Slashdot Mirror


User: jc42

jc42's activity in the archive.

Stories: 0
Comments: 6,784

Comments · 6,784

  1. Re:Contract Law? on Amazon Pulls Purchased E-Book Copies of 1984 and Animal Farm · · Score: 1

    At best what Amazon is doing is like a friend who's been given a key to your house coming in, taking books, and leaving what they think the book is worth on the table.

    Interesting analogy. But it's actually more like you bought a house, and didn't realize that the broker kept a copy of the keys. The broker then went into your house, took things, and left money in their place. It'd be especially fun if the broker took things that "belong" with the house, such as the refrigerator or furnace or water heater or bathroom fixtures; that would give a better parallel than if the goods were purchased from a different seller.

    If this sort of thing is upheld by the courts, it could make for an interesting legal precedent.

  2. Re:The author has been dead for 60 years! on Amazon Pulls Purchased E-Book Copies of 1984 and Animal Farm · · Score: 3, Interesting

    Why does an author need copyright protection after he's dead?

    Perhaps to delay the author's death?

    For example, there are probably a number of publishers and movie studios who would consider the price of a hit man just a minor business expense, if the death of J.K.Rowling would put all the Harry Potter stories in the Public Domain.

    (If you think this is facetious or a troll, do a bit of reading on how the "free market" in non-Soviet Russia has worked for the past couple of decades. Businessmen there routinely surround themselves with bodyguards when out in public.)

  3. Re:MySQL won't die on 62% of Sun's Stockholders Vote For Oracle Deal · · Score: 3, Insightful

    However, there is no way at all that MySQL will be allowed to acquire features that will let it compete with Oracle.

    It's likely that a lot of MySQL users will consider this a feature. There's a niche for a simple, basic DB that's fairly fast and has a small footprint. If you don't actually need those advanced features that PostgreSQL and Oracle provide, there's no reason to pay for them (with money or memory or slower speed).

    It's sorta like how the makers of word-processor software would love to eliminate the use of plain text, so we all have to pay them to use formatting features even when we don't need them. So far, they haven't succeeded at this, and it's fairly obvious (even to management) why. There's no reason the same reasoning shouldn't be applied to databases.

    In fact, I've worked on a few projects in which the management eventually gave up on the fancy database version, because our "preliminary test" setup that used the unix filesystem did everything that was needed, was an order of magnitude faster, and required no memory other than the usual libc and kernel filesystem drivers. Why pay good money for a system that doesn't do anything extra, needs more resources, and costs more?

    Of course, as the DB and WP folks know, there's a good market for their products. Some customers do need their extra capabilities. And I suppose it's no surprise that they would also push their products for situations where they aren't needed. More income is better than less, after all, even if it means conning customers into buying things that they don't need.

  4. Re:Space news on Space Shuttle Endeavour Heads To Space Station · · Score: 1

    Even though I know it won't be enough, Mythbusters shined a laser at the moon. Of course any committed moon hoaxer will say 'hey you just faked the computer output' to that I would say

    aaaaaaaaaarrrrrrrrrrrrrrggggggggggggghhhhhhhhhhhhhh!!!!!!!!!!!!!!!!!!!!!!

    Well, I wouldn't. I'd prefer to point out that, as with most scientific and/or engineering data, you don't have to depend on some remote authority to verify this. Lasers are for sale lots of places, and it's quite within the capabilities of a "backyard scientist" to set up and perform their own test of the claim. The positions of the reflectors on the moon are published, and google can find them for you. You can design your own experiment to test the existence of the reflectors, and publish your results.

    Of course, for a debunker's results to be accepted, you would have to publish a detailed description of your experimental setup, to convince other skeptics that you haven't faked your tests or biased them to produce failure. But that's a routine part of the scientific process.

    There's actually nothing wrong with skepticism in scientific circles. It's fairly common, and generally approved. But the skeptics are expected to follow the generally accepted methods, including making their results reproducible by others. The reason the "moon hoax" crowd isn't generally respected is that they haven't done a good job of this.

