Actually, the cookie spec says that web sites have to do what the Europeans propose:
6. PRIVACY
Informed consent should guide the design of systems that use cookies.
A user should be able to find out how a web site plans to use
information in a cookie and should be able to choose whether or not
those policies are acceptable. Both the user agent and the origin
server must assist informed consent.
Note the wording: "Both the user agent and the original server must assist informed consent."
Its not optional (it says "must", not "may"), and it's not something that the web server can simply delegate to the user agent (browser). If your web site doesn't do this, your site is broken according to the RFC. the Europeans want to bring web sites into conformity with the spec. How is that a bad thing?
First, the cookie spec is in complete agreement with the European law:
6. PRIVACY
Informed consent should guide the design of systems that use cookies.
A user should be able to find out how a web site plans to use
information in a cookie and should be able to choose whether or not
those policies are acceptable. Both the user agent and the origin
server must assist informed consent.
Now as for your:
Session or server-side variables may also be used for this, but that's more work for the web designer, who usually is up to his neck trying to support different versions of IE misbehavior.
So the real problem, like always, is Microsoft:-)
The real problem is that cookies have really been abused by "web designers." Real programmers don't like them for several reasons:
We're mostly privacy nuts. We know how data can be misused because we've seen it happen up close and dirty too many times;
The spec makes it clear that there is a very low bound as to the number of cookies that conforming browsers need to support - see section 5.3 - 300 cookies total, 4k per cookie, 20 cookies per site.
Applications should use as few and as small cookies as possible, and
they should cope gracefully with the loss of a cookie.
5.3.1 Denial of Service Attacks User agents MAY choose to set an
upper bound on the number of cookies to be stored from a given host
or domain name or on the size of the cookie information. Otherwise a
malicious server could attempt to flood a user agent with many
cookies, or large cookies, on successive responses, which would force
out cookies the user agent had received from other servers. However,
the minima specified above SHOULD still be supported.
But as I note at the bottom, it's not just a security issue - it's also a performance issue. (and this ignores the fact that certain versions of IE fail to meet the minimum of 4k per cookie, failing at 2083 bytes, while some other browsers stupidly allow over 100k per cookie as a "feature".
Cookies leak information
Cookies can be turned off, so depending on them is, by definition bad programming
Poor performance over time. We're seeing slowdowns in browsers because of the enormous number of cookies that are stored. Like your browser cache, your cookie cache takes time to read in, parse out, and search, so your browser does slow down over its' lifetime, in part, because of scads of cookies.
Third-party tracking doesn't require cookies. You're either misinformed, unimaginative, lazy, or some combination of those three. No cookie for YOU!
Okay - that was harsh. Look, you've been misinformed about how you "need" cookies to track stuff. You don't - but programmers are just as much a bunch of lazy shits when we're not scratching our own itches as anyone else.
There's enough blame to go around for everyone, and this article is just more FUD and people looking for page hits so they can make a few bucks keeping the unwashed masses in an OMG hysterical state. Like Fox News.
You can use php sessions without cookies. Search for "php sessions without cookies". It's all there. And turn in your programmers' card because you didn't know something as basic as that.
I guess you'd prefer we stored it all in the query string and pass it from page to page? Guess what,that's where we're headed. That, or every link becomes a POST.
Either one works without cookies. Or you could just pass along a unique session identifier. You can also do it via ajax - again no cookies required.
You don't need cookies for a shopping cart. You don't need cookies to track someone who is logged in. Ajax, or even hidden variables in a POST request, work fine.
You don't need cookies to do usability testing - you can track mouse movements and keypresses in real time with javascript and log them to the server. Most of us would rightfully consider that level of intrusiveness as spyware.
You don't need cookies to make a fully functioning web site.
You don't even need cookies for affiliate marketing (unfortunately - the sooner "affiliate marketing" dies, the better).
Everything cookies do today, you can do without cookies.
... except that the file should be handled as either an swf or a zip - if the browser handles it as both, for any reason, then it's the browser implementation that is broken.
For example, if the browser says "all files that end in ".zip" , I'll do "x" with them, AND says "all files that have a header that begins with the magic number for an swf, I'll do "y" with them, so that you cat the swf and the zip and you can end up running both plugins, it's a broken browser.
