They are, but it's still dreadfully common. Same with passwords. My bank (of all things!) doesn't accept non-alphanumeric characters in passwords. It's completely retarded and makes me wonder whether they might be completely incompetent when it comes to preventing SQL-injection. Or any kind of security, for that matter. And for banks, that's kind of serious.
I am suddenly reminded of websites that refuse to accept arbitrary octet sequences like "INSERT" "SELECT" "UPDATE" "DELETE" "DROP" "GRANT" "ALTER" "CREATE" "TRUNCATE" "EXEC" "CLUSTER" "VACUUM" "DECLARE" "SET" "--"
"/*" "@@" "CURSOR" "FETCH" "BEGIN" "END" "KILL" "OPEN" "TABLE"
As any part of an e-mail address, password, or other profile information.
And think that is the best way to prevent SQL injection........ really??
Sites that do it right are sites like Slashdot. No restriction against using those words in a comment (obviously)
Many websites don't accept the plus in the email address field.
Phone / e-mail the webmaster to complain about that.
Special characters in the user portion of e-mail addresses are perfectly valid.
Websites have no business deciding what usernames are acceptable, only your e-mail provider does.
I've encountered several sites that do not allow a + in the email address, or come even remotely close to implementing the RFC.
Those (several) sites then are clearly broken; clear violation of the robustness principal as well.
Basically, (anything)@example.com
Is valid; providing the contents of (Anything) are recognized by (example.com) SMTP servers.
There may be some quoting of special characters such as spaces required in (anything),
required when using the e-mail address over SMTP; however, the web server's SMTP client should take care of adding any quoting special characters required for SMTP protocol, if the user did not provide it.
You can even set e-mail filtering rules to attach different labels based on what TAG the message was sent to,
or discard messages if a suitable TAG is not present.
He'd be pretty easy to throw in a locker or chain to a women's bathroom stall in-between class. The possibilities are endless and hilarious.
His bot would be, BUT... I don't think the school officials would think that too funny.
There is that issue that since the bot is equipped with a camera, he could also be recording any evil attempted against it.
The perpetrator would have to keep really quiet, as their voice would otherwise identify them as present at the scene;
during switching between classes, there would likely to be witnesses who could be seen on camera shortly before and questioned;
translation: they can't taunt him, identify themselves, or do many of the things that give bullies pleasure,
because the availability of the camera seeing the bully or seeing at least one witness is almost assured.
Staff are likely to be keeping an eye on it.
And the bot has no need to go to places like bathroom stalls, where someone might try to jump it.
So I don't see what Google has a right to bitch about when it is the user that chose to share THEIR searches with Bing and that frankly isn't Google's no matter how much they like to treat user's data as their own property.
You're wrong... the search terms are the user's data.
The choice of links that Google displays in response to the search terms are Google's data.
The choice of links that a user clicks on when presented with search results are a combination of Google and the User's data,
but mostly Google's data.
Bing wouldn't have anything useful to gather, if they did not look at Google's search result output.
And correlate user keywords entered with choices from Google's data.
I get the impression that he's a nice enough guy - if he's on one or two hundred thousand a year I'm sure he's free from worries about money and can afford various shiny luxuries
Well, $600 a day is $156,000 a year; $219,000, if he works weekends,
assuming he could keep it up.
Obviously he wouldn't want to work weekends with such a boring job... and there is this issue that, he could not guarantee getting that much, before the lottery company noticed, closed the loophole, and tried to sue for their $$ back.
But that is a million after 8 years, just doing it on his own, assuming he can keep it up that long, without the lottery co. patching the hole.
The fact remains, that if he hired some help, he could indeed potentially do much better.
Apparently he is happier with the glory and respect of being the guy who discovered the hole in the system
and did not cheat it; instead of defeating it, he is revealing it, obviously solely for the purposes of fame,
and to prevent anyone else from doing it.
If you couldn't make decent money exploiting the bug, then there'd be no point in trying so much to get the big bad lottery companies to fix it; who apparently feel playing intelligently and discovering fair ways to get an edge in the game is against some rule of the lottery that nobody can ever win (except by pure chance, and at the dismal rate pre-determined for winning).
Not when you can just give them smartphones with the software to do the job installed on them. You can even setup the application to stop working if you do not get paid.
Don't you think the clerk at the store would start getting suspicious, when
10 people walk in with smart phones and start rooting through the
scratch off tickets, typing numbers on the front of the tickets,
or taking pictures of tickets?
If we estimate 220 working days a year this means he makes more than 132,000 a year. Seems like either he makes quite a bit or he needs to think bigger. Get 10 people all doing this and have him take 50% of the profits.
That would require revealing his methods to more people, which would be sure to make them useless eventually,
as "those 10 people" are not going to be able to keep quiet about the exploit.