    Very often, the best approach to dealing with assorted skeptics is to just treat their claims seriously. This involves asking them for details of the work they've done to reach their conclusion, and reporting what happens when you attempt to duplicate their work. This is why, for example, the "cold fusion" reports were treated as pseudo-science. It would have been marvelous if they had been correct. But people did seriously attempt to replicate the results, and found that they couldn't.

  5. Re:ISP's are in a tough spot on New Zealand Introduces Internet Filtering · · Score: 1

    Everybody knows that it won't be limited to child porn. They just need some reminders. Point at how every other country that has headed down this road, has failed to limit their filters to child porn, ...

    This story did come along just a couple of days after it was revealed that the Chinese "Green Wall" porn filter flagged such things as an image of Garfield the Cat as porn, along with such images as a piece of roast pork and the face of Johnny Depp. OK; I'll admit that the last one is getting close.

    And lest we try to claim that this was due to the primitive nature of Chinese computing, we should take a good look at the results of such filters in countries that have been in the business longer. Thus, here in the US, there have been things like the repeated blocking of breast-cancer support forums.

    Of course, the real issue is the imposition of government censorship via a scare campaign about something that hardly has an Internet presence at all. But that won't convince the people that most need convincing, because the politicians themselves probably aren't much concerned with such trivia. So we should be on the lookout for fun absurd stories about the things that the NZ filters actually block.

    One way of fighting such things is to publicly point out how stupid they are in practice, making the politicians look stupid for supporting such things. I mean, how can you respect a system that thinks we don't have the right to see Garfield comics? Yeah; I know; it stopped being funny 30 years ago. But that makes it look even dumber that the government has been spending its time (and our money) implementing something that blocks it because the software can't tell Garfield from kiddie porn. Or is that kitty porn?

    (And why are they spelled "kiddie" and "kitty"? That's what firefox's spell checker insists is right. ;-)

  6. Re:C is the only starting language on Hello World! · · Score: 1

    And don't say your programs have no bugs. That only means you never found them.

    One of my favorite examples of this is the fact that (as various people over the years have discovered), the original "Hello world!" program in the C bible has a subtle bug.

    It can be fun to challenge people to find it. My favorite clue to get them even more puzzled is to tell them that the bug doesn't affect the behavior of the "Hello world!" program itself; it affects the behavior of other nearby programs.

  7. Re:"Permanent"??? on ISS Launches First Permanent Node of "Interplanetary Internet" · · Score: 1

    I read somewhere NASA plans to de-orbit the ISS in 2016 due to budgetary concerns...

    You probably read it here on slashdot. In my FF tab showing the /. main page, it's three stories higher on the screen. TFA for that one references a couple of news publications' stories on the topic.

    (Yeah, I read that one earlier than this one, too. They both appeared on my screen at the same time. I guess I was busy and didn't refresh /. for over two hours. ;-)

  8. Vint on ISS Launches First Permanent Node of "Interplanetary Internet" · · Score: 1

    If Vint Cerf is the 'father of the Internet', I wonder who the mother is ...

  9. Re:Interesting find... on Unicellular "Enigma" Changes From Predator To Plant and Back · · Score: 1

    I'm willing to open my mind. Does your team have a site on the humans' World Wide Web?

    Actually, some of us do. I have a personal web site that includes a FAQ that describes my job as a sort of "field worker", an anthropologist visiting Earth to collect information about human society. I occasionally get nice messages from others who turn out to be human, saying that they're doing something similar. I also get occasional email from human nut cases with the usual incoherent rambling. That's interesting, too; it's part of the "human condition", and goes into the records. But so far no contact from any government agency. All the stories about secret government contact with aliens seem to be just fiction. You'd think that some of them would want to make contact, but even when we write openly about our activities, it doesn't happen.

  10. Re:Interesting find... on Unicellular "Enigma" Changes From Predator To Plant and Back · · Score: 0, Offtopic

    I see no evidence that any intelligence other than human can compose original, coherent posts to an online forum.

    You just go on thinking that way; it makes life very easy for us visiting aliens. We can move about doing our jobs, mostly documenting and studying this primitive newcomer species, without the need to take extraordinary precautions against being "discovered". Yes, a few humans do realize what we are, but when they try to tell the rest, they're just treated as insane or stupid. The majority uses the same circular reasoning: They've never seen an intelligent creature that wasn't human, so anything that shows intelligence above some minimal threshold is classified as human. This provides additional evidence to the "only humans are intelligent" belief.

