XML isn't the problem. (on XML in a Nutshell · Score: 4, Insightful)
As someone already said, XML is the ultimate replacement for the comma-delimited file. For the purposes of storing human readable/modifiable data, it's great, and does fill many of the roles a comma separated file used to fill. XML itself is pretty darned easy to pick up.
That's not the problem.
The problem is with the description technologies - most of which just add a layer of abstraction to the XML data, and try to pass a secondary version of the data back to an HTML template.
That's all well and good - but quite frankly, the current incarnation of XSL stinks. It's tough to comprehend, easy to butcher, and half the time doesn't make sense.
Much easier (and more useful, I would think) are the parsers which transform an XML document into a data structure you can use in an existing language like Perl or PHP (for the web), or C, or whatever you want. Once you're in a native data format, you're set, and can manipulate the data just as you normally would.
That's the way to leverage the strength of XML. Ditch XSL for now, until it can be made clearer - and use some existing backend technology to format the data once it's in a data structure.
I'm all in favor of retaliation - but I think you need to calm down for a second and think about what you're suggesting.
Bringing out the nukes is the WORST thing we can do. Think about it. Once one nuke is in the air, if the intended target country has ANY nuclear capability, they will use it. In response, more are fired, and soon, every major city on the planet is a glass parking lot, and the air is unbreathable for a few hundred years ANYWHERE on the planet.
No - I say we find out who's responsible, and punish THEM harshly - as harshly as our system will allow - in public - in front of the eyes of the world - and show EVERYONE what happens to those who fsck with us. But, we need to be ABSOLUTELY SURE we have the right people - and that we don't involve any more innocents in this than we have to - preferably none at all. I fear that we will take more drastic measures, however, and more innocent lives will be lost in the name of Justice.
A lot of the humor in Grim Fandango might be a bit above them - but it was a great game =) I still love the balloon animal part - "Run you pigeons! It's Robert Frost!"
He's a little vague on the requirements though - can the game itself contain no "violence", or can the protagonist simply not use violence (I'm thinking about the kidnapping, "sprouting", etc... plus there's the whole afterlife theme, which may or may not be kosher where he's working)?
If there can be no "violent" acts at all in the game (even ones you're supposed to stop/rectify, like rescuing the kidnapped girl, etc...) then even Grim Fandango could be considered "violent", and his only real choices would come from puzzle and strategy games. Even some of those, even good ones like Risk for example, involve armies clashing in battles - even though it's depicted solely through plastic Roman numerals and dice, its basis is in violence, technically. It all depends on how stringent about it the rules are.
Not the whole story, or not thinking far enough (on E-Paper Moves Closer · Score: 4, Insightful)
In the article, they talk about making a "book" of this stuff -- what an incredible waste! If the epaper's contents can be changed electronically, there's no reason to have a whole "book" of it -- one sheet should suffice (with some sort of input device to capture "page turn" requests) for most everything.
Furthermore, if you view the epaper as simply a medium through which to display information, you wouldn't need a separate physical volume for each book - they could all fit into something, say, the size of a PDA (compactflash, etc for removable, expandable storage, and a hookup to the epaper to display -- or even a PDA screen made OF this stuff (thin, light, flexible (foldable?) PDA ^_^ ) - would be insanely useful.
All of this doesn't come with a price, however. If publishing of mainstream works went electronic, there would be no "ownership" of a copy of a work, only a "license". Then, by simply encrypting the contents, by any means, no matter how light, makes it CRIMINAL to build, use and/or distribute a compatible viewer, under the DMCA. So whoever is first to market, wins, and has a larger stranglehold on the publishing industry than M$ has on PC OS's - because no one will *legally* be able to compete in that arena. ("Your honor, our file format, which is used by every major publication, is encrypted, and thus protected under the DMCA. The defendants willfully broke the law when they decrypted the contents of our file format and used it to create their product...")
There are MANY more issues here than just a superthin, flexible, high-contrast display. The article doesn't really touch on the major issues at all, and instead only glosses over the technology involved.
I compare the Internet to a Lord of the Flies situation. Let them be animals and they will be animals. If Americans weren't so blindly protective of "Free Speech", we could regulate it like other information mediums and return to an Internet with CONTENT!
I disagree. Were the US to repeal its first amendment rights, and regulate speech, who would get the shit end of the stick? The answer is the same people who get the shaft by Congress now. The American people. Corporations make a nice "campaign contribution" and buy whatever laws they want (DMCA, UCITA, etc...) -- whereas the average citizen doesn't have that kind of influence. Who is the Congressman going to side with? The side giving him the cookie, of course. The only "cookie" his constituents can give him individually is their one vote - which in the grand scheme of things is pretty worthless, seeing as the media conveniently splits things into a 2 party system (forcing 3rd parties out of the picture) and promoting two people who probably aren't really the best ones for the job - but of course, no one knows that because those are the only two choices presented to them before they get to the voting booth. Once there, they see a long list of names -- most of which they've never heard about before (thanks media!) so of *course* they're not going to vote for them.
If Free Speech is regulated, it's not the corporations that will be silenced, and their content removed -- it's the independent sites who will be squelched - because they don't give nice cookies like the X10 people do.
There's no chance at all that the reason 50% of people's time is spent on web sites belonging to four companies is because those four companies are providing a service that Americans feel is worth spending 50% of their time reading?
Nah - it's because us Americans, for the most part, with notable exceptions, are lazy technophobes who have been convinced that if technology isn't "so easy a complete moron could use it", or doesn't look super-slick and glitzy, that it's not worth using.
People aren't interested in content, they're interested in big flashy graphics, and pretty lights, and little midi jingles that play when you hit a page.
Welcome to the world created by mass-capitalism and the sellout of government to corporations - where the incentive is not to make a better, cheaper, more efficient product, but to produce the lowest-quality product you can, while still making it sell well. Where the incentive is not to properly educate the consumer, so they can make an informed decision, and buy your product on its merits, but to confuse the customer, and keep them stupid by telling them that competitors' products aren't "as easy to use", and that they "shouldn't be bothered" with things that aren't "easy".
Yep. That's where we are. We're in a world where everyone is supposed to be, and assumed to be morons. Distracted by bright lights and flash, while ignoring the larger issues. Don't worry about those things - they're not "easy". "Let us take care of that for you -- all you have to do is hand over your credit card -- that's a nice doggy -- here's a biscuit ::pat pat::"
Nah--I'm not bitter ;P
Freedom of choice means freedom to make bad choices, and freedom of the press includes freedom to print crap.
So it does =) I hope it stays that way. Everyone (corporate or private) should have the right to publish what they'd like to publish. I'm even against "gating" content behind warnings and layers of obfuscation to "save the children" from pr0n, violence and the like -- I say let them find it! Let them learn about those things - and make their own *choice* as to whether or not to look at it again. Let parents give their kids the morals to know whether the stuff is "right" or "wrong" - instead of imposing "right" and "wrong" based on some farcical community hivemind. And for people that feel they "shouldn't be bothered" with pr0n or various disgusting content sites - here's a clue: "Don't go back there if you didn't like what you've seen there!"
::sigh:: of course, I *know* I'm in the minority - I just rant a lot ;P
As long as it's printed on the chip itself, I could care less if it's in the marketing materials. It's a technical detail, and those non-technical folks are getting confused by it, and believe a higher MHz rating belies a better processor, regardless of architecture or design. Fine. Take it out of the promotional materials, but leave it on the chip, so I know what I'm getting ;P
Instructions/sec is what matters in the end. Start using that for the main speed indicator, and no one will have a chance to get confused. Of course, the marketdroids want us to be confused...but that's another matter entirely ;P
I really shouldn't post before I'm done with my first cup of coffee! ^_^
images.google.com has most of them - just do a search for atheos.
The one they don't have (of course) is the web browser one. Anyone have that one mirrored?
Re:It's the logical move (on The New Zelda · Score: 2)
mmm...SD Zelda...that would be tasty...
Hopefully these are EARLY shots and don't reflect the art of the final version -- I'd love to see a more anime-like Zelda, rather than...well...whatever this is.
Microsoft already fixed the problem when eEye released their press release.
So exactly how did this "pressure" help?
In this specific instance not at all - as there was already a patch to fix the problem - but what if this had been an unpatched vulnerability? *That* is where the pressure *can* help.
I was arguing a generic point, while you're dealing with a single specific instance =)
Furthermore, I don't think you understand what Full Disclosure really means, versus Responsible Disclosure.
Full Disclosure, IMHO is making all the details surrounding your findings available to the public (in this case, "the public" would probably only consist of sysadmins smart enough to read security bulletins, as Joe Consumer probably wouldn't know the right sites to visit, but the point is that if he did, he could read about it.).
Now, this "Responsible Disclosure" *seems* to mean not telling "the public" ANYTHING about the exploit - even the fact that it exists - and only telling the manufacturer about it. Now, admittedly, in a proprietary piece of software, the only fixes *internal* to that program could possibly come from the manufacturer, but when dealing with networking issues, there are other steps that can be taken by competent sysadmins. Under the "Responsible Disclosure" policy, these sysadmins wouldn't be able to protect their systems until the manufacturer decided to release a patch. Often, by that time it's far too late.
Of course, I could be wrong. =)
Nobody is saying that they won't release info telling you what piece is broken, what port the information is coming in, or some sort of tag identifying the issue. (For instance the query string clearly showing up in everybody's web logs)
They're also going to tell you that it's the index ISAPI filter, and you know you are vulnerable because you have the .ida and .idq mappings on your web site, etc.
Good. That's the sort of information we need in order to take action to protect ourselves. Where the problem lies. What the earmarks of it are. What issues it raises for your network's security. How to combat it.
What they don't need to do is give out a detailed description of how you would write Assembler to take advantage of the hole.
I consider this to be the proof of the theorem, myself. In order to prove the vulnerability exists, you need to show how to exploit it -- if an exploit exists, dissecting its workings can provide a solution. Sort of like the process of finding an antivenom for a new strain of poisonous snake generally starts with a sample of the venom itself.
Know thy Enemy. ;P
And lastly, what exactly do you think "Security through Obscurity" actually means?
Basically "If we don't publicize the details of a possible exploit, no one will exploit it" -- corollary to not disclosing a found vulnerability to the public, instead keeping it a secret, told only to the manufacturer.
The simple act of keeping the workings of an exploit a secret won't stop "blackhats" from using it. People seem to forget that "they" have an information network too -- one that includes code, examples, and no restrictions on who has access to them. In order to keep the damage minimal, ours needs to be as good, if not better. Throwing up walls and saying "You can't know about this" doesn't help anyone -- sure, it may prevent a few kiddies from finding what they need to make an exploit on "whitehat" security sites -- but it won't prevent them from picking it up at easily accessible "underground" sites - and most of all, it won't stop them from using or deploying worms or viruses - they're going to do it anyway.
Keeping the details of how an exploit works a secret only hurts those who would use that information to protect themselves.
I'm all in favor of full, detailed exposure of exploits - how they're done, why they're possible, and possible steps to fix them.
Just because the exploit only hits MS systems doesn't mean that ONLY MS and "blackhats" should know the details. The more people that know the details of HOW these exploits are possible, the better - as these people will not only put more pressure on MS to actually FIX the problem, but they will also be exposed to the reasons WHY the MS product was vulnerable in the first place.
Some of them might even suggest ways of improving the situation. But that's in a perfect world, and this world is far from perfect.
Just telling people "There's an exploit in IIS that allows malicious intruders to use your system(s) to infect others, install a backdoor, and potentially use your system(s) for other purposes" isn't enough. I know as a system administrator, I'd want to know what port the backdoor was put into, so I could secure it at the firewall. I'd want to know how the exploit was executed, so I could potentially filter out the infection requests. I'd want to know exactly WHAT was making my system insecure, and where, so that in the absence of an official fix, I could work my own fixes, to secure my own system(s) against known intrusions.
Nah - unless they trade sabres during the fight, you'll know if it's the "good clone" or the "bad clone" by the color of the sabre -- red = "evil" anything else = "good".
Or by the goatee - everyone knows the evil version always has a goatee ;P
windows is easy and there is nothing you can do about it :)
Nah - it's not "easy". It's "familiar".
People have been so conditioned to the way that Windows works, and told over and over again that Windows is "easy" - that it has become "easy" for them, in their minds. They know how things work in Windows - not because it's intuitive, but because they've been taught that that's how it works.
I'm fully convinced that in an hour, I could make a complete (non-MS-conditioned) computer newbie pretty proficient with Linux. An MS-conditioned newbie would be harder to teach, because they've been coddled and told that using a computer is "hard" and that the MS way is "easy" -- and they believe it so much that they resist learning anything.
That's why "Dummies" books are so popular. People like thinking they're stupid, as it gives them an excuse not to learn. "I can't use linux - I'm stupid with computers" -- yet this same person will spend HOURS learning the MS way of doing things -- because it's "easy". Reality check: If it takes hours to learn, it ain't "easy", no matter what MS tells you.
Make it so it patches against the exploit, then routes all attempted re-exploitation to a small CGI that uses the backdoor to disinfect the attacking system, and install the countermeasure.
So...assuming you're getting hit with 30 requests an hour from 30 different IPs -- and each of those 30 is getting hit the same way -- the "fix" could propagate itself like wildfire, without being an "active" worm (seeking out hosts to disinfect), but instead being a "passive" worm (waiting for an infected computer to contact it, then disinfecting that computer, and passing on the "passive" disinfector).
Problem being, it's still modifying the data on someone else's computer, without their knowledge or permission. I believe that makes it illegal -- even if it is working for "good" rather than for "evil".
I saw the same thing - plus there was another interview by some other channel (not MTV or VH1) before that, where he said that basically he does it because he's a nice guy -- satire and parody are protected, so legally, he doesn't *need* permission -- but because he's a nice guy, he goes and gets the artist's permission anyway.
I have a lot of respect for the guy -- he could just be a dick and do it without permission -- but instead he takes the high road and actually talks with the artists beforehand.
IIRC, the whole Coolio bit was a misunderstanding between Weird Al, Coolio, and Coolio's agent -- Al talked to the agent, who said that Coolio was cool with it, when in fact he wasn't. Coolio came out *after* the song was released, saying he wasn't OK with it - but by that time nothing could be done, as it was already out there. Al has publicly apologized on several occasions for the mixup.
The only remake I've seen that lived up to the original was Evil Dead 2...which was, for all intents and purposes a remake of Evil Dead - although they set it up as a sequel.
Problem being that it gets your real email address out there into someone else's hands -- someone who you can't control. Someone could grab the last year's worth of logs of forwarding addresses (most of which are probably legit, considering the purpose of the tool) and compile it into a list. BLAMMO! You've been spammed.
I don't give out addresses @ my domain to any company that I buy/order/sign up for something from -- they get my hotmail address.
Since no one who I *really* want to hear from ever emails me at the hotmail account - I can be reasonably sure the email there came from:
- MS's Spam Farm (IE: the master Hotmail list that quite obviously gets sold every couple of months to a lucky set of spammers -- despite what the article says, I open a new hotmail account every few months, and generally within a couple weeks of not doing anything with it (no mail sent, no address given out to anyone) there's about 5-10 a day - the longest this has ever taken was 2 months.)
- Companies I've signed up for stuff with
- Spammers
Thus, it's easy to contain, and about 5 minutes every month or two, I skim over the email there to make sure nothing legit came in (it never does).
My real email address gets obfuscated everywhere but on my webpage -- which is low-traffic anyway. All mail coming into me gets passed through a filter which weeds anything NOT directly addressed to me into a "suspect" mailbox.
My main mbox gets MAYBE one spam a month. The "suspect" mbox gets about one a day, two a day on Sundays (don't know why, but that's how it goes). My hotmail account gets at LEAST 40-50 a day, about half of which are generally caught by the filters there. MAYBE one legit message comes into my hotmail address every two or three months.
This isn't really a relaying issue, though - they're just disguising it as one.
The real issue is that people are ordering Verizon, and either hosting their own domains (over DSL, with a static IP), or using other email addresses (such as domains they may have forwarding to their Verizon account, or alternate ISP accounts with better email packages/controls) - and Verizon doesn't like that.
The dream of all big consumer-oriented corporations is a huge closed-doors community, where once you're a customer, you have to do everything through them. That's what Verizon wants.
They want to guarantee that if you're a Verizon customer, that you USE your Verizon-branded email. That makes your address a "verified good" address, that they can then put on a list, along with your name, and any other personal information that you've given them, and sell to other companies.
They want to make sure that when you go for a domain for yourself, or your business, that you have NO CHOICE but to have Verizon host it - otherwise you won't be able to take advantage of it through your existing Verizon 'net access account.
Were I a Verizon Online customer, which I'm not, I would be furious - even if this policy didn't affect me *now* - as it might in the future.
I'm very glad I went with Speakeasy for my DSL line, and not Verizon. It will be a sad day when Speakeasy implements any kind of policy like this.
As for options existing Verizon customers have - the best option would, of course, be to cancel your Verizon account, tell them the reason, and go with a competitor who has a saner policy. Barring that - is Verizon blocking SMTP sends from DSL customers running their own SMTP servers on static IPs? If not, it might not be a bad idea to pick up a cheap linux box and run Sendmail/Postfix/Exim/Qmail to handle external accounts.
Off topic, of course, but who's replacing him? I'm assuming Satriani and Vai are still doing it -- did they get a third, or are they gonna call it G2 now? ;P
My 2 cents, anyway =)
AOL owns CNN now...(through Time Warner)
People trust CNN, for the most part.
Looks like Geocities cut off your bandwidth =(
THEN already *was* NOW, THEN. Now, *that* NOW is THEN, and NOW is NOW now. Of course, soon, NOW will be THEN, and THEN will be IN THE OLD DAYS. ;P
I compare the Internet to a Lord of the Flies situation. Let them be animals and they will be animals. If Americans weren't so blindly protective of "Free Speech", we could regulate it like other information mediums and return to an Internet with CONTENT!
I disagree. Were the US to repeal it's first amendment rights, and regulate speech, who would get the shit end of the stick? The answer is the same people who get the shaft by Congress now. The American people. Corporations make a nice "campaign contribution" and buy whatever laws they want (DMCA, UCITA, etc...) -- whereas the average citizen doesn't have that kind of influence. Who is the Congressman going to side with? The side giving him the cookie, of course. THe only "cookie" his constituents can give him individually is their one vote - which in the grand scheme of things is pretty worthless, seeing as the media conveniently splits things into a 2 party system (forcing 3rd parties out of the picture) and promiting two people who probably aren't really the best ones for the job - but of course, noone knows that because those are the only two choices presented to them before they get to the voting booth. Once there, the see a long list of names -- most of which they've never heard about before (thanks media!) so of *course* they're not going to vote for them.
If Free Speech is regulated, it's not the corporations that will be silenced, and their content removed -- it's the independant sites who will be squelched - because they don't give nice cookies like the X10 people do.
There's no chance at all that the reason 50% of people's time is spent on web sites belonging to four companies is because those four companies are providing a service that Americans feel is worth spending 50% of their time reading?
::pat pat::"
;P
;P
Nah - it's because us Americans, for the most part, with notable exeptions, are lazy technophobes who have been convinced that if technology isn't "so easy a complete moron could use it", or doesn't look super-slick and glitzy, that it's not worth using.
People aren't interested in content, they're interested in big flashy graphics, and pretty lights, and little midi jingles that play when you hit a page.
Welcome to the world created by mass-capitalism and the sellout of government to corporations - where the incentive is not to make a better, cheaper, more efficient product, but to produce the lowest-quality product you can, while still making it sell well. Where the incentive is not to properly educate the consumer, so they can make an informed decision, and buy your product on it's merits, but to confuse the customer, and keep them stupid by telling them that competitors products aren't "as easy to use", and that they "shouldn't be bothered" with things that aren't "easy".
Yep. That's where we are. We're in a world whre everyone is supposed to be, and assumed to be morons. Distracted by bright lights and flash, while ignoring the larger issues. Don't worry about those things - they're not "easy". "Let us take care of that for you -- all you have to do is hand over your credit card -- that's a nice doggy -- here's a biscuit
Nah--I'm not bitter
Freedom of choice means freedom to make bad choices, and freedom of the press includes freedom to print crap.
So it does =) I hope it stays that way. Everyone (corporate or private) should have the right to publish what they'd like to publish. I'm even against "gating" content behind warnings and layers of obfuscation to "save the children" from pr0n, violence and the like -- I say let them find it! Let them learn about those things - and make their own *choice* as to whether or not to look at it again. Let parents give their kids the morals to know whether the stuff is "right" or "wrong" - instead of imposing "right" and "wrong" based on some farsical community hivemind. And for people that feel they "shouldn't be bothered" with pr0n or various disgusting content sites - here's a clue: "Don't go back there if you didn't like what you've seen there!"
::sigh:: of course, I *know* I'm in the minority - I just rant a lot
As long as it's printed on the chip itself, I could care less if it's in the marketing materials. It's a technical detail, and those non-technical folks are getting confused by it, and believe a higher MHz rating belies a better processor, regardless of architecture or design. Fine. Take it out of the promotional materials, but leave it on the chip, so I know what I'm getting ;P
;P
Instructions/sec is what matters in the end. Start using that for the main speed indicator, and noone will have a chance to get confused. Of course, the marketdroids want us to be confused...but that's another matter entirely
I really shouldn't post before I'm done with my first cup of coffee! ^_^
images.google.com has most of them - just do a search for atheos.
The one they don't have (of course) is the web browser one. Anyone have that one mirrored?
mmm...SD Zelda...that would be tasty...
Hopefully these are EARLY shots and don't reflect the art of the final version -- I'd love to see a more anime-like Zelda, rather than...well...whatever this is.
Microsoft already fixed the problem when eEye released their press release.
.ida and .idq mappings on your web site, etc.
;P
So exactly how did this "pressure" help?
In this specific instance not at all - as there was already a patch to fix the problem - but what if this had been an unpatched vulnerability? *That* is where the pressure *can* help.
I was arguing a generic point, while you're dealing with a single specific instance =)
Furthermore, I don't think you understand what Full Disclosure really means, versus Responsible Disclosure.
Full Disclosure, IMHO is making all the details surrounding your findings available to the public (in this case, "the public" would probably only consist of sysadmins smart enough to read security bulletins, as Joe Consumer probably wouldn't know the right sites to visit, but the point is that if he did, he could read about it.).
Now, this "Responsible Disclosure" *seems* to mean not telling "the public" ANYTHING about the exploit - even the fact that it exists - and only telling the manufacturer about it. Now, admittedly, in a proprietary piece of software, the only fixes *internal* to that program could possibly come from the manufacturer, but when dealing with networking issues, there are other steps that can be taken by competent sysadmins. Under the "Responsible Disclosure" policy, these sysadmins wouldn't be able to protect their systems until the manufacturer decided to release a patch. Often, by that time it's far too late.
Of course, I could be wrong. =)
Nobody is saying that they won't release info telling you what piece is broken, what port the information is coming in, or some sort of tag identifying the issue. (For instance the query string clearly showing up in everybody's web logs)
They're also going to tell you that it's the index ISAPI filter, and you know you are vulnerable because you have the
Good. That's the sort of information we need in order to take action to protect ourselves. Where the problem lies. What the earmarks of it are. What issues it raises for your network's security. How to combat it.
What they don't need to do is give out a detailed description of how you would write Assembler to take advantage of the hole.
I consider this to be the proof of the theorem, myself. In order to prove the vulnerability exists, you need to show how to exploit it -- if an exploit exists, dissecting its workings can provide a solution. Sort of like the process of finding an antivenom for a new strain of poisonous snake generally starts with a sample of the venom itself.
Know thy Enemy.
And lastly, what exactly do you think "Security through Obscurity" actually means?
Basically "If we don't publicize the details of a possible exploit, no one will exploit it" -- corollary to not disclosing a found vulnerability to the public, instead keeping it a secret, told only to the manufacturer.
The simple act of keeping the workings of an exploit a secret won't stop "blackhats" from using it. People seem to forget that "they" have an information network too -- one that includes code, examples, and no restrictions on who has access to them. In order to keep the damage minimal, ours needs to be as good, if not better. Throwing up walls and saying "You can't know about this" doesn't help anyone -- sure, it may prevent a few kiddies from finding what they need to make an exploit on "whitehat" security sites -- but it won't prevent them from picking it up at easily accessible "underground" sites - and most of all, it won't stop them from using or deploying worms or viruses - they're going to do it anyway.
Keeping the details of how an exploit works a secret only hurts those who would use that information to protect themselves.
I'm all in favor of full, detailed exposure of exploits - how they're done, why they're possible, and possible steps to fix them.
Just because the exploit only hits MS systems doesn't mean that ONLY MS and "blackhats" should know the details. The more people that know the details of HOW these exploits are possible, the better - as these people will not only put more pressure on MS to actually FIX the problem, but they will also be exposed to the reasons WHY the MS product was vulnerable in the first place.
Some of them might even suggest ways of improving the situation. But that's in a perfect world, and this world is far from perfect.
Just telling people "There's an exploit in IIS that allows malicious intruders to use your system(s) to infect others, install a backdoor, and potentially use your system(s) for other purposes" isn't enough. I know as a system administrator, I'd want to know what port the backdoor was put into, so I could secure it at the firewall. I'd want to know how the exploit was executed, so I could potentially filter out the infection requests. I'd want to know exactly WHAT was making my system insecure, and where, so that in the absence of an official fix, I could work my own fixes, to secure my own system(s) against known intrusions.
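As an added example (not part of the original comments), this is one way to act on the kind of detail asked for above: scan a web server access log for requests to `.ida`/`.idq` resources and count hits and distinct sources per hour. The Apache common log format, the sample lines, addresses and timestamps are all constructed, and `is_index_request` and `scan` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
INDEX_EXTENSIONS = (".ida", ".idq")  # the mappings named in the thread

# Constructed sample log (documentation address ranges, placeholder query strings).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2001:14:02:11 +0000] "GET /default.ida?PLACEHOLDER=x HTTP/1.0" 404 276
192.0.2.11 - - [01/Jan/2001:14:17:45 +0000] "GET /index.html HTTP/1.0" 200 5120
192.0.2.12 - - [01/Jan/2001:14:40:03 +0000] "GET /DEFAULT.IDA?PLACEHOLDER=x HTTP/1.0" 404 276
192.0.2.10 - - [01/Jan/2001:14:55:30 +0000] "GET /search.idq HTTP/1.0" 404 270
198.51.100.7 - - [01/Jan/2001:15:05:09 +0000] "GET /docs/ida.html?page=2 HTTP/1.0" 200 812
this line is truncated and does not parse
198.51.100.9 - - [01/Jan/2001:15:20:00 +0000] "GET /default.ida?PLACEHOLDER=x HTTP/1.0" 404 276
"""

def is_index_request(target):
    """True when the request path (query string removed) ends in .ida or .idq."""
    path = target.split("?", 1)[0].lower()
    return path.endswith(INDEX_EXTENSIONS)

def scan(log_text):
    """Return ({hour: {"requests": n, "sources": {ip, ...}}}, unparsed_line_count)."""
    hits = defaultdict(lambda: {"requests": 0, "sources": set()})
    skipped = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            skipped += 1  # keep a count so malformed lines are not silently lost
            continue
        ip, stamp, _method, target, _status = match.groups()
        if not is_index_request(target):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        bucket = when.strftime("%Y-%m-%d %H:00")
        hits[bucket]["requests"] += 1
        hits[bucket]["sources"].add(ip)
    return dict(hits), skipped

if __name__ == "__main__":
    report, skipped = scan(SAMPLE_LOG)
    for hour in sorted(report):
        entry = report[hour]
        print(hour, entry["requests"], "requests from", len(entry["sources"]), "sources")
    print("unparsed lines:", skipped)
```

The per-hour source sets can feed a firewall or filter rule review; a 404 status on these requests only shows that the server had nothing at that path.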
Nah - unless they trade sabres during the fight, you'll know if it's the "good clone" or the "bad clone" by the color of the sabre -- red = "evil" anything else = "good".
;P
Or by the goatee - everyone knows the evil version always has a goatee
windows is easy and there is nothing you can do about it :)
Nah - it's not "easy". It's "familiar".
People have been so conditioned to the way that Windows works, and told over and over again that Windows is "easy" - that it has become "easy" for them, in their minds. They know how things work in Windows - not because it's intuitive, but because they've been taught that that's how it works.
I'm fully convinced that in an hour, I could make a complete (non-MS-conditioned) computer newbie pretty proficient with Linux. An MS-conditioned newbie would be harder to teach, because they've been coddled and told that using a computer is "hard" and that the MS way is "easy" -- and they believe it so much that they resist learning anything.
That's why "Dummies" books are so popular. People like thinking they're stupid, as it gives them an excuse not to learn. "I can't use linux - I'm stupid with computers" -- yet this same person will spend HOURS learning the MS way of doing things -- because it's "easy". Reality check: If it takes hours to learn, it ain't "easy", no matter what MS tells you.
Easy. Make it so it isn't a true "worm".
Make it so it patches against the exploit, then routes all attempted re-exploitation to a small CGI that uses the backdoor to disinfect the attacking system, and install the countermeasure.
So...assuming you're getting hit with 30 requests an hour from 30 different IPs -- and each of those 30 is getting hit the same way -- the "fix" could propagate itself like wildfire, without being an "active" worm (seeking out hosts to disinfect), but instead being a "passive" worm (waiting for an infected computer to contact it, then disinfecting that computer, and passing on the "passive" disinfector).
Problem being, it's still modifying the data on someone else's computer, without their knowledge or permission. I believe that makes it illegal -- even if it is working for "good" rather than for "evil".
311 here, linux server also running apache =)
I saw the same thing - plus there was another interview by some other channel (not MTV or VH1) before that, where he said that basically he does it because he's a nice guy -- satire and parody are protected, so legally, he doesn't *need* permission -- but because he's a nice guy, he goes and gets the artist's permission anyway.
I have a lot of respect for the guy -- he could just be a dick and do it without permission -- but instead he takes the high road and actually talks with the artists beforehand.
IIRC, the whole Coolio bit was a misunderstanding between Weird Al, Coolio, and Coolio's agent -- Al talked to the agent, who said that Coolio was cool with it, when in fact he wasn't. Coolio came out *after* the song was released, saying he wasn't OK with it - but by that time nothing could be done, as it was already out there. Al has publicly apologized on several occasions for the mixup.
The only remake I've seen that lived up to the original was Evil Dead 2...which was, for all intents and purposes a remake of Evil Dead - although they set it up as a sequel.
Problem being that it gets your real email address out there into someone else's hands -- someone who you can't control. Someone could grab the last year's worth of logs of forwarding addresses (most of which are probably legit, considering the purpose of the tool) and compile it into a list. BLAMMO! You've been spammed.
I don't give out addresses @ my domain to any company that I buy/order/sign up for something from -- they get my hotmail address.
Since no one who I *really* want to hear from ever emails me at the hotmail account - I can be reasonably sure the email there came from:
- MS's Spam Farm (IE: the master Hotmail list that quite obviously gets sold every couple of months to a lucky set of spammers -- despite what the article says, I open a new hotmail account every few months, and generally within a couple weeks of not doing anything with it (no mail sent, no address given out to anyone) there's about 5-10 a day - the longest this has ever taken was 2 months.)
- Companies I've signed up for stuff with
- Spammers
Thus, it's easy to contain, and about 5 minutes every month or two, I skim over the email there to make sure nothing legit came in (it never does).
My real email address gets obfuscated everywhere but on my webpage -- which is low-traffic anyway. All mail coming into me gets passed through a filter which weeds anything NOT directly addressed to me into a "suspect" mailbox.
My main mbox gets MAYBE one spam a month. The "suspect" mbox gets about one a day, two a day on Sundays (don't know why, but that's how it goes). My hotmail account gets at LEAST 40-50 a day, about half of which are generally caught by the filters there. MAYBE one legit message comes into my hotmail address every two or three months.
My personal fave is no.way@is.this.my.real.address.spammer.go.away.bzzzzzzzzzzzzzzt.org
Any human reading that will immediately know it's not real.
Any spambot reading it will try to send email to that address, and it will bounce since NO ONE in their right mind has a machine name that long.
Admittedly, the bounce will cause traffic...but I'd much rather it be a bounce than my real address.
This isn't really a relaying issue, though - they're just disguising it as one.
The real issue is that people are ordering Verizon, and either hosting their own domains (over DSL, with a static IP), or using other email addresses (such as domains they may have forwarding to their Verizon account, or alternate ISP accounts with better email packages/controls) - and Verizon doesn't like that.
The dream of all big consumer-oriented corporations is a huge closed-doors community, where once you're a customer, you have to do everything through them. That's what Verizon wants.
They want to guarantee that if you're a Verizon customer, that you USE your Verizon-branded email. That makes your address a "verified good" address, that they can then put on a list, along with your name, and any other personal information that you've given them, and sell to other companies.
They want to make sure that when you go for a domain for yourself, or your business, that you have NO CHOICE but to have Verizon host it - otherwise you won't be able to take advantage of it through your existing Verizon 'net access account.
Were I a Verizon Online customer, which I'm not, I would be furious - even if this policy didn't affect me *now* - as it might in the future.
I'm very glad I went with Speakeasy for my DSL line, and not Verizon. It will be a sad day when Speakeasy implements any kind of policy like this.
As for options existing Verizon customers have - the best option would, of course, be to cancel your Verizon account, tell them the reason, and go with a competitor who has a saner policy. Barring that - is Verizon blocking SMTP sends from DSL customers running their own SMTP servers on static IPs? If not, it might not be a bad idea to pick up a cheap linux box and run Sendmail/Postfix/Exim/Qmail to handle external accounts.
Off topic, of course, but who's replacing him? I'm assuming Satriani and Vai are still doing it -- did they get a third, or are they gonna call it G2 now? ;P
Am I the only one that thought they'd done a novelization of the old PS game series, until reading further? (Biohazard(jp) == Resident Evil(us))
::grin::