Assuming it's even easy to find 10 people who are good enough with memory and mathematics to execute the exploit.
I would say reliably using the flaw to find winning tickets requires a level of intelligence slightly higher than the average person.
The problem is that for any *good* translation of man pages to HTML, you'll need to autodetect links in the text. Same goes for pretty printers that start with any text-based format. In the modern Internet, there is simply no place for URLs that aren't links.
If you decide to use an 'autodetection' tool or 'pretty printer', then you have to live with false positives, or fix your pretty printer to not recognize them, by special casing or suitable rules.
Too bad nobody actually has the guts to do that. Take everything allocated to Egypt and give it to someone else. If they complain, just say "You shut down the Internet in your country, you obviously didn't want them anymore."
That could be reasonable... however, the RIR community that has the power to make that decision is AfriNIC.
They won't consider it due to the permanent damage it would cause.
If Egypt permanently disconnects,
and if they revoked the IP addresses, they would be available for further assignments in the African region, but I don't think there is that much demand for IP space in that region, so the result is the IPs would sit unused for 1-2 years, probably.
Y2K was perfectly legitimate. It was only through heroic efforts that programmers were able to overcome years of managerial negligence and get the changes made in a knick of time.
When you do things right, people won't be sure you've done anything at all. -- God, (Futurama, 2002)
automated link checkers on them because every man page that mentions "http://www.example.com" anywhere in it is going to contain "broken" links because of the redirect.
If you have a link to www.example.com then it is by definition a broken link.
You should never link to example.com.
It is perfectly fine to mention the domain name in the text of documentation while using it as an example (that's what it is for in the first place); that mention should not be hyperlinked to example.com however.
Translation: fix the documentation. Type it as a non-link (plaintext domain name).
Yes, I'm sure every thief out there is perfectly aware of this.
They can be made aware of this quite easily. Someone has to explain the fingerprint scanning technology to the car buyer audience, before people can use it.
The thieves will definitely figure out about that, as well as any mechanism(s) for defeating the scanner and starting the car manually
Don't go overboard from the correct statement of "mass and weight are not the same thing" to "mass and weight are unrelated"
They are unrelated in that you cannot determine weight from mass or mass from weight alone; if you weigh an object once and then weigh another object at a later time, somewhere else, a change in weight does not imply a linear change in mass.
It is similar to the concept that the voltage of electric circuits in general is not uniquely dependent upon the amperage through the conductor. It is possible to build a circuit with a voltage of choice at any amperage desired. A difference in voltage measurement measured later in a different circuit does not necessarily mean the amperage is different.
You need further details about the measurement environment.
For example, if you know the object is near earth's surface, you can calculate a pretty good approximation of mass from its weight.
You have a linear relationship Only under a very special condition (constant force of gravity)
If the weight is non-zero, you can use a relative comparison between weights of known mass in order to determine the mass of an object with unknown mass.
Otherwise they are independent, that is the general and more common case.
Is the IANA really so poor that they can't afford a VM running apache on bsd in order to appropriately handle these requests?
You're forgetting that the IANA function is something that the US government contracts ICANN to perform. The less money they spend, the greater the contracter (ICANN)'s $$$.
It won't break your program, but it might break your example. I've seen HTTP tutorials that show using telnet to connect to example.com, and getting a response.
Then they have not understood RFC 2606.
These names are reserved for use as example domains in documentation.
If there is any page at those addresses, then it is a coincidence.
There is no assurance that IANA will provide these domains as resolvable in any form.
The domains are reserved, that doesn't indicate the name will (or will not) resolve.
Who the hell is going to buy a car that you can't loan to someone on short notice? This idea is utterly ridiculous.
Most people already cannot just do that. Personal auto insurance policies commonly prohibit loaning your car to someone on short notice; you have to notify the insurance company in advance, which is only possible during certain hours, and if you fail to do so, there is no liability (or other) coverage for the vehicle. And it is illegal for a car to be operated when not covered by insurance
I dunno. I couldn't get my 78 year old Dad to use a FREE Roomba Robot Vacuum Cleaner or a FREE Tom Tom GPS. But he has 5 AOL accounts.
Someone bought the Roomba and GPS for him, so he doesn't appreciate their value.
AOL accounts are worthless, so their value is easy to appreciate
They are, but it's still dreadfully common. Same with passwords. My bank (of all things!) doesn't accept non-alphanumeric characters in passwords. It's completely retarded and makes me wonder whether they might be completely incompetent when it comes to preventing SQL-injection. Or any kind of security, for that matter. And for banks, that's kind of serious.
I am suddenly reminded of websites that refuse to accept arbitrary octet sequences like "INSERT" "SELECT" "UPDATE" "DELETE" "DROP" "GRANT" "ALTER" "CREATE" "TRUNCATE" "EXEC" "CLUSTER" "VACUUM" "DECLARE" "SET" "--" "/*" "@@" "CURSOR" "FETCH" "BEGIN" "END" "KILL" "OPEN" "TABLE"
As any part of an e-mail address, password, or other profile information.
