Remote attackers may exploit these issues by enticing victims into opening maliciously crafted TIFF files.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.
Because it was an already existing center of high speed data connectivity and so they thought it would be a nice perk to set up a few PCs in the lobby and run a free internet cafe. It's not like they took an existing regular internet cafe and then decided it should be 100Mbit.
If you're going to get all pedantic like that, it should be "100 Mb/s". 'b' = bit, 'B' = Byte. It's not 100 megabytes per second, it's measured in bits.
I'm not a big fan of blogs, but there are occasionally ones that contain useful information and come across with some thought-provoking ideas. I like this idea of the customizable email alert; I get these already from my bank and credit card company, and from CNN, why not a blog?
You can approximate this today with feedrinse.com (which allows you to filter a feed based on search criteria) and rssfwd.com which sends you feeds by email. I think if you combine these creatively you can get emails for blog updates that match a given criteria.
They're really easy to block if you use the right tool. Things like Adblock work for the old-school type of image ads, but that style is slowly being phased out.
For google specifically there is the CustomizeGoogle Fx extension which makes it very simple to remove all text ads across all the google sites.
A more general-purpose tool is the (seemingly little-known) Remove it Permanently (RIP). This lets you specify things to be removed with XPATH queries. If you don't know XPATH you can just right click on any element on the page and choose "Remove permanently" and it will construct an XPATH for that particular object. But the real fun starts when you start making your own XPATH rules. For example, if a page had their text ads in a DIV with ID "textads" you just specify
//div[@id='textads']
Or maybe you want to remove one of the skyscraper things:
//table[@width='700' and @height='80']
The one I use for the nytimes site is:
//div[@id='bColumn' or @id='adxCircBottom' or @id='adxSponLink' or @id='adxLeaderBoard']
These are still really trivial XPATH examples, you can really get extremely sophisticated with it. The point is that it is rather quick and easy to do this, especially when you combine this with the DOM inspector and the Inspect This extension (which allows you to right click on the undesired element and go right to it in the DOM inspector.)
Using these tools you can easily block any part of the page with surgical accuracy, without having to know javascript or search for a Greasemonkey script.
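As an added example (not code from RIP or any of the extensions named above), here is what a RIP-style rule list does under the hood: parse the page, run each XPath rule, and detach every match from its parent. It uses Python's xml.etree.ElementTree on a constructed XHTML fragment; because ElementTree's XPath subset has no `and`/`or` inside a predicate, the thread's `and` rule is written as two chained predicates and its `or` rule as one rule per id.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a page: a stripped-down XHTML fragment carrying the
# element ids and attributes that the thread's rules target.
SAMPLE_PAGE = """<html><body>
<div id="header">Masthead</div>
<div id="textads"><a href="#">Sponsored link</a></div>
<table width="700" height="80"><tr><td>skyscraper banner</td></tr></table>
<table width="300" height="80"><tr><td>layout table, keep</td></tr></table>
<div id="aColumn"><p>Article text</p></div>
<div id="bColumn"><p>sidebar</p></div>
<div id="adxLeaderBoard">leaderboard</div>
</body></html>"""

# RIP-style rule list, rewritten for ElementTree's XPath subset:
#   //table[@width='700' and @height='80']  ->  chained predicates
#   //div[@id='bColumn' or @id=...]          ->  one rule per id
RULES = [
    ".//div[@id='textads']",
    ".//table[@width='700'][@height='80']",
    ".//div[@id='bColumn']",
    ".//div[@id='adxCircBottom']",
    ".//div[@id='adxSponLink']",
    ".//div[@id='adxLeaderBoard']",
]


def remove_matching(markup, rules):
    """Parse the page, delete every element matched by any rule, and return
    (cleaned markup, number of elements removed)."""
    root = ET.fromstring(markup)
    # ElementTree elements carry no parent pointer, so build the map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    removed = 0
    for rule in rules:
        # findall returns a list, so removing while looping over it is safe;
        # an element inside an already-removed subtree is no longer found.
        for el in root.findall(rule):
            parents[el].remove(el)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, count = remove_matching(SAMPLE_PAGE, RULES)
    print(f"removed {count} element(s)")
    print(cleaned)
```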
The music and video compression codecs (like mp3, Xvid, Divx, h.264, mpeg-4) use a specialization of the FFT, the discrete cosine transformation (DCT) because in these applications you don't care about the imaginary part of the input data points (i.e. you're dealing with all real numbers.) You may have seen settings in your video playback options for iDCT - the inverse DCT used by the decoder.
You cannot possibly be suggesting that you can compare some shitty cablemodem to the kind of thing you get at a datacenter. Residential broadband is almost always highly asynchronous (the upload is only a fraction of the download rate), it has tons of restrictions (usage caps, cop-out clauses, etc), and it is typically oversold by ratios of 100:1 or more. This means you aren't actually paying for the true cost of the bandwidth, you are paying a fraction of it because most people don't come anywhere close to using the full amount.
"Real" bandwidth has none of this BS. You get an SLA. You get an engineer on the phone when it breaks. You get a dedicated and provisioned port on a router. You can run it flat out at full duty cycle (100% utilization) continuously without any kind of "you've used too much" bullshit that residential ISPs like to pull. The speeds are synchronous and are contractually guaranteed, none of that "up to X mbps but sometimes much less because you have crappy wiring" stuff. Your equipment is stored in a location that has redundant power supplies, diesel generators, raised floors, heavy duty cooling, and sophisticated fire alarm/control systems.
"Real" bandwidth costs real money. The stuff you get with a cablemodem is not real bandwidth, and it appropriately costs only a fraction. When you realize the difference between the two you will realize that from a cost standpoint comparing what you get from your residential cable company to what a large site like youtube has to use, they are in totally and completely different leagues.
The Forbes article from a few weeks ago states that their bandwidth usage is approximately 200TB per day, the cost of which "may be approaching $1 million a month".
People want to go online and interact with other people. The key to going online is usually quite literally a unique key that is shipped with the game. If you haven't paid for the game, tough luck going online! A copy of the game is therefore useless for 99% of the people interested in playing it.
While this is generally true, I think you underestimate the number of cracked/private servers out there that don't check CD keys. Witness sites like epcgaming.com. Now obviously with a legit CD key your choices are much larger, but if you limit yourself to cracked servers you can still play a lot of multiplayer games online to your heart's content.
Of course I read that. That's not the point. I'm not debating that the driver support at the moment blows.
You made the assertion that this technology requires special software support from the games. That is not true, it is all handled in the driver in a way that is transparent to the app. Yes, it's buggy now, but that is beside the point.
So I guess you missed the part of the article where they played it with about a dozen of today's current most popular games off the shelf. You know, that whole benchmarking part?
Your links are fucked. Hint: you don't type the domain shit in []'s. That's added by slashcode automatically (or not, as the user's preferences dictates.) Line breaks would be a good thing to have too, otherwise your text just looks like a jumbled mass of crap.
You should read it again. And then reread the GPL faq, because you're still wrong. The clause "Accompany it with a written offer, valid for at least three years, to give any third party..." is ONE OF SEVERAL OPTIONS. It is sufficient but not necessary.
If I give one person one binary copy accompanied by one source copy, then I have fulfilled my obligations under 3.a) completely and 3.b) is entirely irrelevant. I have no further requirements to give anyone anything. Now, the person that I gave that binary and source to is free to give it to anyone he chooses, but that has nothing to do with what is required of me.
If I instead choose to use 3.b) and include a written offer rather than including the source with the binary, then that offer must be redeemable by any third party and so I must give anyone who asks a copy of the source. But again, this is an option that I can choose.
The GPL FAQ is very clear that the GPL cannot force a party to redistribute anything that they don't want to. In other words, if I choose to give you a binary then I must also include the text of the GPL and the source with it (or a means of getting the source.) However if I do not wish to give you a copy of the binary, then I have no obligation to you at all, provided I have not chosen 3.b).
From the GPL faq:
If I distribute GPL'd software for a fee, am I required to also make it available to the public without a charge?
No. However, if someone pays your fee and gets a copy, the GPL gives them the freedom to release it to the public, with or without a fee. For example, someone could pay your fee, and then put her copy on a web site for the general public.
I just found out that a company has a copy of a GPL'ed program, and it costs money to get it. Aren't they violating the GPL by not making it available on the Internet?
No. The GPL does not require anyone to use the Internet for distribution. It also does not require anyone in particular to redistribute the program. And (outside of one special case), even if someone does decide to redistribute the program sometimes, the GPL doesn't say he has to distribute a copy to you in particular, or any other person in particular.
What the GPL requires is that he must have the freedom to distribute a copy to you if he wishes to. Once the copyright holder does distribute a copy program to someone, that someone can then redistribute the program to you, or to anyone else, as he sees fit.
That's great and all, but seeing as it's still vaporware it really doesn't do anything to help with the current situation. The original poster is still correct that _right now_ you have to have a modified guest, which puts Xen in a completely different ballpark than VMWare. In a year or two when CPUs start to come out with additional virtualization features then things may change, but until then....
Isn't that the whole point of this exercise? VMWare is encouraging just that. If you look at the list of images currently available on their site, most of them seem along the lines of trying out a linux distro or an app server or some vendor's software. It seems like they're actively encouraging people to make images that people can play with the free player.
Like for example, say you're Oracle and you want to have some way for customers to take a test drive of your software, but you don't want to have to worry about installing and configuring it. Just offer an image of a linux system that's all pre-configured and set up ready to go. The end user gets to try the software in a realistic setting without having to commit to installing anything.
Or maybe you're doing training or certification, and you want to have a downloadable "reference system" that students can practice on or experiment with. They can download the image and the free player and go to town, regardless of what their current operating system is. And they don't have to worry about messing anything up, they can always hit the virtual reset button.
Wow, you so totally don't understand the point of placeholders.
No matter what the value of the bound variable, you cannot escape out of the quotes and write an SQL injection. That's the entire point of the exercise. It's not just a simple "search for ? and replace it with this" operation. It's explicitly telling the database, "you don't have to even bother parsing the contents of this variable, for it contains pure data and no SQL." In your example this means it will return rows in x where the column p contains the literal string "1; delete employees;".
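The point above, shown as an added example (not the original poster's code) using SQLite through Python's sqlite3 module, which is an assumption; the table x, column p and the string "1; delete employees;" are the thread's. The bound query matches the literal string, and a quote-bearing value cannot break out of the placeholder, whereas the same value spliced into the SQL text changes the statement itself.

```python
import sqlite3


def make_db():
    """Constructed sample data: table x with a text column p, as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE x (p TEXT)")
    conn.executemany("INSERT INTO x (p) VALUES (?)",
                     [("1",), ("1; delete employees;",), ("hello",)])
    return conn


def lookup_bound(conn, value):
    """Placeholder version: the driver hands `value` to the database as data,
    so it is compared against column p literally and is never parsed as SQL."""
    rows = conn.execute("SELECT p FROM x WHERE p = ? ORDER BY rowid", (value,))
    return [r[0] for r in rows]


def unsafe_sql_text(value):
    """The pattern placeholders replace: build the statement by string splicing.
    Returned separately so the resulting SQL text can be inspected."""
    return "SELECT p FROM x WHERE p = '" + value + "' ORDER BY rowid"


def lookup_concat(conn, value):
    """Execute the spliced statement. A value containing a quote closes the
    string literal early and the remainder becomes part of the WHERE clause."""
    return [r[0] for r in conn.execute(unsafe_sql_text(value))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "1; delete employees;"))   # literal match only
    print(lookup_bound(db, "' OR '1'='1"))            # no row has that text
    print(lookup_concat(db, "' OR '1'='1"))           # quote escaped: every row
```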
As an analogy, consider the case of PHP and its register_globals setting. Originally this defaulted to 'on' but this puts great pressure on the author of the code to take extra care not to introduce serious security bugs, and it was widely recommended that people disable this and not write scripts that depend on it.
I guess the PHP developers got tired of being blamed for all the shoddy PHP code out there, so a few years ago they changed the stock default to 'off'. Yet there are still lots of (dare I say POORLY WRITTEN) scripts out there that require register_globals=on despite the fact that this is generally a bad idea. So even today you still find entire servers running with register_globals=on just because some dinky script needs it.
If that is any indication, it means that many/most MySQL sites will continue to run with strict checking disabled, because a) people don't know any better, b) it's the default, and c) there are probably deployed applications that break with it turned on. And even if they eventually make it enabled by default, people will still continue to rely on the old behavior. Though in this case I think the setting can be enabled per-connection, rather than being a server-wide setting -- but I'm not positive.
Can you then redistribute that package, and if anybody asks for the source, point them to the developers' site?
No, this is not okay. There is a question in the GPL faq that explains this, but I'm too lazy to look up a link.
Basically, if you distribute binaries you must also make available the source needed to build those binaries even if both the binaries and source are taken verbatim from somewhere else. You have to host it yourself. The reason you can't just say "go download the source from foobar.com" is that if for some reason foobar.com went offline tomorrow, never to return, you would suddenly be in violation of the GPL.
If you took binaries from a third party and modified them slightly (changing the filename or icons or whatever) you are still obligated to provide the source that is necessary to build those binaries. So if you modified the Makefile to use a different icon or something, you are obligated to package up that modified Makefile into a source package and distribute it alongside the binary. Since you're already required to do this even if you make no changes to the binary, it's really not any more of an imposition.
No, that's still not correct. The person/company that distributes the binary only has an obligation to provide the source to people that it has given the binary to. There is absolutely nothing that says "any third party" has to be able to get the source code, because the person/company has no relationship to random third parties, only those that it has given a copy of the binary. You may have thought this was the case because *most* GPL software is given out freely, but it doesn't have to be so. Go read the GPL faq again.
Example 1: I write a GPL program, and I give a single copy of the binary to my friend Bob and no one else. The only person I am obligated to give the source code to is Bob. Anyone else that asks me for it, I can tell to go to hell. However, Bob can of course turn around and give out the binary and source to anyone and everyone. But that's no longer my responsibility any more, because I've already met all my obligations by giving the source to Bob.
Example 2: A company has a commercial product based on GPL source code. It charges $300 for this product. If you pay them $300, you get a copy of the binary, as well as a password to a protected area of the web site to download the source if you want it. This company is under absolutely no obligation whatsoever to give the source code to anyone but those people who have paid $300 and gotten a copy of the binaries. However, any one of those people that have paid the $300 can turn around and give the binary and source to anyone and everyone at no charge. But again, that has nothing to do with the obligations of the Company, which are met by offering the source to the customers that have received the binaries.
+1 Spaceballs
Check for a malfunctioning humor unit in this one.
Yes, you're right. I meant asymmetrical not asynchronous.
Next time send it to the Norman sandbox or virustotal.
http://www.geocities.com/rjpoling/MacOS/dvorak/dvorak_powerbook.jpg
http://www.sil.org/computing/catalog/show_software.asp?id=94
http://www.acm.vt.edu/~jmaxwell/dvorak/comparePage.html
This will be a great help for all the slashdot readers that are not already familiar with Penny Arcade.... all three of them.
That, and it's not turned on by default.