The point at the end of the article cannot be overstated; noone can steal from you what you do not have. In desktop terms; don't be afraid of the Delete button!
I'm rapidly strengthening my belief that this will not be the only company (large or small) to go through this - that many, many other companies are probably having the same done to them *right now* and don't even know it!
This is a really crappy situation; it shouldn't have happened and frankly the entry points described here are a result of negligence plain and simple! But its hard; its hard to manage a large organisation and to enforce correct and watertight procedures; security is a hard concept, one of continuous cat and mouse - but played out in your mind - hoping to God never in reality.
Everything gets more complex, and things are more often set up and run by muppets. There will be many more of these:(
actually in all seriousness, about 1%-2% of people from what I've seen.
(I write/manage an online survey system that runs across various UK retail sites - thats the proportion of double-hits to a POST form submit we see - we do compensate for it of course, but its handy to log...)
yes- tabs should remain as the tab character, no converting to spaces or anything like that.
but it IS important how many characters that is *displayed* as and it is important that developers are consistent about it; because lining up blocks of code, or '//' style comments on the ends of lines (e.g. on the lists of member variables at the start of the class) does depend on the tab width; what lines up ok at tab=4 does not line up ok at tab=2
I really like the repository-scoped version number; basically because it lets me say things like '..fixed in r5436' or 'developed in r5401 thru r5411' - and thats all the information anyone needs to know exactly what changed and when. no more info required.
no, you *assume* that those problems have no correlation with browsers used.
I would argue the opposite - users who are perhaps more 'experienced' are perhaps more likely to have these extra security programs or more restricted cookie settings, and that group probably overlaps a lot with the 'early adopter' group who are trying out Firefox.
anyhow, calculating error bounds in the commonly-accepted way depends mostly on a *random sample*, and a bit on knowing the *population size*. a random sample it clearly isn't (biased selection of sites), and the population size is an estimate anyway.
this is true - and their sites seem to be the firmly in the home-user market; where PCs are more up to date and users more open to trying out alternatives.
seriously, we do the same thing in the UK, but mostly with retail sites (B&Q, Comet, H Samuel, etc) and there are soooo many things that cause inaccuracies!
firstly, the monitors are clientside - so depending on where in the host page they live, howmany images there are on the page, how fast the user's connection is and how long they spend on a page you may or may not even register a hit.
then misconfigured caches can hided it before it gets you your logging server (but there are ways around that).
but for tracking unique users (rather than pageviews), you need cookies as well:
- some peopl have cookies turned off
- some people have cookies demoted to session-only
- some people clear their cookies periodically (e.g. they've been looking at pr0n and dont want their missus to know)
- some people use 'security' software that strips cookies and/or rewrites page content on the fly.
its a mess. numbers are never accurate and its impossible to accurately determine how inaccurate they are!
but they're right - there is a consistent and significant move toward Firefox
But having said that - it has just been Christmas, and there does seem to be a big difference between home computers and business PCs (home = more up to date, more Firefix, work = older, no alternative browsers)
we're actually seeing a *decline* in firefox figures post-Xmas, but hoping that will change!
this sounds very interesting, but I'm having trouble working out how this would work (probably not helped by the wine on this New Year's Eve before going out).
do you have any references to this other thread with more info?
but I don't think it's a reason for more MS-bashing and more IE-bashing for another hole in an old version of a browser. Newer versions are not vulnerable and people are deploying the newer versions at a substantial rate.
Yes it is [yet another] vulnerability, but it's not another 'all IE users get rooted' one.
<nitpicking> - the article says IE6 - so presumably not IE 5 and earlier; so the vulnerable portion is 50% rather than 70%. </nitpicking>
Over 30% of web traffic is from XP SP2 now (UK traffic at least).*
SP2 is meant to stop this kind of stuff happening. People are installing SP2.
This is good, and a step forward - in a few weeks it's looking like it'll be over 50%.
I don't mean to winge, but pre-SP2 security holes don't seem newsworthy to me...
(* the company I work for runs tracking/surveying code on lots of UK commercial/retail web sites - we're seeing 3-5% per week increase in SP2 traffic, last week it went over 30% of total traffic)
hmm, I dont think it'd be easy though to navigate to track 576 of my special playlist. Let alone remember what track 576 is or where my other favourite song is now..
granted the playlists can be longer than fits on a CD, but I still think its pretty useless.
Personally I'd much rather just have a line-in socket on my existing car stereo and use a regular cable (instead of the crappy cassette adaptors)
All this effort my ass - I was really ready to be impressed with this but so far as I can see the adaptor just makes the iPod pretend to be a five disc changer.
Thats right, you get your five 'BMW playlists' and thats it - you cannot play anything else; just those five lists. Why not just burn those lists to CD and be done with it...
Doesn't sound impressive to me at all. Maybe I just had my hopes too high with it being 'integrated' - like maybe there would have been a dupe of the iPod display in the dash on the satellite navigation or something, but no, it just pretends to be a CD changer. Sod that.