    Actually, your descendants will thank you for your obliviousness. You aren't keeping very good records of your own history, as you can easily see by trying to learn about the lives of 99% of the humans who lived only a century ago. Going back 1000 years, you can't even name more than 99% of them. But we have the data, for the use of your descendants when they wise up and realize they want to know about it. And now with the advent of computerized record keeping, your records are even more fragile; the data on the development of computers themselves only a few decades ago is now nearly inaccessible due to near-total loss of the (mostly) computerized records. But again, since we find it so easy to pass for human, we've collected most of that information, for the education of your descendants.

    Oh, and good luck identifying the gateways to the galactic network, where we've backed up the data and made it available to the galaxy's historians. You probably also believe that all the computers on the Internet were built by humans, because there's nothing else intelligent enough to build such things. We won't feel insulted if you mistake our comm devices for those made in China or Malaysia; honest, we won't. Again, it makes life easy for us.

    And we can even write about it openly in forums like this. I'll probably get a "funny" moderation, and nobody here (except my colleagues) will believe it for a second. If you are one of the few humans who does believe, it doesn't matter, because the rest will consider you stupid or insane.

  11. Re:What did their privacy policy say? on TSA Asked to Ensure Safety Of Customer Data After Clear Closing · · Score: 1

    Privacy policies can't violate data protection laws.

    Well, no, but the companies who write those policies can and do.

    Company policies are written (or at least vetted) by lawyers who make sure that a policy doesn't contain a blatantly illegal clause. But if you think that companies never violate their own written policies, I have a very nice bridge to sell you out in San Francisco. Such policies are PR documents; they have little effect on the company's actual behavior, except toward customers with the financial leverage to take them to court.

    You don't like the idea that a company might violate its written policy? OK, sue them.

    (And note that in this case, we're talking about a not-yet-written policy of some unknown company that purchases VIP's assets. Good luck trying to get them to cooperate. Or getting a court to enforce VIP's policy on the new owner.)

  12. Re:Are you kidding? on The Hysteria of the Cyber-Warriors · · Score: 1


    Care to elaborate? What kinds of attacks?

    Oh, you know; pings from lots of different addresses. That's a "DDoS" attack, y'know.

    (Yeah, I know; the military security guys aren't that dumb. But many of their superiors are, and they have a strong incentive to play up such things. That's how you get funding, after all.)

  13. They'll need some major improvements in GPS first on GPS-Based System For Driving Tax Being Field Tested · · Score: 1

    We've had a portable GPS gadget (from Garmin) that we use in our cars for about 6 years now, and we now have a couple of cell phones (an iPhone and an Android G1) now with GPS, so we've gotten some idea how well the known problems with GPS have been debugged in recent years. The answer is that GPS just isn't ready for prime time.

    One of my favorite anecdotes about the older one (which is actually still the best) was when I was driving south on a street a couple of towns away, and noticed that the GPS map showed me about a block north of where I actually was, and headed north. I pressed the button that switches to the number display, and sure enough, it said I was headed north at something like 50 mph, well over the speed limit. I switched back to the map, and after a few seconds, the "you are here" icon was at my current position, aimed south. I switched back to the numbers, and it said I was headed south - at over 250 mph!

    One thing that obviously bogus speed implies is that it thought I had reversed direction and travelled over the 2 blocks or so at high speed. So I switched to the "trip" display, and sure enough, it showed that I'd travelled nearly a mile so far on this trip, although I was only about half a mile south of my starting point. It had added up the backtracking as I switched direction twice, and included the extra 3 blocks or so in the trip, with the 3rd time over that block at high speed.

    I've mentioned this before, in online discussions of proposals to use GPS trip records as court evidence. I've also looked at the trip records in a few friends' GPS gadgets, and all of them have shown similar wild driving. When you consider it as court evidence, it seems pretty clear that this sort of thing would simply disqualify the GPS records as valid evidence, since it would be obvious to anyone (even a judge) that the car simply can't perform the maneuvers that the GPS claims it did.

