Because the JavaScript application itself has to be able to trust it, as it may be used for data transformation of data from third parties (e.g. inserting text provided by a chat service into a web page) that could enable vulnerabilities (e.g. cookie stealing, XSS) if it worked incorrectly. OK, it sounds unlikely that such a problem will surface at this point, but it isn't impossible.
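The failure mode the comment above has in mind, as an added example in JavaScript (this is not code from the original post): a chat message is interpolated into page markup, and whether that is safe depends entirely on the correctness of the escaping helper the page relies on. The function and variable names (`escapeHtml`, `renderChatLineUnsafe`, `renderChatLineSafe`, `UNTRUSTED_MESSAGE`) are my own, and the sample message is constructed for the demonstration.

```javascript
// Added example, not from the original post. Names are assumptions.
// Escape the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value. If this table were wrong or
// incomplete, every caller that trusts it would be exploitable.
function escapeHtml(text) {
  const table = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (c) => table[c]);
}

// Unsafe: third-party text goes straight into markup, so any tag the chat
// service delivers becomes part of the page.
function renderChatLineUnsafe(user, message) {
  return `<li><b>${user}</b>: ${message}</li>`;
}

// Safe: every field that did not originate in this application is escaped
// before it reaches the markup.
function renderChatLineSafe(user, message) {
  return `<li><b>${escapeHtml(user)}</b>: ${escapeHtml(message)}</li>`;
}

// Constructed sample input: a chat message that carries a script element.
const UNTRUSTED_MESSAGE = 'hi <script>alert("xss")</script>';

// Check used for the demonstration: does rendered markup still contain a
// raw <script tag?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// Stand-alone demonstration.
console.log(renderChatLineUnsafe('mallory', UNTRUSTED_MESSAGE));
console.log(renderChatLineSafe('mallory', UNTRUSTED_MESSAGE));
```

This escaping is correct for HTML text content and for double- or single-quoted attribute values; text that ends up inside a `<script>` block, a URL, or inline CSS needs a different encoder for that context. Where the DOM is available, assigning the message to `element.textContent` avoids building markup from strings at all.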
There's an amateur technologist in NZ who made his own pulsejet powered GPS-guided cruise missiles. The technology isn't hard, and I'm constantly amazed no terrorist group has yet replicated it.
I say again, you are purely assuming, with no actual FACTS, that the machine will give false positives on "laundry detergent and makeup". While I agree that it is likely to give false positives, the rate at which it does so and the substances which cause it are unknown to those of us on slashdot. My point is that one should not be all upset about false positives until such time that real FACTS about them are available. One can be concerned that there may be false positives, but one should not state categorically that "Laundry detergent and makeup can actually give a false positive" without those actual FACTS.
Ok, here's a fact for you. I don't know what the problem with laundry detergent is, but a rather large number of cosmetic items (mostly nail varnishes) are produced from nitrocellulose, a high explosive. It is physically impossible to detect molecules of nitrocellulose from an explosive device without also detecting the ones that are used in nail varnish (and the lacquer on many guitars, and in wart removers, and in the plastic backing on some brands of playing cards). If it is sensitive enough to be useful, it will detect false positives because the false positives are actually caused by presence of the same substance in similar quantities to what they would have to be looking for.
The situation is ridiculous enough that I was hoping that someone would smack this down with some hard evidence to the contrary. I'm still waiting/hoping.
Sorry. Absolutely true. See: http://www.hoax-slayer.com/khas-khas-poppy-seed-warning.shtml
Misbehaving clients can report incorrect addresses to trackers. Some trackers don't validate the data supplied to them.
GGP's example is a late binding mechanism. You can build on it using the pImpl pattern to achieve "protection and hiding of state-process". Local retention is just a design issue, anyway, and "messaging" is somewhat ambiguous in this context (is a function call a message? perhaps. but if not, C++, Java, et al are not supporting OOP either).
Gnutella uses SHA1 to identify files in search results, and only uses TTH to verify downloaded chunks during downloading. SHA1 is usually used for the final file verification, hence the fact that you can occasionally end up with a file that looks good while it's downloading but is rejected after it finishes: you got given the wrong TTH when you requested it after connecting to a client and requesting a file by SHA1.
From their truecrypt-encrypted hard disk on a single machine in a secure location. Internet-connected, of course, but one presumes it's firewalled. Still, you may get lucky trying to exploit bugs in their network handling code when they randomly connect to your machine to see if it has data they're looking for. They don't sound competent from their description of how the system works.
Suggests ACS were just scraping IPs from the tracker without validating they actually had the data. Trackers often have large proportions of stale addresses.
No, I don't think it is a typo. The author doesn't understand public key cryptography, which is startling as the system appears to rely on it as its guarantee of the validity of the evidence chain.
The document contains a number of dubious claims of the effects of its cryptography, including the notion that a key embedded in the software and used for signing the evidence as it is discovered is a secret key, and that the process of signing cannot be replicated without using the software because only the software has the secret key. This is, of course, utter bollocks. Any key that the software has access to can be accessed by the operator of the software by examining the software's executable files or using a debugger.
"Only the IPTRACKER program is able to create valid data"
Let me sit down with that computer unobserved for a few hours, and I'll create some valid data for you.
The author also doesn't understand the P2P networks the program connects to. To quote some stuff that stands out to me as wrong:
"Gnutella 2 works mostly like the original Gnutella network with a similar connection system"
Not really. The architectures are utterly different (G2 connects the user to 2-3 supernodes with thousands of connections each, whereas Gnutella connects to a much larger number of smaller nodes; G2 searches by examining only clients immediately connected to the supernodes queried, so the client directly queries all supernodes, whereas Gnutella broadcasts queries across the network and relays search results back to the originator).
"A Partial File Sharing function was implemented which divides files into parts. It's possible to download these parts from different knots instead of downloading the whole file from one knot."
Original Gnutella supported this. The feature called "Partial File Sharing" in G2 allows downloading of files that have not yet been completely downloaded by the source.
He is technically correct, assuming that the act of "GUID allocation" involves the correct use of a valid GUID generation algorithm by the software in question.
The 'random' method is a valid GUID generation algorithm, defined by the relevant RFCs. It basically consists of picking random bits, and packing them with an indicator that the GUID was generated randomly. It is entirely possible (although extremely unlikely in absence of failures in the random number generation algorithm) for two identical GUIDs to be produced.
Yeah, there are tons of anti-psychotics prescribed when most people just need a cheap harmless dose of lithium. A simple metal salt that costs a few cents.
Erm. Lithium is a *horrible* drug. Yes, it's cheap. But it has horrible side effects, even in comparison to most antipsychotics. And it is nowhere near as effective in actual cases of psychosis (although it works adequately for other conditions). I certainly wouldn't describe it as "harmless".
If I never hear about Lipitor maybe I never bother getting a cholesterol screening and then die of heart disease at 37 instead of going to my doctor at 35 and saying, "Hey, I heard about this Lipitor thing and that men from age 35 should have cholesterol screenings."
Promoting preventative health care should be the responsibility of:
1. The government. It's a public health issue, they have a mandate to improve public health.
2. Your doctor. He should know your history well enough to know if you're likely to have issues and suggest screening for problems where there is a significant risk.
3. Your health insurance provider. Catching a serious issue early could save them large amounts of money, so they have good incentives to make sure you have every check-up that has a realistic chance of helping you.
It's not necessarily wasteful if it grows the budget by more than it costs.
It doesn't. All it does is redistribute it to the companies that spend the most on marketing. You're looking at it from the perspective of just one company: you have to consider the entire market as a whole. People will still buy drugs. They'll still want the best drugs available, which often means the expensive ones they're currently buying -- or similar drugs from competitors. They'll still have the same budget. It's effectively a zero-sum game.
Without the huge marketing budgets the money would flow to the supplier who provided the best quality drugs. Marketing perverts this: no drug company can afford to not spend similar amounts to their competitors on it, because if they didn't the doctors wouldn't know as much about their drugs as their competitors', and would prescribe the competitors' drugs in their place. If all the pharma companies suddenly stopped marketing their drugs, doctors would have to do a little more work to find out about new drugs, but (1) the cost of patient care would drop considerably and (2) there would be more money to reinvest in R&D.
The relevant question is whether your game is a derivative work of the art, that is did the details of the available artwork have any influence over your code as you wrote it? If so, then there's certainly grounds to believe that you would have to release your code under GPL if the artwork is GPL. Otherwise, not so much. The details of how you load it are irrelevant, it's what you do with it that counts.
I had a quick look at it a couple of days ago, and it seems to require you to resort to trial and error from the very first step. I figured I had better things to do with my life.
Key aspects of safety around pulsed transmitters that have very high peak power but moderate average power:
1) Don't walk through the fucking beam! (Although I know of an engineer that determined he would be within OSHA limits if he kept exposure to 30 seconds per 6 minutes at a range of 20+ feet occasionally...)
2) Humans don't arc. Shit that will instantly sizzlefry electronics will do nothing to a human if it's a low duty cycle pulse.
Another way to read this is: Duty cycle is very important when dealing with human safety. So that leads to the question: What is the transmit power of these smart meters? What is the duty cycle? The article claiming they are "unsafe" has zero data on these crucial parameters.
1W. 50 millisecond bursts, frequency of which may vary due to mesh networking load, but should be such that overall 'on' time is less than 4%. (Data from here: http://www.ccst.us/publications/2011/2011smartA.pdf)
Seriously, did you ever think there was any doubt that this would come out into the well-known-to-be-safe range?
UK has a similar criminal copyright infringement law to the US; in this case the charge would be "infringing the right to "make available" copies to the public (either in the course of a business, or to an extent prejudicial to the copyright owner)"
And, by my understanding, that question is actually still to be resolved, and will be resolved by the appeals court.
It logs a warning and continues executing. This is not the same thing as failing loudly, for which purpose I would suggest throwing an exception (which PHP has supported for many years now).
The PHP manual doesn't say that it will return 0, it says that it will return a formatted version of the $number input. When that input variable isn't a float as the function expects, exactly what is the function supposed to return?
The PHP manual says that strings are automatically converted to numbers when required by context. It further states that strings that do not begin with a digit are converted to 0. I'd say it's supposed to return "0", given these specifications in the manual.
The documentation clearly states it takes a float, if you pass in a string (empty or not) you are relying on how that string is treated by PHP.
Yes, but the way it is treated seems to violate the way the documentation says it will be treated. This section of the manual states that strings will automatically convert to floats where the conversion is required by context. This section states that when a string that does not begin with a digit is converted to a numeric type, the result is 0.
Should an empty string be formatted as 0? I could imagine a situation where an empty string is returned by some other method because a value was not found in a DB, not because the value was 0. In that case formatting as 0 would be wrong. Lack of knowing a value doesn't make it 0, it makes it an unknown.
I completely agree, yet this is not how PHP is documented to work. Now, I consider the specified automatic conversion between strings and numbers to be a design flaw of the language, but as long as it is documented that empty strings are autoconverted to zero when context requires it, this should be what actually happens.
How about contributing to PHP and fixing what you're bitching about instead of, well, bitching about it? You know, it's open-source and all.
Because the problem is fundamental. It's the core language design, the way the standard libraries work, the way the core development team think. You can't fix it without turning it into an entirely different language developed by an entirely different team. You might as well start from scratch.
Wine was originally WINdows Emulator, but they changed it for at least two obvious reasons.
One of which hinges on a misunderstanding of the meaning of the word "emulator"
That would be a valid point if shoplifting were just a harmless pastime. However, since it's a crime why not fine them 100 times the cost of what they stole? It might teach them not to do it again.
Reasonable enough. So prosecute it as a crime.
The company in question, however, are neither the police nor the Crown Prosecution Service, so doing this is not their responsibility. If they want the kids in question prosecuted for shoplifting, they should get these bodies involved. They don't want to -- they prefer their nice little scam where they bully them into handing over large sums of money for security guards' time (when the security guard would have been there whether or not the individual offence took place), the cost of security cameras (when the security cameras were paid for before the offence took place) and "administrative costs" (that amount to a portion of the salary of a person who would have been paid whether or not he were dealing with the offence). It's racketeering, plain and simple. Find somebody who is unlikely to complain to the law about your practices (because they've been doing illegal stuff themselves) and squeeze them for every penny you think they're good for (and how much money do you think the average 15 year old girl is good for?).