Cross Site Scripting is a recently recognized problem on the 'net. IIS may still be vulnerable to similar problems (Microsoft apparently doesn't consider the issue to be that important). The other patches were (AFAIK) precautionary -- not in response to known exploits.
The first malfunction (hydraulic sensors) occurred a couple of minutes before the breakup, and things snowballed from there. The interior of the left wing was getting hot. The 4 specialists in the lower cabin may not have known that anything was wrong, but the 3 in the command/pilot chairs probably knew that shit was approaching the fan.
After loss of stability, the shuttle is said to have been tumbling slowly. The crew could have easily survived until the cabin was ripped open and winds ripped off body parts and/or broke bones. As a worst case, they might have survived for minutes -- burning and asphyxiating as their cabin ripped and burned apart about them.
It's not falling off the horse that makes Reeve a hero. It's what he did after the tragedy. Similarly, I don't view the miners who get trapped in a mine as heroes -- I have far more respect for the people who went in after them, risking their lives to get their colleagues out. What people celebrate is the fact that their loved ones were rescued.
This is, similarly, why I consider the firefighters and police who died at the World Trade Centre to be far more heroic and deserving of an Arlington burial than the pilot who got his throat slit by the hijackers (or simply let them take control of the plane, expecting a 'normal' hijacking).
Wasn't there a post on Slashdot a few months ago saying something like 80% of Linux boxes weren't patched and were vulnerable?
I'm not sure what that 80% refers to, or even if it's accurate. Even if it is, many Linux 'fixes' would never even be considered for patching by MS. Linux fixes range from the benign and theoretical to the very serious. Linux patches are generally released almost immediately after a bug is found that might (in theory) be exploited, or used as part of an exploit. (e.g. someone finds the possibility of a buffer or stack overflow).
Windows patches, on the other hand, often aren't released until somebody proves that a bug is exploitable/exploited. Even when a proof of concept (or even wild) exploit is made available, security experts sometimes have to argue with MS about whether the exploit is serious enough to be worth fixing. I remember one recent case where MS downgraded a pair of bugs as minor and refused to release a fix. When frustrated security experts were able to combine those bugs to enable arbitrary command execution (their sample code: format a hard drive), they were criticized for not giving MS advance warning(!).
Nonetheless, when MS finally released the fix for these same bugs, they classified them as moderate. Some people think that, having just released one critical patch, they didn't want to face the embarrassment of two severe bug fixes in one week.
Because Windows patches are rarely released until the problem is both proven and serious, MS security patches are far more critical to install. Unfortunately, MS security patches are also problem plagued. System admins have no way of knowing exactly what a patch will do. Some patches undo each other, some patches break other (sometimes seemingly unrelated) systems. Because of the nature of closed source, system admins who have problems with a patch can find themselves stuck between a rock and a hard place. They can either install the patch and break their installation, or leave the system unpatched. In either case, they must beg for a compatible fix. The OS solution of engineering their own patch is generally not feasible -- possibly even illegal.
Both the cost and public embarrassment of repeated fixes to a given problem discourage MS from releasing patches against bug fixes. Lack of the ability of a customer to provide -- much less prove -- their own version of a fix exacerbates the problem.
In this environment of fear, uncertainty and doubt, an MS system administrator must decide if, when and how to install their patch. Sometimes they get it wrong.
Linux admins face a similar problem, but with a good deal more information and control. Systems are generally more compartmented, so interactions between parts are better understood. If installation of a patch causes problems, users have the ability to examine the source code of the changes, get an exact understanding of what they're doing and determine whether their best course of action is to patch the patch or fix the problem elsewhere. If the solution turns out to be a further patch, they have the ability to release their own fix in hopes of having it folded back into the 'official' distribution. This is an option which most MS users will probably never have.
In the chatter about Israel's first astronaut, Ilan Ramon, it seems to be forgotten that Kalpana Chawla was born in India, and got her BSc there, before getting her PhD in the US. Although she now appears to be a US citizen, I would expect that India has been very proud of her, and is probably as much in mourning at her loss as Israel is at the loss of Ramon.
(12 extra characters) Probably won't work on an IBM (EBCDIC) system.
If this fixes it, then it's a browser-translation-induced problem, not a Perl problem. The equivalent in C++ would have failed in exactly the same way.
I think that it may be a browser-related issue: I'm betting that you cut and pasted from Mozilla in all three test cases, while your friend possibly used IE (at least under Windows). For VMS, I'm betting (s)he used Lynx.
In any case, I'm thinking that the problem is that Mozilla copies the program as one continuous block, while under the other viewers it gets copied as a multi-line string, and this messes with the translation (most notably the HTTP string).
In your y translation string, try translating \x0a (and probably \x0d, too) to nothing, using the 'd' modifier.
I doubt that patching OpenBSD is as easy as opening the default browser, clicking on the Tools toolbar and clicking Windows Update.
If OpenBSD had as many serious security patches as Windows, somebody would probably get around to writing something like that :-). Then again, if it was as buggy as Windows, it wouldn't be OpenBSD.
Red Hat has their Red Hat Network which does easy updates. I have my own package that I use instead (mostly 'cause I'm used to it). If I'd wanted to, I could probably modify it to work with OpenSSH but, so far, it really hasn't been worth it (my OpenBSD box is used as a firewall, so it has a lot less loaded on it to begin with (on a 500MB disk) -- thus a lot less to patch).
When playing with servers, patching a system is often much more than just blindly installing the latest patch (especially with Windows). One also has to check to make sure that the patch doesn't also break something critical. From an operational point of view, there isn't much of a difference between a system brought down by the most recent worm and one brought down by the most recent patch.
Of course, unlike the Open Source world, you almost never have the option of back-porting the most recent patch to your system if the 'product updates' included with a patch break your software. (Actually, according to the most recent M$ EULA, you may not even have the right to wait until you can fix your software to survive the latest patch.)