(not flaming Apple, I love my Powerbook, I love my iPod , I love iTMS, I want to want a BMW and integrate my iPod with it, but this is shite...)
Ok, according to a human translation of the original (french) article from the macrumors site, the 0.80 goes to "writers, performers, producers and labels"
Ambiguous and second-hand info admittedly, but could be worse...
How is the online music in Europe already crowded? I'm dying to buy music online (show of support, cant be arsed to go to the shops, etc...) and I can't find anywhere...
Ok as of now there's Napster, but thats no use on a Mac or with an iPod. MyCokeMusic.com is apparently around but I'm buggered if I can get the site to work (yes, even on IE6 on WinXP)
Everyone I've spoken to who buys from CD Wow these days says there are loads of problems getting a delivery from them - since they were banned from importing CDs from Asia (or wherever it was) and have to source them from within Europe now.
Of course that might have improved, noone I know carried on trying with them...
According to MacRumors.com the iTMS Europe will have songs for 1.29 Euros - but that includes a 19.5% sales tax. The [fixed] amount to be given to artists is 0.80 euro.
Yes, more expensive than iTMS USA, but the USA price doesnt include a sales tax - apparently in states where there is a sales tax that is added on top.
Actually not true - Safari (and others), while not trying to be clever about it, actually block popups that aren't directly linked to something you do.
So, clicking on a button where the window.open() is called from the onClick handler will work. window.open()s in onLoad handlers et al will not work.
At least, thats the way my Safari works (1.1 on Panther).
Although also, in my experience, Mozilla gets it perfect - no naughty popups but ones that I want to happen (even window.open()s in bare script executed as the page loads) somehow manage it - and no popups that I don't want!?!
Slashdot Mirror
all bets are off for the data on that hardware
still no excuse for the kiosk being able to access data from the rest of the network!
hmm.
</doom_and_gloom>
The point at the end of the article cannot be overstated; noone can steal from you what you do not have. In desktop terms; don't be afraid of the Delete button!
I'm rapidly strengthening my belief that this will not be the only company (large or small) to go through this - that many, many other companies are probably having the same done to them *right now* and don't even know it!
:(
This is a really crappy situation; it shouldn't have happened and frankly the entry points described here are a result of negligence plain and simple! But its hard; its hard to manage a large organisation and to enforce correct and watertight procedures; security is a hard concept, one of continuous cat and mouse - but played out in your mind - hoping to God never in reality.
Everything gets more complex, and things are more often set up and run by muppets. There will be many more of these
gah, they *already do*!
? index=570
They've always had Opera and the version in the useragent string - they just have the MSIE bit in there as well.
this fools the lame IE-only stuff, but lets any sensible software detect that really it is Opera.
more info here: http://www.opera.com/support/search/supsearch.dml
actually in all seriousness, about 1%-2% of people from what I've seen.
(I write/manage an online survey system that runs across various UK retail sites - thats the proportion of double-hits to a POST form submit we see - we do compensate for it of course, but its handy to log...)
I'm seeing a lot of comments about AOL ignoring this here, but this page seems to suggest differently:
http://dns.info.aol.com/time.shtml
not sure what they mean by 'cached by recursion' - but I guess that just means normal operation...
hmm, I agree but I disagree.
yes- tabs should remain as the tab character, no converting to spaces or anything like that.
but it IS important how many characters that is *displayed* as and it is important that developers are consistent about it; because lining up blocks of code, or '//' style comments on the ends of lines (e.g. on the lists of member variables at the start of the class) does depend on the tab width; what lines up ok at tab=4 does not line up ok at tab=2
just thought I'd jump in with my 2 cents worth...
I really like the repository-scoped version number; basically because it lets me say things like '..fixed in r5436' or 'developed in r5401 thru r5411' - and thats all the information anyone needs to know exactly what changed and when. no more info required.
no, you *assume* that those problems have no correlation with browsers used.
I would argue the opposite - users who are perhaps more 'experienced' are perhaps more likely to have these extra security programs or more restricted cookie settings, and that group probably overlaps a lot with the 'early adopter' group who are trying out Firefox.
anyhow, calculating error bounds in the commonly-accepted way depends mostly on a *random sample*, and a bit on knowing the *population size*. a random sample it clearly isn't (biased selection of sites), and the population size is an estimate anyway.
this is true - and their sites seem to be the firmly in the home-user market; where PCs are more up to date and users more open to trying out alternatives.
business/work PCs aren't moving so quickly.
the margin of error will be huge!
seriously, we do the same thing in the UK, but mostly with retail sites (B&Q, Comet, H Samuel, etc) and there are soooo many things that cause inaccuracies!
firstly, the monitors are clientside - so depending on where in the host page they live, howmany images there are on the page, how fast the user's connection is and how long they spend on a page you may or may not even register a hit.
then misconfigured caches can hided it before it gets you your logging server (but there are ways around that).
but for tracking unique users (rather than pageviews), you need cookies as well:
- some peopl have cookies turned off
- some people have cookies demoted to session-only
- some people clear their cookies periodically (e.g. they've been looking at pr0n and dont want their missus to know)
- some people use 'security' software that strips cookies and/or rewrites page content on the fly.
its a mess. numbers are never accurate and its impossible to accurately determine how inaccurate they are!
but they're right - there is a consistent and significant move toward Firefox
But having said that - it has just been Christmas, and there does seem to be a big difference between home computers and business PCs (home = more up to date, more Firefix, work = older, no alternative browsers)
we're actually seeing a *decline* in firefox figures post-Xmas, but hoping that will change!