FILE_TYPE_MASK tile_type_mask = 0x00;
if_file_has_swf_header( file_type_mask += IS_SWF);
if_file_has_zip_ext() {file_type_mask +=IS_ZIP};
if_file_has_doc_ext() {file_type_mask +=IS_DOC};
// at this point, the invalid file sets the mask to 0x03, (both swf and zip bits set)
switch (file_type_mask) {
case IS_SWF: some code; break;
case IS_ZIP: some code; break;
case IS_DOC: some code; break;
default: unknown_or_corrupt_file();
}
// since file_type_mask doesn't match any of the valid values, it calls the unknown_or_corrupt_file() routine.
In the second example, your file is completely ignored, because it has more than one bit in the mask set, It isn't recognized as a valid swf, and it isn't recognized as a valid zip. The browser doesn't try to load it in the flash plugin, and doesn't try to display the zipped contents either.
All code should have one execution path or "choke point" for stuff like this. If your code doesn't, it's an indication that you need to refactor. If you have a waterfall of if statements, you have a logic fart waiting to stink up the place.
The article is bullshit, and your comment is also misinformed. Read what you wrote after the stuff you quoted:
Short of rewriting everything that has anything to do with several popular formats, you're out of luck
The very first rule is "be restrictive in what you allow."
Anyone uploading an swf with a jpg extension is going to find that they're fucked on anything I'd write, simply because when I call code to resize it and convert it to a png, the swf is going to get really mangled, isn't it... so your renaming "sploit" isn't going to work.
This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs
If it's not running on the server, and it's not running in the client browser, I don't give a shit what it contains - it's not my problem, and it doesn't affect what I'm doing. I'm not going to use jars from joe q public in my code, it'll be a cold day in hell when I use MSOOXML, xpi files suck, and I'm certainly not going to take an untrusted zip file, unzip it, and use it. And the stuff you quote agrees with me:
the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.
Only an idiot trusts crap uploaded by the general public.
How, you do ask, is such a prepared file going to be uploaded? A worm that intercepts uploads in the browser, for example. I was able to come up with this in two minuttes (sic), I'm sure that any self-respecting blackhat hacker will as well.
The source is irrelevant - the simple fact is that if you trust end-user-supplied data, you're either on drugs, or you should be. BTW - Your statement "worm that intercepts uploads in the browser" doesn't even parse. Go back to your bong.
I read the article, and I agree with Adobe for once. This is TOTAL bullshit. Anyone who is stupid enough to code an app to fall for this should be fired immediately. This is on the same juvenile level as using javascript to validate data client-side. IOW, 1995 called and wants their "vulnerability" back.
Anti-viruses? Go play with a real operating system for a decade or two.
"All they need to do is create a malicious Flash object, and upload it to the [Web] server."
He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."
Since when are you going to allow someone to upload an swf for an avatar. It's going to get creamed when you resize it via php anyway.
This is the same "vulnerability" you'd have by allowing people to upload php code, or perl code, or javascript, to your server and you sending it out without doing ANY validation.
In other words, it's not a vulnerability, it's a symptom of totally bonehead design and someone looking for page hits.
What next - "All Windows Versions of Apache Vulnerable To.EXE Exploit" - where they'll say that if you allow people to upload.exe files to your site and blindly execute them, BAD THINGS (TM) will happen?
This belongs in idle.slashdot.org - it's not news, it's so bad it's not even wrong.
If they don't want to learn to use linux, tell them to get a mac and be done with it.
if they don't want to learn linux, why do you think they would want to learn using a mac? (for anyone with years of windows experience ingrained, there IS a learning curve either way)
I've noticed that humans are illogical, Captain. They won't take the time to learn something that's free and can save them money, but they'll take the time to learn something that they spent money on and will continue to cost them money. Even tribbles act more logically.
How would that save energy and transportation costs, which were your argument for telepresence?
For example, the telepresence unit could already be standard equipment in the home, just operated by the professional who has the particular expertise. So - plumber, electrician, dog-walker, home care worker, elderly assistant, whatever.
Or units could be like taxi cabs - they could have a local stand where they're parked and recharged when not needed.
Use your imagination. There are plenty of ways this can work.
im going to have to agree. I'm dyslexic and am working on my Ph.D in Computer Science. Also, everyone in my house is using Linux now too since I refused to support Windows any longer. There hasn't been a single problem since. Dyslexics Untie!
All you dyslexic linux worshipers - linux is the work of Santa, not Dog!
Read the subject line carefully - "Bank of Arnerica" - it isn't spelled "B a n k [space] o f [space] A m e r i c a" either in the subject or on this line.
Scammers will always find a way.
Older people and crappy monitors don't mix well.