From the video (or the 3-frame JPG) of his test fire, it looks like the blue curly trail from the Quake gun isn't actually that far from reality...
Granted, it appears to have occurred as a result of a malfunction (too short a burst -> mild projectile vaporization), but -- hey, you can't have everything!
Who has an estimate on how long it will take for the Army to outfit its troops with anti-personnel rocket launchers?
Anti-personnel launchers are (by some reports) considered inhumane (and thus illegal for warfare use). Personnel rocket launchers, on the other hand, have been around since at least the Second World War (Allies called them bazookas. I always thought that Germans called them panzerhausers, but apparently they called them Panzerschreck.)
They're also a method for the signatory nations to assert their commitment to humane-ness, even (especially!) in the brutalizing context of war.
More like only in the context of war.
The weird thing about the Geneva Convention is that weapons that are considered illegal for your soldiers to use against soldiers of another country are sometimes considered quite legal for use against civilians of your own country (where the Geneva Convention doesn't apply). Police use of hollow point bullets is an example.
Why use the government to quiet those with whom you do not agree?
That's what Clear Channel has done. They've taken control of most of the more popular radio stations. Only people with enough money to hold them off or a small enough market share that they're not worth it can stay independent. Of course, someone with enough money would be hard pressed to turn down a price that only makes sense to a monopolist. As Clear Channel controls more of the market, they'll also find it more worthwhile to go after smaller and smaller stations.
Once a company has gotten a stranglehold on a market, FCC rules make it very hard for a competitor to start up. At that point the monopoly holder has an effective stranglehold on radio speech in that market, with the government quieting any nascent dissent.
In addition, very few people can read a book aloud at the speed a trained typist can type it,
Yeah, true -- but few people can type at the speed a trained typist can. I consider myself reasonably lucky that -- on a good day -- I can type fast enough to transcribe the spoken word.
That having been said, I agree that OCR seems to be the best (general) case for mass transcription. There is, BTW, a Gutenberg-associated project that allows people to help correct the mistakes that an OCR makes (and remove the extra bits like page numbers, etc.).
No problem?? Tell that to the 'decoy' seamen on the decoy bridge. For me, an enlisted man's life is no less valuable than an officer's life. (definitely no less valuable to his family and friends).
If a piece of software would otherwise violate the GPL, then source-only distribution is pretty much the only answer.
The GPL doesn't restrict what you can do with a piece of GPL code once you have it (to do otherwise would be a violation of the GPL). It only kicks in once you start distributing something with GPL code in it.
Similarly, the GPL can't prevent someone from distributing their own source code, even though it would (if compiled and linked with GPL code) not be legal to distribute.
In other words, if one feels that there may be GPL problems with their code, source-only distribution seems to be the appropriate thing to do.
Telling people not to distribute binaries is simply a warning to prevent them from violating the GPL themselves.
Not blatantly sensible, and IANAL, but it seems to be legal.
They said there are mechanical stops in the turret rotating equipment to physically prevent it from being able to target any part of the ship.
Probably true, for current ships -- but what's betting that some oops designing a fire-by-wire ship isn't going to trust that software interlocks are just as good (saves at least $5000 in big metal blocks). Once the first bridge gets shot out, they'll retrofit all the existing ships of that class.
Re:Behind the times... on Potato Bazookas
The issue here is not that potato guns exist. It's that they're becoming popular.
A couple dozen kids playing with the things is simply annoying. When you get thousands, the statistics start to catch up with you.
When they start being 'in', the nature of the problem also shifts. You start to leave the domain of 'geeks playing with tech' and get into the realm of 'jocks playing with weapons'. It's a completely different mindset -- one with far less interest in (or even knowledge of) safety issues.
A geek firing a cement-filled canister at a brick wall is one thing. A jock firing a cement-filled canister at his favorite geek target is another. The first death from one of these things is not going to be pretty.
I can understand using wireless as a backup system, in case the wire lines get cut by structural damage (read: a hit). Using them as a primary communication system, on the other hand, seems like just asking for trouble.
No need for suicide missions any more. . . I can just see the incident report:
A little white dinghy pulled up alongside the ship. There were three people in the boat. Two of them stood up and screamed something about "Allah Akbar"; the third appeared to be hunched over a laptop.
The next thing we knew, the bow gun was firing at the bridge. (I didn't think it could do that... It must have been just a software limitation).
The hard part, of course, is going to be figuring out the encryption codes (thank god for quantum computing).
Don't sue them for access to the documentation, that'd get tossed on a preliminary motion.
Sue them for false advertising and ask for an injunction against using the phrase "Open Architecture" WRT UltraSparc machines. This would probably have to be done on behalf of someone who had put out good money based on the open architecture PR, and then found themselves stonewalled on the question of documentation. The worst case would be that the case goes to court and they are forced to remove the claims to be open. The best case would be that they start supplying the needed documentation and make the suit moot.
Actually Win 95 is EOL. Apparently the EOL thing hasn't hurt you too much.
Yeah, but it EOLed in 2002, not 1996.
I'm willing to use it because the only reason I ever run win'95 is to play my favorite (old) games (they won't work in wine). Damned if I'm going to pay $100 for an upgrade when all I'm doing is playing a $20 game.
uhm ...
Incubating in a nice, warm IIS shop?
If my guess is right, the following (relatively trivial) modification should do the trick:
That seemed to work for my tests.
AES is proof against mathematical attacks, but it might not do as well against espionage. Remember: There's more than one way to cat a file.
Military intelligence -- a contradiction in terms
(from a 1984 Usenet/ARPANET posting)
I'm pretty sure that that should be recent, but resented would work pretty well, too.
(IANAL, btw)