    When it comes to mere mileage reports, however, I'd guess that it could be a lot harder to get the records thrown out. We're talking about bean counters here, not courts of law, and their approach would be to politely listen to you, then put the GPS data into their database as-is.

    But it's possible that appeals could lead to rejection of the GPS data. Thus, a few days ago while driving somewhere nearby, my wife and I found that our GPS phones both reported our positions as around 100 miles away from where we were. The G1, for example, said that we were driving about 20 miles east of Cape Cod. After a while, it showed us at close to our correct position. Presumably that little (and wet) detour was done at around Mach 4 or 5, since that's the speed we'd need to travel from our position to the outer Cape in the second or so that the GPS said we did it in. And, as with the older GPS, our trip records did show that we made that detour, adding 200 miles or so to the trip of maybe 3 miles.

    The iPhone showed a similar detail, but it had us driving on land on a road in the western part of the state, which was a place that the car actually could have been (except for taking only a second or two to get there).

    Anyway, I sorta have the feeling that when the GPS trip record shows a car as driving along out in the ocean, that just might be the evidence that will get all its data dismissed as bogus.

    GPS is useful for some things. It's a long way from being useful for official records of where the GPS gadget has actually been. And the behavior of commercial GPS gadgets hasn't improved in this regard over the last 5 or 6 years. They still show wild, instantaneous changes of position and physically impossible speeds for part of some trips. If there are exceptions, nobody I know has one. This is easy to show by just mentioning some of the funny data in ours, and listening while others regale listeners with their similar stories. As a gadget that's good at what it does, these occasional flukes are just funny. As the source of official data that we'll be charged for (in court or invoi

  14. Re:Clouds? on Galactic Origin For 62M-Year Extinction Cycle? · · Score: 1

    One of my favorite examples of "popular" misuse of technical scientific terms is the way the media uses "quantum" with a meaning almost opposite to its scientific meaning. For example, a while ago I read a news article claiming a "quantum leap in income" for a certain company in the past year. My immediate thought was "The company's income was $0.01 more than the previous year, and it's a news story?" After all, the quantum of the US's monetary system is the penny, $0.01.

    But of course the writer meant a very large increase. The curious thing here is the question of how the media adopted the term "quantum", which basically means the smallest change possible, and uses it to describe very large changes. It's easy to understand why they might not understand the actual technical definition as physicists use it, but how they could get the magnitude so wrong is a real mystery.

    It turns out in this case that there's usually a clue as to which meaning is being used. A physicist would write "quantum jump", while journalists usually write "quantum leap". Why this change was made is also a linguistic mystery, but it helps decode what people are writing. If a physicist said he'd had a quantum jump in income, it probably would mean that his/her paycheck had increased by $.01 (or the equivalent in the local currency), and it might be written with a smiley. A journalist would read this and write an article stating that physicists in general are seeing a large increase ("quantum leap") in income.

    Examples like this are useful to explain how hopeless it is. Physicists aren't about to change their definition of "quantum" to match the media's misuse of the term, and journalists aren't about to change their definition of an impressive-sounding technical term just because their definition isn't the same as the physicists' definition (which the journalists can't understand). So we just have to live with it.

    The computer industry has lots of similar situations. Probably the funniest is the way that computer geeks still use "hacker" as a compliment, despite the media using it to mean "computer criminal". This term isn't as critical to computing as "quantum" is to physics, of course, so the two definitions of "hacker" are mostly just the basis of some geek humor.

    But we computer geeks have seen enough of this sort of thing to realize that it's a hopeless situation. So more and more, we take the physicists' approach, and just continue to use terms with their technical meaning in private. The only real problem is in forums like this, that are sorta halfway houses between the technical field and the general population. In such surroundings, it can be tricky getting across which of the various possible meanings you're using. The term "theory" is one of the most common cases, since the techies here tend to use it in its scientific sense, and then are taken aback by the evidence that others read it in its media/political/religious sense.