If something "looks" familiar, people see what they expect, not what's really there. Look at how you thought it was "Bank of America."
Get a mac or install linux. Staying with Windows? You might want to see what Einstein said about people who do the same thing over and over and expect different results.
In your situation, a mac will pay for itself. If they don't want to learn to use linux, tell them to get a mac and be done with it.
Sure, they'll have to learn how to do a few things differently... but they're obviously going to have to anyway, so have them bite the bullet one way or another and be done with it.
If you don't, or don't stand firm, you have only yourself to blame next time you waste a weekend.
That doesn't seem to solve his worry about using computers without Firefox installed.
On reconsideration, any machine that he does not personally control simply has no acceptable solution if you want to be reasonably secure. A copy of firefox run off a thumb drives don't do it (copies of data on the hd swap file, keyloggers, malware, etc). Installing Firefox on the target doesn't do it either, for the same reason. Booting off the thumb drive? Thumb drives get lost/forgotten all the time. The real "solution" is simple, but inconvenient - don't use other people's machines.
Example: I would never use someone else's machine to do my online banking. Generally, when I need to use a computer somewhere, except at home or work, I bring on of my own. Part of that is because I'd rather use linux on my laptop than struggle with Windows on their desktop, part is "it just works", but even then, I wouldn't access anything sensitive from someone else's network. It's just not necessary. Plus it also gets out of the whole issue of other forms of leakage, such as shoulder surfing, web cams or security cams grabbing your keystrokes (I was actually able to do that once, just to show it was possible with a 25x PTZ camera)., etc.
Even less sensitive stuff, it's a hassle. I made the mistake of logging in to one account from a known-safe machine (only used linux and bsd) over a compromised network. Oh, the pain. No "serious" damage done, but still a PITA. Took a few hours to track down which Windows box had a chat session connected to a machine with a.ru domain... nowadays it's almost always.ru (russia) or.cn (china) or.ua (ukraine).
What can you do - it is what it is. All security is a balancing act - managing risk against ease of use. As one pundit said - the only completely secure machine is an unplugged machine - with the hard drive, cpu, and ram removed and run through a shredder (and all post-it notes removed from monitors, under the keyboard, and inside the case).
Meh, I rarely use sudo. I guess I'm just not too used to it. So su me.
Everyone knows any real BOfH uses the root account, even if they're not supposed to. Hmmm - let me be the first to fix that - Especially if they're not supposed to.
identifiers for rights? Try ls -l and you'll see something like drwxrwxrwx, defining a mask of all, group, and individual user rights to read, write, or execute (or in the case of directories, cd into).
association with the user? right there - the user # (though ls translates it into the user name if it's available).
frequency of use? Not really needed, but sure - acl logging (acl == access control list). As well as ctime (creation time), mtime (modification time) and atime (last access time - you should disable this if yo want a faster system, or leave it enabled if you want to monitor when a file was last accessed).
In other words, it's all there. Nothing original or groundbreaking.
Adding a GUI is no more "creative" and "non-obvious" than adding "on the Internet".
Then again, it might be non-obvious to Microsoft. Does anyone remember if Microsoft XENIX had a sudo equivalent? It would be nice to use something from them from a quarter-century ago as prior art.
There are specifications and laws for minimum yellow light duration. Cities that have gone below that can and have been forced to give back the money
Do you really believe that has completely stopped it from happeneing (sic), if so I have a bridge to sell you.
You need to work on your reading comprehension, Skippy. It's obvious from my post that I don't believe it prevents it - but that there ARE remedies available when they DO infringe the statutes.
They've already stated it will only do gross motions
Oh, so it's an interactive pr0n add-on... thanks for clearing that up. Now I don't feel so ridiculous inviting people to come over and play with my Wii.
Yeah.. and what's the attach rate? I have a Wii and an Xbox. I have bought maybe 3 games for the Wii since I got it and rarely play it. I buy like 5 games a year for the 360. And I'm not the only one, look at the numbers.
I bought mine at the end of February, when they FINALLY had some in stock.
So, immediately bought a half-dozen games, a second controller and nunchuk
A week later, bought more games, a wii fit, 2 more controllers and nunchuks, batter packs + rechargers for all the controllers and a battery pack and recharger for the fit.
Bought more games.... 4 steering wheels
Bought more games....
Bought an up-scaling 50" 600hz plasma TV and a nice sound system to play them on a few months ago.
Bought Wii Resort + a spare motion plus add-on.
