1. Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers. It would not be so hard to make the object's origin follow the same rules)
Yes, but doing so would break almost every existing flash deployment in existence. Users upgrading to the new version would be unable to use somewhere over half of all the flash sites out there, thus word would get out very quickly that they shouldn't upgrade, because the new version of flash is "broken".
2. Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.
Plausible, but bear in mind that through years upon years of flash not caring about content type, there are probably significant numbers of misconfigured servers that either serve flash objects as application/octet-stream or as some random but incorrect type. Because nothing complains about it, nobody will ever have fixed these. This isn't as serious for compatibility as suggestion 1, but the same outcome will still happen: users won't upgrade because the release will be generally labelled as "broken".
3. Implement a signing policy, so that unsigned flash objects are not given permission to access the server.
Will break all existing deployments. See problem of solution 1.
4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)
Will break existing deployments that rely on the current behaviour. This would, I believe, include embedded youtube videos. See problem of solution 1.
Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.
Note that it is the server administrators themselves that are vulnerable, not the users per se -- what can be broken by this is the security of those administrators' web sites. As such, it is better that _they_ have the burden of fixing this, rather than the users have the inconvenience of stuff not working right.
Of course it's for Adobe to fix. Flash has no business trying to execute content that the web server has said is image/gif or image/jpeg.
Right. Of course they can't fix that without breaking their plugin completely, because I bet you somewhere in the region of 50% of sites that serve flash use the wrong content type header for it. Nobody wants to release an upgrade that'll only serve to piss their users off, which is what such an upgrade would be.
This is not CSS. This is the same as allowing people to upload any javascript to your site and then embedding it in your webpage for users to run.
A more accurate analogy is allowing people to upload HTML pages and serving them unmodified whenever requested. No embedding is required.
Plus, it's worth noting that the only security violated here is _the security of the site that is hosting the file_. Sure, this could be a problem for social networking sites and the like, but it's not like they haven't had their share of similar javascript-related issues in the past. It's what happens when you put different users' own content all on the same domain, simply because the security model of browsers is not designed to cope with that.
If you can write an SWF that can be executed to compromise a website, despite the fact that it looks like, acts like, and in fact is a valid MS Word document, I'd call that a problem.
You can, but the problem is that Word is too trusting in what it accepts, and not caused by flash. The file will clearly have SWF headers at the start of it, and is thus easy to filter, and no _real_ Word document should ever have that. It happens that MS Word will open it, but is that particularly relevant?
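The "easy to filter" header check the reply above refers to, as an added example that is not code from this thread: a small Python upload filter that parses the SWF header (signature, version, length) and flags uploads whose declared type is not Flash but whose leading bytes are a Flash movie. The sample files are constructed inline.

```python
import struct

# The three-byte signatures that open every SWF file (uncompressed, zlib, LZMA).
SWF_SIGNATURES = {
    b"FWS": "uncompressed",
    b"CWS": "zlib-compressed",
    b"ZWS": "lzma-compressed",
}

FLASH_MIME = "application/x-shockwave-flash"


def detect_swf(data: bytes):
    """Return header details if `data` starts with an SWF header, else None.

    SWF header layout: 3-byte signature, 1-byte version,
    4-byte little-endian uncompressed file length.
    """
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        return None
    version = data[3]
    (length,) = struct.unpack("<I", data[4:8])
    return {"compression": SWF_SIGNATURES[sig], "version": version, "length": length}


def upload_is_disguised_swf(declared_type: str, data: bytes) -> bool:
    """True when the upload claims a non-Flash type but the bytes are a Flash movie.

    Only the leading bytes matter: the plugin decides on those, not on the
    Content-Type the server sends, so a GIF or Word upload that begins with an
    SWF signature is rejected regardless of what the rest of the file looks like.
    """
    declared = declared_type.split(";")[0].strip().lower()
    return declared != FLASH_MIME and detect_swf(data) is not None


# Constructed sample inputs (not real files from the thread).
SAMPLE_SWF = b"FWS" + bytes([8]) + struct.pack("<I", 1234) + b"\x00" * 16   # SWF v8
SAMPLE_GIF = b"GIF89a" + b"\x00" * 18                                         # GIF header
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 20                                     # zip/docx header

if __name__ == "__main__":
    for name, ctype, blob in [("swf-as-gif", "image/gif", SAMPLE_SWF),
                              ("real-gif", "image/gif", SAMPLE_GIF),
                              ("real-docx", "application/msword", SAMPLE_DOCX)]:
        print(name, "REJECT" if upload_is_disguised_swf(ctype, blob) else "ok")
```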
Even at that, though, how do we expect Bob, who lives 10 miles from town, to eat if he has to walk, in the middle of Winter to get his food?
By some other method of transport? I used to cycle 10 miles to work every day, even in the middle of winter, and I'm not exactly the fittest person you've ever met. Unless Bob is physically disabled in some fashion (and if he is, I'd guess there's some kind of assistance he can get, e.g. a charity that will do his shopping for him if he can't get into town) he should be able to do this too.
"Sotomayor wondered if speed-dating could be patentable"
Surely you mean Speed Dating(R)?
They appeared linked at the oral argument, though. Roberts in particular suggested that if they struck down business-method patents but kept software patents, then companies could just implement their business method in some sort of business software, and patent it that way, rendering the fix pointless.
A ruling that the required innovation in a software patent must be of an implementation-level technical detail, rather than in terms of the general purpose of the software, would close that loophole. Then you can't patent "a computer program to buy things cheap and sell them at a higher price", but would have to patent (e.g.) some detail of how you determine what are cheap things or something like that, and that detail would have to be non-obvious.
Then why are we talking about it in relation to a file system?
Because the RAM you save is either in file cache or in pages of mmap'd files, and it's a process in the file system that saves it.
If I had to use a reliable webhost, it would cost me, what, $50/mo?
There are plenty of reliable hosts that cost much less than that. Even here in the UK, where hosting is generally more expensive than in the US, I only pay £15/month (about $25) for a virtual machine with root access. If I was willing to live without root, I could get it for £10. I've had less than an hour of downtime over the last year. I don't know how reliable dreamhost is, but I'd say this system is certainly reliable enough for the application you describe.
We considered VMware, but they didn't have the admin expertise in-house, and I forget what the license cost was, but that was an issue, too.
The license cost of vmware server 2 is $0. Sure, the more advanced system (vmware infrastructure) can get expensive, but I doubt there'd be much point with such a small cluster.
Imagine the amount of stuff you could (unreliably) store on a hard disk if massive de-duplication was built into the drive electronics. It could even do this quietly in the background.
Not as good as installing extra processing power in your machine and doing it in the OS. Honestly. The primary advantage here isn't actually the saving of disk space. Nobody really cares about that too much.
The main advantage is that if two processes have two files with identical blocks in them, and map those files into memory (or just read them so they're cached), if they're deduped you'll end up with both processes having copy-on-write references to the same memory block. The big win here is in saving RAM, not disk space. And that requires the OS to understand and be aware that the deduplication has happened.
I looked at EC2 for raw processing power earlier this year (my company needs to train a lot of neural nets) and it just isn't worth it, unless you only need the power short term. A high-performance EC2 node gives you 8 cores running at (very roughly) the equivalent of a 2GHz P4, and costs $0.68/hr == about $460 per month, which is only a little less than what an equivalent box (probably a 2.83GHz Core 2 Quad or similar) would cost you. Put power to run that box down at about $0.05 per hour and you can build your own local cluster of equivalent performance for around the same amount of money as you'll save in your first month and a half of operation.
Incidentally, why not capitalize Bible, just like one would capitalize Romeo and Juliet or Tom Sawyer or any other book?
Because most books are known by a title (like those you quote) rather than a word that means "book".
"I'm sure that they had sex"
What evidence?
The fact that it's a reasonably safe bet, based on the fact that there are people who will fuck anything they are even remotely biologically compatible with...?
When was the last time you heard of someone crashing their car due to mechanical failure, in or out of warranty?
A school friend lost her parents in a crash caused by their car's steering column collapsing thus leaving the car uncontrollable.
My other example isn't a crash but very nearly could have been: my parents driving fast on mountainous roads on a hot day, suddenly found they had no brakes. Brake fluid had overheated and boiled, leaving them without any hydraulics.
Both cases were out of warranty, although the latter could just as easily have happened within, as it's a basic flaw in the design of the vehicle: the brake fluid is not actively cooled, so if overused on a hot day it will eventually boil.
The classic example is that hitting a brick wall at 100km/h is the same as being dropped nose-first off a 10 story building.
Just wanted to check this out:
100 km h^-1 = 27.78 m s^-1.
To calculate the speed of dropping off a 10 story building, we assume 2.5 metres per story (which is about average here in the UK), and use the equation v^2 = u^2 + 2as, where initial velocity u = 0, acceleration a = g ~= 10 m s^-2, and displacement s = 25 m, so v^2 ~= 500 m^2 s^-2 => v = about 22 m s^-1.
Yeah, if anything coming off the building is a little slower, especially as we haven't accounted for drag which will slow the acceleration down a little.
Dvorak is an idiot, trying to get publicity for his stupid views
Yeah. What kind of moron makes a martini with vodka?!
"Longhorn"*
*What kind of jackass names an operating system after a cow??
Actually, I believe it was named after a restaurant. Now, naming a restaurant after a cow, that sounds much more sensible...
Karmic Koala is fine, but I just can't wait for Masturbating Monkey to be released!
Ah, it seems that like me, you are planning on skipping Leprous Lemur.
Linux in total represents less then .93% of the Desktop market. Ubuntu a fraction of that.
Source? Error bars? ".93%" sounds way too precise for the likely accuracy of any such figures, which are usually incredibly biased in one direction or the other.
Besides, of course it's a fraction of the Linux total, but I'd be willing to wager it's quite a _big_ fraction. Every system I've ever seen in a high-street shop with Linux preinstalled comes with Ubuntu. The PC I'm running on at the moment came with Ubuntu (Dapper Drake) preinstalled (although I wiped it and installed XP...). Ubuntu is the distribution used by most netbook vendors. Almost all of my Linux-using friends are on Ubuntu, especially the less technical ones. My guess is Ubuntu has something like 95+% of the desktop Linux market by now.
Quite the contrary, the people who think that just because they don't like the price or don't want to spend the money that they can have somebody else's time and effort anyway is immoral.
If I copy something that an artist produced, it doesn't cost that artist either time or effort. The time and effort has already been spent, they have no way of getting it back.
The only possibility is that they might get payment in compensation for it. As long as anything I do does not affect their chance of getting this compensation, I see no possible way in which it can be immoral. Therefore, as long as I can be sure that I am not going to pay for a copy, I see no way that making my own copy is immoral.
If you believe otherwise, can you explain why?
You're right; stealing is the most money-efficient way for you to get something. In fact it's the most money-efficient way for anybody to get anything. Yet we've decided as a society that it's not only illegal but immoral. I wonder why that is? Could it be that the only way it doesn't collapse in on itself is when as few people as possible are doing it? And you're advocating doing that as efficient for a society?
What the OP is advocating is not stealing. Stealing involves somebody losing something; it is a zero sum game: for one person to gain, another must lose. Unauthorised copying is not: one person can gain while nobody else loses. This is an essential difference that means your entire analogy is basically worthless.
It has been true since the formation of modern societies. Laws and punishments for theft are always among the first that societies create.
Here's a legal definition of theft: "the wrongful or willful taking of money or property belonging to someone else with intent to deprive the owner of its use or benefit either temporarily or permanently". Can I ask in the case being discussed, what money or property has somebody been deprived of wrongfully? Please note that you cannot be deprived of something that you never had a right to have in the first place. Unauthorised copying is not theft. The two are totally different concepts, and while laws against theft are, as you say, usually among the first that societies create, it is worth noting that unauthorised copying was not a crime anywhere until only around 300 years ago.
The problem with your attitude is that without someone ultimately paying for the development time and everything else that goes with it what you steal wouldn't exist in the first place.
Yes, but if he wasn't going to pay for it anyway, why does it make any difference to anyone whether he copies it or not? It doesn't.
BTW: "steal" means "the wrongful or willful taking of money or property belonging to someone else with intent to deprive the owner of its use or benefit either temporarily or permanently" (source). As in this case nobody is deprived of the use or benefit of anything (whether temporarily or permanently), it isn't stealing.
In Word, View>FullScreen (Alt-V,U). This will get rid of status bar, menu bar, window borders and everything so you see just the page.
Yes, but most of the editing tools are lost completely. You have to change the settings away from default to be even able to enter text, but there are no editing controls available, e.g. no way of selecting a different style for the text you're editing. There also doesn't seem to be a way to customize the minimal toolbar that is present.
You can put all the toolbars and menus wherever you want, horizontally at the top or vertically at the side.
I don't see any options to do this. How do you do it?
... because the result of comparing anything to NULL with = is always NULL, obviously.
Except in MySQL, when it isn't.
So it's true, MySQL still doesn't support transaction rollbacks.
Yeah, it does. The sale isn't committed yet.
The sad part is, Penny Arcade wasn't funny then and still isn't now!
I dunno. I thought "inverse nippomatics" was at least amusing...
They did the experiment with the rat cells some time ago, now they are starting to work with human cells - the article states this clearly
Yes, but the summary doesn't. The summary says they have _done_ it. "They're now using a line of human brain neurons to control robots." No, they're working on plans and beginning experiments by which they hope, at some point in the future, to use human neurons to control robots.
(Q: Is it a "brain neuron" if it's cultured in vitro?)