  15. Re:XSS (Cross-Site Scripting) definition? on New Firefox Standard Aims to Combat Cross-Site Scripting · · Score: 1

    Note the difference between your definition and mine. My definition (shared by everyone else) involves three computers:

    Actually, that's not shared by quite everyone else. I just followed the link in another post, to the cgisecurity.com site's FAQ. I should perhaps remark that I was rather embarrassed to read some of what's there. But note that it's from a company that is clearly pushing itself as an expert on web security.

    If you read the "What is Cross Site Scripting?" section, you'll probably have a hard time pointing to anything that mentions three or more computers. I don't read that anywhere in the paragraph. Later on, there are a couple of sketchy examples that would probably involve three machines, but even then, it's not clear that that's a critical detail. What does seem clear is that they aren't presenting a 3-machine setup as a significant part of what they're defining.

    Also, the string "sandbox" doesn't occur in their FAQ. In fact, not even "san" was found by firefox. So their definition doesn't require 3 machines or a sandbox.

    Actually, their "definition" is rather remarkable for its vagueness. I suspect that this page was written (or more likely, re-written) by marketers and/or tech writers who don't understand the topic, and probably don't care to. But that's beside the point, because this is the FAQ on "Cross Site Scripting" [their capitalization] of a company whose business is web security. What they have on that page is what they present to visitors as how they understand and define the topic.

    This is yet another entry in my list of incompatible definitions of the phrase at hand. I think that the phrase has been co-opted by the marketers, sorta like "virus" and "hacker" and other scary-sounding technical terms. So, while we can talk about it all we like, chances are that the folks reading slashdot all have their own definitions, most of which are as confused as this one. And we'd have a lot of trouble finding two definitions that are even close to the same, even from people presenting themselves as web-security experts.

    It reminds me of Bertrand Russell's famous description of mathematics as a subject in which "we never know what we're talking about nor whether what we're saying is true". That's a fun quote to bring up when people are discussing whether Computer Science is a branch of mathematics. If it really were, then we CS types should be happy to embrace (and extend) Russell's characterization.

  16. Re:XSS (Cross-Site Scripting) definition? on New Firefox Standard Aims to Combat Cross-Site Scripting · · Score: 1

    Ah; I see! I'm not running my browsers in any sort of "sandbox", so obviously cross-site scripting can't affect me.

    Right?

    This is how most people would understand your explanation, after all. ;-)

    And I suppose I sorta intended my comments as a "troll". That is, I was trying to prod people into explaining what they were talking about, rather than just using vaguely-defined phrases without explaining them. To most people, such prodding is trolling. As I said, I've collected a lot of purported definitions of "cross-site scripting", and what stands out to me is that no two of them are compatible. Maybe yours is the right one; I can't tell. What makes you the authority whose definition should be used against the other purported authorities who give incompatible definitions? Ordinarily I don't question people's credentials here, but where there are competing authorities criticising me (implicitly or explicitly), I think it's a reasonable thing to do.

    If this is trolling, so be it. What I see is the conventional arrogance of the self-described security experts who (often quite intentionally) write so that not even ordinary computer geeks can get a clear idea of what they're warning us against. So I'm probably violating all sorts of security rules or guidelines, as are the rest of the computer-using public, but it's because the security folks are (often quite intentionally) keeping us ignorant.

    What a lot of us would like to read is a good way of telling whether we're doing the wrong thing, and how to do it right. In this case, since the definition of the purported dangers apparently requires that I be running my browser in a "sandbox", and I'm obviously not doing that, it would be reasonable for me to ignore the issue as not being relevant to me. I'm fairly sure this isn't the correct conclusion, but that's the skeptical computer geek in me talking. If I read the discussion wearing my "mere human" hat, I have to dismiss it as an obscure technical thing that doesn't apply to me or my computers.

  17. Re:As usual with new Firefox releases... on Firefox 3.5 Reviewed; Draws Praise For HTML5, Speed · · Score: 1

    Just for yuks, when I reached a resting point in what I was doing, I decided to kill off Firefox and restart it, clicking on the "Restore Previous Session" button when it appeared. Before killing it, the numbers on this Macbook Pro with 4 GB memory were RSIZE=338MB, VSIZE=1.95GB. After restarting and letting the windows stabilize, the numbers are now RSIZE=190MB, VSIZE=1.15GB. Those differences (RSIZE=148MB, VSIZE=.80GB) seem to me to be fairly indicative of a memory-management problem of some sort. But of course I don't know much about the inner details.