So, I've bought almost 3 dozen games, a full set of controllers and other add-ons, and I'm just waiting for the release of some other motionplus games that (1) I'm interested in or I think others will play and (2) have motionplus bundles.
Total cost so far this year (console, games, controllers, TV, sound system) is over $5k.
The real problem with the Wii is that people buy a couple of crap games in the bargain bin and go "Is that all there is?" Make a proper investment in a decent game library, and you'll have something for everyone, and you'll also get more of your money's worth. Just don't buy Wii Music or some of the other shovelware games.
Consider this: I hadn't even thought about buying any of the other consoles, or their previous incarnations - trying out my daughters' Wii last Christmas is what got me wanting one. Since then, she's sold hers to a friend because they wanted one and couldn't afford to buy retail, and she doesn't have the time (between work and university, she has one day off, which she reserves for a noon-time breakfast with me and taking care of everything else she has to do). She's even thinking of getting rid of her 60" TV because she just doesn't have the TIME to watch it. She figures (probably correctly) that when she again has time, she'll be able to replace it all with better, cheaper. with the recent price reduction in the Wii, she's already almost there on that. It has nothing to do with disappointment with the product itself - for example, she really enjoys Frisbee Golf.
That's the one thing I've found, and others as well - we don't have the TIME to play. So when we do, we really like that we can just pass Wiimotes around to the guests and just get into it.
Actually, the cookie spec says that web sites have to do what the Europeans propose:
Note the wording: "Both the user agent and the original server must assist informed consent."
Its not optional (it says "must", not "may"), and it's not something that the web server can simply delegate to the user agent (browser). If your web site doesn't do this, your site is broken according to the RFC. the Europeans want to bring web sites into conformity with the spec. How is that a bad thing?
First, the cookie spec is in complete agreement with the European law:
Now as for your:
So the real problem, like always, is Microsoft :-)
The real problem is that cookies have really been abused by "web designers." Real programmers don't like them for several reasons:
But as I note at the bottom, it's not just a security issue - it's also a performance issue. (and this ignores the fact that certain versions of IE fail to meet the minimum of 4k per cookie, failing at 2083 bytes, while some other browsers stupidly allow over 100k per cookie as a "feature".
Third-party tracking doesn't require cookies. You're either misinformed, unimaginative, lazy, or some combination of those three. No cookie for YOU!
Okay - that was harsh. Look, you've been misinformed about how you "need" cookies to track stuff. You don't - but programmers are just as much a bunch of lazy shits when we're not scratching our own itches as anyone else.
There's enough blame to go around for everyone, and this article is just more FUD and people looking for page hits so they can make a few bucks keeping the unwashed masses in an OMG hysterical state. Like Fox News.
You can use php sessions without cookies. Search for "php sessions without cookies". It's all there. And turn in your programmers' card because you didn't know something as basic as that.
Either one works without cookies. Or you could just pass along a unique session identifier. You can also do it via ajax - again no cookies required.
As for affiliate marketing - let it die.
You don't need cookies for a shopping cart. You don't need cookies to track someone who is logged in. Ajax, or even hidden variables in a POST request, work fine.
You don't need cookies to do usability testing - you can track mouse movements and keypresses in real time with javascript and log them to the server. Most of us would rightfully consider that level of intrusiveness as spyware.
You don't need cookies to make a fully functioning web site.
You don't even need cookies for affiliate marketing (unfortunately - the sooner "affiliate marketing" dies, the better).
Everything cookies do today, you can do without cookies.
... except that the file should be handled as either an swf or a zip - if the browser handles it as both, for any reason, then it's the browser implementation that is broken.
For example, if the browser says "all files that end in ".zip" , I'll do "x" with them, AND says "all files that have a header that begins with the magic number for an swf, I'll do "y" with them, so that you cat the swf and the zip and you can end up running both plugins, it's a broken browser.
To illustrate:
BAD:
if_file_has_swf_header() {code}
if_file_has_zip_ext() {code}
A file with an swf header and a zip extension runs both pieces of code. Bad programmer. BAD programmer. No treat for you!
