Yeah, it is an odd article.
It seems like they are talking about 2 real problems:
1) SQL injection (which could be solved by only using prepared statements)
2) storing cleartext passwords on the server (which could be solved by storing as hash with per-user salt)
Both of these techniques have been old hat for around a decade so the real news is that so many sites could apparently be compromised this way (of course, the entire article sounds invented, so who knows if that is even true).
The "alleged weakness of username/password authentication" seems to be just a "conclusion" they invented for click-bait purposes.
I completely agree with you that their derivation makes no sense. These problems are independent of each other and neither directly implies the conclusion they want to state.
How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).
Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?
You shouldn't be able to steal a password since the site shouldn't have it.
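The two fixes named in the comments above (prepared statements against SQL injection, and a per-user salted hash instead of a stored password) in one small SQLite-backed user store, as an added example that is not part of any comment in this thread. The schema, the user names, the probe string and the PBKDF2 round count are constructed for illustration; `lookup_unsafe` keeps the string-splicing defect on purpose so the contrast with the bound-parameter version is visible.

```python
"""Added example, not from the thread: prepared statements plus per-user
salted password hashes in one small SQLite-backed user store. The schema,
user names and probe input below are constructed for illustration."""
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: PBKDF2-HMAC-SHA256 at this round count is an acceptable slow
# hash for the demo; a real deployment would tune the work factor.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash. The server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # fresh per user, kept beside the hash
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Defect on purpose: the value is spliced into the SQL text, so quote
    # characters inside it change the shape of the query.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Prepared statement: the driver binds the value as data; it cannot
    # become SQL whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Recompute with the user's own salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt), stored)


def password_in_store(conn: sqlite3.Connection, password: str) -> bool:
    """True if the raw password bytes appear in any stored column (they should not)."""
    needle = password.encode("utf-8")
    for salt, pw_hash in conn.execute("SELECT salt, pw_hash FROM users"):
        if needle in salt or needle in pw_hash:
            return True
    return False


def demo() -> dict:
    conn = open_store()
    register(conn, "alice", "correct horse battery staple")
    register(conn, "bob", "hunter2")
    probe = "nobody' OR '1'='1"  # constructed input; not any user's name
    return {
        "unsafe_rows": lookup_unsafe(conn, probe),  # splicing matches every row
        "safe_rows": lookup_safe(conn, probe),      # binding matches none
        "alice_ok": verify(conn, "alice", "correct horse battery staple"),
        "alice_wrong": verify(conn, "alice", "hunter2"),
        "leaks_password": password_in_store(conn, "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two points the comments make fall out of the results: the spliced query returns every user for an input that is nobody's name while the bound query returns none, and a dump of the `users` table yields only salts and PBKDF2 output, so there is no password on the server to steal.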
I was very pleased with my 505, as well. I didn't bother with their software (I think it was Windows-only and was mainly used to buy DRM-encumbered stuff from their own store) but just using it as USB mass storage worked well enough for my purposes.
I use it primarily for reading stuff from Project Gutenberg (since there is no DRM insanity) or taking other miscellaneous PDF and text content with me. The screen was quite good and sure beat reading any amount of text off of a glowing screen.
It is too bad that they are leaving the market but I can tell my use-cases aren't those used by the masses so I am not too surprised.
Some of the best developers I have worked with had active ACM memberships and they definitely did come across some exceptionally valuable papers through it.
I think that the reason why more people don't find the value is that the vast majority of software developers are either just code monkeys or have become the "Jack of all trades" type of technical leaders.
There are few opportunities to become a specialist in a single, very deep, area of expertise. You typically need to work for a big enough company who can justify such specialists and not have them constantly prodding you to "float around the company" (since there is an HR theory, currently in style, which states that you should encourage movement within an organization so people don't get bored - now you just alienate the people who like big, complex problems).
I have never had problems with my Pi, either (Model B). It is powered by a USB port on my Odroid-U3. All that is attached to it is ethernet and the USB UART connector to the Odroid's serial interface.
I have never had problems with it and, when I am running my stress tests on it, the load average gets up to around 30 for about 20 minutes so it is sustained activity on the CPU and RAM (although I never use its GPU for anything, so maybe that helps). I also do wonder about the power draw of some of those USB WiFi dongles, since they probably need a lot.
In terms of filesystems (these are just partitions on the SD), my root is just the Raspbian default (which I think is ext4) but my write-heavy file system where my tests run is BtrFS, which is supposed to do better on such devices.
Their main products (if you look at their web site) are much more substantial.
I am writing this while using Ubuntu on one of their Odroid-U3 devices, right now. It is a great little machine. I highly recommend it if you are looking for a low-power, low-cost, small ARM Linux machine.
I had one of the all-laser ("Intralase SBK") approaches done about 4 years ago and the results were great! My vision was only about -2 in each eye, but the surgery put me to marginally better than 20/20.
The most annoying part was not being able to wear contacts for the week leading up to the surgery so my eyes could go back to their natural shape but the surgery was neat (only took 3 minutes) and I could see perfectly, as soon as I sat up from the chair (although my eyes had a "fog" effect for a few hours).
When doing the initial consultations, I expressed concern over night vision (since I am usually out at night) but they said that most of the issues related to that were pre-existing and were only noticeable due to the increased resolving power of their eyes, post-surgery. Personally, I haven't noticed a problem and things like lights, when out at night, seem much sharper (I could tell the first time I tried to get on a bus, after the surgery, and realized I could clearly make out the route name and number from MUCH further away than usual).
I highly recommend it.
That largely applies to pretty much everything but there are actual cases where Z and P are incredibly different so unifying their back-end implementations will be potentially limiting in the future. Specifically, I am referring to the memory coherence model: Z assumes a rigid write-back ordering where P allowed these to be highly out of sync, between cores. Now, I am not sure if any modern P implementations actually exploit this flexibility so the difference might be moot but this decision could be limiting in the future.
It shouldn't be too surprising that it runs well with Java. Embedded is where the first Java inroads were made. Recent VMs make the performance pretty sweet, once you get going.
Running the JVM on an emulator, however, is less than optimal: "it's turtles all the way down".
I understand why they did it but, if there are still serious performance problems with it (which wouldn't be surprising - phones are growing in performance faster than PCs) then they probably need to go the simulator route (even though that isn't quite as generally useful or rigidly correct).
Good to see on many fronts:
1) kids looking into how things actually work and wondering about what that means
2) kids acting to fix the problem, as opposed to exploiting it
3) a company actually thankful for the help without "shooting the messenger"
In terms of the ATM configuration, I am a little surprised that it was so easy to get in. It reminds me of when I used a similar technique to get configuration access to a heated timer cabinet at a McDonald's, when I was in my teens (it meant I could use it to solve some additional problems which had no ideal solutions - as well as add my name as a food item). That wasn't changed from its factory defaults but that one was at least behind the counter so it was physically protected. I am a little surprised that there isn't some kind of physical locking switch to enable that mode, on these devices. Banks are usually pretty good about that.
Still, at least I am happy to see that they were thankful for the help.
You are going to have to explain how popularity precludes incompetence.
They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs. As far as I can tell, this was purely to thicken the walls on the garden.
This is the problem with anyone becoming too big within an otherwise open space: there is no reason for them to play nice when they have de facto control. Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.
I have said almost word-for-word what you just said about walled gardens (even using Compuserve and AOL as examples) so I am totally in agreement with your concerns on that front.
Because no internet company has ever gone out of business, strayed into an area of legal ambiguity, had a security vulnerability, made their software incompatible with your existing work flow, or made unpleasant changes to their terms of service or privacy policy...
I would still like to see OpenGL largely punted in favour of OpenGL ES. As you point out, it is a much smaller API and it reflects the realities of the hardware, as it actually evolved (shader programs and GPU-memory vertex buffers), instead of how the software initially wanted to see it (immediate mode and imperative matrix manipulation).
Hopefully, the inclusion of OpenGL ES as a subset of OpenGL within the 4.x versions will make this more a reality, as well as the use of things like WebGL.
The point is that, with influence, they don't need to buy the politician as control of information is far more powerful than control of resources.
In effect, they could manufacture their own candidate and ensure that the information they returned is heavily biased in light of this new "underdog" or "dark horse" and suddenly political manipulation has been accomplished, and packaged in a story you can sell to Hollywood, for added attention.
They would also be able to keep their puppet on a short leash since they had already demonstrated that they have the ability to control all the information around them. That kind of control can't be purchased with campaign donations or lobbying.
Interestingly, because of the way many people seem to vote and because they had so much control over the information, even pointing out that this was happening would be unlikely to change the result (since it would take attention away from the competitors, it would probably make matters worse).
I always try to remember this when I wonder if I am getting out-of-touch (being a 30-something, primarily C guy) but the reality is, despite all the hype around new languages (or new service providers *cough* GitHub *cough*), it turns out that much of what is currently used, is used for a reason.
The best software developers I knew were comfortable in several languages and could pick up new ones in an afternoon but they preferred writing in simple C, heavily-simplified C++ (basically just C plus classes, no other language features), or maybe Java.
They could easily express their ideas and the code could be easily read by even a novice (part of knowing many languages means avoiding esoteric or "clever" language features).
It is nice to see new ideas on the horizon but the signal to noise can get a little overwhelming when there are more frameworks or languages than developers (as it sometimes seems).
Actually, a document isn't private unless you physically own it (hence, no "cloud" anything) and control the access to it (private links, self-destructing links, HTTP sessions, etc). Relying on an external walled garden means that you gave them ownership (either legally, or physically).
As bandwidth increases, owning a link which resolves a piece of information will become increasingly equivalent to owning that information.
The confusing thing is why this is so popular, anyway. As far as I see it, it is nothing more than Clippy, the next generation.
Maybe people only disliked Clippy because it seemed like a distraction. I suppose the "omnibar" wouldn't be as popular if, every time it got focus, it put up a large overlay box with the content: "It looks like you are trying to type a URL".
Alternatively, it means people _would_ have liked Clippy if it just started silently writing the letter for you or if it sent the letter to Microsoft so they could finish it for you.
The address bar and any kind of search bar are different things with _very_ different uses. I don't understand why I would ever want to conflate them. It makes no sense from a UI perspective and is an absolute disaster from a privacy perspective.
That sounds about right.
I always took complete notes, by hand, until I got a laptop in second-year and started typing up the complete notes in LaTeX.
I think that typing worked better than writing, but only because I was doing a verbatim copy of board information and the tex files could be grepped, after-the-fact. I can also type with my eyes closed and I wasn't getting much sleep, in those days.
The friends of mine who just sat in class and listened seemed to understand the content much better (they just needed to be sure to discuss the content or do the assignment before it fell from memory as unreachable information).
Stop looking at this as an us-and-them dynamic, as though there is a line somewhere which divides the "old" from the "young" and everyone on one side is a firmly entrenched, 1-dimensional stereotype.
People are different and I doubt that everyone at that company enjoys the specific culture you have described (let alone doing so proportional to their "youth"). If you can work well together, that is the primary concern.
This is EXACTLY the way to look at this!
Relying on static analysis to solve parameter validation bugs is asking technology to solve a human problem, akin to asking the computer "do what I want, not what I said".
Static analysis and defensive programming techniques are good ideas but there is always a chance for something to go wrong.
The problem has more to do with the "hey, this is free so let's just take it" attitude of the downstream consumers not willing to pay for anyone to look at the code or pay anyone to write it.
Why would you want the OpenSSL people to be held accountable for something they basically just wrote on their own time since nobody else bothered?
Striking out to solve a problem should NOT be punished (that culture of legal punishment for being useful is part of why knowledge industries are leaving North America).
This problem was caused by a simple missed parameter check, nothing more. Stop acting like the cultural problem is with the developers when it is with the leeches who consume their work.
That is what I keep thinking.
It seemed like, although Clippy might have died, his religion ("the user is stupid and needs the computer to help them use the computer") is alive and well.
The thing that confuses me is, why do people think this is "good"? Personally, I spend appreciable time fighting with software "helping" me when I already knew what I wanted to do.
This is generally what I have found, too.
The best uses of C++ I have seen were simple and fast since they were really just vanilla C with classes.
It might be worth determining why "sex discrimination" is an issue, and seeing whether the concept is a problem in this case for the same underlying problems, rather than simply jumping on it and implying it's wrong because it's discrimination.
Any form of discrimination is wrong precisely because it is discrimination. Instead of allowing the abilities and merits of the individual to distinguish them, you group them based on some notion of grouping which may only exist to you and then act as though all people in that group are the same and share opinions and resources.
If I am an individual of group X, telling me that someone else needs an advantage over me because they are of group Y doesn't make any sense since we are just 2 people who may not even have heard of those groups or claimed membership within them.
Remember that we must, as one great speaker once said, judge people "by the content of their character".