My understanding of the way slashdot is setup is that the main web server caches the frontpage and the story pages. This is to reduce load on the database as these are the most frequently accessed pages. They are updated periodically, like once a minute or so.
When the database goes down, obviously slashdot can no longer do dynamic queries and so all you get are the cached pages. So you get into this situation, where most of the links don't work, you can't post, you can't moderate, and so forth. All you can do is view the cached main pages and the parent story pages.
It's been mentioned various times by the slashdot folks that their MySQL database requires frequent rebooting. They've never gone into much detail as to why, but it appears to happen at least once a day from what I've seen of the frequency of the website "breaking" and only displaying the cached content.
"The Objective is to punish vendors that are purposefully or recklessly insecure."
You obviously missed the point. Sun and RedHat are just as reckless at releasing insecure software as Microsoft. Perhaps even more so in the case of RedHat as they are just blindly redistributing stuff others wrote and have no input in the design.
You might get what you wish for, but you may not like it.
I can see your point. But consider that it has a fallout... If you thought using free software in business was hard now, it'd be absolutely impossible after such a bill was passed.
This is a tough one. I've always been rather upset that software includes a disclaimer that says they are not responsible for whether or not the software works. I think that's bullshit. But, on the other hand, am I willing to pay more to get that disclaimer taken away? That's another part of the reality. If companies are more financially responsible, the prices are going to go up. That's what has happened in every other industry, for example automobiles, private planes, etc.
Maybe that's a side effect of a maturing industry. But it also means the small mom & pop shops (aka Free Software) are going to die. Funny thing is that usually big businesses push for these regulations for exactly this reason. It's pretty easy for a company like GM to pay to follow all the government safety regulations on cars. It's difficult for a new startup who has to build all that testing and reporting infrastructure from scratch.
So today I get a vulnerability announcement from RedHat. Seems Apache will expose files if you install certain mod_* packages. Isn't this a flaw in the design of the mod plugins?
Shouldn't this have been caught before release? Who do I get to go after, since Apache is free? Should RedHat pay the penalty since they shipped the product? Or the Apache developers?
Obviously we need some penalty, otherwise they will not have an incentive to make their software safe.
Furthermore you need to define "reasonable and prudent". You rely a lot upon 20/20 hindsight, but could you have predicted the 9/11 attack? I'll bet you can now, but could you on 9/10?
Just making a point...
Naw, I'll let these guys say it. :)
There was another interesting article on a related topic:
http://news.cnet.com/news/0-1003-201-7943716-0.html
It's a new book from Harvard Business titled "The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail". It talks about disruptive technologies. Linus Torvalds made a comment about how Sun is inbreeding, which I think is related to this author's idea.
I've long held the opinion that companies that think a lawsuit is their best option are on their way to nowhereland. Hayes, Apple, Lotus, Rambus, etc. Sometimes the company learns (Apple) and drops the lawsuits and begins working on new product ideas, but usually they end up getting passed over in the market space.
Take Lotus for example, they sued Borland over 1-2-3 compatibility. In the meantime while they are fighting, Microsoft pushes forward with Excel and grabs all the market.
Sun, right now, is fighting wars on multiple fronts and not really realizing it. They view Microsoft as their chief threat, but are losing most of their marketshare to AIX and Linux. But how is Sun responding? Well they sue Microsoft, and they say IBM doesn't know anything about computers. Meanwhile they ignore Linux under the premise of "the enemy of my enemy is my friend".
Will they wake up (as Apple did) or will they face oblivion? Unless the management gets shaken up (i.e. lose McNealy), I see them facing oblivion in a few years time.
What Microsoft party line? I've been to the presentation to developers and while they have discussed that, the primary motivating factor has been the multiple website authentication.
10 websites is still too many to keep track of, made worse by the fact that each has bizarre limitations that make it impossible to use the same ID. Or in many cases even a secure password (what do you mean max of 8 chars?)
It is a problem that does exist for many people. Maybe it is not a problem for you, but then guess what? I'm not interested in selling you a golf cart if you don't golf. Duh.
And as for your last jab. Nice try. Can't discuss a thing in a rational, logical manner, so you resort to name calling. Is that how you are going to win people over to your argument? Call them stupid?
It's obvious to me, anyway, that confusing yourself with a rational, intelligent person was your first mistake.
"We do not need a centralized personal information system."
We're not talking about a centralized personal information system. We're talking about an authentication mechanism.
Different thing and you are confusing the issue.
Passport operates partly as both: it's authentication and it also has ties into personal information storage. But you don't have to store personal info on it. In fact there are numerous warnings, questions and so forth about this... it's really pretty straightforward.
But what is clear is there is obviously a need for a centralized authentication mechanism. People are frustrated and tired of trying to manage 50 different username/password combos just to register for services.
That's what Passport provides. The Liberty Alliance is providing the not-made-by-Microsoft alternative.
I think if you'd actually bother to take the time to understand what either of these offer you would go "Hey cool, yeah I can see a need for that!" I know that's my general feeling. Granted, I have concerns, but I have the same exact concerns with the way things work without these mechanisms and probably even more so with the way they are today.
How does the music industry steal billions from themselves?
I mean come on, I think the idea of copy protection on CDs is absolutely ridiculous, but this kind of knee-jerk moronicism (*) only helps to fuel Noam Zur's point that we're a fringe group.
Especially when you then go on to prove his second point that you also are a pirate yourself.
Personally I'm just going to be pissed off if I can't play CDs in my computer, period. It's a vital part of my ability to sustain the atmosphere of the cubicle farm I live in at work.
So actually yes, I'm going to be buying some of these CDs and returning them with complaints.
(*) By proxy of President GW Bush, as an American I have the right to make up words as I see fit.
Or how about a better link, one that explains the issue and how and why it may not be a problem:
http://www.safenetworks.com/Windows/syskey2.html
Basically the way they "hacked" EFS was to reset the user password, and Microsoft already has a mechanism to prevent this, if needed.
Wrong. EFS does not use 56-bit DES you idiot.
Microsoft is using 128-bit DESX encryption for EFS. What is DESX? It's a strengthened version of DES created by RSA Laboratories.
http://www.rsa.com/rsalabs/faq/3-2-7.html
As far as the back doors are concerned, if it's your own machine you have nothing to worry about because only you would know the backdoor. However for a corporation the administrative back door is regarded as a must-have feature in case an employee is fired, dies, leaves the company, whatever.
Why are Linux users so bloody ignorant?
It doesn't appear that this Felton thing was a countersuit. He claims to have been threatened by the RIAA, but when countered they denied ever threatening him.
Rather the request to the judge was simply for a statement saying he had a right to publish his research.
The judge's response was "Look you buffoon, quit wasting my time."
Now if Felton had published his research, and the RIAA had sued him, then there would have been a case to fight.
That's really the whole point of that one.
Gary McGraw must be a troll as well. He even mentioned this in a book he wrote.
What's open source's role in the security-by-obscurity debate?
Open-source software is neither more nor less secure than closed-source software. And the whole issue of whether open source is more secure is a red herring. We have a chapter in the book about it. Security by obscurity doesn't work. But just because you have your source code sitting around in public doesn't mean someone's going to do a free security review on it, either, which is what the open-source guys think. That's wrong.
What was most memorable about the original Doom was its multiplayer mode. But even more memorable was the really poorly written network code which caused all machines on a public LAN to slow down (or lock up) if a Doom game was started. As I recall it used entirely broadcast packets, and this caused every computer to try to identify if they were meant for it.
At most universities Doom was outlawed from the public computing labs, similarly at most corporations.
It was quite the controversy, and they had to release a patch (or new version?) that included better networking code within a month or two.
"Remember Altos? Eagle? Lotus? DBase II? Apple?"
I remember all of them. Do you remember Osborne, Wordstar and Kaypro?
Even so, what the other poster says is correct. The computer market in that time was boring and incredibly frustrating.
"The dominance of MS in the software market will, I'm sure, be cited someday in economics textbooks as a classic case of market failure through the application of unfair and predatory business practises."
Just like the same thing is said today of General Motors?
Oh wait. Damn there goes that argument of yours.
I think what amazes me is people like yourself who apparently lived through those early days of the PC, and actually still yearn for that crap.
*blech*
"Is there a single product (game console, entertainment device or otherwise) that can play mp3s, read and write CDR, CDRW, DVD, DVD-ROM/RAM/RW and any other format? No. It is much better business sense to force the consumer to buy a couple of different devices than one do-it all device."
Well you could always go out and buy a Pioneer DVR-A03 and install it into a small personal computer. The drive reads and writes CDR, CDRW, DVD-R, DVD-RW.
The drives are getting cheaper, now down around $450.
I don't think your complaint is terribly valid. People don't want single purpose speciality devices. But they are willing to buy an add-on to a personal computer like what Pioneer sells, which then makes you capable of doing what you ask.
I think the same is true with software.
As a company you do the best you can with the technology available, understanding that you need to be able to bring your product in under a certain price point. If Pioneer charged $5,000 for their drive, I would not buy it. At $450 I am going to consider it. At $200 I would have already bought one.
Actually you are onto something that I've been thinking about for quite a few years.
:)
I agree that success is a communal thing. You succeed a lot by who you know and how to leverage that. If you've ever worked in a financial firm, you'd see an interesting phenomenon amongst stock analysts, researchers, etc. They are all family members, friends, or they know someone that knows someone. It is very communal, obviously.
However, I don't agree with the conspiracy theory. I do think Wall Street is threatened by a technologist communal society, but not in the way you think. They're threatened by it because it may mean IT staff can demand salaries comparable to other areas.
I don't believe that Wall Street sabotaged anything. The Bubble existed not because of Wall Street but because of a bunch of schmucks looking to get rich quick. They weren't financial geniuses, they weren't geeks, they were schmucks. If you were paying attention, all the top financial people in the country were warning about the bubble. Greenspan, Buffett, etc. Even Ballmer warned against it.
You don't get rich off a bubble, or over inflating stock values. That happened when the schmucks tried to take over the knowledge of the geeks and get rich quick. Doesn't happen, won't happen. It takes long hard work, like Microsoft, like Dell, etc.
But still, I like your idea. I like the idea of making sure that people in IT further the communal society by looking out for one another.
But I don't see it happening. There seems to be this tendency of geeks to cut each other down. I guess I look at people like Richard Stallman as a prime example of this. When people left the MIT AI lab to take their ideas and capitalize on them, what did he do? He worked to sabotage them and what they were doing. The whole FSF is based largely in part on sabotaging the ability of some geeks in this world to capitalize on their knowledge.
Anyway, I think you have come to an interesting conclusion. I like that, and I think it should be a goal of ours. But one of the keys to success really is not sabotaging others or believing in conspiracy theories, but learning how to work with them to get what you want.
If you were smart, you could have used those schmucks with the internet bubble to your own gain. Unfortunately I wasn't smart enough.
That's the secret behind successful companies like Microsoft. It's not an evil empire, it's not a conspiracy. Their goal is to partner up with people in order to attain what they want. If both sides get what they want, it's called a successful business relationship.
If you follow incidents.org, those Linux worms have been a pretty big headache. There's still a lot of Linux boxes out there scanning for BIND and so forth.
Heh. Well, it was a rather simple point. This other fool doesn't seem to understand the difference between hacking and programming. He's obviously never had to release code to a production environment and suffer the wrath of users complaining about the lack of testing.
What's surprising is he still thinks he is right. Sigh, well quality control is something you learn with experience I guess.
Actually yes I did ask you to provide a ruleset, you simply ignored that and went off on a rant about URLScan.
Now I would like to know if you believe that your function will match properly 100% of all valid URL requests that the client might wish to perform?
It doesn't appear that way to me. The most obvious right off the bat being that you missed https requests.
Again the point, which you appear to be missing is that while this is not impossible, it's obviously not as ludicrously easy as you think it is. Yes, you've thrown together a neat hack... now you push this out to your customers and they'll come screaming at you as to why they can't get to their favorite website. The other solution of actually fixing the problem that's being exploited may very well be easier, and most certainly easier to test.
You see, I didn't make any assumptions. I knew exactly the kind of hack programmer you were from your attempt to describe the task as simple without fully appreciating the scope or the possible consequences of a badly defined ruleset.
Better luck next time.
Ahh good.
Then Microsoft is off the hook. I'm glad we've settled this and no longer have to read these ridiculously biased slashdot stories.
"What about the practice of throwing flawed software out freely on the Internet without regard to how it might be used? "
Open Source developers do this every day. What should we do about it? Execute them?
Microsoft's point is entirely valid.
This isn't to say your point isn't valid as well, but I'd like to know what you expect to be done about it. At least Microsoft is offering suggestions.
Uhh, you obviously didn't understand the point of URLScan. I was using that as an example of the complexity of URL filters: in this particular case, building a ruleset for a known quantity takes a reasonable amount of work, and you are suggesting building a ruleset for an unknown quantity.
As far as qualifying that statement, I thought it was fairly obvious from my response. I asked you to provide a ruleset for parsing valid URL strings. Just some simple perl regular expressions would do.
Wouldn't you think that the fact that you can't do so in 5 minutes might point to the fact that the task of building a URL validator into the browser may be a bit more than a day's work? That's only a small part of the analysis piece, you still have to validate it, codify it and then test the additional code against a rather large matrix of current browser versions and environments.
The point is, the feature you suggested is far more complicated than you think it is. That's not to say it's impossible, which seems to confuse you.
I read the article. The difference is, I happen to know a tiny bit about programming, and you obviously don't.
It's ironic they didn't make the website idiot proof?
Please do tell me. What is your rule set for identifying whether a URL request is legitimate or not?
Have you taken a look at the URLScan utility for IIS? It does what you talk about. It's also highly configurable because there is no way for Microsoft to know in advance what might be a legitimate URL request to your web server.
Now how do you expect to build a rule set for determining for the client what constitutes a valid URL?
Never mind, it's obvious you don't know the first thing about software development.
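The three comments above argue over whether a "five minute" ruleset can tell legitimate URL requests from bad ones, and note that a quick regex misses https. The following is an added example written for this page, not code posted by anyone in the thread or shipped with URLScan: it puts a naive regex ruleset beside a parse-then-apply-policy validator and runs both over a constructed sample of requests, so the two failure modes the thread describes (blocking sites users actually want, and letting through requests the policy meant to stop) can be seen side by side. The sample URLs, the policy choices (http/https only, no embedded credentials, no dot-dot path segments after percent-decoding), and the function names are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample of requests a client might make (not taken from the thread).
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "https://bank.example.com/login",
    "http://example.com:8080/app?q=1",
    "http://192.0.2.10/status",
    "ftp://ftp.example.org/pub/file.txt",
    "http://user:pass@example.com/",
    "http://example.com/../../etc/passwd",
    "http://example.com/%2e%2e/%2e%2e/etc/passwd",
    "javascript:alert(1)",
]

# The kind of "five minute" ruleset the thread argues about: plain http, a
# hostname, and an optional path of unreserved characters. Nothing else.
NAIVE_RULE = re.compile(r"^http://[A-Za-z0-9.-]+(/[A-Za-z0-9._/-]*)?$")


def naive_is_valid(url: str) -> bool:
    """Pattern-match the whole URL string against the naive ruleset."""
    return NAIVE_RULE.match(url) is not None


HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")


def stricter_is_valid(url: str, allowed_schemes=("http", "https")) -> bool:
    """Parse the URL into components, then apply an explicit policy to each."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        return False
    host = parts.hostname
    # Bracketed IPv6 literals lose their brackets in .hostname and so fail the
    # pattern below: a deliberate policy choice for this example, not an oversight.
    if not host or not HOSTNAME.match(host):
        return False
    try:
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # policy: no credentials embedded in the URL
    # Decode before inspecting the path so that encoded dot segments are seen.
    segments = unquote(parts.path).split("/")
    if ".." in segments:
        return False
    return True


def compare(urls=SAMPLE_URLS):
    """Return (legit URLs the naive rule rejects, URLs it accepts but policy rejects)."""
    over_blocked = [u for u in urls if stricter_is_valid(u) and not naive_is_valid(u)]
    under_blocked = [u for u in urls if naive_is_valid(u) and not stricter_is_valid(u)]
    return over_blocked, under_blocked


if __name__ == "__main__":
    over, under = compare()
    print("blocked although legitimate:", over)
    print("allowed although rejected by policy:", under)
```

Running it shows the naive rule rejecting the https login and the request to a non-default port while accepting the dot-dot path, which is the thread's point in miniature: the regex is quick to write, but what it gets wrong in both directions only becomes visible once it is run against a realistic set of requests, and the policy decisions (which schemes, which hosts, what to do with encoded paths) have to be made explicitly either way.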