  18. Re:Just no on Galactic Origin For 62M-Year Extinction Cycle? · · Score: 4, Informative

    Is it really flamebait to say that humans are the most likely cause of biodiversity downfall?

    No; it's only considered flamebait in political/religious circles. ;-)

    In scientific circles, it's conventional to attribute most of the current extinction event to human activity. Thus, we don't really know when humans first arrived in the Americas, and there are estimates as high as 30,000 years ago for the first. However, it does seem fairly clear that humans were rare on those continents before about 12,000 years ago, when there was a huge increase in the human population. At the same time, large numbers of large animal species went extinct. Some of those would have died out anyway, but the mass extinction is generally attributed to humans. After all, if you introduce a new major predator, you'd expect that the sort of prey it likes (large, meaty critters in this case) would start to disappear.

    So the human-caused extinction has long been the default hypothesis. There are other possibilities, but if you want to argue for them, you should have some pretty good evidence, and such evidence doesn't seem to exist. Death at the hands of a new, powerful predator is just too reasonable to be dismissed without evidence, and it is quite properly the primary hypothesis when there is evidence of such a predator. And, unlike in political discussions, there is rather little scientific argument about this. Rather, there are lots of scientists looking for evidence wherever they can find it. Other contributing factors have been reported, but so far nothing much that seriously challenges the primary hypothesis.

    (Actually, there is a good recent example of the opposite process. Starting about 500 years ago, there was a mass extinction of humans in the Americas. It is common to attribute this to the introduction of a different human subspecies that had better weapons. But we have the evidence, and it shows that weaponry was a minor factor in the extinction, and only in the eastern coastal areas. It turns out that most of the people in the interior died from the diseases that the new humans unknowingly brought along, long before the newcomers reached the interior. Both groups of people attributed the plagues to acts of various gods, since neither had any understanding of microorganisms at the time. It wasn't until the 1800s that "germs" were understood, and the newcomers started using biological warfare in a controlled fashion against the original inhabitants. This produced a second extinction event, but it was much smaller than the one in the 1500s.)

    (And it'll be interesting to see whether this gets any "flamebait" mods. There's gotta be at least a few people who'll read it that way. I've already got both "flamebait" and "insightful" for one post; now I'm trying for "flamebait" + ("informative" || "insightful") + "funny". ;-)

  19. Re:Clouds? on Galactic Origin For 62M-Year Extinction Cycle? · · Score: 4, Insightful

    How about calling them hypotheses?
    Let's reserve "theory" for something that actually has solid evidence.

    That would go over well in a scientific forum. OTOH, in the mass media and the general population, "theory" is used the same way that scientists use "hypothesis", for a guess that's consistent with known data but hasn't been tested.

    So the question is: Is slashdot a scientific or a general-reader forum? The best answer is "both". There are lots of techie geeks here; there are lots of non-techie readers with an interest in tech stuff. So we get what you'd expect: Different people use the terminology differently, and most of them can't be bothered to make their definitions clear.

    I get as annoyed as others here at the frequent blatant disregard for the proper scientific terminology. But I remind myself that this isn't really a scientific forum; it's a general-reader forum with an emphasis on technological issues. So getting our terminological act together here is probably hopeless. A large fraction of the readers don't understand such issues. And a small fraction are actively opposed to correct terminology. All this is quite normal for a mixed-level forum such as this. And we need such forums to get better information out to the public than the mass media can provide.

    Still, it probably doesn't hurt to occasionally point out the technical definition of a term, for the benefit of non-tech readers who are amenable to such details. In this case, we could just point out that in scientific circles, "theory" refers to a hypothesis that has been fairly thoroughly tested, has passed the tests, and is generally accepted as the best explanation we have at present. Something that explains all known data but hasn't been tested much isn't a "theory"; it's a "hypothesis".

