface isn't 100% open source, but many parts of it are (e.g., https://github.com/github/linguist ), and there is no major vendor lock-in, either. They're just hosting my git repo. If I fall out of love with them, I still have my repo and can just host it somewhere else.
I'm not sure it is possible to violate causality.
In this context, the meaning of violating causality is this. Let events A and B be such that motion at greater than c is necessary to get from one to the other. Then there exist frames in which A occurs before B, and also frames in which B occurs before A.
Oops, I actually gave the wrong reference. The correct one is this:
Vieira, An Introduction to the Theory of Tachyons, 2011, http://arxiv.org/abs/1112.4187
If you want to have an observer, you have to have a frame of reference for that observer. Having such a frame of reference means that you have to be able to define some way of converting from that frame into other frames, such as frames that are not FTL relative to the stars. Various people, going back at least as far as 1986, have worked out a way of extending the usual Lorentz transformations so that they connect frames that have relative velocities greater than c. Suppose you have two frames A and B that are moving relative to one another at a speed greater than c. Alice is an observer in frame A, Bob in B. What ends up happening is that Alice says she's made of bradyons (particles that go slower than c), and she sees Bob as being made out of tachyons. But Bob sees himself as being made of bradyons and Alice of tachyons. Also, what Alice perceives to be a time axis Bob says is a spatial one, and what Alice says is space Bob says is time. This final part is the one that makes it not work in 3+1 dimensions. There is no mathematically consistent way to carry the whole thing through if the number of time and space dimensions isn't equal.
Einstein did modify it. The resulting theory is called General Relativity.
And every time we use GPS, we're using a tool that would not work at all without general relativity.
The equations of Special Relativity are used in experimental high energy physics all the time quite successfully.
And even so, theorists were very enthusiastic about trying to modify SR to accommodate the superluminal neutrino results from 2011. Unfortunately those results turned out to be due to a loose cable.
The slashdot summary is totally inaccurate. It makes it sound as though the paper calculates what would be seen by an observer going faster than c relative to the stars, but actually the paper calculates what would be seen by an observer going at v=0.9999995c.
There is also basically nothing new in this paper. The effects they describe (relativistic aberration and Doppler shifts) have been well understood for a long time. ANU has made a nice educational video showing these effects.
The question of how things would look if you could go faster than c relative to the stars is a whole different issue. Special relativity doesn't forbid relative motion faster than c, but it puts a bunch of constraints on it: (1) it can't be achieved by a continuous process of acceleration from velocities less than c; (2) if it exists, it violates causality; and (3) although special relativity is consistent with the existence of faster-than-light particles (tachyons), it is not consistent with the existence of faster-than-light observers in a universe with 3 spatial dimensions and 1 time dimension, a.k.a. 3+1 dimensions. Result #3 (no tachyonic observers in 3+1 dimensions) has been known for a long time, but it seems to keep getting rediscovered.
http://noscript.net/faq#qa1_3
http://forums.mozillazine.org/viewtopic.php?p=1586359&highlight=flashblock+noscript#1586359
http://flashblock.mozdev.org/faq.html#fbNojavascript
But anyway I think the real problem with noscript is the untrustworthy behavior of its author.
There are unfortunately lots of problems with noscript.
Noscript is incompatible with flashblock.
Noscript's codebase has a reputation for being a mess.
I stopped using noscript in 2009, because of a variety of issues related to their attempts to maximize ad impressions on their site. It does extremely frequent updates, sending you to its home page every time. It is possible to defeat this in about:config, if you set noscript.firstRunRedirection to false. In May 2009, they got in some kind of a war with adblock: http://news.slashdot.org/article.pl?sid=09/05/01/236248&art_pos=1 They were modifying the behavior of adblock, and some of the code of noscript was obfuscated. In general, the behavior of the noscript developers seems irresponsible, sneaky, and deceptive. I don't want to fix a security problem on my machine by installing software written by people who behave ... kind of in the same scummy way as the people I was trying to protect myself from in the first place.
Is the problem with OpenJDK or just Oracle Java?
Doesn't OpenJDK have a reasonable patch procedure?
Why don't all the corps that are tied to Java apps fund the development of an OpenJDK port/plugin for Windows and leave Oracle to run their own Java ghetto?
I don't know that much about how these projects are actually organized. I could be wrong, but it sounds to me like basically a PHB at Oracle decrees that a certain feature should be added to java, even though it's ill-advised from a security-design point of view; then code monkeys at Oracle implement it; then people out in the OSS world (the project that used to be GNU classpath? IcedTea? OpenJDK?) import the code into their own implementation, which is really the same code-base with just a few IP-encumbered parts replaced with open-source work-alikes. AFAIK the present security hole was present in every implementation of java 1.7 for the last 6 months, not just windows implementations or implementations downloaded directly from oracle.
If anyone has deeper insight into how all this is organized, it would be great to hear from them.
PDF is simply a wrapper for a program written in Postscript
Not true. Postscript is a Turing-complete language. PDF is basically a redesign of postscript that, among other changes, makes it into a Turing-incomplete language. This makes PDF inherently more secure than Postscript.
The security flaws that keep popping up in Adobe Reader are not holes in PDF itself, they're holes in other features that were added on later, such as the ability of recent versions of PDF to embed javascript. By default, AR will execute javascript that's embedded in pdf files. This is both a privacy (people can track readers) and a security issue (more than one stack overflow bug has been discovered that's related to js). To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
Better yet, simply don't use AR as your PDF plugin in your browser. On linux, Evince is pretty good.