GOOD:
#define IS_SWF 0x01;
#define IS_ZIP 0x02;
#define IS_DOC 0x04;
FILE_TYPE_MASK tile_type_mask = 0x00;
// at this point, the invalid file sets the mask to 0x03, (both swf and zip bits set)
// since file_type_mask doesn't match any of the valid values, it calls the unknown_or_corrupt_file() routine.
if_file_has_swf_header( file_type_mask += IS_SWF);
if_file_has_zip_ext() {file_type_mask +=IS_ZIP};
if_file_has_doc_ext() {file_type_mask +=IS_DOC};
switch (file_type_mask) {
case IS_SWF: some code; break;
case IS_ZIP: some code; break;
case IS_DOC: some code; break;
default: unknown_or_corrupt_file();
}
In the second example, your file is completely ignored, because it has more than one bit in the mask set, It isn't recognized as a valid swf, and it isn't recognized as a valid zip. The browser doesn't try to load it in the flash plugin, and doesn't try to display the zipped contents either.
All code should have one execution path or "choke point" for stuff like this. If your code doesn't, it's an indication that you need to refactor. If you have a waterfall of if statements, you have a logic fart waiting to stink up the place.
The article is bullshit, and your comment is also misinformed. Read what you wrote after the stuff you quoted:
The very first rule is "be restrictive in what you allow."
Anyone uploading an swf with a jpg extension is going to find that they're fucked on anything I'd write, simply because when I call code to resize it and convert it to a png, the swf is going to get really mangled, isn't it ... so your renaming "sploit" isn't going to work.
If it's not running on the server, and it's not running in the client browser, I don't give a shit what it contains - it's not my problem, and it doesn't affect what I'm doing. I'm not going to use jars from joe q public in my code, it'll be a cold day in hell when I use MSOOXML, xpi files suck, and I'm certainly not going to take an untrusted zip file, unzip it, and use it. And the stuff you quote agrees with me:
Only an idiot trusts crap uploaded by the general public.
The source is irrelevant - the simple fact is that if you trust end-user-supplied data, you're either on drugs, or you should be. BTW - Your statement "worm that intercepts uploads in the browser" doesn't even parse. Go back to your bong.
I read the article, and I agree with Adobe for once. This is TOTAL bullshit. Anyone who is stupid enough to code an app to fall for this should be fired immediately. This is on the same juvenile level as using javascript to validate data client-side. IOW, 1995 called and wants their "vulnerability" back.
Anti-viruses? Go play with a real operating system for a decade or two.
Sheesh, kids these days ... *grumble grumble*
Example from the article:
Since when are you going to allow someone to upload an swf for an avatar. It's going to get creamed when you resize it via php anyway.
This is the same "vulnerability" you'd have by allowing people to upload php code, or perl code, or javascript, to your server and you sending it out without doing ANY validation.
In other words, it's not a vulnerability, it's a symptom of totally bonehead design and someone looking for page hits.
What next - "All Windows Versions of Apache Vulnerable To .EXE Exploit" - where they'll say that if you allow people to upload .exe files to your site and blindly execute them, BAD THINGS (TM) will happen?
This belongs in idle.slashdot.org - it's not news, it's so bad it's not even wrong.
Kind of ironic that an article that warns about flash vulnerabilities as:
Oh, wait - it's ComputerWorld. Sorry, I had my expectations too high.
I've noticed that humans are illogical, Captain. They won't take the time to learn something that's free and can save them money, but they'll take the time to learn something that they spent money on and will continue to cost them money. Even tribbles act more logically.
For example, the telepresence unit could already be standard equipment in the home, just operated by the professional who has the particular expertise. So - plumber, electrician, dog-walker, home care worker, elderly assistant, whatever.
Or units could be like taxi cabs - they could have a local stand where they're parked and recharged when not needed.
Use your imagination. There are plenty of ways this can work.
All you dyslexic linux worshipers - linux is the work of Santa, not Dog!
Read the subject line carefully - "Bank of Arnerica" - it isn't spelled "B a n k [space] o f [space] A m e r i c a" either in the subject or on this line.
Get a mac or install linux. Staying with Windows? You might want to see what Einstein said about people who do the same thing over and over and expect different results.
In your situation, a mac will pay for itself. If they don't want to learn to use linux, tell them to get a mac and be done with it.
Sure, they'll have to learn how to do a few things differently ... but they're obviously going to have to anyway, so have them bite the bullet one way or another and be done with it.
If you don't, or don't stand firm, you have only yourself to blame next time you waste a weekend.
Your original point, to which I responded, was:
On reconsideration, any machine that he does not personally control simply has no acceptable solution if you want to be reasonably secure. A copy of firefox run off a thumb drives don't do it (copies of data on the hd swap file, keyloggers, malware, etc). Installing Firefox on the target doesn't do it either, for the same reason. Booting off the thumb drive? Thumb drives get lost/forgotten all the time. The real "solution" is simple, but inconvenient - don't use other people's machines.