    We have good theories of cloud formation in low-level weather phenomena. For clouds at higher altitudes (>10 or 20 km), we mostly have hypotheses. People have done a lot of mathematical modelling, which is interesting but doesn't qualify as scientific testing, so the results aren't proper (scientific) theories yet. But to the mass media, they are theories, since the media is using a different dictionary.

  20. Re:As usual with new Firefox releases... on Firefox 3.5 Reviewed; Draws Praise For HTML5, Speed · · Score: 1

    I can't seem to run FF without at least 100MB of physical memory, but I never see the sum of physical and virtual go over 600MB

    Hmmm ... I'm using a Macbook Pro at the moment, and according to the Activity Monitor window, Firefox is currently using RSIZE=338.62MB and VSIZE=1.37GB. This is with 7 windows with 25 tabs open, plus the "Library" (i.e., bookmarks) window. This seems about normal. We also have a smaller, 5-year-old Mac Powerbook with only 1 GB of memory (vs the 4 GB on this machine), and FF there typically shows numbers about half as large. It's a lot slower there, of course.

    I've noticed that the RSIZE and VSIZE numbers rarely seem to have any discernable correlation with what FF is doing. I've also found that if I "kill -9" (force quit) the firefox process, restart it, and tell it to restore the previous windows, it usually uses only about half as much memory as it used before it was killed. This tells me something about its memory wastage, I suppose. But it doesn't really tell me much that's usable, since it usually balloons back up in a fairly short time.

    I do have some evidence that part of the problem is that memory expands permanently if I download any sort of "active" page. A page with flash is the really visible culprit, and I have flashblock installed. Still, there are some sites I'd like to look at that use flash in a useful way, so sometimes I enable flash for them. Then I watch to see whether it has ballooned up. Every few days I kill it and restart it, to get the memory back.

    It does seem likely that FF has little if any control over memory usage by plugins such as video viewers. They are really separate pieces of software, with minimal interaction with the main program. They are "black boxes" as far as FF itself is concerned, and FF would have little if any control over the way they use memory.

  21. Re:XSS (Cross-Site Scripting) definition? on New Firefox Standard Aims to Combat Cross-Site Scripting · · Score: 1

    Well, yeah; I've done lots of web scripting, and I get all that. I've even written demos of the dangers, usually to try to impress on others (such as managers) why it's a potential threat to users. This hasn't usually been too successful, as shown by the fact that those people usually continue to run their browsers with scripting enabled.

    My question wasn't about how you write web scripts. My question is why you'd add a modifier like "cross-site" to it. Defining it as a script on one machine (the server) which runs on another machine (the client) adds no information, because that's how almost all web scripting works. I added "almost" because there is the special case of a developer testing web stuff by accessing it from a browser on the same machine, something I do all the time, but which isn't the usual use of a web browser. In the other 99.999% of the cases of "scripting" with a browser, the code is downloaded from a remote server and run by the browser. So adding an adjective that describes this case isn't imparting any additional information to the usual case. It does mislead readers who think you're talking about some dangerous special case.

    To use the canonical automobile analogy: It's as if auto companies were to start talking about "road-drivable vehicles" as if this were some special feature. Yes, there are off-road vehicles. But "road-drivable" is the usual, default use of an auto, so adding an adjective for that case is at best silly, and at worst confusing to the reader, since it's an attempt to convince them that there's something special about the vehicles you're talking about. Imagine a claim that "Road-drivable vehicles are a threat because they can collide with your car or pedestrians and cause injuries." Well, yeah; as if anyone with a grain of sense didn't know that. The "road-drivable" modifier is nonsense, because it's describing the normal use of most vehicles, not some special sort of vehicle. And buying an off-road vehicle doesn't lessen the danger, especially if you drive it on a road.

    Since the normal use of scripts with web browsers is to copy a script from the server to the browser and run it on the client's machine with data from both machines, adding a modifier that just says that two sites are involved is the same sort of silliness. It's adding an adjective that describes the usual, default case, which at best is just a waste of syllables. At worst, it misleads the reader by implying that you're talking about some mysterious special case. This isn't a spurious objection; reading discussions about the topic makes it clear that most people don't understand that all scripting in web pages is a potential threat (just as all vehicles on a highway are a potential threat). This is why most people with a grain of sense run browsers that include NoScript or some similar capability such as turning scripting off entirely.

