>She wasn't covert
Her neighbors were "stunned" to hear she was CIA.
It's a mistake to believe lies. It is wrong to pass them along.
Well, if the government makes a buck it's because they found out and started a proceeding that's part of public record.
Where you're absolutely right is that we want to offer incentives for not covering things up and for sharing enough information to improve security in general. The aviation industry does this right: they publish accident reports, whereas Intuit is keeping quiet about what kind of vulnerability they had.
Wikireturns! People can collaborate on filing them.
We are off the Milankovitch trend. Basic physics says that industrial CO2 should raise temperatures, so why is it hard to accept that pushing on the accelerator makes the car go faster?
>but also that our warming forecasts for the year 2040 are somehow more reliable than the weatherman's forecast for next week.
It will be a cold day in July before I take that argument seriously.
The average temperature in July is much more reliably known than the small-scale noise of tomorrow's weather.
The climate in Saudi Arabia is a lot easier to predict than the weather.
The people who keep bringing weather forecasts into the discussion have known all their lives to plan for cold and snow in winter, rain in the spring, and sunlight in the summer. They're not actually confused about the difference between climate and weather.
>alarmist climatologists are batting at exactly 0%. Why should I believe them now?
Are you referring to the fact that the previous IPCC report was wrong about sea level increases? They *underestimated* them. Or are you pulling out the old line about a cooling scare in the 70s? Here's a bibliography of scientific literature on climate from the 1970s.
A reasoned discussion has to be based on facts, and it has to use reason.
Quick question to ask yourself: what new information, if it were to be discovered, would change your mind? If you can't think of any, you're not engaging in reason. A climatologist would say "well, if someone found a previously unknown negative feedback mechanism with a time constant such that it hasn't taken effect yet, then we'd all have to lower our temperature forecasts".
Other quick question: what do you think is the baseline temperature increase from a doubling of CO2? If you think it's less than 2 Celsius, on what facts do you base that assessment?
If you don't like proposed policy measures, the response of reason is to propose different ones (build fission plants? Roll with the punches?) instead of pretending the scientific data is a conspiracy by people you hate.
Quick question: have you ever known a working scientist? Political party members get promoted for going along. Scientists only get PhDs, promotions, and tenure from publishing _new_ information.
>any competent IDE will give you for free.
That is true today, but development tools were cruder when Hungarian notation came into being, and sometimes you just want to spread a printout over the floor anyway.
>There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan.
Not on today's OSes and architectures, but those aren't the only possibilities.
Moving away from the assumption that software is trustable would be a great start. Why does my web browser have authority to overwrite my hosts file, just because I do and I'm the one logged in while it's running? Why does my email client have authority to launch executables?
Operating systems that enforce per-program restrictions do have a terrible record of being hard to use, and eventually someone will tell downloaders "remove jumper J4 to disable mandatory access control so you can install our dancing cursors."
Yes, I got one from NewEgg. The pinouts on a CF card are pretty close to IDE already. There are adapters that will connect your CF card to either a desktop IDE interface or to a laptop one, they have pins for both on the same card.
At least it's IIS 6, according to NetCraft.
http://www.securiteam.com/windowsntfocus/5XP0515L5W.html
Here's what the sun has been doing since we first got accurate exo-atmospheric measurements:
http://www.ngdc.noaa.gov/stp/SOLAR/IRRADIANCE/irrad.html
And it doesn't matter if you expose any one of those talking points as bogus(*), because two more will be invented for the next edition of the next radio talk show.
(*) Volcanoes, for instance. Here's the actual numbers on human and volcanic emissions of CO2.
Even if democracy didn't trump trade secrets, the commercial interests of the vendors are safe. If a competitor steals their precious source code, well, the competitor has to publish too and will get caught.
If I'm reading the Fortify paper right (I'm in a noisy environment), they say that your proposal will work. The attack is a variation on CSRF, so a similar solution (shared secret nonce) applies.
Things like this are why I have fun in security. Leveraging execute-only access to code into read access to data is a nifty hack.
>First, some web apps parse JSON notation by feeding it into JavaScript's "eval" [json.org]. Now that was dumb. Some JSON support code "filters" the incoming data before the EVAL, but the most popular implementation missed filtering something and left a hole.
Isn't this the same lesson that led to giving up on suid shell scripts? Try to "filter" input to a rich general-purpose language and you always miss something. Especially when the language can be tweaked at runtime, be it with an IFS environment variable or a prototype redefinition.
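As an added example that is not part of the comment above or of any JSON library: a constructed "looks like JSON" character filter placed in front of eval, beside JSON.parse, to show the kind of input such a filter lets through. The filter, the global name sessionToken and both payloads are made up for the demo; the filter is deliberately naive and is not the json.org code the comment refers to.

```javascript
// Constructed demo of the "filter, then eval" anti-pattern versus a real JSON parser.

// Parsing by eval: the parentheses make "{...}" an object literal instead of a block.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// A constructed character-class filter. Letters have to be allowed for
// true/false/null, so a bare identifier passes even though JSON forbids it.
const JSON_LOOKALIKE = /^[\w\s",:{}\[\]\.\-]*$/;

function parseFiltered(text) {
  if (!JSON_LOOKALIKE.test(text)) {
    throw new Error("rejected by filter");
  }
  return parseWithEval(text);
}

// The fix: a parser that understands only JSON and has no access to page state.
function parseStrict(text) {
  return JSON.parse(text);
}

// Stand-in for page state an attacker would like to read (constructed).
globalThis.sessionToken = "constructed-secret-token";

const benignPayload = '{"user": "alice", "admin": false}';
// No parentheses, no semicolons, so the filter accepts it; eval resolves the identifier.
const sneakyPayload = '{"user": "alice", "token": sessionToken}';

// Runs both parsers on one payload and reports what each produced.
function compare(text) {
  let filtered;
  let strict;
  try {
    filtered = JSON.stringify(parseFiltered(text));
  } catch (e) {
    filtered = "error: " + e.message;
  }
  try {
    strict = JSON.stringify(parseStrict(text));
  } catch (e) {
    strict = "error: " + e.constructor.name;
  }
  return { filtered, strict };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compare(benignPayload));
  console.log(compare(sneakyPayload));
}
```

The benign payload parses the same way under both; the second passes the filter, and eval hands back the global's value inside what looks like ordinary parsed data, while JSON.parse rejects it outright. Tightening the regex to forbid this one case is the same game as filtering for a suid shell script: the language is bigger than the filter.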
My first reaction on hearing about JSON was that nobody in their right mind would ever use it.
If you'll permit another pet peeve, the "same origin policy" is already a broken design. First, the same domain doesn't mean the same origin in a world where you can change your DNS record (search on "DNS pinning" for attacks and countermeasures). Second, same site doesn't mean same level of trust. The login page at myspace.com is not security-equivalent to myspace.com/~phisher, and the result was a password-theft incident.
and reboot one of them with Knoppix in the CD drive.
The problem is people who don't believe in objective reality.
Such people are dangerous everywhere but are outright toxic when allowed to tamper with the results of fieldwork.
People who substitute goodfact for realfact and own propaganda machines are inimical to democracy.
>Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole...
OpenBSD took code auditing as far as human beings could take it and then decided that privilege separation was necessary. It's not the same thing as IE 7 on Vista's "protected mode", but it follows the same principle of limiting privileges of code that doesn't need them. OpenBSD did both, and there's evidence that Microsoft is doing both.
My compass through the hype about Windows security is to look at what kind of code the bugs are in. Newer code seems to be genuinely cleaner, and some of the worst bugs (the whole series of WMF vulnerabilities for example) have been in code old enough to drink legally.
High rates of atmospheric absorption mean that Mother Nature is making your network cellular for you. This would be great technology for meshes, because the node three hops away simply can't interfere with you. Sub-mile ranges are also entirely useful for point-to-point links in dense areas. If you had a meeting in Bangkok with someone a mile away, you'd really prefer a broadband video conference over driving a mile in Bangkok traffic.
Microsoft's advisory claims that IE7 in protected mode isn't vulnerable.
Coins, money, checks and stock certificates have all been forged. One option would have been blaming the victims. Instead the industries involved developed anti-forgery technology and deployed it.
Today email is being forged for criminal gain. The anti-forgery technology already exists. Paypal is negotiating with their business partners to get it deployed.
We all benefit from closing off easy opportunities for crime. Blaming the victim doesn't work very well in the case of a pharming attack anyway.
>The influence of lobbyists and the nice gifts they bring matters much more than any pathetic constituent.
Two possible reasons for this, both curable by voter action.
First possibility, the politician cares more about booze and hookers in the short term than about getting reelected to get more booze and hookers in his next term. Voters can fix that every time someone's term comes up.
Second possibility, the lobbyist gifts actually influence elections. In the US, literal vote-buying is rare. Politicians want money for their campaigns so they can buy TV ads. Voters can fix that problem too, by ignoring TV campaign ads and by talking politics with their friends to drown out the campaign ads ("Joe, Joe, who do you think is going to be good for your family? Are you going to believe me, or some ad agency from New York?").
When somebody does a bad job it's their fault. When you can fire them and you don't it's your fault.
Article I, Section 9:
"No tax or duty shall be laid on articles exported from any state."
>They even did a hatchet job on reputation of the citizen who started and pushed the $30 car tab movement, Tim Eyman.
When "they" found out that Eyman pocketed fifty thousand in contributions, should "they" have refrained from asking him about it? When he denied it, should "they" have taken his word for it? When it was proven, should "they" have carefully covered it up?
How on earth is telling people where their money is going a "hatchet job"?
"This area has an abundance of wealth solely based on the lack of government regulation in the software and computer industry. The wealth however is often transferred back to the state to fund needless and sometimes competing programs (Monorail/Light Rail) and there is a huge amount of waste. Those who think they are "entitled" will eventually ruin this state and destroy its fortune.
It's kinda ironic to think that "more government" is the answer to the common ills of prosperity that was caused by something that government couldn't figure out how to regulate in the first place.."
Microsoft started in New Mexico.
Microsoft moved to Washington because it was too hard to find educated workers in New Mexico.
That prosperity, in other words, was caused by government-funded education.