Example: I would never use someone else's machine to do my online banking. Generally, when I need to use a computer somewhere, except at home or work, I bring on of my own. Part of that is because I'd rather use linux on my laptop than struggle with Windows on their desktop, part is "it just works", but even then, I wouldn't access anything sensitive from someone else's network. It's just not necessary. Plus it also gets out of the whole issue of other forms of leakage, such as shoulder surfing, web cams or security cams grabbing your keystrokes (I was actually able to do that once, just to show it was possible with a 25x PTZ camera)., etc.
Even less sensitive stuff, it's a hassle. I made the mistake of logging in to one account from a known-safe machine (only used linux and bsd) over a compromised network. Oh, the pain. No "serious" damage done, but still a PITA. Took a few hours to track down which Windows box had a chat session connected to a machine with a .ru domain ... nowadays it's almost always .ru (russia) or .cn (china) or .ua (ukraine).
What can you do - it is what it is. All security is a balancing act - managing risk against ease of use. As one pundit said - the only completely secure machine is an unplugged machine - with the hard drive, cpu, and ram removed and run through a shredder (and all post-it notes removed from monitors, under the keyboard, and inside the case).
A well-reasoned and intelligent discussion from someone posting AC. Pity ... kind of hard to add you to the "friends" list ...
Everyone knows any real BOfH uses the root account, even if they're not supposed to. Hmmm - let me be the first to fix that - Especially if they're not supposed to.
identifiers for rights? Try ls -l and you'll see something like drwxrwxrwx, defining a mask of all, group, and individual user rights to read, write, or execute (or in the case of directories, cd into).
association with the user? right there - the user # (though ls translates it into the user name if it's available).
frequency of use? Not really needed, but sure - acl logging (acl == access control list). As well as ctime (creation time), mtime (modification time) and atime (last access time - you should disable this if yo want a faster system, or leave it enabled if you want to monitor when a file was last accessed).
In other words, it's all there. Nothing original or groundbreaking.
Adding a GUI is no more "creative" and "non-obvious" than adding "on the Internet".
Then again, it might be non-obvious to Microsoft. Does anyone remember if Microsoft XENIX had a sudo equivalent? It would be nice to use something from them from a quarter-century ago as prior art.
You need to work on your reading comprehension, Skippy. It's obvious from my post that I don't believe it prevents it - but that there ARE remedies available when they DO infringe the statutes.
Oh, so it's an interactive pr0n add-on ... thanks for clearing that up. Now I don't feel so ridiculous inviting people to come over and play with my Wii.
I bought mine at the end of February, when they FINALLY had some in stock.
So, immediately bought a half-dozen games, a second controller and nunchuk
A week later, bought more games, a wii fit, 2 more controllers and nunchuks, batter packs + rechargers for all the controllers and a battery pack and recharger for the fit.
Bought more games.... 4 steering wheels
Bought more games....
Bought an up-scaling 50" 600hz plasma TV and a nice sound system to play them on a few months ago.
Bought Wii Resort + a spare motion plus add-on.
So, I've bought almost 3 dozen games, a full set of controllers and other add-ons, and I'm just waiting for the release of some other motionplus games that (1) I'm interested in or I think others will play and (2) have motionplus bundles.
Total cost so far this year (console, games, controllers, TV, sound system) is over $5k.
The real problem with the Wii is that people buy a couple of crap games in the bargain bin and go "Is that all there is?" Make a proper investment in a decent game library, and you'll have something for everyone, and you'll also get more of your money's worth. Just don't buy Wii Music or some of the other shovelware games.
Consider this: I hadn't even thought about buying any of the other consoles, or their previous incarnations - trying out my daughters' Wii last Christmas is what got me wanting one. Since then, she's sold hers to a friend because they wanted one and couldn't afford to buy retail, and she doesn't have the time (between work and university, she has one day off, which she reserves for a noon-time breakfast with me and taking care of everything else she has to do). She's even thinking of getting rid of her 60" TV because she just doesn't have the TIME to watch it. She figures (probably correctly) that when she again has time, she'll be able to replace it all with better, cheaper. with the recent price reduction in the Wii, she's already almost there on that. It has nothing to do with disappointment with the product itself - for example, she really enjoys Frisbee Golf.
That's the one thing I've found, and others as well - we don't have the TIME to play. So when we do, we really like that we can just pass Wiimotes around to the guests and just get into it.