The situation with PDF is actually closely analogous to the one with java applets. Both technologies were designed with security in mind, and are inherently possible to implement straightforwardly in a secure way. Both are open specs that are freely implementable without paying patent royalties. In both cases, the evolution of the spec is currently being guided by an evil corporation that doesn't care about security. The main difference is that in the case of PDF, the relevant read/write functionality exists in multiple completely independent implementations, whereas for java, there is no full reimplementation by anyone besides sun/oracle, only implementations that use almost all of oracle's code and replace portions that weren't freely available.
To paraphrase a well known saying, I think it's time for the internet to start seeing oracle as damage and route around it.
One really simple thing that seems needed, and that should be extremely simple to do, would be a whitelist/blacklist plugin for java applets in firefox. The vast majority of java applet users are probably people who work in a bank, a law practice, or a medical office and only ever need to use a single applet. They need an option where they can blacklist all java applets by default, but allow applets from medicalrecords.com or whatever. These folks can't just disable the java plugin completely. Setting plugins.click_to_play to true is also a solution, but it breaks sites that use flash, and it doesn't protect the business against an office worker who clicks on stuff without thinking. (I tried setting this flag on my desktop box at home, and it was too much of a nuisance. This is what I have flashblock for, and flashblock does the job better.)
Another helpful step would be to make it easier for people to find out which versions of java they have on their computers and easier for them to avoid unsafe versions. On my ubuntu box, managing this is a total mess. If I do "java -version", it tells me I'm running java 1.6, which would be immune to this vulnerability. But if I check inside the directory /usr/lib/jvm , it turns out I actually have 1.5, 1.6, and 1.7 all installed. Well, which one is firefox using? I get zero results from dpkg --get-selections icedtea . In firefox, doing tools:add-ons:plugins tells me I have IcedTea-Web 1.2, which tells me nothing about the java version. Typing about:plugins in the url bar shows me literally two dozen version numbers. Googling turns up somebody's test app at http://javatester.org/version.html , but (a) how do I know this guy isn't a black hat, and (b) even if that showed I was currently running 1.6, what happens if a future apt-get upgrade bumps me into 1.7?
The final thing that should really happen IMO is that the OSS community should get off the java upgrade treadmill. The IcedTea project should designate some version such as 1.6 as a high-security, stable version and focus some real effort on making that version secure. Distros should stop packaging 1.7+ until the dust settles -- and if that takes a couple of years, who the heck cares? Hell, I wouldn't care if it took a decade, or forever.
I see a lot of posts saying, "I don't need java applets. None of the web sites I visit use java applets. We should use this as an opportunity to let java applets die. Die, applets, die die!"
There are a lot of problems with this simplistic response.
One problem is that a lot of people are using java applets to do things that are important to them. Applets are widely used in the medical industry. I teach physics for a living, and there are several educational applets, written by other people, that I use to demonstrate ideas about thermodynamics. (Warning, car analogy coming up.) Just because you don't drive a Honda Fit, that doesn't mean it's OK to tell every owner of a Honda Fit that they aren't allowed to drive it anymore.
The other problem is that you have to consider the alternatives.
Javascript is in many ways a nice little language. However, it's a disaster because of the lack of a standardized DOM, and it simply doesn't have the necessary facilities to do all the things that a java applet can do.
Flash is essentially proprietary, has been designed in a chaotic way, and is a frequent vector for malware, comparable to java applets and adobe reader.
Silverlight is only viable on Windows.
Java applets, warts and all, have some important advantages because of the design of java. Java was designed to be extremely portable. Java (unlike flash and javascript) was intended from the start to be a good general-purpose programming language. Java and java applets were vastly overhyped back in the 90's, but java applets are in fact an important and useful web technology that some people need and want. The problem seems to be that an important and useful web technology has fallen under the control of a corporation that is irresponsible about security.
Thanks for the suggestion, but I tried OSRM, and it seemed just as bad as yournavigation.org, if not worse. (I wanted to do a side-by-side comparison, but yournavigation apparently isn't working right now due to hosting problems.) As with yournavigation, OSRM breaks the route down into a large number of microscopic parts. Also, when I asked it for directions to 4926 W. Rosecrans Avenue, Hawthorne, CA, it inexplicably changed my request to a request for directions to South Tajauta Avenue, Los Angeles, CA, which is a completely different place. The blue route is also invisible overlaid on top of blue freeways.
I'm a college professor.
The clickers, which are expensive for students, were never needed in the first place. The people who pioneered this teaching technique started by having students raise hands to vote. They observed that some students were reluctant to be embarrassed in front of their peers by raising their hands for a choice that might be wrong, so they handed out large cardboard cards with letters ABCD on them. Students held up the card so only the professor could see. Worked great. The clickers are a waste of money for students, and the extra functionality they make possible is extremely minimal in proportion to the cost.
The idea of only supporting students' tablets is silly. It may be true at the University of Spoiled Children that basically everyone owns a laptop or tablet and brings it to school, but I assure you that that's not true at the community college where I teach. My students are generally extremely cheap and extremely broke. The projector works great. It's up at the front of the room where everyone can see it. If I need to point to it, I can pick up a meter stick and point. If I depend on students to have tablets, then at any given time some big percentage of them will be off task for a variety of reasons: don't own one, didn't bring it to school, dead batteries, using it to play games, doesn't have the right browser plugin, doesn't have enough resolution, wifi isn't working, ...