Names of companies and branded products are usually capitalized anyway, title or not.
Yeah, but consider that Apple sells computers whose file systems are case-insensitive. So even if you distinguish "apple falling" from "Apple falling", Apple's lawyers probably won't.
(This fact has sufficed to exclude Apple servers for several projects that I've worked on. We decided it was OK to develop stuff on OS X, but porting stuff to OS X from any other system can be full of gotchas because of file-name confusion. It's amazing how often this can trip you up, and how long it can take to track down the source of the bizarre behavior. And stuff that came from another caseless system, e.g. MS Windows, doesn't do much better, because the rules for confusing characters are subtly different. Thus, OS X and Windows both also munge file names with Unicode "combined characters", but they seem to do it slightly differently. But this is probably off-topic here, where we should only be discussing "apples", not "Apple's". Outside of Windows and OS X, there's a difference. ;-)
I had hoped any reader would have read the previous sentence: IE runs exclusively on M$ Windoz.all.flavors operating systems.
Hey, you're not only making the mistake of expecting /. readers to have read the (entire) f'ing article; you're expecting them to remember the sentence previous to the one they're now reading!
You need to find a forum with readers able to do all that.
Maybe the "libraries pay more" meme arose as a misunderstanding of the fact that libraries tend to buy hard-cover copies when available, and those always cost more than paperbacks. It makes sense for a library to do this, since paperbacks don't survive too many readings; they're designed to be semi-disposable.
Funny thing; I just finished writing another reply in which I mentioned the publishers' opposition to public libraries in the early 1800s. So now I suppose that one or the other (or both) of us will be modded "redundant". ;-)
Maybe it's time to also bring up the very early history of copyright, which was invented primarily to limit the publication of bibles and other religious texts to only "approved" publishers. The purpose wasn't monetary; it was to prevent publication of documents opposed by the officially-approved religion, by limiting the publishing to officially-approved publishers. It was also to control the distribution, so that only members of the approved priesthood could access the texts. The rest of the population was intentionally kept illiterate, so that the priesthood could be the only religious authorities.
So things could be worse. The "Intellectual Property" people could be actively campaigning against literacy. They could be pushing for laws banning access by "the masses" to their products. They could get laws passed making it illegal to teach your children to read. People like them have done such things in the past. Such things were among the real reasons that the legal concept of copyright was originally developed.
I've read a few histories of the development of public libraries, mostly in the 1800s, and the authors generally mentioned the opposition from the publishers. After a few decades, publishers started figuring out that sales were better in areas with public libraries, and slowly learned to accept the idea.
This has also been mentioned in the various articles on the 20th-century battles over "Intellectual Property". They generally have included long lists of all the technical advances in sound-recording equipment. Every new technology has been attacked by the recording industry on the grounds that it makes it easy for people to make free copies rather than buying from the publisher. Eventually the companies realize that they're selling even more to the users of the new technology, so they back off, only to do the same thing with the next new device.
The battle to block free access to books in public libraries was merely an early example of the same phenomenon. Today we see an article written from such a viewpoint as obvious satire. Back in 1820, it wasn't satire. It was a serious effort to warn the literate public about the dangers of providing literature and education free to the great unwashed masses.
(Note that in the early 1800s, it was widely illegal in the US to teach a negro - or sometimes any non-white person - to read. This gives you a clue to how bad it was back then.)
I believe you'll find that libraries now tend to delete all records after the books are returned, so a search warrant is useless. Hence the publishers can't even find out who the evil 'borrowers' might be.
Didn't this practice start just a few years ago, when the US Government started asking libraries for their borrowing records? I suppose it shows that the librarians are on our side, though I'd guess some people might see it differently.
The government can still demand a list of everyone with a library card, but that's probably not very useful information. About all it tells you is who in the area might be literate. That might make you suspect in some social circles, but probably not to government agencies. (After all, government employees need to be able to read and fill out forms.)
Don't give them any ideas. The copyright circus is stupid enough already.
Too late. The publishing industry has been thinking and talking along this line for a long time already. There's a conventional statistic among publishers, to the effect that every book sold is read by four people. This is usually mentioned in a context that makes it clear that there's a problem. Often they don't bother mentioning how this multi-person readership happens, but it doesn't take much questioning to learn: libraries. And the point is always that the publishers are "losing" 3/4 of their potential sales to the multi-reader "problem".
One of the reasons that a lot of publishers have developed an interest in e-books is that they see it as a way of limiting readership. After all, people won't much loan out their e-readers, and so far, few libraries have experimented with supplying electronic copies of books to their members.
(I wonder why this is? Are they such Luddites? Or are they just ignorant of the technology? Or perhaps they don't see a way to collect overdue fines. ;-)
More to the point, IE doesn't run on MacOSX; BSD.any.flavor; *nix.any.flavor. IE runs exclusively on M$ Windoz.all.flavors operating systems.
IE6 just provides the easiest port of entry for bad guys into anyone's box, than any other version of IE.
Emphasis mine. There seems to be a bit of a contradiction there. IE6 can't provide a port of entry on this Macbook Pro or the two linux boxes on the shelves next to my desk, because I don't run any version of IE on any of these machines. It only provides a point of entry if you're running MS Windows and some version of IE. (Too bad /. won't let you go back and edit your text slightly so that readers don't get distracted by this error. ;-)
M$ to claim that IE8 is the most secure browser out there is like saying cigarettes cure lung cancer.
Actually, it would be a better simile if you were to say that a particular brand of low-tar cigarettes cures cancer. As far as I know, no tobacco company has actually claimed this in their ads, though I've seen some ads that contain "weasel words" that will imply that to most listeners.
In any case, MS seems to have admitted that the hole is in all versions of IE, so it would really be more like the tobacco company admitting that their cigarettes might (in rare cases) cause cancer, but their low-tar brand will cause fewer cancers.
OTOH, someone has already posted a pretty good automotive analogy, so I won't do that.
They admitted they were powerless to solve their own problems without help from their victims.
Heh. It's another "damned if you do; damned if you don't" scenario. Usually, people criticise Microsoft for developing software without bothering to consult or test with actual customers. Now we have a manager of a MS dev group that actually does communicate (though not exactly with "customers"), and acts on what they say, so he's criticised for needing help from his "victims".
Ya can't win that game.
But the fact is that if you're developing server-side web software, you need to test it against real-world sites, not just the toy sites you've set up in your lab. And we all know the "Sorcerer's Apprentice" sort of bug that produces a runaway test that tries to do something as many times as it can per second until it's killed. Good testers will be on the lookout for such events, but it's understandable that they might fail occasionally.
Among web developers, MS does have a bit of a reputation for hitting your new site with a flood of requests, trying to extract everything that you have (even the content of your "tmp" directory which your robots.txt file says to ignore). There are lots of small sites that block MS address ranges for just this reason.
It should be considered good news that there's at least one MS manager who understands all this, and is willing to talk to the "victims" and fix the problems. Now if they could fix the next-level problem, that this sort of thing happens repeatedly and their corporate culture seems to have no way to prevent it from happening again.
As said below, never ascribe to malice that which can be adequately explained by stupidity. (Insert lame joke about MSFT being full of stupidity here).
Yeah, though this particular sort of stupidity has been going on for a long time, and not just at Microsoft (though they seem to be the worst culprit).
I run a couple of sites that, among other things, have links to return the "content" in a list of different formats (GIF, PNG, PS, PDF,...). Periodically, the servers get bogged down by search sites hitting them many times per second, trying to get every file in every format. The worst cases seem to come from microsoft.com and msn.com, though it happens with other search sites, too. Actually, the first attempts I saw at "deep search" like this came from googlebots around 10 years ago, though they quickly backed off and haven't been a serious problem since then. MS-origin "attacks" of this sort have been happening every few months, for nearly a decade.
I've generally handled them with a couple of techniques. One is to check the logs for successive requests from the same address, and insert sleep() calls with progressively longer sleeps as more messages arrive. The code prefixes the "content" with a comment explaining what's happening, in case a human investigates.
Another technique is to look for series of "give me this in all your output formats" requests, verify that it's a search bot, and add the address to a "banned" list of sites that simply get a message explaining why they aren't getting what they asked for, plus an email address if they want to get in contact. So far nobody at any search site has ever used that address. I did once get a response from a guy who was studying sites with such multi-format data, for a school project, to see how the various output formats compared in size and information content. I took his address off the banned list, and suggested that he add a couple-second delay between requests, and he finished his project a few days later.
I suspect that the googlebot folks may have read my explanation of the delays and added code to spread their requests out over time, since that's what their bots seem to do now. But I never heard from them. They must have gotten complaints (and bans) from lots of web sites when they started doing this, so they probably realized quickly that they should add code to prevent such flooding of sites.
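The two techniques described in this comment, progressive delays for a busy address and a ban list for bots that fetch every output format, as an added example in Python that is not the poster's own code. The log lines, addresses, user agents, window size, delay step and format threshold are all constructed or assumed for the demonstration; the contact address in the notice is a placeholder.

```python
"""Added example: throttling request floods seen in a web server access log."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" log lines: addresses, paths and user agents
# are placeholders for the pattern described above, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2010:12:00:00 +0000] "GET /data/item1.gif HTTP/1.1" 200 5120 "-" "examplebot/2.0"
10.0.0.5 - - [01/Feb/2010:12:00:00 +0000] "GET /data/item1.png HTTP/1.1" 200 6120 "-" "examplebot/2.0"
10.0.0.5 - - [01/Feb/2010:12:00:00 +0000] "GET /data/item1.ps HTTP/1.1" 200 9120 "-" "examplebot/2.0"
10.0.0.5 - - [01/Feb/2010:12:00:01 +0000] "GET /data/item1.pdf HTTP/1.1" 200 7120 "-" "examplebot/2.0"
10.0.0.5 - - [01/Feb/2010:12:00:01 +0000] "GET /data/item2.gif HTTP/1.1" 200 5120 "-" "examplebot/2.0"
192.0.2.9 - - [01/Feb/2010:12:00:03 +0000] "GET /data/item1.pdf HTTP/1.1" 200 7120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [01/Feb/2010:12:00:40 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "ua": m.group("ua")}


def looks_like_bot(ua):
    ua = ua.lower()
    return any(word in ua for word in ("bot", "crawl", "spider"))


class FloodGuard:
    """Progressive delay per address plus a ban list for all-formats crawlers."""

    def __init__(self, window=10.0, free_burst=2, step=0.5, max_formats=4):
        self.window = window            # seconds of history kept per address (assumed)
        self.free_burst = free_burst    # requests per window that get no delay (assumed)
        self.step = step                # extra seconds of sleep per request over the burst
        self.max_formats = max_formats  # formats of one item that mark a deep crawl
        self.recent = defaultdict(deque)                    # ip -> timestamps in window
        self.formats = defaultdict(lambda: defaultdict(set))  # ip -> item -> extensions
        self.banned = set()

    def decide(self, req):
        ip = req["ip"]
        if ip in self.banned:
            return {"ip": ip, "delay": None, "banned": True}
        q = self.recent[ip]
        while q and req["ts"] - q[0] > self.window:
            q.popleft()
        q.append(req["ts"])
        delay = max(0, len(q) - self.free_burst) * self.step
        # "Give me this in every format" detection: same item, many extensions.
        base, dot, ext = req["path"].rpartition(".")
        if dot:
            seen = self.formats[ip][base]
            seen.add(ext.lower())
            if len(seen) >= self.max_formats and looks_like_bot(req["ua"]):
                self.banned.add(ip)
        return {"ip": ip, "delay": delay, "banned": ip in self.banned}


def notice(decision):
    """Comment to prefix to the content so a human investigator sees why."""
    if decision["banned"]:
        return "<!-- blocked: repeated all-format fetches; contact webmaster@example.invalid (placeholder) -->"
    if decision["delay"]:
        return f"<!-- delayed {decision['delay']:.1f}s: too many requests from your address -->"
    return ""


def process(log_text, guard=None):
    """Run every parseable line through the guard, in order; return the decisions."""
    guard = guard or FloodGuard()
    decisions = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req:
            decisions.append(guard.decide(req))
    return decisions


if __name__ == "__main__":
    for d in process(SAMPLE_LOG):
        print(d["ip"], d["delay"], d["banned"], notice(d))
```

In a live CGI the `delay` value would be handed to `time.sleep()` before the content is written; here the decisions are returned so they can be inspected. A bot that spreads its requests out over time, as the comment says the googlebots now do, stays under `free_burst` and is never delayed.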
I agree the GUI on Android is still not as good. It feels less polished especially on the browser.
It's funny that people would say this, because in our house my wife has an iPhone and I have a G1. Although she loves the iPhone, she agrees that its "Safari" browser is crappy, and she tries to avoid using it. I've been testing a bunch of web stuff on both phones, trying to make "mobile" pages that work well on both of them, and I've followed a lot of online discussions of problems with their browsers. Most of the problems are on the iPhone, and people don't seem to be coming up with solutions.
One major problem is that it's difficult to make pages that fit properly on the screen. All too often, Safari formats the page for a window much larger than the iPhone's screen, so you have to laboriously scroll left and right to read it. You can use the "pinch" to shrink it, but then the text becomes tiny and unreadable. People have found a "meta name=viewport" tag that lets you specify the pixel width, but this only works for the portrait layout; rotating the phone causes the page to be embiggened so there's not much on the screen. Nobody seems to know how to tell the iPhone's browser to do the usual line wrapping to fit the screen. The G1's browser does a very good job of formatting for the screen, and rotating to the other layout causes everything to be reformatted to fit.
Another problem is that both of them like to re-fetch pages when you back up (which on the iPhone doesn't always seem possible, but sometimes you can). If the page invoked a CGI on the server, it's repeated, which is often something you don't want to do. Thus, if you back up to a slashdot comment submission, it repeats the submission. On some sites, this triggers a redirect to an error page, with the result that you can't back up past that point at all. You have to close the "window" and open a new one. On many sites, this loses any session you might have established. These problems exist on both phones, but the iPhone seems to be worse, and often won't let you back up at all, for reasons we don't understand. The G1's "back button" seems to always work, though sometimes the previous page isn't displayed unless you do a refresh.
Actually, the real problem with testing for smartphones is that every one is different, so you need a whole stack of them, and the contracts get rather expensive. A real web-testing setup for phones would cost you thousands of dollars per month for the service. Sometimes you can swap the SIM cards around, but not often due to the providers' "locking" measures that tend to reject unapproved phones. So don't expect the Web to work smoothly on the majority of phones for a rather long time...
The browser on my G1 has an explicit "Accept cookies" setting, so the answer is "sometimes". ;-) This is, of course, typical behavior in most browsers. There's also the usual "Clear all cookie data" item in the Settings menu. But it does mean that you can't simply rely on cookies working. As with things like javascript, the person running the browser can disable cookies.
Add to the mix the useragent, ip, proxy info and (hash of an) internal identifier == unique id.
Or you could do as I've seen some sites do, and which I've done on occasion: Generate a unique "session id" which is passed to the client in various ways such as a "hidden" input variable or as part of URLs in links, to be passed back to the server in subsequent requests. This is no more difficult than a cookie to spoof by a man-in-the-middle such as an ISP.
An exploit that works on a 9 year old version of the browser... is hardly newsworthy anymore. What *is* newsworthy however, is why exactly Google of all people are still using it ?
Oh, I dunno; I've been doing some testing against IE6 lately. My motive is fairly trivial. I'm developing some Web stuff for an organization (which one doesn't matter here), and I did a bit of a survey to find out what browsers their people are using. IE6 turned up fairly high on the list. I've also sent announcements around to them inviting them to try out what I have running, and I collected the HTTP_USER_AGENT strings from all their requests from my server log. IE6 came up fairly high on that list, too.
So I have a copy of Windows NT as a guest OS in a partition on my wife's Macbook Pro, and it has IE6 installed for testing. It's a pretty awful browser, but the customer's people are using it, so I try to at least make sure that everything is readable for them, if not always pretty. IE6 is why I eliminated frames from the prototypes.
It's "interesting" that the top browsers in this list are FF 3.5, IE8 and IE6. Chrome is rapidly sneaking up on them, though. Guess I'll have to install it, too.
(There are also a couple of people in the organization who aren't Web users because they don't have a computer. Can you imagine that? ;-)
I even think mobiles generate their own UNIQUE identification code which can be used too for the mobile version of facebook.
So where might my code find this?
I just checked what my apache server tells a CGI program of mine when I connect from my cell phone. The only ID string I see is
HTTP_USER_AGENT: "Mozilla/5.0 (Linux; U; Android 1.6; en-us; T-Mobile G1 Build/DRC83) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1"
I can easily tell what kind of phone this is. So can my code, which sends the "Mobile" version of pages to my phone. (That's what I'm testing, actually.) But I don't find anything passed telling my code which of the millions of G1 phones this is. I also tested it with my wife's iPhone, and found the same things. My code gets a HTTP_USER_AGENT string that contains "iPhone", but nothing like a serial number or other unique identifier anywhere.
IP address doesn't work. Sometimes they both send the same IP address. OTOH, successive requests from either of them often come in from different IP addresses. These addresses are presumably associated with several nearby cell towers that our phones can "see". During the last few minutes, the only address I saw from them was 208.54.90.77 (m4d5a36d0.tmodns.net), but both get several other addresses at other times.
So if there are several iPhones or G1 phones all contacting my server at about the same time, how would my code tell them apart? Do you have a link to a page that explains how to do this?
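What a CGI program can and cannot learn from the headers the comment above lists, as an added Python example that is not the poster's code. The G1 user-agent string is the one quoted above; the iPhone and desktop strings, the CGI environments and the choice of headers to hash are constructed for the demonstration.

```python
"""Added example: classifying a phone from HTTP_USER_AGENT, and why that is not an identity."""
import hashlib
import re

# The first string is the G1 user agent quoted in the comment above; the
# other two are constructed stand-ins in the same general format.
G1_UA = ('Mozilla/5.0 (Linux; U; Android 1.6; en-us; T-Mobile G1 Build/DRC83) '
         'AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1')
IPHONE_UA = ('Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) '
             'AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16')
DESKTOP_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1) Gecko/20090624 Firefox/3.5'

# Android agents carry the model name between the locale and "Build/".
ANDROID_MODEL_RE = re.compile(r'Android [\d.]+; [\w-]+; (?P<model>[^;)]+?) Build/')


def classify_user_agent(ua):
    """Return platform, model (if the string carries one) and a mobile flag."""
    if "Android" in ua:
        m = ANDROID_MODEL_RE.search(ua)
        return {"platform": "android", "model": m.group("model") if m else None, "mobile": True}
    if "iPhone" in ua:
        return {"platform": "iphone", "model": "iPhone", "mobile": True}
    return {"platform": "other", "model": None, "mobile": "Mobile" in ua}


def choose_variant(environ):
    """The decision the poster's CGI makes: which version of the page to send."""
    info = classify_user_agent(environ.get("HTTP_USER_AGENT", ""))
    return "mobile" if info["mobile"] else "desktop"


# Headers a CGI program actually receives from Apache. REMOTE_ADDR is left
# out on purpose: as observed above, it changes between requests from one phone.
FINGERPRINT_KEYS = ("HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_ACCEPT_LANGUAGE")


def fingerprint(environ):
    """Hash of the stable request headers: identical for every phone of one model."""
    material = "\n".join(f"{k}={environ.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def make_environ(ua, remote_addr, lang="en-us"):
    """Constructed CGI environment, shaped like what Apache hands to a script."""
    return {"HTTP_USER_AGENT": ua, "HTTP_ACCEPT": "text/html",
            "HTTP_ACCEPT_LANGUAGE": lang, "REMOTE_ADDR": remote_addr}


if __name__ == "__main__":
    a = make_environ(G1_UA, "203.0.113.10")   # two different G1 phones, constructed
    b = make_environ(G1_UA, "203.0.113.11")
    print(classify_user_agent(G1_UA), choose_variant(a))
    print("same fingerprint:", fingerprint(a) == fingerprint(b))
```

The model name is enough to pick the mobile layout, which is all the poster's code needs. Two G1 phones at different addresses produce the same `fingerprint`, which is the point of the question: nothing in the request singles out one handset, so telling concurrent phones apart needs a token the server issues itself.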
....that if you really need data to be secure, end to end security is the only way to go.
If you dig around in any archives related to the topic of computer security, you'll find this comment all over the place, and in the earliest documents you can find. It's well understood that if you rely on a lower "comm" layer for security, the people in charge of that layer have full access to everything you send or receive.
This is why so many security people tend to just snicker at network-level security features. They explain why this is purely a waste of cpu cycles (and sometimes also bandwidth), because you have to provide your own security at the top level anyway. But hardly anyone ever listens to them.
Some have argued that the lower-level security doesn't hurt, and may add some security in cases where the end users didn't do the job. But others reply that, in practice, it does hurt, because it tricks many users into believing that "the system" provides security, so they don't have to. We're starting to see the effects of this now, with the growing reports of ISPs and other comm companies intentionally violating their users' privacy. And again, the security experts just snicker, because it's exactly what they were warning us about decades ago.
Several security experts said they had not heard of a case like this,...
But I, as just a random user of some commercial... websites have several times over the years requested information about my account and orders - and seen instead somebody else's information.... I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.
And here we have a nice summary of how the legal (and political) system gets it all wrong. They often set up laws that punish the victims who report such problems. The result is that the victims stop reporting problems. The law-enforcement people and the politicians can then say that (reported) violations have decreased, so the laws must be effective.
It's an old story. It's especially common in the software business, where people who merely make inquiries about security-related problems are commonly classified as "hackers". So the people who want to solve the problems learn to keep very quiet. In forums like this, we see people asking "Why is it all so bad?" A good part of the answer is that the smart people have decided to not get involved, because they value their own freedom.
It's also the story behind the frequent attempts to shut down the sites that collect "file sharing" information. You'd think that the copyright owners would welcome such sites, as they help finger the copyright violators. But instead, they sue the owners of the sites that point to the violators.
"Punish the messenger" seems to be a natural human reaction to news about things we don't like. And "If we don't know about it, it's not happening."
Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.
Some recent testing of web sites on the iPhone and G1 phone has also shown that using the client's IP address as part of the "session" information simply doesn't work. With both of these phones, successive HTTP requests from a single phone often come from different IP addresses. In the tests I did, the set of IP addresses was small (2 to 4), and I suspect that it might have something to do with being in contact with several cell towers. The phones appear to be "NATted" behind several different addresses. So from the client's viewpoint, a session that depends on the IP address appears to work intermittently.
It's yet another argument in favor of IPv6, except that the phone companies and ISPs don't seem to be at all interested in going that way.
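The server-generated session id described earlier (passed back in a hidden field or in link URLs) next to the IP-bound session this comment says fails, as an added Python example that is not the poster's code. The rotating addresses for one phone, the session lifetime and the field and parameter names are constructed for the demonstration.

```python
"""Added example: server-side sessions that do not depend on the client's IP address."""
import html
import secrets
from urllib.parse import urlencode

# Constructed sequence of source addresses for one phone whose requests
# arrive through several carrier NAT gateways (documentation-range addresses).
PHONE_ADDRS = ["198.51.100.7", "198.51.100.12", "198.51.100.7", "198.51.100.31"]


class SessionStore:
    """Sessions keyed by a random token; optionally pinned to the first address."""

    def __init__(self, ttl_seconds=1800, bind_to_ip=False):
        self.ttl = ttl_seconds
        self.bind_to_ip = bind_to_ip
        self._sessions = {}

    def create(self, remote_addr, now):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[sid] = {"ip": remote_addr, "last_seen": now, "data": {}}
        return sid

    def lookup(self, sid, remote_addr, now):
        """Return the session for a token, or None if unknown, expired or (if bound) moved."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.ttl:
            del self._sessions[sid]
            return None
        if self.bind_to_ip and s["ip"] != remote_addr:
            return None
        s["last_seen"] = now
        return s


def hidden_field(sid):
    """Token carried in a hidden form input; escaping keeps it out of the markup."""
    return f'<input type="hidden" name="sid" value="{html.escape(sid, quote=True)}">'


def link_with_token(path, sid):
    """Token carried as a query parameter in a link."""
    return f"{path}?{urlencode({'sid': sid})}"


def simulate_phone(bind_to_ip):
    """How many of four follow-up requests from the phone keep their session."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    t = 1000.0
    sid = store.create(PHONE_ADDRS[0], t)
    kept = 0
    for addr in PHONE_ADDRS:
        t += 30.0
        if store.lookup(sid, addr, t) is not None:
            kept += 1
    return kept


if __name__ == "__main__":
    print("IP-bound session kept on", simulate_phone(True), "of 4 requests")
    print("token-only session kept on", simulate_phone(False), "of 4 requests")
```

With `bind_to_ip=True` only the requests that happen to arrive from the original gateway keep the session, which is the intermittent behaviour the comment reports; with the token alone every request is recognised and the expiry check still bounds the session's life. Whether the token travels in a cookie, a hidden field or a URL, anyone on the path can read it unless the connection is encrypted, which is the end-to-end point made earlier in the thread.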
If a poor kid borrows books from a library those are not lost sales--the kid didn't have money for the books anyway. No sales are lost.
And note that this was one of the primary reasons that public libraries were established. The intent was to bring books to "the masses" who mostly had no access to any sort of literature. The publishers weren't happy with the idea at the time, though they eventually learned to live with it. In the long run, a literate population that liked to read was in the publishers' long-term interest.
It's not hard to see the same anti-educational view in the objections to internet sharing. There's a strong sense that what publishers want is an end to my access to anything that I haven't first paid for. Of course, this means that I'd have no way of judging beforehand whether I want to read (or view or listen to) something; I'd just have to buy it, and in the 99% case that I don't actually like it, I can discard it. They're not just against my getting information on authors, musicians, etc. from a public library. They want an end to all sharing among friends or acquaintances, so we'd have no way of knowing if we like something without first paying for it.
Maybe we need to be bringing up the public libraries more in the growing debates over "sharing" online. It would benefit us all (and probably the producers, too), if there were an open and legal online equivalent to public libraries. Also, we should try to make it clear that introducing friends to things we like by sharing is still as legal as it was a few decades ago. Otherwise we'll lose a lot of what the supporters of public libraries and the "public domain" fought to establish in past centuries.
We don't really want to go back to the day when most of the public was intentionally kept illiterate and ignorant of most "culture". And we don't want to go forward to a system in which we can never discover whether we like something unless we've first paid for it. This is what the publishers and recording companies are pushing for.
I prefer Google myself, but the instant they tell me I can't use a specific browser is the instant I start using someone else. It's already annoying enough that they put the retarded 'try chrome' on the main page if you aren't using Chrome.
So where do you see this? I just pointed firefox at google.com, and the page it's displaying doesn't seem to contain the string "chrom" anywhere that FF's search widget can find it. I also pointed Safari at google.com, and the resulting page doesn't contain "chrom" anywhere.
Could they have spotted your comment, and deleted the references to chrome for a day or two? I'll have to check them again in a few days...
Dunno if I'd call the G1's screen "shitty". But I did have to learn to touch buttons slightly above where they seemed to be, if I want them to work. I still tend to get the button below the one I'm aiming at with some probability.
My wife has an iPhone, and I've done a bit of comparing. I'd say that both have screens that are a bit too sensitive. I've verified (by shining a light from the side) that I don't actually have to touch either's screen to activate something. That probably explains why, on both of them, I'm constantly "touching" something that I didn't intend to touch, and then I have to figure out how to get back to where I was.
The G1's little nipple-like joystick actually helps here a bit. It lets me move the current position around the screen, and scroll, without accidentally touching the screen and activating some button. Now if there were a way to push ("click") it without also getting a motion of some sort before the click takes effect...
Another approach might be that of the general winners in the iterated Prisoner's Dilemma game contests. The simplest stable winning strategy has turned out to be what is called "tit for tat", in which you're a nice guy and cooperate the first time you face a new opponent; thereafter, you do to them what they did to you the last time. In the long run, crowds of players using this strategy tend to collect all of the game's rewards.
With the current topic, you'd express it as giving a company advance notice the first time you find a security issue with a product, and only make a public release after talking to them (or trying to) for a few months. If they respond reasonably, you do the same thing next time. If they ignore you, then the next time you release your find without notifying them (and maybe send them a note explaining why you did that).
One useful thing about this strategy is that you only need to remember the most recent incident for each company. It is interesting that in the periodic contests pitting strategies against each other, the general winner is a strategy with a fairly low memory requirement.
Of course, IANAGT (I Am Not A Game Theorist), and I can't tell you whether this result actually applies in the security-bug scenario. Maybe there are some game theorists here who can tell us.
The main complexity is the need to recognize previous opponents. This might be tricky, since it's really not the company that responds or doesn't. It's actually (groups of) specific people working for that company. From the outside, it can be difficult to learn who actually decides how to handle a bug report, and you could easily end up "punishing" a group who were trying to cooperate but were ordered by a superior to ignore you.
Yeah, I'd agree. But it's easy to understand how someone might get frustrated and say "The hell with them; I'm just gonna release the information from now on."
... that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible.
Well, how I read it is more like "Hey, we've tried notifying these turkeys a dozen times or more, and every time, they stonewalled us. I'm fed up with them, and I'm not going to waste my time any more. I'm just going right to the public release, which their history shows is the only way to get any action."
Maybe this isn't the "responsible" thing to do, but it's certainly understandable that a frustrated customer might feel this way. And at this point, "responsible" becomes merely a weak value judgement whose effect mostly is to delay the correction of problems.
Perhaps what we should suggest is starting off with a nice long "advance notice" period with a vendor, 2 or 3 months. Each time they fail to act within that window, you decrease it slightly for the next bug you report. With time, this might stabilize on a reliable period for that vendor. Of course, this only works if you have a long-term business relationship with that vendor. In many cases, people are likely to give up long before the asymptote is reached.
Has anyone proposed a "responsible release" heuristic like this, that adjusts the public-release time to the vendor's previous behavior? I haven't read of any, but I haven't read everything on the topic.
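The two heuristics discussed in this thread, "tit for tat" (remember only the vendor's last response) and the slowly shrinking notice window, side by side as an added Python example; it is not anyone's published disclosure policy. The 90-day start matches the "2 or 3 months" above; the 14-day decrement and the 7-day floor are assumed for the demonstration.

```python
"""Added example: setting a vendor's advance-notice window from its past behaviour."""
from dataclasses import dataclass

INITIAL_DAYS = 90   # the "2 or 3 months" starting window from the thread
STEP_DAYS = 14      # how much a missed window shortens the next one (assumed)
MIN_DAYS = 7        # floor so the window never reaches zero (assumed)


@dataclass
class VendorRecord:
    """All the state either strategy needs about one vendor."""
    last_responded: bool = True       # tit for tat: assume cooperation at first
    window_days: int = INITIAL_DAYS   # decaying window: current notice period


def tit_for_tat_period(rec):
    """Full notice if the vendor acted on the last report, otherwise none."""
    return INITIAL_DAYS if rec.last_responded else 0


def decaying_period(rec):
    """Whatever the window has shrunk to after the vendor's missed deadlines."""
    return rec.window_days


def record_outcome(rec, responded):
    """Update the record after a report: did the vendor act within the window?"""
    rec.last_responded = responded
    if not responded:
        rec.window_days = max(MIN_DAYS, rec.window_days - STEP_DAYS)


def simulate(history, strategy):
    """Notice period used for each successive report, given the vendor's responses."""
    rec = VendorRecord()
    choose = tit_for_tat_period if strategy == "tit_for_tat" else decaying_period
    periods = []
    for responded in history:
        periods.append(choose(rec))   # decided before this report's outcome is known
        record_outcome(rec, responded)
    return periods


if __name__ == "__main__":
    history = [True, False, False, True]   # constructed vendor behaviour
    print("tit for tat:", simulate(history, "tit_for_tat"))
    print("decaying:   ", simulate(history, "decaying"))
```

Tit for tat forgives immediately after one cooperative response, while the decaying window keeps the shortened period, which is the difference between the two proposals in the thread. Both work from a single per-vendor record, the low memory requirement noted above.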
I am irked by the phrase "advanced projective mathematics." This to me is a red flag warning me of some business school BS coming up.
I suspect that this was part of the satire. (But I could be wrong.)
Don't give them any ideas.
The copyright circus is stupid enough already.
Too late. The publishing industry has been thinking and talking along this line for a long time already. There's a conventional statistic among publishers, to the effect that every book sold is read by four people. This is usually mentioned in a context that makes it clear that there's a problem. Often they don't bother mentioning how this multi-person readership happens, but it doesn't take much questioning to learn: libraries. And the point is always that the publishers are "losing" 3/4 of their potential sales to the multi-reader "problem".
One of the reasons that a lot of publishers have developed an interest in e-books is that they see it as a way of limiting readership. After all, people won't much loan out their e-readers, and so far, few libraries have experimented with supplying electronic copies of books to their members.
(I wonder why this is? Are they such Luddites? Or are they just ignorant of the technology? Or perhaps they don't see a way to collect overdue fines. ;-)
More to the point, IE doesn't run on MacOSX; BSD.any.flavor; *nix.any.flavor
IE runs exclusively on M$ Windoz.all.flavors operating systems
IE6 just provides the easiest port of entry for bad guys into anyone's box, than any other version of IE.
Emphasis mine. There seems to be a bit of a contradiction there. IE6 can't provide a port of entry on this Macbook Pro or the two linux boxes on the shelves next to my desk, because I don't run any version of IE on any of these machines. It only provides a point of entry if you're running MS Windows and some version of IE. (Too bad /. won't let you go back and edit your text slightly so that readers don't get distracted by this error. ;-)
M$ to claim that IE8 is the most secure browser out there is like saying cigarettes cure lung cancer.
Actually, it would be a better simile if you were to say that a particular brand of low-tar cigarettes cures cancer. As far as I know, no tobacco company has actually claimed this in their ads, though I've seen some ads that contain "weasel words" that will imply that to most listeners.
In any case, MS seems to have admitted that the hole is in all versions of IE, so it would really be more like the tobacco company admitting that their cigarettes might (in rare cases) cause cancer, but their low-tar brand will cause fewer cancers.
OTOH, someone has already posted a pretty good automotive analogy, so I won't do that.
RIGHT!
They admitted they were powerless to solve their own problems without help from their victims.
Heh. It's another "damned if you do; damned if you don't" scenario. Usually, people criticise Microsoft for developing software without bothering to consult or test with actual customers. Now we have a manager of a MS dev group that actually does communicate (though not exactly with "customers"), and acts on what they say, so he's criticised for needing help from his "victims".
Ya can't win that game.
But the fact is that if you're developing server-side web software, you need to test it against real-world sites, not just the toy sites you've set up in your lab. And we all know the "Sorcerer's Apprentice" sort of bug that produces a runaway test that tries to do something as many times as it can per second until it's killed. Good testers will be on the lookout for such events, but it's understandable that they might fail occasionally.
Among web developers, MS does have a bit of a reputation for hitting your new site with a flood of requests, trying to extract everything that you have (even the content of your "tmp" directory which your robots.txt file says to ignore). There are lots of small sites that block MS address ranges for just this reason.
It should be considered good news that there's at least one MS manager who understands all this, and is willing to talk to the "victims" and fix the problems. Now if they could fix the next-level problem, that this sort of thing happens repeatedly and their corporate culture seems to have no way to prevent it from happening again.
As said below, never ascribe to malice that which can be adequately explained by stupidity. (Insert lame joke about MSFT being full of stupidity here).
Yeah, though this particular sort of stupidity has been going on for a long time, and not just at Microsoft (though they seem to be the worst culprit).
I run a couple of sites that, among other things, have links to return the "content" in a list of different formats (GIF, PNG, PS, PDF, ...). Periodically, the servers get bogged down by search sites hitting them many times per second, trying to get every file in every format. The worst cases seem to come from microsoft.com and msn.com, though it happens with other search sites, too. Actually, the first attempts I saw at "deep search" like this came from googlebots around 10 years ago, though they quickly backed off and haven't been a serious problem since then. MS-origin "attacks" of this sort have been happening every few months, for nearly a decade.
I've generally handled them with a couple of techniques. One is to check the logs for successive requests from the same address, and insert sleep() calls with progressively longer sleeps as more messages arrive. The code prefixes the "content" with a comment explaining what's happening, in case a human investigates.
Another technique is to look for series of "give me this in all your output formats" requests, verify that it's a search bot, and add the address to a "banned" list of sites that simply get a message explaining why they aren't getting what they asked for, plus an email address if they want to get in contact. So far nobody at any search site has ever used that address. I did once get a response from a guy who was studying sites with such multi-format data, for a school project, to see how the various output formats compared in size and information content. I took his address off the banned list, and suggested that he add a couple-second delay between requests, and he finished his project a few days later.
I suspect that the googlebot folks may have read my explanation of the delays and added code to spread their requests out over time, since that's what their bots seem to do now. But I never heard from them. They must have gotten complaints (and bans) from lots of web sites when they started doing this, so they probably realized quickly that they should add code to prevent such flooding of sites.
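The two techniques described in the comment above (progressively longer sleeps for repeated requests from one address, and banning a search bot that asks for every output format of a resource, with an explanatory message), as an added example that is not the commenter's own code. It replays constructed Apache combined-format log lines through a throttle. The ten-second window, the five-request allowance, the four-format threshold and the contact address are assumptions to tune per site, and the bot check is a user-agent match only, since confirming a crawler by forward-confirmed reverse DNS needs the network.

```python
"""Throttle, then ban, crawlers that flood a site with requests.

Added example; not the commenter's code.  Log lines are constructed, and the
window, thresholds and contact address are assumptions.
"""
import posixpath
import re
import time
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)      # look-back period per client address (assumed)
FREE_REQUESTS = 5                   # requests per window before we start sleeping (assumed)
MAX_DELAY = 30                      # cap on the progressive sleep, seconds (assumed)
FORMAT_THRESHOLD = 4                # distinct formats of one resource => "deep search" (assumed)
CONTACT = "abuse@example.invalid"   # assumed contact address shown on the ban page


def parse_line(line):
    """Parse one combined-log line into a dict with a datetime timestamp."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
    return rec


def looks_like_search_bot(ua):
    """Cheap UA check only; a real deployment would also confirm the address
    by forward-confirmed reverse DNS, which this offline example cannot."""
    return re.search(r"bot|crawler|spider", ua, re.I) is not None


class Throttle:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> deque of (ts, stem, ext) inside WINDOW
        self.banned = {}                  # ip -> reason text shown to the client

    def decide(self, rec):
        """Return ("allow", 0), ("delay", seconds) or ("ban", reason)."""
        ip = rec["ip"]
        if ip in self.banned:
            return ("ban", self.banned[ip])
        stem, ext = posixpath.splitext(rec["path"])
        q = self.recent[ip]
        q.append((rec["ts"], stem, ext))
        while rec["ts"] - q[0][0] > WINDOW:     # drop entries older than the window
            q.popleft()
        # "Give me this in every output format" from a bot: ban, with an explanation.
        formats = {e for _, s, e in q if s == stem}
        if len(formats) >= FORMAT_THRESHOLD and looks_like_search_bot(rec["ua"]):
            self.banned[ip] = (
                "Your address requested %d formats of %s within %d seconds and is "
                "now blocked.  Contact %s if this is a mistake."
                % (len(formats), stem, WINDOW.seconds, CONTACT))
            return ("ban", self.banned[ip])
        # Otherwise slow down anyone over the free allowance: 1, 2, 4, ... seconds.
        excess = len(q) - FREE_REQUESTS
        if excess > 0:
            return ("delay", min(2 ** (excess - 1), MAX_DELAY))
        return ("allow", 0)


def respond(decision, body, sleeper=time.sleep):
    """Apply a decision: sleep and prefix a comment explaining why, or serve the ban text."""
    kind, arg = decision
    if kind == "ban":
        return "<!-- blocked -->\n" + arg
    if kind == "delay":
        sleeper(arg)
        return "<!-- response delayed %ds: too many requests from your address -->\n%s" % (arg, body)
    return body


def run(log_text, throttle=None):
    """Replay log lines through one throttle; returns one decision per line."""
    throttle = throttle or Throttle()
    return [throttle.decide(parse_line(line)) for line in log_text.splitlines() if line.strip()]


# Constructed sample: a crawler pulling every format of one chart, a human
# clicking quickly through eight pages, and one ordinary single request.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [10/Jan/2010:12:00:0%d +0000] "GET /data/chart%s HTTP/1.1" 200 5120 "-" '
     '"ExampleBot/1.0 (constructed crawler)"' % (i, ext)
     for i, ext in enumerate([".gif", ".png", ".ps", ".pdf", ".svg"])]
    + ['192.0.2.44 - - [10/Jan/2010:12:00:1%d +0000] "GET /page%d.html HTTP/1.1" 200 800 "-" '
       '"Mozilla/5.0 (X11; Linux) Firefox/3.5"' % (i, i) for i in range(8)]
    + ['198.51.100.9 - - [10/Jan/2010:12:00:30 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" '
       '"Mozilla/5.0 (Macintosh) Safari/4.0"']
)

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), run(SAMPLE_LOG)):
        print(line.split()[0], decision)
```

In the sample the crawler is allowed three requests and banned on the fourth format of the same chart, the fast human gets one-, two- and four-second delays on requests six to eight, and the single Safari request passes untouched. The delay and the ban text are both visible to whoever investigates, which is what the comment relies on.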
I agree the GUI on Android is still not as good. It feels less polished especially on the browser.
It's funny that people would say this, because in our house my wife has an iPhone and I have a G1. Although she loves the iPhone, she agrees that its "Safari" browser is crappy, and she tries to avoid using it. I've been testing a bunch of web stuff on both phones, trying to make "mobile" pages that work well on both of them, and I've followed a lot of online discussions of problems with their browsers. Most of the problems are on the iPhone, and people don't seem to be coming up with solutions.
One major problem is that it's difficult to make pages that fit properly on the screen. All too often, Safari formats the page for a window much larger than the iPhone's screen, so you have to laboriously scroll left and right to read it. You can use the "pinch" to shrink it, but then the text becomes tiny and unreadable. People have found a "meta name=viewport" tag that lets you specify the pixel width, but this only works for the portrait layout; rotating the phone causes the page to be embiggened so there's not much on the screen. Nobody seems to know how to tell the iPhone's browser to do the usual line wrapping to fit the screen. The G1's browser does a very good job of formatting for the screen, and rotating to the other layout causes everything to be reformatted to fit.
Another problem is that both of them like to re-fetch pages when you back up (which on the iPhone doesn't always seem possible, but sometimes you can). If the page invoked a CGI on the server, it's repeated, which is often something you don't want to do. Thus, if you back up to a slashdot comment submission, it repeats the submission. On some sites, this triggers a redirect to an error page, with the result that you can't back up past that point at all. You have to close the "window" and open a new one. On many sites, this loses any session you might have established. These problems exist on both phones, but the iPhone seems to be worse, and often won't let you back up at all, for reasons we don't understand. The G1's "back button" seems to always work, though sometimes the previous page isn't displayed unless you do a refresh.
Actually, the real problem with testing for smartphones is that every one is different, so you need a whole stack of them, and the contracts get rather expensive. A real web-testing setup for phones would cost you thousands of dollars per month for the service. Sometimes you can swap the SIM cards around, but not often due to the providers' "locking" measures that tend to reject unapproved phones. So don't expect the Web to work smoothly on the majority of phones for a rather long time ...
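The "backing up repeats the CGI submission" problem described above, with the usual server-side defence, as an added example that is not the commenter's code: Post/Redirect/Get plus a one-time token in a hidden field, written as a small in-memory stand-in for the CGI so it runs offline. The paths, the token lifetime and the lack of any login are assumptions.

```python
"""Make a form submission safe against the browser re-running it on "back".

Added example, not the commenter's code.  An in-memory stand-in for a CGI
that applies Post/Redirect/Get and a single-use hidden token, so a replayed
POST is refused instead of posting the same comment twice.
"""
import secrets
import time

TOKEN_TTL = 600  # seconds a blank form stays submittable (assumed)


class CommentApp:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # token -> time it was issued (unused tokens only)
        self.comments = []   # accepted submissions, in order

    def handle(self, method, path, form=None):
        """Return (status, headers, body) for one request."""
        form = form or {}
        if method == "GET" and path == "/comment/new":
            return self._blank_form()
        if method == "POST" and path == "/comment":
            return self._submit(form)
        if method == "GET" and path.startswith("/comment/"):
            # Read-only, so safe for the browser to re-fetch as often as it likes.
            cid = path.rsplit("/", 1)[1]
            if cid.isdigit() and int(cid) < len(self.comments):
                return (200, {}, "comment %s: %s" % (cid, self.comments[int(cid)]))
            return (404, {}, "no such comment")
        return (405, {}, "method not allowed")

    def _blank_form(self):
        self._expire()
        token = secrets.token_urlsafe(32)          # unguessable, one per served form
        self.pending[token] = self.clock()
        body = ('<form method="post" action="/comment">'
                '<input type="hidden" name="token" value="%s">'
                '<textarea name="text"></textarea><input type="submit"></form>' % token)
        return (200, {}, body)

    def _submit(self, form):
        self._expire()
        token = form.get("token", "")
        # pop() makes check-and-consume one step: a replayed POST finds nothing.
        if self.pending.pop(token, None) is None:
            return (409, {}, "this form was already submitted or has expired; reload it")
        text = form.get("text", "").strip()
        if not text:
            return (400, {}, "empty comment")
        self.comments.append(text)
        cid = len(self.comments) - 1
        # 303: the browser's history entry becomes the GET, which is harmless to repeat.
        return (303, {"Location": "/comment/%d" % cid}, "")

    def _expire(self):
        now = self.clock()
        for tok, issued in list(self.pending.items()):
            if now - issued > TOKEN_TTL:
                del self.pending[tok]


def token_from_form(body):
    """Pull the hidden token out of the served form (what a browser would send back)."""
    marker = 'name="token" value="'
    start = body.index(marker) + len(marker)
    return body[start:body.index('"', start)]


if __name__ == "__main__":
    app = CommentApp()
    tok = token_from_form(app.handle("GET", "/comment/new")[2])
    print(app.handle("POST", "/comment", {"token": tok, "text": "first"}))   # 303 to /comment/0
    print(app.handle("POST", "/comment", {"token": tok, "text": "first"}))   # 409, no duplicate
    print(app.handle("GET", "/comment/0"))
```

The redirect means the page the browser remembers is a GET, so "back" and refresh re-read rather than re-post; the token covers the case where the browser resubmits the POST itself, which the comment says both phones do.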
do these things remember cookies ?
The browser on my G1 has an explicit "Accept cookies" setting, so the answer is "sometimes". ;-) This is, of course, typical behavior in most browsers. There's also the usual "Clear all cookie data" item in the Settings menu. But it does mean that you can't simply rely on cookies working. As with things like javascript, the person running the browser can disable cookies.
Add to the mix the useragent, ip, proxy info and (hash of an) internal identifier == unique id.
Or you could do as I've seen some sites do, and which I've done on occasion: Generate a unique "session id" which is passed to the client in various ways such as a "hidden" input variable or as part of URLs in links, to be passed back to the server in subsequent requests. This is no more difficult than a cookie to spoof by a man-in-the-middle such as an ISP.
But that's where https comes in ...
An exploit that works on a 9 year old version of the browser ... is hardly newsworthy anymore. What *is* newsworthy however, is why exactly Google of all people are still using it ?
Oh, I dunno; I've been doing some testing against IE6 lately. My motive is fairly trivial. I'm developing some Web stuff for an organization (which one doesn't matter here), and I did a bit of a survey to find out what browsers their people are using. IE6 turned up fairly high on the list. I've also sent announcements around to them inviting them to try out what I have running, and I collected the HTTP_USER_AGENT strings from all their requests from my server log. IE6 came up fairly high on that list, too.
So I have a copy of Windows NT as a guest OS in a partition on my wife's Macbook Pro, and it has IE6 installed for testing. It's a pretty awful browser, but the customer's people are using it, so I try to at least make sure that everything is readable for them, if not always pretty. IE6 is why I eliminated frames from the prototypes.
It's "interesting" that the top browsers in this list are FF 3.5, IE8 and IE6. Chrome is rapidly sneaking up on them, though. Guess I'll have to install it, too.
(There are also a couple of people in the organization who aren't Web users because they don't have a computer. Can you imagine that? ;-)
I even think mobiles generate their own UNIQUE identification code which can be used too for the mobile version of facebook.
So where might my code find this?
I just checked what my apache server tells a CGI program of mine when I connect from my cell phone. The only ID string I see is
HTTP_USER_AGENT: "Mozilla/5.0 (Linux; U; Android 1.6; en-us; T-Mobile G1 Build/DRC83) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1"
I can easily tell what kind of phone this is. So can my code, which sends the "Mobile" version of pages to my phone. (That's what I'm testing, actually.) But I don't find anything passed telling my code which of the millions of G1 phones this is. I also tested it with my wife's iPhone, and found the same things. My code gets a HTTP_USER_AGENT string that contains "iPhone", but nothing like a serial number or other unique identifier anywhere.
IP address doesn't work. Sometimes they both send the same IP address. OTOH, successive requests from either of them often come in from different IP addresses. These addresses are presumably associated with several nearby cell towers that our phones can "see". During the last few minutes, the only address I saw from them was 208.54.90.77 (m4d5a36d0.tmodns.net), but both get several other addresses at other times.
So if there are several iPhones or G1 phones all contacting my server at about the same time, how would my code tell them apart? Do you have a link to a page that explains how to do this?
....that if you really need data to be secure, end to end security is the only way to go.
If you dig around in any archives related to the topic of computer security, you'll find this comment all over the place, and in the earliest documents you can find. It's well understood that if you rely on a lower "comm" layer for security, the people in charge of that layer have full access to everything you send or receive.
This is why so many security people tend to just snicker at network-level security features. They explain why this is purely a waste of cpu cycles (and sometimes also bandwidth), because you have to provide your own security at the top level anyway. But hardly anyone ever listens to them.
Some have argued that the lower-level security doesn't hurt, and may add some security in cases where the end users didn't do the job. But others reply that, in practice, it does hurt, because it tricks many users into believing that "the system" provides security, so they don't have to. We're starting to see the effects of this now, with the growing reports of ISPs and other comm companies intentionally violating their users' privacy. And again, the security experts just snicker, because it's exactly what they were warning us about decades ago.
And here we have a nice summary of how the legal (and political) system gets it all wrong. They often set up laws that punish the victims who report such problems. The result is that the victims stop reporting problems. The law-enforcement people and the politicians can then say that (reported) violations have decreased, so the laws must be effective.
It's an old story. It's especially common in the software business, where people who merely make inquiries about security-related problems are commonly classified as "hackers". So the people who want to solve the problems learn to keep very quiet. In forums like this, we see people asking "Why is it all so bad?" A good part of the answer is that the smart people have decided to not get involved, because they value their own freedom.
It's also the story behind the frequent attempts to shut down the sites that collect "file sharing" information. You'd think that the copyright owners would welcome such sites, as they help finger the copyright violators. But instead, they sue the owners of the sites that point to the violators.
"Punish the messenger" seems to be a natural human reaction to news about things we don't like. And "If we don't know about it, it's not happening."
Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.
Some recent testing of web sites on the iPhone and G1 phone has also shown that using the client's IP address as part of the "session" information simply doesn't work. With both of these phones, successive HTTP requests from a single phone often come from different IP addresses. In the tests I did, the set of IP addresses was small (2 to 4), and I suspect that it might have something to do with being in contact with several cell towers. The phones appear to be "NATted" behind several different addresses. So from the client's viewpoint, a session that depends on the IP address appears to work intermittently.
It's yet another argument in favor of IPv6, except that the phone companies and ISPs don't seem to be at all interested in going that way.
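The session id that an earlier reply describes passing back in a hidden field or URL, and the IP-rotation problem described just above, as one added example that is not either commenter's code. It shows why an IP-bound session "works intermittently" for a phone whose requests arrive from several NAT addresses, and the alternative: a high-entropy random token, stored as a digest, with an idle timeout. The addresses, the timeout and the transport are assumptions; as the earlier reply says, none of the transports protects the token in transit, which is what https is for.

```python
"""Server-side sessions keyed by a random token, not by the client address.

Added example, not the commenters' code.  Addresses and the timeout are
constructed/assumed.
"""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 1800  # seconds (assumed)


def new_token():
    return secrets.token_urlsafe(32)   # 256 bits of randomness; not a counter or a hash of the IP


def _key(token):
    # Store only a digest, so a leaked session table does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, bind_ip=False, clock=time.time):
        self.bind_ip = bind_ip
        self.clock = clock
        self.table = {}   # sha256(token) -> {"data": ..., "ip": ..., "seen": ...}

    def create(self, client_ip, data):
        token = new_token()
        self.table[_key(token)] = {"data": dict(data), "ip": client_ip, "seen": self.clock()}
        return token

    def lookup(self, token, client_ip):
        """Return the session data, or None if the token is unknown, idle too long,
        or (only when bind_ip is set) presented from a different address."""
        k = _key(token)
        rec = self.table.get(k)
        if rec is None:
            return None
        if self.clock() - rec["seen"] > IDLE_TIMEOUT:
            del self.table[k]
            return None
        if self.bind_ip and rec["ip"] != client_ip:
            return None
        rec["seen"] = self.clock()
        return rec["data"]


def replay(store, token, addresses):
    """Count how many requests in a sequence, one per source address, keep the session."""
    return sum(1 for ip in addresses if store.lookup(token, ip) is not None)


# Constructed: one phone whose successive requests rotate among four NAT addresses.
PHONE_ADDRESSES = ["203.0.113.10", "203.0.113.11", "203.0.113.10", "203.0.113.12", "203.0.113.13"]

if __name__ == "__main__":
    bound = SessionStore(bind_ip=True)
    tok = bound.create(PHONE_ADDRESSES[0], {"user": "alice"})
    print("IP-bound: %d of %d requests kept the session" % (replay(bound, tok, PHONE_ADDRESSES), len(PHONE_ADDRESSES)))
    free = SessionStore()
    tok = free.create(PHONE_ADDRESSES[0], {"user": "alice"})
    print("token-only: %d of %d" % (replay(free, tok, PHONE_ADDRESSES), len(PHONE_ADDRESSES)))
```

With the rotating addresses, the IP-bound store recognises only the two requests that happen to come from the original address, while the token-only store keeps all five. The idle timeout, rather than the address, is what limits how long a stolen token stays useful.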
If a poor kid borrows books from a library those are not lost sales--the kid didn't have money for the books anyway. No sales are lost.
And note that this was one of the primary reasons that public libraries were established. The intent was to bring books to "the masses" who mostly had no access to any sort of literature. The publishers weren't happy with the idea at the time, though they eventually learned to live with it. In the long run, a literate population that liked to read was in the publishers' long-term interest.
It's not hard to see the same anti-educational view in the objections to internet sharing. There's a strong sense that what publishers want is an end to my access to anything that I haven't first paid for. Of course, this means that I'd have no way of judging beforehand whether I want to read (or view or listen to) something; I'd just have to buy it, and in the 99% case that I don't actually like it, I can discard it. They're not just against my getting information on authors, musicians, etc. from a public library. They want an end to all sharing among friends or acquaintances, so we'd have no way of knowing if we like something without first paying for it.
Maybe we need to be bringing up the public libraries more in the growing debates over "sharing" online. It would benefit us all (and probably the producers, too), if there were an open and legal online equivalent to public libraries. Also, we should try to make it clear that introducing friends to things we like by sharing is still as legal as it was a few decades ago. Otherwise we'll lose a lot of what the supporters of public libraries and the "public domain" fought to establish in past centuries.
We don't really want to go back to the day when most of the public was intentionally kept illiterate and ignorant of most "culture". And we don't want to go forward to a system in which we can never discover whether we like something unless we've first paid for it. This is what the publishers and recording companies are pushing for.
I prefer Google myself, but the instant they tell me I can't use a specific browser is the instant I start using someone else. It's already annoying enough that they put the retarded 'try chrome' on the main page if you aren't using Chrome.
So where do you see this? I just pointed firefox at google.com, and the page it's displaying doesn't seem to contain the string "chrom" anywhere that FF's search widget can find it. I also pointed Safari at google.com, and the resulting page doesn't contain "chrom" anywhere.
Could they have spotted your comment, and deleted the references to chrome for a day or two? I'll have to check them again in a few days ...
Dunno if I'd call the G1's screen "shitty". But I did have to learn to touch buttons slightly above where they seemed to be, if I want them to work. I still tend to get the button below the one I'm aiming at with some probability.
My wife has an iPhone, and I've done a bit of comparing. I'd say that both have screens that are a bit too sensitive. I've verified (by shining a light from the side) that I don't actually have to touch either's screen to activate something. That probably explains why, on both of them, I'm constantly "touching" something that I didn't intend to touch, and then I have to figure out how to get back to where I was.
The G1's little nipple-like joystick actually helps here a bit. It lets me move the current position around the screen, and scroll, without accidentally touching the screen and activating some button. Now if there were a way to push ("click") it without also getting a motion of some sort before the click takes effect ...
Another approach might be that of the general winners in the iterated Prisoner's Dilemma game contests. The simplest stable winning strategy has turned out to be what is called "tit for tat", in which you're a nice guy and cooperate the first time you face a new opponent; thereafter, you do to them what they did to you the last time. In the long run, crowds of players using this strategy tend to collect all of the game's rewards.
With the current topic, you'd express it as giving a company advance notice the first time you find a security issue with a product, and only make a public release after talking to them (or trying to) for a few months. If they respond reasonably, you do the same thing next time. If they ignore you, then the next time you release your find without notifying them (and maybe send them a note explaining why you did that).
One useful thing about this strategy is that you only need to remember the most recent incident for each company. It is interesting that in the periodic contests pitting strategies against each other, the general winner is a strategy with a fairly low memory requirement.
Of course, IANAGT (I Am Not A Game Theorist), and I can't tell you whether this result actually applies in the security-bug scenario. Maybe there are some game theorists here who can tell us.
The main complexity is the need to recognize previous opponents. This might be tricky, since it's really not the company that responds or doesn't. It's actually (groups of) specific people working for that company. From the outside, it can be difficult to learn who actually decides how to handle a bug report, and you could easily end up "punishing" a group who were trying to cooperate but were ordered by a superior to ignore you.
Yeah, I'd agree. But it's easy to understand how someone might get frustrated and say "The hell with them; I'm just gonna release the information from now on."
... that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible.
Well, how I read it is more like "Hey, we've tried notifying these turkeys a dozen times or more, and every time, they stonewalled us. I'm fed up with them, and I'm not going to waste my time any more. I'm just going right to the public release, which their history shows is the only way to get any action."
Maybe this isn't the "responsible" thing to do, but it's certainly understandable that a frustrated customer might feel this way. And at this point, "responsible" becomes merely a weak value judgement whose effect mostly is to delay the correction of problems.
Perhaps what we should suggest is starting off with a nice long "advance notice" period with a vendor, 2 or 3 months. Each time they fail to act within that window, you decrease it slightly for the next bug you report. With time, this might stabilize on a reliable period for that vendor. Of course, this only works if you have a long-term business relationship with that vendor. In many cases, people are likely to give up long before the asymptote is reached.
Has anyone proposed a "responsible release" heuristic like this, that adjusts the public-release time to the vendor's previous behavior? I haven't read of any, but I haven't read everything on the topic.
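The two schedules proposed in this thread, the plain "tit for tat" from the earlier comment and the graduated window from the one above, as one added example that is not any commenter's code. It turns each into a function of the vendor's history and a small per-vendor tracker that yields a public-release date. The 90-day start, the 7-day floor, the shrink factor, the rule for drifting toward the vendor's observed turnaround and the sample histories are all assumptions.

```python
"""Two "tit for tat" schedules for the public-release date of a bug report.

Added example, not any commenter's code.  Initial window, floor, shrink
factor and sample histories are assumptions.
"""
from datetime import date, timedelta

INITIAL_DAYS = 90    # assumed starting notice period
FLOOR_DAYS = 7       # assumed: never go below a week once the vendor has any record
SHRINK = 0.8         # assumed: each missed window shrinks the next one by a fifth


def tit_for_tat(history):
    """history: one boolean per earlier report, True if the vendor acted within
    the window.  Only the most recent entry matters, which is the strategy's point."""
    if not history or history[-1]:
        return INITIAL_DAYS
    return 0


def graduated(history):
    """history: days the vendor took to fix each earlier report, or None when they
    never acted inside the window.  Returns the window (days) for the next report."""
    window = INITIAL_DAYS
    for took in history:
        if took is None or took > window:
            window = max(FLOOR_DAYS, int(window * SHRINK))    # missed: shrink
        else:
            window = max(FLOOR_DAYS, (window + took) // 2)    # met: drift toward their turnaround
    return window


class Tracker:
    """Per-vendor memory; `deadline` is the public-release date for a new report."""

    def __init__(self, policy=graduated):
        self.policy = policy
        self.history = {}

    def record(self, vendor, outcome):
        self.history.setdefault(vendor, []).append(outcome)

    def window(self, vendor):
        return self.policy(self.history.get(vendor, []))

    def deadline(self, vendor, reported_on):
        return reported_on + timedelta(days=self.window(vendor))


EXAMPLE_REPORT_DATE = date(2010, 1, 10)   # constructed

if __name__ == "__main__":
    t = Tracker()
    for outcome in [20, None, None, 15]:   # constructed history: fixed, missed, missed, fixed
        t.record("vendor-a", outcome)
    print(t.window("vendor-a"), t.deadline("vendor-a", EXAMPLE_REPORT_DATE))   # 25 days
    t2 = Tracker(policy=tit_for_tat)
    t2.record("vendor-b", False)
    print(t2.window("vendor-b"))   # 0: stonewalled last time, so no advance notice
```

Plain tit for tat forgives completely after one good response, which the earlier comment notes is cheap to remember; the graduated rule keeps a little history, so a vendor who fixes quickly once after three misses gets a 25-day window rather than the full 90.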