If GreaseMonkey does nothing more than teach programmers not to trust anything that happens on the client side, it will still advance application security by leaps and bounds.
If there is one single thing that is responsible for layer 7 vulnerabilities more than any other, it is the shameful amount of trust placed on client-side data. Even developers that take the trouble of writing client-side validation scripts or put sensitive data in session cookies are still missing the big picture.
It may be decades before real-world security concepts are actually taught in an academic setting. So many developers learn their development habits from "Google school" that having this type of tool out there should help make it painfully obvious how much Web programming is not like traditional client-server application programming.
The comments on Games topics are historically very limited. I think that when the new topics were divided up, they didn't automatically include this one in the preferences. Hence, any slashdotter that hasn't updated preferences won't even see the articles.
What's even funnier is that IIRC the hijackers all had legit IDs, which were legitimately obtained.
You are close. They all had legitimate IDs, but not all were legitimately obtained. And the next time, they will all have legitimate Real-IDs, and again not all will be legitimately obtained.
Right on about the illusion of security - that makes things even less secure.
An in-depth article on the definition of fascism. A bit of an odd source for this kind of political discussion, but hard to argue the merits of the essay.
1) There's nothing in state motor vehicle licensing databases that a federal investigator can't get to anyway
If the FBI can already get access to these data, why do we need a new system?
2) A consistent set of standards by which people (notably, of course, immigrants - legal or not) need to prove who they are before they get an item as enabling (in terms of access, banking, and so on) as a driver's license is... well, not crazy, or draconian, or anything other than reasonable.
If a system is flawed, who cares if it is internally consistent? How is making the system national going to decrease fraud? How is increasing the value of a forgeable credential going to eliminate the black market that thrives primarily due to the value of obtaining that credential? If a national ID card obtained in the heart of NYC is just as good as one obtained in rural Iowa, why would a criminal bother paying New York prices for a fake when it costs half as much to bribe the guy in the heartland?
Sure, the system sounds reasonable, but it really doesn't stand up under any kind of serious analysis.
How about making a more persuasive case that we should let some states issue official IDs (which are then honored in other states) without worrying about who the person actually is? Tough sell? Yes, it is... and that is why you don't see our representatives acting like it's an inherently bad idea to smooth out the discrepancies in the process.
Which states issue official IDs without worrying who the person actually is? Your argument is beginning to look like a tough sell. How about making a persuasive case that a national system is better than the one we have now?
Streamlining and further validating the process will save money, lives, and time. The downside would be... let's see, a situation where it's harder for liars to get mainstream IDs?
Assuming (and this is a rather bold assumption) for the moment that implementing a national ID would actually streamline and bring about further validation of the ID issuing process, how does it save money, lives, and time? In fact, what government process ever saves money, lives, and time?
Yes, there are some good things about a national ID card. I don't think you've hit on any of them.
You also seem to be ignoring several important downsides.
1) National mandates erode states' rights.
2) The infrastructure required to implement this system is a colossal boondoggle.
You don't even have to put on your tin-foil hat to agree that those reasons alone are enough to at least force a little debate. Yet unfortunately we don't see our representatives acting like it is a good idea to examine these issues in the process of rubber-stamping this into law.
IMHO, the name is quite lame for a company that hasn't anything to do with an official mission assigned by the French government (it has nothing especially French, except its nationality and location). This name is misleading.
Hell, even its name isn't especially French. All the adjectives are in the wrong order. Should be something like L'équipe de Réponse d'Incident de Sécurité Français. ERISF?
I did a similar analysis several weeks ago on a scam targeted at US Bank customers. Interestingly, the machine used to host the scam page was also in South Korea. Looks like we are seeing the ugly side of that country's broadband initiative.
That scam I got two weeks ago was the straw that finally broke IE's back. I switched to Mozilla and haven't looked back. Firefox completely eliminated the functionality of the scam, first because it blocked a popup window, and second because it actually handled the URL correctly.
IE has a bug in how it handles URLs for image maps. If you put an <A> tag around an image, but make an image map on top of that image, IE displays the URL for the anchor tag, not the map. However, when you click on the image (if the map covers the whole image), you will be taken to the map location instead. Firefox renders this correctly.
It's really amazing how much work goes into these scams. The scam page popped up a window with no title which also happened to be too large to fit on most screens. Then the page automatically redirected the original browser window to the US Bank Web site. Using IE, the scammer's dotted quad was only visible in a URL bar for the time it took to pull down the page from South Korea (which was probably longer than the scammer would have liked). There was even a fake connection secured icon on the information form. The form page itself used JavaScript to keep itself on top until the user actually filled out all the form fields, even if you tried to close the window!
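The anchor-versus-image-map mismatch described in the comment above can be checked statically in a captured page before anyone clicks on it. The following auditor is an added example, not code from the original post: it uses only the Python standard library, and the bank hostname, the TEST-NET-2 address and the HTML sample are constructed placeholders.

```python
"""Flag <a href> elements wrapping an <img usemap> whose <map> areas point at
a different host than the anchor: the case where an old IE would display the
anchor URL yet follow the area URL on click. Constructed example, not the
original poster's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImageMapAuditor(HTMLParser):
    """Collect anchors that wrap mapped images, plus every <map>'s area hrefs."""

    def __init__(self):
        super().__init__()
        self.anchor_stack = []  # hrefs of currently open <a> elements
        self.wrapped = []       # (anchor_href, usemap_name) for mapped images
        self.maps = {}          # map name -> list of area hrefs
        self.current_map = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "a":
            self.anchor_stack.append(a.get("href") or "")
        elif tag == "img" and a.get("usemap") and self.anchor_stack:
            self.wrapped.append((self.anchor_stack[-1], a["usemap"].lstrip("#")))
        elif tag == "map":
            self.current_map = a.get("name") or ""
            self.maps.setdefault(self.current_map, [])
        elif tag == "area" and self.current_map is not None:
            self.maps[self.current_map].append(a.get("href") or "")

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_stack:
            self.anchor_stack.pop()
        elif tag == "map":
            self.current_map = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_mismatches(html):
    """Return (displayed_anchor_href, actual_area_href) pairs whose hosts differ.
    Relative area hrefs (no host) are same-origin with the page and not flagged."""
    parser = ImageMapAuditor()
    parser.feed(html)
    found = []
    for anchor_href, map_name in parser.wrapped:
        for area_href in parser.maps.get(map_name, []):
            area_host = host_of(area_href)
            if area_host and area_host != host_of(anchor_href):
                found.append((anchor_href, area_href))
    return found


# Constructed sample: a placeholder bank host and a TEST-NET-2 address stand in
# for the real sites. The first image is the spoof; the second maps back to the
# same site via a relative href and must not be reported.
SAMPLE = """
<a href="https://www.example-bank.test/login">
  <img src="login.gif" usemap="#login">
</a>
<map name="login">
  <area shape="rect" coords="0,0,400,200" href="http://198.51.100.7/collect.php">
</map>
<a href="https://www.example-bank.test/help">
  <img src="help.gif" usemap="#help">
</a>
<map name="help">
  <area shape="rect" coords="0,0,100,50" href="/help/faq">
</map>
"""

if __name__ == "__main__":
    for shown, real in find_mismatches(SAMPLE):
        print(f"anchor displays {shown} but the click goes to {real}")
```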
I agree with you about the implausibility of the deus ex machina gunk impurity that killed the machines. I was willing to suspend disbelief on that one.
I disagree about the amount of processing power/memory that these things would need, however. I find it very easy to believe that a simple set of behavioral patterns when applied to a group of organisms acting together can generate very complex behavior. After all, a human is just a collection of very simple cells, albeit with a complex rule set for behavior encoded in our DNA. Think about work done with cellular automata - very simple rules yield very complex patterns and behavior.
Some of the behavior was a bit of a stretch, I agree. Especially given the time scale during which this evolution took place (roughly a week). But Crichton is by no means far off with his interpretations of what the technology could be capable of. If nothing else, the hyperbole reinforces his arguments about how out of control modern scientific research has become.
I remember reading the first few chapters of this book in the airport about the husband suspecting the wife of cheating. That was some of the most depressing reading I have ever done. Crichton really did a brilliant job of abusing us with the same emotional torture the main character was feeling. I found it an odd departure from his normal bash-the-scientists-the-whole-way style. That gut-wrenching feeling hung around for me the entire time I was reading.
As long as you're being a grammar Nazi, you shouldn't connect two complete sentences with a comma. That should read:
You shouldn't split an infinitive; it's just bad grammar.
Of course, there is the Simpsons episode where the organist plays In-A-Gadda-Da-Vida (in the Garden of Eden?). Could this be a tribute to a tribute?
Bob may be a better artist than you know. Remember, Van Gogh's paintings didn't command a premium during his lifetime.
Bob Ross died of cancer July 4th, 1995.
These two statements seem contradictory to me:
I can recognize quality programming even if it does not appeal to my particular interests.
You can't get a fair picture, period. If you don't subscribe to channel X, how will you judge its value?
I'd guess your argument here is that you recognize quality programming as you flip past it on the way to other channels, which wouldn't be possible under the subscription model. I think you are making the assumption that people will somehow forget about the channels they used to consider quality programming once the change is made. In the short term at least, I don't think this argument is valid.
In the long term, you are probably correct that people will have no way to have a "test run" of a channel before they subscribe (there might be a marketable angle to this somehow, like the 'free sample' concept). But compare that to everything else we buy. How do you know what soda to buy or what restaurant to choose if you don't have first-hand knowledge of that product beforehand? Are you saying that none of the advertising models, including free advertising such as word of mouth and people trying out products paid for by someone else, are applicable to cable programming?
You watch an hour of programming per month from one of five niche channels (A, B, C, D, and E). Since, on any given month, there's a one-in-five chance that you'll watch something on each individual channel, you elect not to pay for any of them in the a la carte model. All five go under. You don't get to see the programming from any of them. That didn't serve your needs, tastes, or reflect your budget.
Again, you are assuming that those channels will be priced in such a way that you aren't willing to pay for them in the amount you watch them. What if those are the only 5 channels you watch and the sum total of their subscription fees is less than what you pay for the tens of other channels bundled together the way they are now? The a la carte model in this example exactly serves your tastes (you get all the shows you watch) and reflects your budget (actually paying less for what you get). I can understand how you could see this model not fitting your needs, as you have been arguing that you have a need for alternative quality programming to exist, which might not necessarily happen in this example. But again, if you're paying less for your cable, you can fulfill that need by contributing the difference to the channels that you want to survive.
But you have to show that bundling harms consumers, which has not been done to my satisfaction.
I thought my interpretation of the Radio Shack example showed how bundling harms consumers. In one case the consumer did not get what he wanted and in another case the consumer paid more than he should have and got something he didn't want. What is unsatisfactory about that example?
Hah. Guess I should have checked my sources.
Well, he is John Seminal, after all. He had to have earned the name from something.
I'm a scarab, you insensitive clod!
Mod the parent up.
How ironic. Wasn't it Wired that exposed Stephen Glass as a fraud in the first place?
This thread is great! Two sets of identical posts in a row, all modded up! Wake up mods!
It looks like a hacker alias, but it really stands for French Security Incident Response Team. Exploit description cached here.
I can't believe I just clicked on an image link to the .cx TLD. Not even a moment's hesitation. goatse has been away for too long!
Some more realistic numbers:
100% of spam comes from spammers, so at most 100% of spam could be eliminated in this way. The reason why spam happens is because it's profitable. It's because someone is selling something and paying the spammer to advertise it. It doesn't just randomly spawn from infected hosts.
I agree that it is interesting how spam is being distributed currently, but that's just because it's the easiest way. While I agree that eliminating insecure Windows machines is a desirable goal, the fact that spam comes from these machines is only a symptom, not a cause of the problem.
If it wasn't for the karma hit, I would have modded you troll just for the humor factor.
You would have gotten my +1 Funny if you had said they ought to be enough for any body, instead.
If she's nerdy enough to play with a 2600, she's probably nerdy enough to read slashdot.
Step 3: Sell WinCE devices to hunters along with "homeless hunting" licenses.
Step 4: Profit!!!
Yeap, dating is easy. Always stick to the BASICs.
Wouldn't that be more applicable to the oven?
MMMMMMMM, pi(e).