BBC World is the commercial arm of the BBC - responsible for selling (and making money from!) BBC-produced content outside of the UK:
www.bbcworld.com
(although the website is more about one specific channel)
this sounds very interesting, but I'm having trouble working out how this would work (probably not helped by the wine on this New Year's Eve before going out).
do you have any references to this other thread with more info?
The thing that's troubling me about all this is that if Valve acutally put this 'warezed' version online then surely it isn't warez at all..
I mean, they uploaded for everyone else to copy. Freely. With no EULA presumably.
Surely if Valve put it online then it's not illegal to download/use it and the worst they can do is ban you from Steam?
grr. ok point taken.
but I don't think it's a reason for more MS-bashing and more IE-bashing for another hole in an old version of a browser. Newer versions are not vulnerable and people are deploying the newer versions at a substantial rate.
Yes it is [yet another] vulnerability, but it's not another 'all IE users get rooted' one.
<nitpicking> - the article says IE6 - so presumably not IE 5 and earlier; so the vulnerable portion is 50% rather than 70%. </nitpicking>
Over 30% of web traffic is from XP SP2 now (UK traffic at least).*
SP2 is meant to stop this kind of stuff happening. People are installing SP2.
This is good, and a step forward - in a few weeks it's looking like it'll be over 50%.
I don't mean to winge, but pre-SP2 security holes don't seem newsworthy to me...
(* the company I work for runs tracking/surveying code on lots of UK commercial/retail web sites - we're seeing 3-5% per week increase in SP2 traffic, last week it went over 30% of total traffic)
hmm, I dont think it'd be easy though to navigate to track 576 of my special playlist. Let alone remember what track 576 is or where my other favourite song is now..
granted the playlists can be longer than fits on a CD, but I still think its pretty useless.
Personally I'd much rather just have a line-in socket on my existing car stereo and use a regular cable (instead of the crappy cassette adaptors)
All this effort my ass - I was really ready to be impressed with this but so far as I can see the adaptor just makes the iPod pretend to be a five disc changer.
Thats right, you get your five 'BMW playlists' and thats it - you cannot play anything else; just those five lists. Why not just burn those lists to CD and be done with it...
Doesn't sound impressive to me at all. Maybe I just had my hopes too high with it being 'integrated' - like maybe there would have been a dupe of the iPod display in the dash on the satellite navigation or something, but no, it just pretends to be a CD changer. Sod that.
(not flaming Apple, I love my Powerbook, I love my iPod , I love iTMS, I want to want a BMW and integrate my iPod with it, but this is shite...)
According to the macrumors.com article here, iTMS Europe is coming mid-June for France "and other countries", here's hoping that includes the UK!
Ok, according to a human translation of the original (french) article from the macrumors site, the 0.80 goes to "writers, performers, producers and labels"
Ambiguous and second-hand info admittedly, but could be worse...
How is the online music in Europe already crowded? I'm dying to buy music online (show of support, cant be arsed to go to the shops, etc...) and I can't find anywhere...
Ok as of now there's Napster, but thats no use on a Mac or with an iPod. MyCokeMusic.com is apparently around but I'm buggered if I can get the site to work (yes, even on IE6 on WinXP)
Where do you buy from?
Everyone I've spoken to who buys from CD Wow these days says there are loads of problems getting a delivery from them - since they were banned from importing CDs from Asia (or wherever it was) and have to source them from within Europe now.
Of course that might have improved, noone I know carried on trying with them...
According to MacRumors.com the iTMS Europe will have songs for 1.29 Euros - but that includes a 19.5% sales tax. The [fixed] amount to be given to artists is 0.80 euro.
Yes, more expensive than iTMS USA, but the USA price doesnt include a sales tax - apparently in states where there is a sales tax that is added on top.
More info here
Actually not true - Safari (and others), while not trying to be clever about it, actually block popups that aren't directly linked to something you do.
So, clicking on a button where the window.open() is called from the onClick handler will work. window.open()s in onLoad handlers et al will not work.
At least, thats the way my Safari works (1.1 on Panther).
Although also, in my experience, Mozilla gets it perfect - no naughty popups but ones that I want to happen (even window.open()s in bare script executed as the page loads) somehow manage it - and no popups that I don't want!?!
I thought it was a bit strange too - kinda why it stuck in my head. I'll try to find out (in case its just my head making it up...)