Stop and read it again. Nowhere did my comment say that they would have more vulnerabilities than Mozilla. It simply said that they would probably have more than 0.
So although they are making security a priority, it looks like they're not a "key" leader.
Your inference that SecurityFocus listing several browsers with 0 known security holes makes them secure is erroneous. I'm sure we'd see a flaw or two in some of the other browsers if they were enjoying the recent surge in popularity and attention that Firefox is enjoying.
Oh, and your reference URL shows Firefox at 0 vulnerabilities now. And Safari now has 1.
Okay, sorry if I am sounding like a jerk. I really just want to know how this can happen!
In case you've been living in a hole for the past few years, IE has a particularly lengthy history of exploits. Auto execution of downloaded files by playing mime-type tricks, arbitrary execution of code via client side scripting languages, etc., etc.
It's perfectly possible that you could download and install spyware/adware/virii with IE with 0 clicks. Sure there are patches issued but they've been far from what I'd consider timely responses.
You can be as vigilant as you want with IE patches but I'd still be very cautious going to "seedier" sides of the internet. I'm not saying there aren't problems in other browsers because there are. They just don't have nearly as many problems. Maybe that's because they don't have a large enough market share to catch adware/virus authors' attention.
Regardless, I stopped using IE years ago because of these very issues and couldn't be happier with the alternatives.
If all Slashdot readers stop viewing ads and their ad revenue disappears, will Rob keep offering free access or not?
And whose problem is that? Should I worry about how companies make their profit from me?
That's all fine and dandy if /. and other free content sites on the web want to start charging for content. If what they have is worth paying for, they should do well. Myself and others will pay good money for a good product. If not, they will sink into the abyss with all the other companies who are trying to push a product that's not worth paying for. How is it my responsibility to make their business model work for them? If that's not a free market at work, I don't know what is.
I often wonder about PHP in large scale applications. I'm obviously ignorant about PHP and just as lazy about researching it but maybe you can share a few things that might clear up some of these perceptions about PHP.
1) Transactions
Not just database, but business logic transactions. What kind of support is offered out of the bag here?
2) RPC
What options are available for creating multi-tier applications? Are remote procedure calls limited to XML and Web Services? Web services are great and all but not exactly efficient.
3) Clustering
Does it cluster well? Sharing sessions, state, etc. between servers?
4) MVC framework
Are there frameworks/support for decoupling your business logic from your view and controller without feeling like it's a kludge?
5) Testing
Is it easy to unit test the application outside of the server environment?
6) If PHP has support for all these, how much coding is left to the developer to implement them? IMHO, if you're focusing on anything but business logic, you're wasting your time. A lot of people like to complain about how complex and massive J2EE projects can be but if you're worth a damn as a developer, you shouldn't be writing much of this code at all. With utils like XDoclet, Spring, Hibernate, Maven and a good IDE, the only thing you should be coding is BL.
Yes you really need virus protection on Linux. The situation is dire. There are thousands of viruses being brewed up around the world to infect Linux boxen. Be afraid, be very afraid!!
But now McAfee has come to your rescue. Only $49.95 for complete peace of mind.
I feel so much better already.
Did you stop to think that there is added value in a Linux application server scanning for Windows virii in uploaded files? What about being able to scan your Samba shares on your file servers? Wouldn't it be lovely if your company got sued because your client downloaded an infected file from your Linux FTP server?
I've seen plenty of OSS and proprietary software code that had comments that *looked* auto-generated. Stuff like:
/** Sets the Home to a new value */
public void setHome(String newHome)
{
    ...
}
I've never understood why people do things like this. Why not do something useful: specify what's a valid or invalid value of newHome, say when it should or should not be called. Or just leave it blank if you can't find something useful to say.
Have you never used an IDE? They look auto-generated because they were.
Copyright infringement isn't a criminal act in Australia
Someone correct me if I'm wrong here but Australia is a member of Interpol, correct? I know that Interpol enforces copyright violations between countries. It would make sense to me that if it's a crime in the US that being a member of Interpol allows for extradition if circumstances are severe enough. In that case, it's not good enough for it not to be a crime in the perpetrator's home country.
I fail to see how intentionally violating a EULA is either legal or ethical.
It's obvious that you have no experience with IGE and its "farmers". They dominate an entire area 24/7 griefing legit players and monopolizing the market/economy. If you want to get anywhere in the game, you have no choice but to buy from them. They've ruined several MMORPGs and are intent on ruining more in the name of making a buck.
I'm glad that more people are becoming aware of these "hidden ties" so they can stop unintentionally helping them if they have any sort of conscience.
For me, it's about not contributing to a company I despise. In my past experiences, IGE has done everything they can to monopolize the economy and ruin the game for anyone who doesn't buy currency from them. Why would I knowingly want to support (directly or indirectly) a company like that?
FFXI (Final Fantasy XI) is a wonderful MMORPG. I picked up FFXI to pass the time until WoW came out. Now that I've been playing it for almost 6 months now, I gotta tell ya... I don't see myself switching unless WoW is absolutely amazing.
As an old EQ player, I can't tell you what a breath of fresh air FFXI has been.
The UI is a bit odd at first but once you get used to it, it's more than functional... it's actually nice. Just takes some adjustments.
Blake Stowell is quoted as saying, "We've not introduced copyright infringement as part of our case with IBM. We've tried to make it clear that it's a contract issue."
How can they say that this case is over contract breach w/ IBM and in the same week demand (again) end users license their "IP" (which nobody has seen because, despite a court order, they will not produce it).
It's pretty obvious that they're in a tailspin now.
Javascript not just for Clients (on Javascrypt)
There are a number of servers that support server-side Javascript. I recently had a project where a remote office needed to communicate with a servlet based webpage using RC4 encrypted parameters.
The remote office didn't know much programming so I wrote an RC4 and base64 implementation in Javascript for them to implement server side.
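The RC4-plus-base64 construction described above, written out as an added example in plain JavaScript for Node (this is not the poster's code, and the known-answer vectors are the public ones from the RC4 literature). It also shows the property a practitioner needs to know before putting such parameters on the wire: under one fixed key the keystream repeats, so the XOR of two ciphertexts equals the XOR of the two plaintexts.

```javascript
// Added example, not the poster's code: RC4 and base64 framing in plain JavaScript.
// RC4 is obsolete (biased keystream, no integrity protection); it is shown here to
// make the construction, and its key-reuse hazard, concrete.

// Key-scheduling (KSA) followed by the output generator (PRGA); returns
// `length` keystream bytes for the given key bytes.
function rc4Keystream(key, length) {
  if (key.length === 0) throw new Error('RC4 key must not be empty');
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(length);
  let i = 0;
  j = 0;
  for (let n = 0; n < length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Encryption and decryption are the same operation: XOR with the keystream.
function rc4(keyBytes, dataBytes) {
  const ks = rc4Keystream(keyBytes, dataBytes.length);
  const out = new Uint8Array(dataBytes.length);
  for (let n = 0; n < dataBytes.length; n++) out[n] = dataBytes[n] ^ ks[n];
  return out;
}

function toHex(bytes) {
  return Buffer.from(bytes).toString('hex').toUpperCase();
}

// The shape a URL parameter would carry: RC4 over the UTF-8 bytes, then base64.
function encryptToBase64(key, text) {
  const ct = rc4(Buffer.from(key, 'utf8'), Buffer.from(text, 'utf8'));
  return Buffer.from(ct).toString('base64');
}

function decryptFromBase64(key, b64) {
  const pt = rc4(Buffer.from(key, 'utf8'), Buffer.from(b64, 'base64'));
  return Buffer.from(pt).toString('utf8');
}

// Keystream reuse: with one fixed key, c1 XOR c2 equals p1 XOR p2 over the
// overlapping bytes because the keystream cancels out. Every fixed-key stream
// cipher behaves this way, which is why each message needs a fresh key or nonce
// (or, today, an AEAD such as AES-GCM or ChaCha20-Poly1305).
function xorOfCiphertexts(key, text1, text2) {
  const c1 = rc4(Buffer.from(key), Buffer.from(text1));
  const c2 = rc4(Buffer.from(key), Buffer.from(text2));
  const n = Math.min(c1.length, c2.length);
  const x = new Uint8Array(n);
  for (let i = 0; i < n; i++) x[i] = c1[i] ^ c2[i];
  return toHex(x);
}

// Public known-answer vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3
console.log(toHex(rc4(Buffer.from('Key'), Buffer.from('Plaintext'))));
console.log(encryptToBase64('Key', 'Plaintext'));      // u/MW6NlArwrT
console.log(xorOfCiphertexts('Key', 'AAAA', 'ABAB'));   // 00030003, i.e. "AAAA" XOR "ABAB"
```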
I could not help but notice that Google, Yahoo, and Slashdot are omitted from their "top 1000" list. Yet rumors persist that these three web sites get a fair amount of traffic.
Well, because Google's headers report server GWS/2.1 (Google Web Server?) and Yahoo's headers strip the server header altogether.
That's the major flaw with this, and all other web surveys done by examining the HTTP headers.
Now they're eating it up like hot cakes cause it's EXPENSIVE! Linux is no longer a free thing.
Since when does Apache (or any other non IIS web server) = Linux? A *lot* of other OSes can run it too. Hell, Oracle's 9iAS application server uses Apache as its HTTP server.
You have to look at their survey. It's talking about the CORPORATE web servers. I work for a major corporate America company. We have close to 4000 servers handling our "web" environment. That consists of web, app, and database servers. There's more IIS than anything else out there for sure in corporate America. Especially on the WEB front end. In a corporate environment there are about 20 Windows to 1 Unix boxes. Mostly due to Windows servers being so cheap and not being able to handle as much load per server. But on the DATABASE backend there is much more UNIX than Windows.
First of all, this survey is total crap. Any web server survey that focuses on corporate servers can't possibly be accurate. Anyone (corporate admins at least) with a clue about security would only allow access to the server via a reverse proxy and strip any identifying headers (or strip them at the server, if the server permits).
Look, I've worked for many corporations, including Fortune 500 companies and companies with more than 120,000 employees. I currently have a federal government job. In *all* the places I've ever worked at, IIS was avoided like the plague. Most of the time, Windows boxes were banned from the DMZ, period.
Of course, most web connections were reverse proxied (with the servers being behind the DMZ) with a non-Windows solution (mostly Solaris boxes) but policy even refused to allow reverse proxies to Windows boxes.
I personally think you'd have to be off your friggin' rocker to allow anyone from the outside to access your IIS server (no matter how they access it). But then again, I think you'd have to be off your rocker to allow internal users to access an IIS server too (internal users are usually your greatest security risk).
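As an added example (not from any of these posts), a small Node script that parses a raw HTTP response head like the one quoted on this page, reports what a header-based survey can learn from the Server header, and applies the strip-identifying-headers policy a reverse proxy would enforce on the way out. The sample head is constructed; the header names in IDENTIFYING_HEADERS are real ones chosen for the example.

```javascript
// Added example (not from the thread): what a header-based web server survey can
// and cannot see, and the header policy a reverse proxy applies before a
// response leaves the DMZ. Sample data is constructed for the example.

// Response headers that identify the software behind a site. Real header names,
// chosen for the example; extend to whatever your own stack emits.
const IDENTIFYING_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'via'];

// Parse a raw response head ("HTTP/1.1 200 OK\r\nName: value\r\n...") into
// { status, headers } with lower-cased header names. A body after the blank
// line is ignored; repeated headers are joined with ", " as RFC 7230 allows.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/).filter((l) => l.length > 0);
  const m = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0] || '');
  if (!m) throw new Error('not an HTTP status line: ' + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) throw new Error('malformed header line: ' + line);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status: Number(m[1]), headers };
}

// kind: 'none' (header absent, as when a proxy strips it), 'product' (name only),
// or 'version' (name and version, e.g. "Apache/1.3.27 (Unix)" or "GWS/2.1").
function classifyServerHeader(headers) {
  const value = headers['server'];
  if (!value) return { kind: 'none', product: null, version: null };
  const m = /^([^\s\/]+)(?:\/(\S+))?/.exec(value);
  if (!m) return { kind: 'none', product: null, version: null };
  return m[2]
    ? { kind: 'version', product: m[1], version: m[2] }
    : { kind: 'product', product: m[1], version: null };
}

// A survey over many responses: anything without a Server header lands in
// 'unknown', which is exactly where a site that strips headers ends up.
function surveyProducts(rawHeads) {
  const counts = {};
  for (const raw of rawHeads) {
    const c = classifyServerHeader(parseResponseHead(raw).headers);
    const key = c.product === null ? 'unknown' : c.product;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Reverse-proxy policy: drop identifying headers; optionally substitute a fixed,
// uninformative Server value for clients that expect the header to exist.
function stripIdentifyingHeaders(headers, replacementServer) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!IDENTIFYING_HEADERS.includes(name)) out[name] = value;
  }
  if (replacementServer) out['server'] = replacementServer;
  return out;
}

// Constructed sample: the Server line mirrors the header quoted on this page,
// the X-Powered-By line is invented for the example.
const SAMPLE_HEAD = [
  'HTTP/1.1 200 OK',
  'Date: Sat, 19 Mar 2005 18:10:51 GMT',
  'Server: Apache/1.3.27 (Unix)',
  'X-Powered-By: PHP/4.3.10',
  'Content-Length: 79',
  'Content-Type: text/plain',
].join('\r\n');

const parsed = parseResponseHead(SAMPLE_HEAD);
console.log(classifyServerHeader(parsed.headers));            // { kind: 'version', product: 'Apache', version: '1.3.27' }
console.log(stripIdentifyingHeaders(parsed.headers, 'web'));  // no version, no x-powered-by
console.log(surveyProducts([SAMPLE_HEAD, 'HTTP/1.1 200 OK\r\nServer: GWS/2.1\r\n', 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n']));
```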
Of course, for an ATM, it wouldn't make much sense to sign code because it's never going to see the outside of that machine, nor should the machine ever have any non-approved code in it. Signing the code would just add unnecessary overhead and slow the entire machine down in that case.
Well, it appears that it executed external code in this case. I don't think that making a signature check part of the shell will work in this situation either. Correct me if I'm wrong. If a buffer overflows, and you jump into memory that allows you to start processes, it's not done through a shell (right?). I would think that it needs to be tightly coupled to the kernel.
Now, the problem with having an OS that only runs signed code is that most software isn't signed.
In a restricted environment, like an ATM, that's exactly what you want. You most likely don't want it to run *anything* that you didn't sign yourself (and the ATM has only you as its certificate authority).
It's obviously not practical to have everything be signed for a desktop or server (independent developers would eat it big time due to certificate authority charges). If you want an extremely sterile environment, this would seem to be a good fit.
The answer to this is to make a simple, purpose-built program which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothing to get corrupted, nothing but hardwired code. Burn an extended BIOS onto a ROM chip to run the physical end. Then lock the whole thing up in a metal box, and BAM, it's as secure as you can make it.
Just a thought... how hard would it be to make an operating system that only executed signed code?
So much for reading comprehension.
I beg to differ
Permission to beg granted. Start differing.
Yes, but they knew enough to block W3C's validator from their site:
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org%2F
What matters is that the article quality on /. is substandard and is causing me to look for alternatives to /.
You must be new here. Welcome to Slashdot.
Fair Use
The 1961 Report of the Register of Copyrights on the General Revision of the U.S. Copyright Law cites examples of activities that courts have regarded as fair use: "quotation of excerpts in a review or criticism for purposes of illustration or comment; quotation of short passages in a scholarly or technical work, for illustration or clarification of the author's observations; use in a parody of some of the content of the work parodied; summary of an address or article, with brief quotations, in a news report; reproduction by a library of a portion of a work to replace part of a damaged copy; reproduction by a teacher or student of a small part of a work to illustrate a lesson; reproduction of a work in legislative or judicial proceedings or reports; incidental and fortuitous reproduction, in a newsreel or broadcast, of a work located in the scene of an event being reported."
Now... was this present before or after the lawsuit started?
Looks like it was there before (unless they manually modified the TS, which is kinda silly).
HTTP/1.1 200 OK
Date: Sat, 19 Mar 2005 18:10:51 GMT
Server: Apache/1.3.27 (Unix)
Cache-Control: max-age=300
Expires: Sat, 19 Mar 2005 18:15:51 GMT
Last-Modified: Wed, 23 Feb 2005 10:54:38 GMT
ETag: "761b2-4f-421c60ee"
Accept-Ranges: bytes
Content-Length: 79
Connection: close
Content-Type: text/plain

User-Agent: *
Disallow: /beta
Disallow: /francais/news
Disallow: /english/news
Who said that any of this is about fairness?
Ran across this the other day.
Gives some really good insight on what exactly is going on with the movie (in regards to the casting, plot, etc.):
http://www.douglasadams.se/forum/viewtopic.php?t=2288
Blizzard, on the other hand, is making it right the first time. They aren't going to release until the game is ready, end of story.
/em thinks about Diablo I & II and shudders
Yes, because Blizzard has such a great track record with their online games.
http://ffxi.allakhazam.com/forum.html?cat=16
http://ffo.warcry.com/
Here's more:
http://www.playonline.com/ff11us/gameplay/