Back in the day there was this cool little program called Webforia Organizer. I somehow wound up on the Beta team for it and got to use it extensively. This program was really cool, it clipped pages, kept local copies, was searchable, etc. I loved it. Unfortunately, it was built on IE 5, but then again, Firefox wasn't released back then...
Apparently Webforia went out of business some time ago and the software no longer works.. I believe it had limited functionality with IE 6, but not enough to make it worthwhile.. No clue if it would even work with IE 7...
I still have my copies... I really wish it worked. I had amassed a huge database of research that's basically useless now.. (although, since it clipped them as web pages, I suppose I can, technically, view them... But the names were based off GUIDs, so identifying the pages is a little rough...)
As the saying goes, "you can't legislate stupidity." Parents are increasingly irresponsible and clueless when it comes to what their children say and do. And the government is happily "helping" out those poor, overworked, overstressed parents by enacting legislation to make it so they don't actually have to be a parent. Instead, all the blame lands on the kids and the parents can continue on in blissful ignorance.
We're having trouble with my 10-year-old stepson because he feels we're being unfair because we won't let him have games rated T-for-Teen, or have his own cell phone. He rails at us because we won't simply let him go where he wants, when he wants, and we won't continuously feed his bad habits. He constantly tells us how "other kids' parents don't do this," to which my standard reply is "I don't care what other parents do." Wow.. I feel your pain.. I've had the same exact problem with my stepson.
And I don't, because I see how other parents let their children push them around, guilt them into buying them things, browbeat them when they don't get what they want. And these people cave in! Again, worry not. The government will pass another bill to protect those parents..
But again, that's what they decide to do. Parents will do stupid things and while you can make those things illegal, you can't make people not do them. Parents have to decide for themselves that buying these games for their children is a bad idea. I agree completely. From my point of view, I'm aware of what my child can and cannot handle. For instance, games rated T, for the most part, are ok for him. However, he does not have the responsibility to handle a Cell phone. Likewise, R-Rated movies, within certain limits, are something I don't mind him watching, but having free rein to come and go as he pleases is not something I think he's ready for.
Parents who are involved with their children know the limits of those children. Those types of parents can handle making decisions based on that knowledge. Laws such as the proposed law to ban sales of M rated games to minors are nothing but a mere annoyance to a good parent. I have no problem going and buying a game for my son if I'm aware of the content and I don't see a problem with it. So if they do restrict sales, that's not a problem for me as long as it's a retailer restriction. Once good old uncle sam starts telling me what I can and cannot let my son play, then I've got a problem.
I don't see these types of laws as bad until they start infringing on my rights as a parent and an adult.
If somebody's ISP is blindly rejecting mails due to nothing more than a positive Spamhaus hit then that's the fault of the ISP! This is like discussing religion or OS preference...
What would you have ISPs do to stop spam? Spamassassin, properly tuned, does a decent job, but it doesn't solve the underlying problem. If an ISP allows *every* incoming connection and relies on spamassassin to detect and mark mail, then they have to ensure that there is sufficient storage for the spam. In most cases, the amount of spam incoming to a system is over ten times more than normal mail.
Using something like spamhaus helps out considerably because it does block a lot. Unfortunately, like every single other system out there, it has flaws. As with other approaches, the goal is to find a happy medium of sorts. The result is, however, that you can't please them all.
I've spent quite a bit of time on spam prevention for my own server and it's definitely not easy. I have about 5 tiers of spam detection at this point and, while it's catching about 99% of the spam, some still gets through. As a technically savvy user, I can deal with this and the level of detail required. For the normal ISP user, however, it's a different story. They don't have the technical know-how to tune their mail filters, nor do they generally have any interest in doing so.
So, until someone comes up with the perfect filtering system (which the spammers will likely adjust to within a few days), there's not much else to do. Personally, I don't have the time or money to deal with every single incoming spam and blocking some based on a well-known RBL is fine for me.
Cisco patches are more recent, and Nortel only just released patches a couple weeks ago.. So there are companies waiting till the bitter end to make the changes...
Can someone please explain to me why it has taken so long to get these patches out? From an OS level, isn't this simply a tzdata patch? (Not sure what the equivalent on Windows is).. This doesn't seem like such a huge issue to me. If the logic of the higher level programs is hard coded, then it's hardly the fault of the OS to deal with that.
I've been watching people here at work going crazy as they realize that every router, switch, server, and voice switch in the network needs to be updated by next week. And the patches for most of these devices *JUST* came out last week! That's hardly time to test! I guess we blindly jump into the fray and hope that the vendor got it right the first time, eh?
*sigh* This was known about a while ago. August 8, 2005 is when the bill was passed. That's a year and a half ago! Long enough that patches should have been out for months now. Apparently we learned nothing from Y2K...
Ever read the manufacturer's fine print on how they determine MTBF? Last time I did (yeah, it was over a year ago,) it read: "8 hour a day usage." Drives that are on 24/7 get HOT, and heat leads to mechanical failure.
MTTF, no? MTBF would indicate a fixable system.
Yeah, but there has to be a plateau to the heat curve at some point. It's not as if the heat just keeps going up and up.. I would think that the constant on/off each day, causing expansion and contraction of the parts as they heat and cool, would cause much more wear over time. Leaving it on 24/7 in a well ventilated and cooled system should, I would think, keep the drives running better.
Where are the majority of the failures anyway? In the mechanical components or on the disk platters themselves? ie, is this mechanical wear causing failures, or a breakdown of the chemicals used to coat the drive platters?
So what rights does this guy have? Can he sue himself for plagiarism? I mean there's definitely prior art there.. Personally, I think he stands to gain from this blatant rip off of his previous work.
Sarcasm aside, I actually found this requirement a bit odd as well. What purpose would it serve to have an AP above each row? How much traffic are we talking about? I'm actually quite curious about the thought process that brought all of this about...
Google apparently doesn't cache the picture, but it does have a cache of the original page where it showed the description and price for the keys. The actual picture was preserved by bradblog.
My original submission has a link to both the new Diebold page for the electronic key, as well as the Google cache version with the original description. I guess the editors didn't like my links. :)
But, as stated in TFA, DRM isn't about piracy, it's about squeezing every red cent out of the end-user. Want it as a ringtone? CHA-CHING! How about playing it on the PC? CHA-CHING! MP3 Player? CHA-CHING!
They're gonna lose an awful lot of CHA-CHINGs if they use a watermark instead.. Jesus, this is a step backwards... I'm waiting for the **AA to realize they can sell the cover art, lyrics, etc as separate items and charge even more...
Ok, so you bought the music track.. Wanna buy the lyrics now? How about the bass and guitar parts?
Seriously though, I would definitely be more interested in an unencumbered format with a simple watermark than I am in the DRM crap that exists now.. I used to have an Audible account, which I loved. Problem is, after I downloaded the DRM encrusted file, I had to spend hours running it through a converter to get an OGG file that I could use on my iRiver.. Seems iRiver has no interest in the Audible DRM format.. No piracy interest at all, I just want to be able to listen to the damn thing!
SPF is only effective if everyone uses it. It's pretty much that simple. Problems with forwards and mailing lists aside, SPF seems to work pretty well. I've been using it for a while now and I like it.
As for what to do... It's a tough call. You're being affected by a "Joe Job" [http://en.wikipedia.org/wiki/Joe_job].. Defending against this is not the easiest thing in the world. Filtering is probably the only route you can go right now. You should be able to filter based on the subject and To: address, looking for MAILER-DAEMON messages to the users being affected. That's how I would deal with it to begin... Then perhaps limiting SMTP from the outside world, prioritizing local user traffic. That should calm the server down a little.
For the record, every mail server I've worked on has been set up to reject. I learned a long time ago that bounces and double bounces can easily kill a server. Great idea in theory, but the low-lifes on the net make good ideas regretful..
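The bounce filter sketched above (match MAILER-DAEMON-style senders and bounce subjects addressed to the Joe-Jobbed users), written out as an added example that is not code from the thread. It assumes the message arrives as raw text on stdin (for instance from a procmail rule), that the affected addresses are listed in AFFECTED_USERS, and that matches are quarantined rather than discarded, since a real bounce for one of those users will also match.

```php
<?php
// Constructed example: classify one raw message as backscatter or not.
// The affected address and the sample message below are placeholders.

const AFFECTED_USERS = ['victim@example.org'];

// Local parts that bounce generators commonly use as the From: address.
const BOUNCE_SENDERS = ['mailer-daemon', 'postmaster'];

// Subject fragments typical of delivery failure notices (lowercase).
const BOUNCE_SUBJECTS = [
    'undelivered mail returned to sender',
    'delivery status notification',
    'returned mail',
    'mail delivery failed',
];

// Parse the header block (everything before the first blank line) into a
// lowercase-name => value map, joining folded continuation lines.
function parseHeaders(string $raw): array
{
    $headers = [];
    $block = preg_split("/\r?\n\r?\n/", $raw, 2)[0];
    $last = null;
    foreach (preg_split("/\r?\n/", $block) as $line) {
        if ($last !== null && preg_match('/^[ \t]/', $line)) {
            $headers[$last] .= ' ' . trim($line);   // folded header line
            continue;
        }
        if (preg_match('/^([!-9;-~]+):\s*(.*)$/', $line, $m)) {
            $last = strtolower($m[1]);
            $headers[$last] = $m[2];
        }
    }
    return $headers;
}

// Reduce "Display Name <user@host>" or "user@host" to a lowercase bare address.
function bareAddress(string $value): string
{
    if (preg_match('/<([^>]+)>/', $value, $m)) {
        return strtolower(trim($m[1]));
    }
    return strtolower(trim($value));
}

// True when the message is a bounce notice aimed at one of the affected users.
function isBackscatter(string $raw, array $affected = AFFECTED_USERS): bool
{
    $h = parseHeaders($raw);
    $to = bareAddress($h['to'] ?? '');
    if (!in_array($to, array_map('strtolower', $affected), true)) {
        return false;                     // not addressed to a Joe-Jobbed user
    }
    $from = bareAddress($h['from'] ?? '');
    $fromIsDaemon = in_array(explode('@', $from)[0], BOUNCE_SENDERS, true);
    $subject = strtolower($h['subject'] ?? '');
    $subjectIsBounce = false;
    foreach (BOUNCE_SUBJECTS as $marker) {
        if (strpos($subject, $marker) !== false) {
            $subjectIsBounce = true;
            break;
        }
    }
    // Require both the daemon sender and a bounce subject to limit collateral.
    return $fromIsDaemon && $subjectIsBounce;
}

// Constructed sample: a third-party MTA bouncing mail the victim never sent.
$sample = "Return-Path: <>\r\n"
        . "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\r\n"
        . "To: <victim@example.org>\r\n"
        . "Subject: Undelivered Mail Returned to Sender\r\n"
        . "Message-ID: <placeholder@mx.example.net>\r\n"
        . "\r\n"
        . "This is the mail system at host mx.example.net.\r\n";

// In a real hook the raw message would come from stdin and a match would be
// written to a quarantine folder; here the decision is just reported.
fwrite(STDOUT, isBackscatter($sample) ? "quarantine\n" : "deliver\n");
```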
HEY DUMBASS! DON'T LET GO OF THE FUCKING CONTROLLER!
Seriously.. Are people THAT stupid?
Unfortunately, the fact that Nintendo started the strap replacement program will hurt rather than help them I think. Admission of guilt, blah blah..
But let's get real. If you're stupid enough to let go of the damn thing, then you deserve to have your stuff broken. It's not a REAL football/bowling ball/racket/etc.. You *REALLY* don't need to swing it that hard..
I'd love to see a study on the amount of force required to break the strap. Seriously.
In every other language I've ever programmed in, it was relatively easy to figure out where the variables came from. In PHP there's a chance that a configuration setting is going to have the ability to change that. I'm sorry but that's bad design.
Err.. Huh? I understand register globals and I know how dangerous it is. But I'm not quite sure about your other statement.. How could you not know where the variables come from? You are declaring them first, right? register_globals doesn't overwrite an existing variable, it will only create the variable if it does not exist..
Right from the PHP manual : "Always validate your user data and initialize your variables!" Seems to be pretty sound advice to me...
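The behaviour described above, as an added example that is not code from the thread: with register_globals on, a request parameter becomes a variable only if the script has not already created one, so an uninitialised flag can be supplied by the client. register_globals was removed in PHP 5.4, so the request-to-variable import is simulated here with extract(..., EXTR_SKIP), which has the same create-only-if-missing rule; the user table and request are constructed placeholders.

```php
<?php
// Constructed credential table (placeholder values).
const USERS = ['alice' => 'correct horse battery staple'];

// Vulnerable shape: $authorized is only ever assigned on the success path.
// With register_globals (simulated by extract/EXTR_SKIP), a request carrying
// authorized=1 creates the variable before the check runs, so the login
// check is bypassed without any credentials.
function checkAccessVulnerable(array $request): bool
{
    extract($request, EXTR_SKIP);          // simulated register_globals
    if (isset($user, $pass) && (USERS[$user] ?? null) === $pass) {
        $authorized = true;
    }
    return !empty($authorized);            // trusts whatever was imported
}

// Hardened shape, following the manual's advice: initialise every variable
// first, then validate only the request fields you actually expect.
// extract/EXTR_SKIP can no longer create $authorized because it exists.
function checkAccessHardened(array $request): bool
{
    $authorized = false;
    extract($request, EXTR_SKIP);          // simulated register_globals
    $user = (string)($request['user'] ?? '');
    $pass = (string)($request['pass'] ?? '');
    if ($user !== '' && isset(USERS[$user]) && hash_equals(USERS[$user], $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: no credentials, only the flag the script never reset.
$forged = ['authorized' => '1'];

// The vulnerable function grants access on the forged request; the hardened
// one denies it. Genuine credentials still pass the hardened check.
var_dump(checkAccessVulnerable($forged));
var_dump(checkAccessHardened($forged));
var_dump(checkAccessHardened(['user' => 'alice', 'pass' => 'correct horse battery staple']));
```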
Who on earth thought that register_globals was a good idea? And why on earth do most of the popular third party apps still insist on using them???
Agreed. register_globals, at the time, was probably created to make web apps easier to write. Remember, this was prior to security being a huge issue on the net. In retrospect, I'm sure many people, the developers included, think this was a bad move.
As for why it's still used, I can't answer that. Personally, I do what I can to make sure it doesn't impact my code. I refuse to use it and refuse to run any software that requires it to be enabled.
I've been using PHP for years, and I read all the stuff, yet I'm finding new problems with my own code just from reading some of the stuff in this thread. I think a switch to something better is long overdue.
To each his own. I like PHP. It's definitely not a C or a C++, but it's great for what it does... I prefer PHP for simple web programming, perl for server scripting, and C++ for heavy duty programming.
What you outlined is a pretty good list of potential issues, but any security conscious programmer should be checking for these anyways. I only seriously started programming in PHP last year, but I believe I've gotten up to speed pretty quickly. I started my own open source project (http://phptodo.sf.net/) and I've been endeavoring to improve it since.
Yes, input validation is a difficult task, but I think it's just as difficult in other languages as well. And as for inconsistencies in the API, who really trusts that all functions act alike anyways? At the very least, you write the code the way you think it will work, then test the hell out of it. If you find something not acting right, you investigate. I always have the PHP manual handy when I'm coding. The tidbits of info in the comments alone are extremely valuable.
I've become a big fan of PHP because of the speed in which I can build a simple application and the ease of putting it up on the web. That's not to say that I don't deal with the security side, but for internal applications I will put together a quick system to "get by" until I can improve it. The initial "out the door" bit is important when we're dealing with short deadlines.. :)
Overall I'm pretty impressed with PHP. I'm still coding in the 4.x world, but even without the advanced OOP features I'm still having fun. :)
Uhh.. I'm not sure what exactly you're doing wrong, but I send tons of email on a daily basis and it doesn't get marked as spam. That includes emails with attachments, photos, embedded html, and even words like sex, free, and mortgage.
I own my own domain, I run my own mail server. I use spamassassin for email filtering and I've gotten it up to about 99% effectiveness with less than 1% false positives. In fact, of the 150,000-200,000+ messages I received this year alone (conservative estimate), only 5 or so of them were legitimate emails that were marked as spam. I do have a whitelist, but that list only contains a list of servers from which I receive logs.
I spend approximately 1 hour a month (usually less) updating spamassassin. I think it's working pretty well at this point. In fact, even without the extra image parsers for OCX I'm still blocking most of the image spam. It's really not that difficult to develop a spam tagging/blocking system that gets 99% accuracy with the current set of OSS utilities out there..
It's not enough that many e-mail providers drop useful attachments and scan so intrusively into them that I need to encrypt them if I want the e-mail delivered.
It gets better.. Some mail servers detect encrypted attachments and drop those as well because some virii were using encrypted payloads.. :)
The logic is likely similar to the Amazon "people who bought this item also bought..." logic.. it's statistically correct since they're using real numbers, but just proves that statistics aren't always accurate..
I must say, I concur. Big fan of Stephen King's works, the Dark Tower especially, and also of Terry Pratchett. I would have checked myself, but when you see things like this...
Come back soon. We're letting people back in slowly, as we recover from being Slashdotted.
*hangs head*
Well, one can't always predict when one will become slashdotted... And preventing such an occurrence isn't something that is likely high on anyone's list... While I would like to believe that every site I've worked on is worthy of placement on the slashdot front page, I can't justify the cost and time to harden the server in such an event.. :)
I tossed Stephen King's "The Dark Tower" in there to see what I might not like to read and to my surprise the result was a great deal of Terry Pratchett.. Of course, like many others, I love Pratchett and I've read most of the Discworld series...
I was going to toss Pratchett in there and see if King was the result, but with the slashdotting of the site, I think that will have to wait..
I must remind myself to never get listed on the frontpage of slashdot...
You lose at slashdot!
Lose? I think not.. He's taken the slashdot evolution to the next level and doesn't even bother to read the summary..
Bullcrap. I live in Pennsylvania and that's still chump change!
Must be nice.. I live in Pa and I'd love to have an extra $16k
And in 50 years when flying cars are in use (har) you'll be really sorry you wasted all that money on the bridge to nowhere.
*sigh* Great.. Thanks for reminding me that the year 2000 came and went and I still don't have a flying car..
Dammit.. All that therapy, gone to waste.
I'm surprised no one was hurt in this blaze... 2:30am on a Friday? That's prime development time..
Two words: Google Cache? :)
Shouldn't it be something like 'Nothing to see here. Please move it along.' ? 42 bytes.. The ultimate answer...
Are you sure you don't have a leaky bucket? I hear those are troublesome too...