And think that is the best way to prevent SQL injection.... .... really??
Sites that do it right are sites like Slashdot. No restriction against using those words in a comment (obviously)
Many websites don't accept the plus in the email address field.
Phone / e-mail the webmaster to complain about that.
Special characters in the user portion of e-mail addresses are perfectly valid. Websites have no business deciding what usernames are acceptable, only your e-mail provider does.
Unfortunately, it still exposes your primary address. Whereas it seems that the reasoning behind this Hotmail feature is primarily privacy.
So make the primary address a quick trip to /dev/null or a rarely read junk folder
Only set mail filtering rules to accept messages sent to +addresses you want
I've encountered several sites that do not allow a + in the email address, or come even remotely close to implementing the RFC.
Those (several) sites then are clearly broken; clear violation of the robustness principal as well.
Basically, (anything)@example.com
Is valid; providing the contents of (Anything) are recognized by (example.com) SMTP servers.
There may be some quoting of special characters such as spaces required in (anything), required when using the e-mail address over SMTP; however, the web server's SMTP client should take care of adding any quoting special characters required for SMTP protocol, if the user did not provide it.
Google already has something like this.
username+TAG@gmail.com
You can even set e-mail filtering rules to attach different labels based on what TAG the message was sent to, or discard messages if a suitable TAG is not present.
He'd be pretty easy to throw in a locker or chain to a women's bathroom stall in-between class. The possibilities are endless and hilarious.
His bot would be, BUT... I don't think the school officials would think that too funny.
There is that issue that since the bot is equipped with a camera, he could also be recording any evil attempted against it. The perpetrator would have to keep really quiet, as their voice would otherwise identify them as present at the scene; during switching between classes, there would likely to be witnesses who could be seen on camera shortly before and questioned; translation: they can't taunt him, identify themselves, or do many of the things that give bullies pleasure, because the availability of the camera seeing the bully or seeing at least one witness is almost assured.
Staff are likely to be keeping an eye on it.
And the bot has no need to go to places like bathroom stalls, where someone might try to jump it.
When a man page contains a URL, that URL is expected to be a valid URL, not a redirect.
First of all, this is wrong.
When a man page contains an EXAMPLE URL, it is intended as an example address for explanatory purposes, not a valid link to be followed.
Second of all, a URL to a redirect is still a valid link. A redirect is not an error.
So I don't see what Google has a right to bitch about when it is the user that chose to share THEIR searches with Bing and that frankly isn't Google's no matter how much they like to treat user's data as their own property.
You're wrong... the search terms are the user's data.
The choice of links that Google displays in response to the search terms are Google's data.
The choice of links that a user clicks on when presented with search results are a combination of Google and the User's data, but mostly Google's data.
Bing wouldn't have anything useful to gather, if they did not look at Google's search result output. And correlate user keywords entered with choices from Google's data.
I get the impression that he's a nice enough guy - if he's on one or two hundred thousand a year I'm sure he's free from worries about money and can afford various shiny luxuries
Well, $600 a day is $156,000 a year; $219,000, if he works weekends, assuming he could keep it up.
Obviously he wouldn't want to work weekends with such a boring job... and there is this issue that, he could not guarantee getting that much, before the lottery company noticed, closed the loophole, and tried to sue for their $$ back.
But that is a million after 8 years, just doing it on his own, assuming he can keep it up that long, without the lottery co. patching the hole.
The fact remains, that if he hired some help, he could indeed potentially do much better. Apparently he is happier with the glory and respect of being the guy who discovered the hole in the system and did not cheat it; instead of defeating it, he is revealing it, obviously solely for the purposes of fame, and to prevent anyone else from doing it.
If you couldn't make decent money exploiting the bug, then there'd be no point in trying so much to get the big bad lottery companies to fix it; who apparently feel playing intelligently and discovering fair ways to get an edge in the game is against some rule of the lottery that nobody can ever win (except by pure chance, and at the dismal rate pre-determined for winning).
Not when you can just give them smartphones with the software to do the job installed on them. You can even setup the application to stop working if you do not get paid.
Don't you think the clerk at the store would start getting suspicious, when 10 people walk in with smart phones and start rooting through the scratch off tickets, typing numbers on the front of the tickets, or taking pictures of tickets?
If we estimate 220 working days a year this means he makes more than 132,000 a year. Seems like either he makes quite a bit or he needs to think bigger. Get 10 people all doing this and have him take 50% of the profits.
That would require revealing his methods to more people, which would be sure to make them useless eventually, as "those 10 people" are not going to be able to keep quiet about the exploit.
Assuming it's even easy to find 10 people who are good enough with memory and mathematics to execute the exploit.