    The problem with the above auto analogy, of course, is that most people understand that other vehicles on the road are a threat. But most people don't understand that downloading code from another site and running it is a threat to their computer. Their ignorance isn't helped by using any empty adjective when talking about "scripting" (another word that most people couldn't define). The way to help them is to get across the fact that all downloaded code is a threat, so they should make sure that any "scripting" tools that do that are disabled. The danger doesn't come from some special thing called "cross-site scripting"; that's just weasel wording designed to obscure the fact that all downloaded code is the same sort of threat.

    Anyway, I'm still looking for a definition of "cross-site scripting" that explains why people are using that phrase rather than just "scripts". Or maybe just "code", since any web page that sends executable code is exactly the same sort of threat (if the client's browser is configured to run it).

  22. XSS (Cross-Site Scripting) definition? on New Firefox Standard Aims to Combat Cross-Site Scripting · · Score: 1

    So is there an official definition of "Cross-Site Scripting" somewhere? Since that phrase started to be used in scary security stories a few years ago, I've been collecting the definitions that various stories provide, and I've been a bit disappointed. Mostly, they aren't even "definitions", in the usual dictionary sense of the term. I.e., I can't use most of the purported "definitions" to decide whether what I'm looking at is an instance of the phrase. And in general, no two stories or sites seem to use similar definitions (when they actually give definitions at all).

    My impression is that "Cross-Site Scripting" is an empty scare phrase that really just means "anything involving two different machines and a script -- whatever that may be".

    So has some official organization defined the phrase? If so, what makes them an authority? And is there some way that I can tell when someone is using the official definition (if such exists), or should I just continue to view the phrase as an attempt to scare readers without actually informing them about the problem?

    I note that the definition associated with TFA isn't actually a definition. And several other postings here have linked to sites that also give ambiguous non-definition definitions.

    It sure seems there's something being talked about here, but it seems to suffer from the usual problem with security authorities, that they view me as an idiot who doesn't need to be informed about the subject matter; I only need to be scared (presumably so that I'll pay them to fix something that they've carefully made sure I can't understand clearly).

    I'd think that security is an area where you'd want to be careful with your definitions and terminology. But apparently I'm wrong.

  23. Just out of curiosity ... on Lenovo Tinkers With Larger Delete and Escape Keys · · Score: 1

    Lenovo boffins have decided the time is right to install larger Delete and Escape keys on their updated ThinkPad laptop T400s range. While it is a small change, it is fairly radical to tinker with an area of hardware which has been largely unchanged since the 19th century.

    So can someone provide a list of 19th-century keyboards (i.e., typewriters) that had Delete or Escape keys?

    Inquiring minds want to know about this bit of history ...

    (I've long wanted a bigger ESC key that's easier to hit, and I suppose most vi users would say the same thing. ;-)

  24. Re:Maybe we could explain to the judge ... on Judge Thinks Linking To Copyrighted Material Should Be Illegal · · Score: 1

    Perhaps I should add that I give anyone permission to use the above explanation freely. You may also paraphrase it however you think will get the concept across to your thick-skulled management.

    Ignore slathdot's comment that I own the copyright on my explanation. I won't sue you for using it as you like.

    (Though it could be interesting to consider the possibility of suing anyone who releases their copyrighted text using language similar to the above. ;-)

  25. Maybe we could explain to the judge ... on Judge Thinks Linking To Copyrighted Material Should Be Illegal · · Score: 1

    It should be very easy to explain to any copyright holder how they can prevent linking to or downloading their documents.

    First, you explain that a web server is basically a very simple program: It has a directory, and anything you put in that directory (or any subdirectory) is handed out via HTTP by your web server. Any file not in that directory is not handed out to anyone.

    So to prevent unauthorized linking or downloading, all you have to do is not put your file(s) in the web server's directory. It really is that simple. If you do that, then you don't need to mess with expensive lawsuits to protect your valuable Intellectual Property. The web server will protect it for you, by not handing it out when someone asks or follows a link to your site.

    Think they could understand this?

    (Lessee; do I really need a ;-) here? Nah ....)