I would say reliably using the flaw to find winning tickets requires a level of intelligence slightly higher than the average person.
I'll bet his tune would be a bit different if he were unemployed.
However... if "$600 a day" is chump change to him, then he must be a really good statistician.
I wonder by what definition he doesn't consider himself already rich?
I have never once even seen a detection problem that required blacklisting a specific URL.
Now you have.
Wouldn't it be better to do it anyways? AfriNIC could give them IPv6 addresses, and Egypt could get back online when they are ready.
It would be better to do so, if it looks like Egypt will be disconnected for an extended period.
If Egypt is disconnected for 30 days or more, then the RIR should start asking questions. And prepare to take measures to reclaim IPs.
Longer than 60 days, then IP revokation/usage review should definitely start.
The problem is that for any *good* translation of man pages to HTML, you'll need to autodetect links in the text. Same goes for pretty printers that start with any text-based format. In the modern Internet, there is simply no place for URLs that aren't links.
If you decide to use an 'autodetection' tool or 'pretty printer', then you have to live with false positives, or fix your pretty printer to not recognize them, by special casing or suitable rules.
Just.because.you.have.some.words.with.a.few.dots.in.between.them.does.not.mean.it.is.actually.a.link.period.even.if.it.ends.with.com.
Too bad nobody actually has the guts to do that. Take everything allocated to Egypt and give it to someone else. If they complain, just say "You shut down the Internet in your country, you obviously didn't want them anymore."
That could be reasonable... however, the RIR community that has the power to make that decision is AfriNIC. They won't consider it due to the permanent damage it would cause.
If Egypt permanently disconnects, and if they revoked the IP addresses, they would be available for further assignments in the African region, but I don't think there is that much demand for IP space in that region, so the result is the IPs would sit unused for 1-2 years, probably.
Y2K was perfectly legitimate. It was only through heroic efforts that programmers were able to overcome years of managerial negligence and get the changes made in a knick of time.
When you do things right, people won't be sure you've done anything at all. -- God, (Futurama, 2002)
automated link checkers on them because every man page that mentions "http://www.example.com" anywhere in it is going to contain "broken" links because of the redirect.
If you have a link to www.example.com then it is by definition a broken link.
You should never link to example.com.
It is perfectly fine to mention the domain name in the text of documentation while using it as an example (that's what it is for in the first place); that mention should not be hyperlinked to example.com however.
Translation: fix the documentation. Type it as a non-link (plaintext domain name).
Yes, I'm sure every thief out there is perfectly aware of this.
They can be made aware of this quite easily. Someone has to explain the fingerprint scanning technology to the car buyer audience, before people can use it.
The thieves will definitely figure out about that, as well as any mechanism(s) for defeating the scanner and starting the car manually
Don't go overboard from the correct statement of "mass and weight are not the same thing" to "mass and weight are unrelated"
They are unrelated in that you cannot determine weight from mass or mass from weight alone; if you weigh an object once and then weigh another object at a later time, somewhere else, a change in weight does not imply a linear change in mass.
It is similar to the concept that the voltage of electric circuits in general is not uniquely dependent upon the amperage through the conductor. It is possible to build a circuit with a voltage of choice at any amperage desired. A difference in voltage measurement measured later in a different circuit does not necessarily mean the amperage is different.
You need further details about the measurement environment.
For example, if you know the object is near earth's surface, you can calculate a pretty good approximation of mass from its weight. You have a linear relationship Only under a very special condition (constant force of gravity)
If the weight is non-zero, you can use a relative comparison between weights of known mass in order to determine the mass of an object with unknown mass.
Otherwise they are independent, that is the general and more common case.
Is the IANA really so poor that they can't afford a VM running apache on bsd in order to appropriately handle these requests?
You're forgetting that the IANA function is something that the US government contracts ICANN to perform. The less money they spend, the greater the contracter (ICANN)'s $$$.
It won't break your program, but it might break your example. I've seen HTTP tutorials that show using telnet to connect to example.com, and getting a response.
Then they have not understood RFC 2606.
These names are reserved for use as example domains in documentation.
If there is any page at those addresses, then it is a coincidence. There is no assurance that IANA will provide these domains as resolvable in any form. The domains are reserved, that doesn't indicate the name will (or will not) resolve.
Who the hell is going to buy a car that you can't loan to someone on short notice? This idea is utterly ridiculous.
Most people already cannot just do that. Personal auto insurance policies commonly prohibit loaning your car to someone on short notice; you have to notify the insurance company in advance, which is only possible during certain hours, and if you fail to do so, there is no liability (or other) coverage for the vehicle. And it is illegal for a car to be operated when not covered by insurance
Such a definition is ultimately circular. The volume of water depends on pressure, which itself has a mass component.
So base the standard on a volume of water added to a vacuum?