We, myself and AdAce, are not trying to protect the intellectual property of this method. If you want to use my posts on this subject to implement your own URI-mangled session tracking, then please do so. You won't have to worry about patent license fees, lawsuits, or any of that crud.
I would be tickled absolutely f*cking pink if no one on the net used cookies anymore.
Of course I'd be pleased if you credit us, but the idea of getting rid of cookies throughout the Internet is far more interesting to me than any frivolity of credit for the method.
Well, you've got two questions there. The first is about bookmarks, the second is about unappealing URIs. So let's hit them one at a time.
bookmarks:
When you hit my webserver, an apache authentication handler module that I wrote gets tickled. That module extracts the session information from the URI and does an internal redirect to the same URI without the session info. But before the redirect, it queries the login daemon (that's my little session management daemon that I talked about before) to see if it's a valid session and comma-delimited string. If so, you pass right through. Otherwise it assigns a new session and redirects you to the front page of the website.
I'm reskinning the website right now, and in the process I'm revamping this module so that it knows about "logged in" pages vs. "anonymous" pages. If you come in with an invalid session and are requesting an anonymous page, it'll give you a new session and redirect you to the actual page you requested. But if you're requesting a "logged in" page and have an invalid session, it'll assign you a new session, then redirect you to a login page. If you log in successfully, that'll redirect you to the page that you originally requested. That functionality isn't in place right now, but it will be soon.
I should point out that I truly despise methods that allow a person to log in without typing a password. Whether that's storing a password or password equivalent somewhere is equally heinous. So I'll never add support to allow a user to go straight to a "logged in" page: they'll always have to enter a password at least.
ugly URIs
No, we really haven't gotten any negative feedback about our abominable URIs. Ya, if someone had to actually type in one of these URIs, I could certainly see them being annoyed. But no one does. They come to our front door, click on the members login link, and go from there.
Now, there is actually a situation in which you would want to actually type one of our long session ids. That's the whole affiliate program. We allow people to sign up as affiliates to AdAce, and then put a link to us on their own web page. If someone follows that link and purchases an ad campaign, we give a 10% bounty to the affiliate. The way that works is with a set of special session ids. If you come into our website with a session id that has a particular numerical characteristic, then that's considered to be an affiliate code. A database lookup is performed to see if that matches an existing affiliate. Whether it does or not, you're assigned a new (regular) session id. But if it does match an existing affiliate, your session data is stamped with that affiliate's id, so that if you do make a purchase, we know which affiliate should get the 10% reward.
As you might have noticed, our session IDs are 32 hex digits long. That gives us 2^128 possible sessions simultaneously. Our actual max limit is much lower than that, but I specifically wanted our valid session space to be very sparse. This is complicated by the affiliate codes. There are 2^112 values in our session id space which possess the numerical characteristic that distinguishes session ids from affiliate codes. And, yes, that's also a very sparse space. But in any case, 2^112 is a tiny portion of the whole 2^128 space, so it really doesn't impact us at all.
When an affiliate sets up their link to us, they might have to type in this ugly URI that contains their affiliate code. But we send them that URI in an email, so if their mail reader can handle it, they can just cut-and-paste the URI into their web page. No typing involved. If their software can't handle it -- well then, shucks.
But the whole point of this: no, no one has complained.
(incidentally, I've been wanting to redo our session ids so that instead of using just hex digits, we use 0-9, a-z, A-Z, -, and _. That'll make our session ids shorter (64 values per digit or 6 bits instead of 16 values or 4 bits), and much less obnoxious as a result.)
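The post above makes three points about the id space: 128 random bits rendered as 32 hex digits, a proposed 64-symbol alphabet (0-9, a-z, A-Z, -, _) that would cut that to 22 symbols at 6 bits each, and an affiliate subspace of 2^112 values picked out by a "numerical characteristic". The Python below is an added example written for this page, not AdAce's code. The post never says which characteristic marks an affiliate code; the example assumes "top 16 bits all zero", which yields exactly 2^112 such values, and the affiliate table is a constructed sample.

```python
import secrets
import string

# The alphabet proposed in the post: 64 symbols, so each carries 6 bits.
COMPACT_ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase + "-_"
assert len(COMPACT_ALPHABET) == 64

SESSION_BITS = 128
COMPACT_LEN = -(-SESSION_BITS // 6)          # ceil(128 / 6) == 22 symbols

# ASSUMPTION (not stated in the post): a value whose top 16 bits are zero is an
# affiliate code. That subspace holds exactly 2**112 values, the count the post gives,
# and a uniformly random 128-bit value lands in it with probability 2**-16.
AFFILIATE_MASK = ((1 << 16) - 1) << (SESSION_BITS - 16)

# Constructed sample: one affiliate code (top 16 bits zero) mapped to an affiliate id.
AFFILIATES = {f"{0x1234:032x}": "affiliate-42"}


def new_session_value() -> int:
    """128 bits from the OS CSPRNG; the point of the huge space is that it stays sparse."""
    return secrets.randbits(SESSION_BITS)


def to_hex(value: int) -> str:
    """The scheme in use on the page: 32 hex digits, 4 bits per digit."""
    return f"{value:032x}"


def to_compact(value: int) -> str:
    """The proposed scheme: 6 bits per symbol, 128 bits fit in 22 symbols."""
    out = []
    for _ in range(COMPACT_LEN):
        out.append(COMPACT_ALPHABET[value & 0x3F])
        value >>= 6
    return "".join(reversed(out))


def from_compact(text: str) -> int:
    value = 0
    for ch in text:
        value = (value << 6) | COMPACT_ALPHABET.index(ch)
    return value


def is_affiliate_code(value: int) -> bool:
    return value & AFFILIATE_MASK == 0


def new_session_id() -> str:
    """Regular session ids are drawn outside the affiliate subspace, so an affiliate
    code can never be mistaken for (or collide with) a live session."""
    while True:
        value = new_session_value()
        if not is_affiliate_code(value):
            return to_hex(value)


def arrive(incoming_id: str, store: dict) -> str:
    """The affiliate flow from the post: whatever id a visitor arrives with, issue a fresh
    regular session; if the incoming id is a known affiliate code, stamp the new session
    with that affiliate's id so a later purchase can be credited."""
    sid = new_session_id()
    store[sid] = {"affiliate": None}
    if len(incoming_id) != 32:
        return sid
    try:
        value = int(incoming_id, 16)
    except ValueError:
        return sid
    if is_affiliate_code(value):
        store[sid]["affiliate"] = AFFILIATES.get(incoming_id)   # None if unknown code
    return sid


if __name__ == "__main__":
    v = new_session_value()
    print(to_hex(v), len(to_hex(v)))          # 32 hex digits
    print(to_compact(v), len(to_compact(v)))  # 22 symbols
    sessions = {}
    print(sessions[arrive(f"{0x1234:032x}", sessions)])
```

The compact form is shorter for the same entropy, which is the whole argument in the post: the id gets less ugly without the space getting any less sparse. Note that an unknown affiliate code still yields a normal session with no affiliate stamp, so a visitor probing that subspace learns nothing beyond "new session".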
Please, Evelyn Wood isn't doing you any favors. Read a little more slowly:
The session information doesn't get logged, only the fact of the session, in the form of the session id. The session info never gets written to any hard disk. Anywhere. It is completely impossible to reconstruct the contents of the session info by looking at server or proxy logs. Every page you go to that asks a user to enter information that will end up in the session data block is an SSL (v3) page. Not just that page, but the IMG links, post address, etc, so I can protect the referrer URLs, too. Yes, you could reconstruct small portions of the session data block by seeing which pages the user went to, but by no means can you get anything interesting.
And you might want to try reading some web server configuration instructions some day. Not only can cookies get logged... not only do cookies get logged... but if you use cookies for session tracking and you want to use WebTrends to analyze your logs (as is precisely the case with most websites) then you /must/ log cookies. Netscape, IIS, and Apache all support the logging of cookies.
Note that not only do I not use cookies, I also don't use WebTrends (any more). But that's untrue of the vast majority of commerce sites out there.
Cookies are needed for only one thing. Every other current use for cookies can be done better without them, or (IMNSHO) shouldn't be done at all. The best example is session tracking. Those of my websites which need to track sessions all use URI mangling to do so.
For instance, look at my website for AdAce. When you go there, you get immediately redirected to a URI that includes session information, that looks something like this: http://www.adace.com/0123456789abcdef0123456789abcdef/guest,0,1,1/index.html
The long hex number and the comma-delimited string constitute your session id. No cookie needed. By using relative URIs in all the webpages, there's no problem with the mangled session information being lost: the browser thinks that it's just a directory path. In those few places where we need to use absolute URIs, we use a cgi or an apache content handler to modify the URI in place to include the correct session id. This number is used to look up your session data in a daemon running a simple database for that purpose -- and to verify that the comma-delimited string hasn't been tampered with. The database exists purely in RAM. I've even locked the pages in place so there's no danger of them getting swapped. None of your session data ever goes onto a hard disk; only the fact of the session, as it appears in the server logs. My cgis (and a couple special purpose apache modules) all use an API library that I wrote in order to communicate with this daemon. That lets them get data out of your session record, and put data into it. The point of all this is that we hold the burden of maintaining your session information. No need for cookies.
The only function provided by cookies that can't be done in any other way is what we in the advertising industry call "frequency capping". The idea is that you (the advertiser) have bought a big campaign with a lot of impressions, but you don't want one user to see your campaign more than, say, 3 times. So we need some way to track how often you've seen a particular campaign. If the campaign is all running on a single website, then it's easy enough to use other methods. But when the campaign is running across at least two unrelated websites, the adservers have to create and manipulate a cookie in order to track this.
If you've ever received a cookie whose name is RMID, and whose value is just a number, then you've received one of these cookies. They're generated by RealMedia's (not to be confused with Real Networks, the makers of realmedia player) ad server for campaigns that have frequency capping turned on.
These cookies are the only cookies ever generated or inspected by any AdAce machine. I am strongly opposed to the use of cookies in any situation where some other method is possible. And as CSO of AdAce, I've put my foot down on this issue: no cookies where we can do something else, and even if we can't do something else, no cookies if it's possible for it to be exploited by acquisition, mismanagement, or subpoena, to violate someone's privacy.
(incidentally, this form of session tracking gives WebTrends conniption fits -- that's the main reason that I'm writing my own log analyzer)
If bright matter truly makes 10% of the universe, then by definition the remaining 90% of the universe must be dark matter.
The reason is that neither the terms "bright matter" nor "dark matter" specify a single type of matter. Rather, they define two values of a single common characteristic of all matter. The characteristic in question is how the matter interacts with photons. If you shine a light on something and you can see it, then it's bright matter. If you heat something up and you can see it, then it's bright matter. If you energize something then let its energy level drop and you can see it, then it's bright matter. Otherwise it's dark matter.
Therefore we can't measure dark matter directly merely because we can't see it. All astronomical observations depend on photons. Radio. Light. X-Ray. Gamma. Just different frequencies of photons. Since dark matter neither reflects nor emits photons, astrophysicists can't observe it. Or perhaps it does emit photons, but then immediately reabsorbs them (as in the case of black holes). Either mechanism comes down to the same thing. They can observe its effects indirectly by watching, for instance, the effect that its gravity has on surrounding bright matter, but no direct observation is even theoretically possible.
But there really aren't any theories about the nature of dark matter, because it's fundamentally impossible to observe remotely. Maybe it's some truly strange substance. Maybe it's just a whole bunch of black holes. No one knows. The only reason that we know about black holes is that some brilliant physicist who'd been downing a few too many beers one night did a thought experiment about the implications of gravity's inverse square strength. So we had a theoretical phenomenon that astrophysicists could later go and look for. But that's not true of other forms of dark matter.
All that's important is that "dark" matter is every piece of matter that isn't "bright" matter. It's still matter, and will still behave exactly the same as bright matter behaves. But it may come to be discovered that some characteristic that we thought was endemic to all matter is, in fact, only endemic to bright matter. We have no comparison yet, so we can't make that determination.
I don't think that anyone believes that all dark matter is in the form of black holes. Who knows, maybe so. I'm certainly not an astrophysicist (though I know a number of them who are on the bleeding edge), so someone can easily have come up with some theories about all this of which I'm unaware.
But this is my current understanding, and with the rate that astrophysics moves, I'm probably at least 5 years out of date.
Oh, explaining this caused me to remember a theory about dark matter that I heard from my undergraduate adviser back in my college days (Dr. Douglas Lin: he was and is a big shot in the astrophysics circles). The idea is that there actually isn't any special dark matter. It's all bright matter. But some matter might be in locations where so few photons fall on them that we just never get a chance to observe that matter. For instance, it's known that all the galaxies of the universe exist on the surfaces of voids in the universe (that observation is what gave rise to superstring theory). Think of soap suds. We've got complex surfaces, where all the soap is, each surrounding a small void with no soap. Small from our perspective, but from the point of view of a technological civilization living in one of the "galaxies" within the soap film, those voids are huge. The universe has the same structure. And these voids are just monstrously huge. In the center of one of these voids, there would be very little light, because all the light sources are very far away. So you could stick a whole lot of matter there and no one would ever see it. These voids are so huge that you could easily fit 90% of the universe's mass in them and still have a very low density of matter. It's normal "bright" matter, but insufficient light reaches it for us to observe it. The problem with the theory is that if you have 90% of the universe stuck in these voids, then the voids should collapse from gravity and make the galaxy distribution homogeneous. And we don't see that. Perhaps this problem has been resolved by now. I don't know. And, of course, there are other locations where matter can be hidden, where we wouldn't be able to observe it. Those voids are just a single example.
I don't know anyone who is trying to force Linux, in specific (or any particular distribution of Linux) onto every computer.
Most of the die-hard Linux evangelists (of which I am one) are pushing Linux because we see that as the best means to our ends. And those ends are to get Windows /off/ of all computers. I don't care what goes back onto the computer so long as it isn't a Microsoft product. The fact that every OS that I'm familiar with is technologically superior to Windows (in its various flavors) means that I don't have to be particularly picky about which OS I push. But as far as I can see, Linux is the OS that's easiest to get people to accept. And so I push Linux.
Hell, before I got involved with Linux, I was writing my own OS (Syrinx) specifically for this purpose. Then 386BSD (or was it BSD386? don't remember) and Linux were both starting up at the time. I generally prefer BSD flavors of UNIX to SysV flavors (I'm addicted to ^Z, and my early experience with SysV stuff -- SCO UNIX and AT&T SysV -- didn't support a posteriori backgrounding), so I took a look at 386BSD. It didn't support my ESDI drives, so I couldn't even test it. Linux did. So I could play with it. And it was quite spiffy. So I abandoned Syrinx and jumped in with both feet and have been there since. If 386BSD had supported ESDI drives when I tested it, I'd probably be a *BSD bigot instead of a Linux bigot. Sure, some of you can argue that I should've just added support for ESDI myself, but in those days 386BSD wasn't accepting patches from the general public, and the developers told me that they had no interest in supporting ESDI. To top it all off, I couldn't even play around with it enough to see if it was interesting enough to warrant the effort of adding that support myself.
(To this day, Linux is the only operating system that understands the Syrinx partition type, and there is only one computer running Syrinx: an old 25MHz 286 that I sold to a buddy many years ago).
I've been doing contract work since 1994. A little work off and on for years before that, but we can ignore it. And less these days since I'm tied up with AdAce.
But with years of experience under my belt, I've had my share of disputes.
In order to protect your receivables, you have to take a very firm, very cruel stand right from the get-go. There is absolutely no benefit in being even slightly merciful at the start, and a whole lot of harm. And if you take a hard stand, that gives you room to negotiate in trying to convince a client to pay up. You've gotta make sure that your client sees themselves lying in the way of a hurtling Sisyphean rock, and you hold the key to the only way out of its path.
If you negotiate a contract for net 30 terms, and you haven't received a check 20 days after billing, send them a reminder. If you haven't received a check on the 30th day, submit a bad credit report. Don't wait. Do it. If you haven't received a check on the 40th day, file suit, and send a letter to your client telling them that you've done so. You can always drop the suit if the client finally pays. Be mean. Be cruel. Be a right bastard.
The finance and legal people at your client won't get offended: that's the way that they play the game too. Many accounts payable departments don't pay net 30 bills until the 30th day. You've gotta take a hard stand with them and make the point that net-30 means that they have 30 days to complete payment, not 30 days to start.
Don't be forgiving, don't be kind. If the client jerks you around in payment, you don't want to work for them again. I have occasionally accepted second jobs from bad clients, but I always insist on payment in advance for them. I keep a counter on one of my machines, tracking the available balance in their account. I leave it up to their people to track the balance and make sure it doesn't drop to zero, because when it does drop, I immediately stop what I'm doing.
If everything that Mosfet said is true, and if everything that the post from "Giovanni" here says is true, then Mosfet is being overly kind to Future Tech. He's not being petty. He's not suffering from a mood swing. He's not being an irresponsible worker who doesn't finish his tasks. He's being foolishly forgiving and naive.
Oh ya, almost forgot: always get a contract in writing, and always negotiate the terms. Never accept the first offer.
Years ago, I had a potential client in San Jose, California. They wanted someone to build them a consumer-level internet firewall machine, that Joe Blow could just plug in and run with. So they were soliciting proposals. We negotiated $50/hour for me to produce a proposal for them, which I did. Standard type of proposal, talking about the hardware, OS, and configured components that I would be using. He rejected it, saying that this isn't what he was used to getting, that out of a proposal he expected the complete texts of all configuration files, build scripts, the whole 9 yards. Well, of course I told him that that would constitute the entire contract, not just a project proposal, and I would require my full rate and 50 hours to do so. He tried to claim that all his previous contractors had complied, and my response was that it is not my concern what his previous contractors did or did not do; if they truly did comply, then they were naive, and really shouldn't be in this business at all. He didn't like that response. Finally after I threatened suit, he agreed to pay my fee for the proposal, but of course he didn't give me the project. Boo hoo. I've since discovered that this particular manager at this company (not the whole company: just that one manager) had been making a practice over many years before and since of taking overly detailed project proposals for free or cheap, rejecting the projects, and then using the recipe in the proposal to implement the project in house. He was adored by his bosses, because he always produced "his" projects far under budget. Ha. Small wonder. Then, as I and others spread the word through the contractors that we know here in the SF Bay Area, he started to fall from favor with his bosses. It seems that he was no longer able to finish projects at all, much less under budget. And those few projects that he did manage to finish were very poor quality. He's now been unemployed for 2 years. 
So you see, taking a firm stand and being a bastard gives you wonderful anecdotes with happy endings. Not to mention that you actually get paid.
When both parties to a contract are equally at breach, then judges usually rule that the contract is void, unless either or both parties can show real damages. In that case, the judges usually subtract the smaller real damages from the larger real damages, and award the difference without allowing any punitive damages.
In this case, since Liquid was a "product" that existed before the contract with FT, I don't really see how a judge would award IP rights to FT.
Once again, I haven't seen the contract, blah blah blah. etc etc etc.
Whether or not I am a lawyer depends on the definition that you use.
If you're talking about someone who prosecutes and defends cases in court on at least a semiregular basis, then yes, I am a lawyer (I haven't lost any cases yet).
If, on the other hand, you're talking about someone who has a membership in the BAR and uses that to provide legal representation for clients, then no, I'm not a lawyer.
But no matter what definition you use, I am not your lawyer, and therefore my words shouldn't be taken as legal advice to you.
Assuming that everything in the story is true, and that the contract included terms to pay Mosfet for his work, then FT is in breach of contract, and any consideration that Mosfet assigned to FT through the contract (including assignment of IP rights) is void. So all such considerations remain with Mosfet, and FT has no rights at all. In fact, Mosfet has the right to sue for breach of contract, which allows you to up the damages way beyond the real damages.
Of course, this has a lot of assumptions in it. I certainly haven't read the contract, and I have no way to know that what Mosfet and FT are saying about the situation is even remotely true.
[damned internet explorer posted my last (empty) message when I hit return in this text box. Bleah]
Anyway, this is all pretty standard stuff. I get asked to do this kind of stuff occasionally by my clients. It's highly fun work.
One of my buddies once hacked into his client by discovering that one of the employees at the client's ISP was running a warez site at the ISP, and got the employee into letting him install a sniffer on the client's line.
The trick with doing tiger team work is that you have to uncover weaknesses. No one hires a tiger team unless they suspect that they have a problem, and if you don't uncover a problem, they presume that you suck rather than that their security is actually good. Luckily, that's not a problem, because everyone has terrible security. Some are less terrible than others, but even when technical means fail, creative social engineering never does.
The basic problem is the existence of people who are, by nature, trusting. These people are the bane of good security. If you have a single one of these people, even in a lowly position like a janitor (who're great because they have almost unlimited physical access) or receptionist, the company's premises are left wide open. Optimists ensure that security professionals will forever be employable.
Some of you will recall that I'm CSO of an advertising company. We have servers at an ISP who pretends to good security. They've got palm-print scanners on all their doors, code keypads, badges, security guards, locked cages, the whole 9 yards. But since they have all this technical hoohaw, the people have gotten lazy. So the technical stuff doesn't mean a damn. One day, I accidentally locked myself out of my cage. So I pulled out my lockpicks (which I always have on hand) and just picked the lock. Now I'm not particularly good with lockpicks, just being at the level of hobbyist. I can get most locks open, but it can sometimes take me an hour of uninterrupted work when I'm on a difficult lock. But I was able to get that cage open in about 20 seconds. A camera was looking right at me the whole time, and no one came to investigate. And here I am, a shabby looking character with long hair, bushy beard, and a leather jacket. And a handy set of lockpicks on hand. That should've raised a bunch of eyebrows back at the security desk. But, no.
I'm really getting irked now. The new FAQ contains the following text:
What does the proposed policy change? It establishes a process that requires people to disclose to a Working Group that a specification in development may intersect with patented technology.
This is a complete and bald-faced lie. The new policy has no such requirement. In fact, this is one of the specific objections that I raised in my email to W3C.
The fact of the matter is that the new policy requires participants to circulate memoranda throughout their individual companies, using the same channels normally used for W3C information. These memoranda are requests for employees to respond from memory if they believe that that company owns a patent that would encumber a proposed W3C standard. If a positive response comes back, the contributor is bound to report the response to W3C. But nothing binds the employees to respond to the memorandum. Nothing binds them to read it. Nothing prevents the legal department from issuing an order that no such memoranda will receive positive responses. In fact, the PPWG's definition specifically states that these companies are not expected to do internal patent searches.
In every company I've ever worked in (since the inception of W3C), in every company I've ever contracted for, W3C related memoranda are generally ignored by the legal and technical staffs. One or two people out of the tech staff might actually read the things, but most don't. More importantly, the people who are likely to know about such patents never read the memos.
So the clause in the proposed policy that "requires" disclosure of patents, in truth, only requires that memos be sent. And that's the end of it.
When I, John Q. Public, abuse a power that is granted to me, only myself and the people directly involved with the abuse are affected.
When the government, its agents or assigns, abuse a power that has been granted to them, every resident of that nation is adversely affected.
There is no conceivable crime that is more heinous, more reprehensible, more downright evil, than governmental abuse of power. They have been trusted by their citizenry with certain powers that the people have acknowledged are needed in order for the government to do its job. When the government abuses that power, it violates that trust. It invalidates its purpose in existence. And it labels itself an enemy of the nation. An enemy that must be fought down.
With the incredible repercussions that result from governmental abuses, it is only prudent to do everything possible to limit the damage that a government can do when it abuses its powers. And the best way to do that is to ensure that its powers are inherently limited in scope and power. Not by some legal prohibition, but through the inherent nature of the power itself.
A power that is not inherently limited (such as crypto backdoors) must be jealously withheld from the government under all circumstances.
My take comes from being on many different sides of the issue over the course of my career. I've been a university student (BS CE, honors in the comprehensive). I've been that entry-level tyke whose every idea is considered no better than "cute" by the other guys. I've been a self-employed contractor. I've been a high-level tech employee. I've been an executive.
The one thing in a new hire that helps me in my businesses is attitude. I need people who've got the basic skills down solid, but more than anything I need someone who is passionate about learning. Someone who can think clearly. I don't even need someone who can communicate clearly: there are too many good workers who speak English poorly for me to have that luxury. If I've got someone who loves to learn and can think clearly, then that person can grow into my needs.
I gave up years ago trying to find that new hire who'll fit perfectly into the position that I have open; it only happens out of blind luck. What I look for is someone who can /become/ the employee that I need.
And those skills that I need have nothing to do with being well-rounded. In fact, being well-rounded is harmful in someone straight out of college. The basic problem is that public High Schools are miserable failures when it comes to teaching a student how to think and learn. So it falls on the universities. That means a student who has spent a great deal of time in hard sciences. Especially with a theoretical focus rather than an applied one. People with applied educations aren't capable of thinking out of the box. People with theoretical educations are slower to get started in application, but once they get over that first hurdle, they really zoom ahead.
The more time a university spends trying to "round out" a student, the less time there is for that student to develop his ability to learn and think. There's no room for thinking in the humanities: that's all just memorization and political games. Or at worst, you get stuck with a deconstructionist. And that means that the student isn't practicing the skills that I need from him.
This isn't to say that I don't like well-rounded people. I just hate well-rounded people who can't think, and that's the most common case. If someone masters thinking and learning, then I don't have any problem with them going out and making themselves well-rounded. But they should do it to themselves, not have it imposed on them by a University. If they don't have the desire to do it on their own, then it won't succeed, so there's no benefit for the University doing it. If they do have desire to do it on their own, then the University is just wasting its effort. And in any case, that desire itself is valuable to me.
government phone taps do not bother me because I know the only reason the .gov would want to tap my phones is if I were doing something bad
That's a completely specious argument.
Government people don't tap people's phones because they're doing something bad. Government people tap people's phones because they're under suspicion of doing something bad. You own a gun. You post on slashdot. You have a computer. You have political opinions. In some jurisdictions, that's more than enough to put you under suspicion of doing something bad. Like here in California.
If the government knows someone is doing something bad, then they don't have any need of a phone tap: they already have enough evidence for a conviction. The rule in law enforcement is "go far enough to get sufficient evidence for a conviction, and then stop!" The perpetual fear in the DA's office is that law enforcement will uncover exculpatory evidence (that's evidence that proves the suspect's innocence). Since the prosecution is obligated under discovery rules to turn over all evidence to the defense, the presence of exculpatory evidence is a bad thing in the eyes of the DA's office. DAs don't make the connection with the fact that the presence of exculpatory evidence means they're prosecuting the wrong guy: they just want a conviction so they can close the book.
What all this means is that if the LEAs have enough evidence to convict you, they won't even attempt to tap your phone, because their investigation might backfire. And since you don't need proof of wrongdoing to convict (you only need enough evidence to show wrongdoing "beyond a reasonable doubt"), the certain knowledge of wrongdoing is also a guarantee that the LEAs have enough evidence to satisfy a jury. Note that I said certain knowledge, not strong suspicion: LEAs are excitable folks who tend to leap to conclusions.
And that tendency to leap to conclusions is part of the problem. By and large, LEAs are ignorant boobs. I've had a lot of contact with the Secret Service's technology investigations group and the FBI's computer crime squad in San Francisco, and even these guys (law enforcement's technological elites) aren't sufficiently up to speed to avoid leaping to conclusions.
Just look at the public records of the LAPD's illegal use of wiretaps throughout the 90's. At the instruction of the LA DA's office, no less. This was an ongoing, persistent misuse of wiretaps lasting many years, none of which were authorized by courts. With such widespread misuse in one jurisdiction, one must conclude that such misuse occurs in other jurisdictions as well. Cops, just like other professionals, have a tendency to jump from one job to another, though perhaps not as often as in technical fields. So even if other jurisdictions didn't come up with the idea on their own, cross-contamination would've occurred. And the record is clear that illegal wiretaps have been commonplace throughout the US for decades at least. Since not all misuse is detectable, the truth must be that wiretaps are even more horribly misused than is known.
What all this means is that you should assume that any ability that the .gov has will be misused to a greater or lesser degree. Innocent people will be hit by these misuses. Innocent people will go to jail as a direct result of these misuses. And innocent people will have no recourse.
Whether you're talking about wiretaps, gun registration databases, sex offender registries, or crypto backdoors, the issue isn't whether or not you've done something bad. It's merely whether or not you appear to have done something bad, or in the worst case, whether or not it can be made to appear that you've done something bad.
The simple matter is that with the sheer quantity and scope of the laws that already exist on the books, every one of you has done something bad. It's not possible to live a day in society without breaking a law. Do you have a bag of blue ice (the freezable cold packs) in your freezer? How about a piece of wood and some sandpaper? Or maybe a can of gasoline? If any of those are true, then you are in possession of bomb making materials. That's a federal felony. Do you own a car? Do you drive it? Then you're guilty of transporting hazardous materials without a license. Federal misdemeanor. Have you ever said the words "someone should kill the president" or anything to that effect, regardless of context or intent? Federal felony. Called a enemy in an online multiplayer game a "fucking nigger" for cheating? Or how about "bitch"? That's hate speech. Municipal misdemeanor in many jurisdictions. Do you possess pictures of your children as babies, naked? Child porn (go read the statute: it's very much over broad). Federal felony. Have you ever had sex with your boyfriend/girlfriend while they were a minor and you weren't (such as when you were 18 and they were 17)? Statutory rape. Federal felony with strong enforcement ("strong enforcement" is a term of art that means that the victim or victim's parents don't have to agree that a crime has been committed in order for prosecution to proceed).
LEAs will try to tell you that they won't proceed with prosecution unless there was "intent to commit a crime." But in practice, that's nonsense. "Intent" is defined and shown by the DA's office (or AG's office), not by the LEAs or defendant, and in the case of strong enforcement statutes, is irrelevant anyway.
Ok, I'm starting to ramble. So I'll sum up: we must always resist giving any power to law enforcement that is capable of being abused, because any abusable power will be abused, and the innocents are the only people who will suffer.
Assuming that the software works 100% (read: it blocks content if and only if the ads weren't viewed), then it will kill advertising revenue. The reason is all about click through ratios. It goes back to my previous statements: if someone doesn't want to view ads, then they aren't gonna be clicking on ads. And if they aren't clicking on ads, then forcing them to see the ad only lowers your click through ratio. And that means that you can't charge as much for advertising as you would otherwise be able to. So your costs go up, your revenues go down, and things are bad all around.
This doesn't even address the repercussions of the simple fact that forcing your viewers to also view ads is gonna piss them the hell off.
And then there's the technology itself. I could see it done in 2 ways: java/javascript and redirected frames.
The java/javascript method would require the user to have java enabled. And if they don't have java enabled, clearly the system won't work. Trying to put up a website that doesn't work for users with java or javascript disabled doesn't work. There are far too many users out there who have them disabled. Hell, I wish all users disabled them, but that's just me.
The redirected frame would be the best way. Make the ad server serve out an HTML frame that contains a link to the graphic and another link to a 1 pixel frame on the host's server. The host's server sits there and counts the hits on this other frame, and when it reaches the right number, serves out the content. But this doesn't prevent the user from blocking the ad graphic at all. It works if the user blocks the ad frame, but doesn't prevent the user from just blocking the ad graphic.
The only way you could tell that the real graphic is actually displayed is to send out java or javascript that knows the checksums for the ads that the user is going to be served, and then compares the checksums before the real content is displayed. But once again that depends on the user having java or javascript enabled. And it also requires the ad host's webserver to be integrated with the ad network's webserver. Only really big sites can afford to do that integration, because it means that they have to own their own ad server and content server. Ad servers are highly expensive. Yes, there are freeware ad servers out there, but none of them have the speed that a high traffic site needs, or they lack reasonable targeting options.
All in all, I'd say that this new beast is going to be a miserable failure. The problem isn't that this beast exists, but that someone actually thought it would be a good idea. That means that I have to get back into the propa^H^H^H^H^Heducation war again.
When I bought my DTS system, I started shopping for a good universal remote. The most basic feature to me is that it has to be a learning remote. I can't deal with those remotes that are preprogrammed with all the knee-jerk low-end consumer electronics. They never support my oddball equipment.
The moment you look at learning remotes, you jump up $50 in remote price right there. And then I needed a remote that handled multiple IR frequencies, because about half my components use one and the rest use another. That raises the price again.
Once I got up there, it wasn't really that much more money to just splurge and get the RC-5000. And let's face it, the damned thing has some serious hack value.
Firewire was too good for its time. When it came out, few needed a /serial/ communications medium that could handle such a high throughput. So few bought it.
Same with bubble memory. When bubble memory came out it was far more memory than anyone thought anyone would ever need. "128Mb in a nonvolatile memory chip? Who would ever need that much memory? 5MB hard disks are far more spacious than people need already. So the extra cost for bubble memory just isn't worth it." Well, guess what technology is making a comeback.
As long as the technology is open, things that are too advanced for their time aren't lost; they can make a comeback 10, 20, 30 years later when the market catches up. There are lots of examples of these orphaned technologies lying around.
The important thing to realize is that any market is always going to be dominated by the manufacturers' own ideas. And with only very rare exceptions, those ideas are not going to be about improving technology, but about making more money. Our world's technological level is far more advanced than is reflected in the market... but since selling an advanced technology means that you have to spend money on marketing to convince the consumers that they'll benefit from it, you never see those technologies come out until the market has caught up on its own.
Apparently. At least that's what I'm told. I don't have any shares, so I can't verify it myself. I could check the firewall logs for blocked accesses on UDP 137, 139, and the rest, but I always get lots of blocked accesses on those ports anyway, so it wouldn't really tell me much.
My servers are all apache, and none of the attacks have gotten through.
Apache itself isn't the culprit. Maybe you have something else there, or a bad configuration of apache or some insecure cgi installed. Lots of possibilities.
My servers at AdAce have been getting hits from Nimda since 6:23am PST today. Each infected machine hits me 16 times in 3 seconds, then I don't hear from it again for about 10 minutes.
At this point, there are 5723 unique IP addresses trying to probe my servers. I see a new IP address about every 45 seconds.
And, of course, there is no microsoft software of any kind that's accessible on those networks. All boxes running any microsoft software are isolated on a ghetto network, with very tight firewall rules.
You'd think that the bozos who write these things would at least check to see if the server was IIS before trying their probes. At least then my automatic log cycler wouldn't trigger so often.
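The probe pattern described in these posts (each infected host hitting the server 16 times inside 3 seconds, then going quiet) can be picked out of Apache access logs by timing alone, without knowing what the probes ask for. This is an added example, not the author's log cycler or analyzer; the log lines, addresses and timestamps in it are constructed.

```python
"""Rate-based detection of worm probe bursts in Apache access logs.

Constructed example (not AdAce's log cycler or analyzer). It flags a source by
request timing alone, so it needs no knowledge of the probe URLs and works
just as well on a server the worm was never going to find (Apache, not IIS).
The sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req, int(status)


def find_bursts(lines, min_hits=16, window_s=3.0):
    """Map each source IP to the largest number of its requests that fall inside any
    window_s-second span, keeping only the sources that reach min_hits."""
    times_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            times_by_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # slide the window start forward until the window spans at most window_s seconds
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = best
    return flagged


def _sample_line(ip, when, path):
    """One constructed common-log line (404: the probed file does not exist on this Apache box)."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.0" 404 209'


_T0 = datetime(2001, 9, 18, 6, 23, 0, tzinfo=timezone(timedelta(hours=-7)))  # constructed
# constructed: one infected host, 16 probes inside 3 seconds ...
SAMPLE_LOG = [_sample_line("10.0.0.5", _T0 + timedelta(milliseconds=180 * k), f"/probe{k}")
              for k in range(16)]
# ... and an ordinary visitor, three page loads spread over a minute
SAMPLE_LOG += [_sample_line("192.0.2.7", _T0 + timedelta(seconds=20 * k), "/index.html")
               for k in range(3)]

if __name__ == "__main__":
    for ip, hits in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {hits} hits inside 3 s")
```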
ugly URIs
No, we really haven't gotten any negative feedback about our abominable URIs. Ya, if someone had to actually type in one of these URIs, I could certainly see them being annoyed. But no one does. They come to our front door, click on the members login link, and go from there.
Now, there is actually a situation in which you would want to actually type one of our long session ids. That's the whole affiliate program. We allow people to sign up as affiliates to AdAce, and then put a link to us on their own web page. If someone follows that link and purchases an ad campaign, we give a 10% bounty to the affiliate. The way that works is with a set of special session ids. If you come into our website with a session id that has a particular numerical characteristic, then that's considered to be an affiliate code. A database lookup is performed to see if that matches an existing affiliate. Whether it does or not, you're assigned a new (regular) session id. But if it does match an existing affiliate, your session data is stamped with that affiliate's id, so that if you do make a purchase, we know which affiliate should get the 10% reward.
As you might have noticed, our session IDs are 32 hex digits long. That gives us 2^128 possible sessions simultaneously. Our actual max limit is much lower than that, but I specifically wanted our valid session space to be very sparse. This is complicated by the affiliate codes. There are 2^112 values in our session id space which possess the numerical characteristic that distinguish session ids from affiliate codes. And, yes, that's also a very sparse space. But in any case, 2^112 is a tiny portion of the whole 2^128 space, so it really doesn't impact us at all.
When an affiliate sets up their link to us, they might have to type in this ugly URI that contains their affiliate code. But we send them that URI in an email, so if their mail reader can handle it, they can just cut-and-paste the URI into their web page. No typing involved. If their software can't handle it -- well then, shucks.
But the whole point of this: no, no one has complained.
(incidentally, I've been wanting to redo our session ids so that instead of using just hex digits, we use 0-9, a-z, A-Z, -, and _. That'll make our session ids shorter (64 values per digit or 6 bits instead of 16 values or 4 bits), and much less obnoxious as a result.)
Ne delere orbum rigidium meum.
means (or is intended to mean)
Don't you dare erase my hard disk.
Please, Evelyn Wood isn't doing you any favors. Read a little more slowly:
The session information doesn't get logged, only the fact of the session, in the form of the session id. The session info never gets written to any hard disk. Anywhere. It is completely impossible to reconstruct the contents of the session info by looking at server or proxy logs. Every page you go to that asks a user to enter information that will end up in the session data block is an SSL (v3) page. Not just that page, but the IMG links, post address, etc, so I can protect the referrer URLs, too. Yes, you could reconstruct small portions of the session data block by seeing which pages the user went to, but by no means can you get anything interesting.
And you might want to try reading some web server configuration instructions some day. Not only can cookies get logged... not only do cookies get logged... but if you use cookies for session tracking and you want to use WebTrends to analyze your logs (as is precisely the case with most websites) then you /must/ log cookies. Netscape, IIS, and Apache all support the logging of cookies.
Note that not only do I not use cookies, I also don't use WebTrends (any more). But that's untrue of the vast majority of commerce sites out there.
hehe.
Ummm. No.
Bugger. I didn't intend to up that post's score by +1. Grr. Grr.
Oh well.
That's just crap.
Cookies are needed for only one thing. Every other current use for cookies can be done better without them, or (IMNSHO) shouldn't be done at all. The best example is session tracking. Those of my websites which need to track sessions all use URI mangling to do so.
For instance, look at my website for AdAce. When you go there, you get immediately redirected to a URI that includes session information, that looks something like this: http://www.adace.com/0123456789abcdef0123456789abcdef/guest,0,1,1/index.html
The long hex number and the comma-delimited string constitute your session id. No cookie needed. By using relative URIs in all the webpages, there's no problem with the mangled session information being lost: the browser thinks that its just a directory path. In those few places where we need to use absolute URIs, we use a cgi or an apache content handler to modify the URI in place to include the correct session id. This number is used to look up your session data in a daemon running a simple database for that purpose -- and to verify that the comma delimited string hasn't been tampered with. The database exists purely in RAM. I've even locked the pages in place so there's no danger of them getting swapped. None of your session data ever goes onto a hard disk; only the fact of the session, as it appears in the server logs. My cgis (and a couple special purpose apache modules) all use an API library that I wrote in order to communicate with this daemon. That lets them get data out of your session record, and put data into it. The point of all this is that we hold the burden of maintaining your session information. No need for cookies.
The only function provided by cookies that can't be done in any other way is what we in the advertising industry call "frequency capping". The idea is that you (the advertiser) have bought a big campaign with a lot of impressions, but you don't want one user to see your campaign more than, say, 3 times. So we need some way to track how often you've seen a particular campaign. If the campaign is all running on a single website, then it's easy enough to use other methods. But when the campaign is running across at least two unrelated websites, the adservers have to create and manipulate a cookie in order to track this.
If you've ever received a cookie whose name is RMID, and whose value is just a number, then you've received one of these cookies. They're generated by RealMedia's (not to be confused with Real Networks, the makers of realmedia player) ad server for campaigns that have frequency capping turned on.
These cookies are the only cookies ever generated or inspected by any AdAce machine. I am strongly opposed to the use of cookies in any situation where some other method is possible. And as CSO of AdAce, I've put my foot down on this issue: no cookies where we can do something else, and even if we can't do something else, no cookies if it's possible for it to be exploited by acquisition, mismanagement, or subpoena, to violate someone's privacy.
(incidentally, this form of session tracking gives WebTrends conniption fits -- that's the main reason that I'm writing my own log analyzer)
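The scheme laid out in this post, together with the affiliate-code and shorter-encoding details from the "ugly URIs" post above, as an added example that is not AdAce's code: an in-memory stand-in for the login daemon, the handler's extract/validate/strip step, the absolute-URI rewrite, and the 64-symbol encoding that shortens a 32-hex-digit id to 22 characters. Where the posts are silent the code assumes that tampering with the comma-delimited string is caught by comparing it against the copy stored with the session, that affiliate codes are marked by a fixed 0000 prefix (16 fixed bits, giving the 2^112 codes the post mentions), and that the "logged in" area lives under /members/ with /login.html and /index.html as the login and front pages.

```python
"""URI-mangled session tracking modelled on the scheme described in the posts.

Constructed illustration, not AdAce's code. Assumptions not stated in the posts:
the daemon detects tampering by keeping the comma-delimited string beside the
session and comparing; affiliate codes are marked by a fixed 4-hex-digit prefix
(16 fixed bits leave 2^112 codes, the figure given in the post); "logged in"
pages live under /members/; the login and front pages are as named below.
"""
import base64
import hmac
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

SID_HEX_LEN = 32                      # 32 hex digits = 128 bits
AFFILIATE_PREFIX = "0000"             # assumed "numerical characteristic" of affiliate codes
DEFAULT_TAG = "guest,0,1,1"           # the comma-delimited string from the example URI
FRONT_PAGE = "/index.html"            # assumed
LOGIN_PAGE = "/login.html"            # assumed
LOGGED_IN_PREFIXES = ("/members/",)   # assumed layout of "logged in" pages

# /<32 hex digits>/<comma-delimited string>[/<rest of the path>]
SESSION_RE = re.compile(r"^/([0-9a-f]{32})/([^/]*,[^/]*)(/.*)?$")


class LoginDaemon:
    """Stand-in for the RAM-only session daemon: a dict, nothing ever written to disk."""

    def __init__(self, affiliates):
        self.sessions = {}            # sid -> {"tag": str, "data": dict}
        self.affiliates = affiliates  # affiliate code -> affiliate id (constructed table)

    def new_session(self, tag=DEFAULT_TAG, affiliate_id=None):
        while True:
            sid = secrets.token_hex(SID_HEX_LEN // 2)
            # regular ids must stay out of the affiliate-code space and never collide
            if not sid.startswith(AFFILIATE_PREFIX) and sid not in self.sessions:
                break
        self.sessions[sid] = {"tag": tag, "data": {"affiliate": affiliate_id}}
        return sid

    def validate(self, sid, tag):
        rec = self.sessions.get(sid)
        if rec is None:
            return False
        # constant-time compare of the stored copy catches edits to the comma-delimited string
        return hmac.compare_digest(rec["tag"].encode(), tag.encode())


def mangle(path, sid, tag=DEFAULT_TAG):
    """Insert the session segment into a site-local path (the content handler's job for absolute URIs)."""
    if not path.startswith("/"):
        path = "/" + path
    return f"/{sid}/{tag}{path}"


def mangle_absolute(url, sid, tag=DEFAULT_TAG, host="www.adace.com"):
    """Rewrite an absolute URI only when it points at our own host; foreign links are left alone."""
    parts = urlsplit(url)
    if parts.netloc != host:
        return url
    return urlunsplit(parts._replace(path=mangle(parts.path or "/", sid, tag)))


def handle_request(daemon, path):
    """The authentication handler: ("pass", stripped_path, sid) or ("redirect", location)."""
    m = SESSION_RE.match(path)
    if m:
        sid, tag, rest = m.group(1), m.group(2), m.group(3) or "/"
        if sid.startswith(AFFILIATE_PREFIX):
            # affiliate link: look the code up, then hand out a regular session stamped with the match (if any)
            fresh = daemon.new_session(affiliate_id=daemon.affiliates.get(sid))
            return ("redirect", mangle(rest, fresh))
        if daemon.validate(sid, tag):
            return ("pass", rest, sid)    # internal redirect to the same URI minus the session info
        requested = rest
    else:
        requested = path or "/"
    fresh = daemon.new_session()
    if requested.startswith(LOGGED_IN_PREFIXES):
        # invalid session on a "logged in" page: new session, then the login page
        return ("redirect", mangle(LOGIN_PAGE, fresh))
    # anonymous page: new session, then the page actually requested (front page if none)
    return ("redirect", mangle(requested if requested != "/" else FRONT_PAGE, fresh))


def compact(sid_hex):
    """The shorter encoding floated in the post: 6 bits per character from 0-9, a-z, A-Z, - and _."""
    return base64.urlsafe_b64encode(bytes.fromhex(sid_hex)).rstrip(b"=").decode("ascii")


def expand(sid_compact):
    """Inverse of compact(): back to the 32-hex-digit form."""
    padded = sid_compact + "=" * (-len(sid_compact) % 4)
    return base64.urlsafe_b64decode(padded).hex()


if __name__ == "__main__":
    daemon = LoginDaemon({"0000" + "a" * 28: "affiliate-42"})   # constructed affiliate table
    sid = daemon.new_session()
    print(handle_request(daemon, f"/{sid}/{DEFAULT_TAG}/index.html"))
    print(handle_request(daemon, f"/{sid}/admin,9,9,9/index.html"))   # tampered tag
    print(handle_request(daemon, "/members/account.html"))            # no session at all
    print(compact(sid), len(compact(sid)))                            # 22 characters instead of 32
```

As the post itself notes, the session id still lands in server logs and Referer headers; the RAM-only daemon protects the session data, not the id.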
Thermodynamics.
No machine (even a Dyson sphere) can possibly capture all the energy.
Remember the laws of thermodynamics: You can't win, you can't break even, you can't even quit the game.
If bright matter truly makes 10% of the universe, then by definition the remaining 90% of the universe must be dark matter.
The reason is that neither the terms "bright matter" nor "dark matter" specify a single type of matter. Rather, they define two values of a single common characteristic of all matter. The characteristic in question is how the matter interacts with photons. If you shine a light on something and you can see it, then it's bright matter. If you heat something up and you can see it, then it's bright matter. If you energize something then let its energy level drop and you can see it, then it's bright matter. Otherwise it's dark matter.
Therefore we can't measure dark matter directly merely because we can't see it. All astronomical observations depend on photons. Radio. Light. X-Ray. Gamma. Just different frequencies of photons. Since dark matter neither reflects nor emits photons, astrophysicists can't observe it. Or perhaps it does emit photons, but then immediately reabsorbs them (as in the case of black holes). Either mechanism comes down to the same thing. They can observe its effects indirectly by watching, for instance, the effect that its gravity has on surrounding bright matter, but no direct observation is even theoretically possible.
But there really aren't any theories about the nature of dark matter, because it's fundamentally impossible to observe remotely. Maybe it's some truly strange substance. Maybe it's just a whole bunch of black holes. No one knows. The only reason that we know about black holes is that some brilliant physicist who'd been downing a few too many beers one night did a thought experiment about the implications of gravity's inverse square strength. So we had a theoretical phenomenon that astrophysicists could later go and look for. But that's not true of other forms of dark matter.
All that's important is that "dark" matter is every piece of matter that isn't "bright" matter. It's still matter, and will still behave exactly the same as bright matter behaves. But it may come to be discovered that some characteristic that we thought was endemic to all matter is, in fact, only endemic to bright matter. We have no comparison yet, so we can't make that determination.
I don't think that anyone believes that all dark matter is in the form of black holes. Who knows, maybe so. I'm certainly not an astrophysicist (though I know a number of them who are on the bleeding edge), so someone can easily have come up with some theories about all this of which I'm unaware.
But this is my current understanding, and with the rate that astrophysics moves, I'm probably at least 5 years out of date.
Oh, explaining this caused me to remember a theory about dark matter that I heard from my undergraduate adviser back in my college days (Dr. Douglas Lin: he was and is a big shot in the astrophysics circles). The idea is that there actually isn't any special dark matter. It's all bright matter. But some matter might be in locations where so few photons fall on them that we just never get a chance to observe that matter. For instance, it's known that all the galaxies of the universe exist on the surfaces of voids in the universe (that observation is what gave rise to superstring theory). Think of soap suds. We've got complex surfaces, where all the soap is, each surrounding a small void with no soap. Small from our perspective, but from the point of view of a technological civilization living in one of the "galaxies" within the soap film, those voids are huge. The universe has the same structure. And these voids are just monstrously huge. In the center of one of these voids, there would be very little light, because all the light sources are very far away. So you could stick a whole lot of matter there and no one would ever see it. These voids are so huge that you could easily fit 90% of the universe's mass in them and still have a very low density of matter. It's normal "bright" matter, but insufficient light reaches it for us to observe it. The problem with the theory is that if you have 90% of the universe stuck in these voids, then the voids should collapse from gravity and make the galaxy distribution homogeneous. And we don't see that. Perhaps this problem has been resolved by now. I don't know. And, of course, there are other locations where matter can be hidden, where we wouldn't be able to observe it. Those voids are just a single example.
I don't know anyone who is trying to force Linux, in specific (or any particular distribution of Linux) onto every computer.
Most of the die-hard Linux evangelists (of which I am one) are pushing Linux because we see that as the best means to our ends. And those ends are to get Windows /off/ of all computers. I don't care what goes back onto the computer so long as it isn't a Microsoft product. The fact that every OS that I'm familiar with is technologically superior to Windows (in its various flavors) means that I don't have to be particularly picky about which OS I push. But as far as I can see, Linux is the OS that's easiest to get people to accept. And so I push Linux.
Hell, before I got involved with Linux, I was writing my own OS (Syrinx) specifically for this purpose. Then 386BSD (or was it BSD386? don't remember) and Linux were both starting up at the time. I generally prefer BSD flavors of UNIX to SysV flavors (I'm addicted to ^Z, and my early experience with SysV stuff -- SCO UNIX and AT&T SysV -- didn't support a posteriori backgrounding), so I took a look at 386BSD. It didn't support my ESDI drives, so I couldn't even test it. Linux did. So I could play with it. And it was quite spiffy. So I abandoned Syrinx and jumped in with both feet and have been there since. If 386BSD had supported ESDI drives when I tested it, I'd probably be a *BSD bigot instead of a Linux bigot. Sure, some of you can argue that I should've just added support for ESDI myself, but in those days 386BSD wasn't accepting patches from the general public, and the developers told me that they had no interest in supporting ESDI. To top it all off, I couldn't even play around with it enough to see if it was interesting enough to warrant the effort of adding that support myself.
(To this day, Linux is the only operating system that understands the Syrinx partition type, and there is only one computer running Syrinx: an old 25MHz 286 that I sold to a buddy many years ago).
I've been doing contract work since 1994. A little work off and on for years before that, but we can ignore it. And less these days since I'm tied up with AdAce.
But with years of experience under my belt, I've had my share of disputes.
In order to protect your receivables, you have to take a very firm, very cruel stand right from the get-go. There is absolutely no benefit in being even slightly merciful at the start, and a whole lot of harm. And if you take a hard stand, that gives you room to negotiate in trying to convince a client to pay up. You've gotta make sure that your client sees themselves lying in the way of a hurtling Sisyphean rock, and you hold the key to the only way out of its path.
If you negotiate a contract for net 30 terms, and you haven't received a check 20 days after billing, send them a reminder. If you haven't received a check on the 30th day, submit a bad credit report. Don't wait. Do it. If you haven't received a check on the 40th day, file suit, and send a letter to your client telling them that you've done so. You can always drop the suit if the client finally pays. Be mean. Be cruel. Be a right bastard.
The finance and legal people at your client won't get offended: that's the way that they play the game too. Many accounts payable departments don't pay net 30 bills until the 30th day. You've gotta take a hard stand with them and make the point that net-30 means that they have 30 days to complete payment, not 30 days to start.
Don't be forgiving, don't be kind. If the client jerks you around in payment, you don't want to work for them again. I have occasionally accepted second jobs from bad clients, but I always insist on payment in advance for them. I keep a counter on one of my machines, tracking the available balance in their account. I leave it up to their people to track the balance and make sure it doesn't drop to zero, because when it does drop, I immediately stop what I'm doing.
If everything that Mosfet said is true, and if everything that the post from "Giovanni" here says is true, then Mosfet is being overly kind to Future Tech. He's not being petty. He's not suffering from a mood swing. He's not being an irresponsible worker who doesn't finish his tasks. He's being foolishly forgiving and naive.
Oh ya, almost forgot: always get a contract in writing, and always negotiate the terms. Never accept the first offer.
Years ago, I had a potential client in San Jose, California. They wanted someone to build them a consumer-level internet firewall machine, that Joe Blow could just plug in and run with. So they were soliciting proposals. We negotiated $50/hour for me to produce a proposal for them, which I did. Standard type of proposal, talking about the hardware, OS, and configured components that I would be using. He rejected it, saying that this isn't what he was used to getting, that out of a proposal he expected the complete texts of all configuration files, build scripts, the whole 9 yards. Well, of course I told him that that would constitute the entire contract, not just a project proposal, and I would require my full rate and 50 hours to do so. He tried to claim that all his previous contractors had complied, and my response was that it is not my concern what his previous contractors did or did not do; if they truly did comply, then they were naive, and really shouldn't be in this business at all. He didn't like that response. Finally after I threatened suit, he agreed to pay my fee for the proposal, but of course he didn't give me the project. Boo hoo. I've since discovered that this particular manager at this company (not the whole company: just that one manager) had been making a practice over many years before and since of taking overly detailed project proposals for free or cheap, rejecting the projects, and then using the recipe in the proposal to implement the project in house. He was adored by his bosses, because he always produced "his" projects far under budget. Ha. Small wonder. Then, as I and others spread the word through the contractors that we know here in the SF Bay Area, he started to fall from favor with his bosses. It seems that he was no longer able to finish projects at all, much less under budget. And those few projects that he did manage to finish were very poor quality. He's now been unemployed for 2 years. 
So you see, taking a firm stand and being a bastard gives you wonderful anecdotes with happy endings. Not to mention that you actually get paid.
When both parties to a contract are equally at breach, then judges usually rule that the contract is void, unless either or both parties can show real damages. In that case, the judges usually subtract the smaller real damages from the larger real damages, and award the difference without allowing any punitive damages.
In this case, since Liquid was a "product" that existed before the contract with FT, I don't really see how a judge would award IP rights to FT.
Once again, I haven't seen the contract, blah blah blah. etc etc etc.
That's right, I am not your lawyer.
Whether or not I am a lawyer depends on the definition that you use.
If you're talking about someone who prosecutes and defends cases in court on at least a semiregular basis, then yes, I am a lawyer (I haven't lost any cases yet).
If, on the other hand, you're talking about someone who has a membership in the BAR and uses that to provide legal representation for clients, then no, I'm not a lawyer.
But no matter what definition you use, I am not your lawyer, and therefore my words shouldn't be taken as legal advice to you.
IANYL
Assuming that everything in the story is true, and that the contract included terms to pay Mosfet for his work, then FT is in breach of contract, and any consideration that Mosfet assigned to FT through the contract (including assignment of IP rights) is void. So all such considerations remain with Mosfet, and FT has no rights at all. In fact, Mosfet has the right to sue for breach of contract, which allows you to up the damages way beyond the real damages.
Of course, this has a lot of assumptions in it. I certainly haven't read the contract, and I have no way to know that what Mosfet and FT are saying about the situation is even remotely true.
[damned internet explorer posted my last (empty) message when I hit return in this text box. Bleah]
Anyway, this is all pretty standard stuff. I get asked to do this kind of stuff occasionally by my clients. It's highly fun work.
One of my buddies once hacked into his client by discovering that one of the employees at the client's ISP was running a warez site at the ISP, and talked the employee into letting him install a sniffer on the client's line.
The trick with doing tiger team work is that you have to uncover weaknesses. No one hires a tiger team unless they suspect that they have a problem, and if you don't uncover a problem, they presume that you suck rather than that their security is actually good. Luckily, that's not a problem, because everyone has terrible security. Some are less terrible than others, but even when technical means fail, creative social engineering never does.
The basic problem is the existence of people who are, by nature, trusting. These people are the bane of good security. If you have a single one of these people, even in a lowly position like a janitor (who're great because they have almost unlimited physical access) or receptionist, the company's premises are left wide open. Optimists ensure that security professionals will forever be employable.
Some of you will recall that I'm CSO of an advertising company. We have servers at an ISP who pretends to have good security. They've got palm-print scanners on all their doors, code keypads, badges, security guards, locked cages, the whole 9 yards. But since they have all this technical hoohaw, the people have gotten lazy. So the technical stuff doesn't mean a damn. One day, I accidentally locked myself out of my cage. So I pulled out my lockpicks (which I always have on hand) and just picked the lock. Now I'm not particularly good with lockpicks, just being at the level of hobbyist. I can get most locks open, but it can sometimes take me an hour of uninterrupted work when I'm on a difficult lock. But I was able to get that cage open in about 20 seconds. A camera was looking right at me the whole time, and no one came to investigate. And here I am, a shabby looking character with long hair, bushy beard, and a leather jacket. And a handy set of lockpicks on hand. That should've raised a bunch of eyebrows back at the security desk. But, no.
I'm really getting irked now. The new FAQ contains the following text:
What does the proposed policy change? It establishes a process that requires people to disclose to a Working Group that a specification in development may intersect with patented technology.
This is a complete and bald-faced lie. The new policy has no such requirement. In fact, this is one of the specific objections that I raised in my email to W3C.
The fact of the matter is that the new policy requires participants to circulate memoranda throughout their individual companies, using the same channels normally used for W3C information. These memoranda are requests for employees to respond from memory if they believe that that company owns a patent that would encumber a proposed W3C standard. If a positive response comes back, the contributor is bound to report the response to W3C. But nothing binds the employees to respond to the memorandum. Nothing binds them to read it. Nothing prevents the legal department from issuing an order that no such memoranda will receive positive responses. In fact, the PPWG's definition specifically states that these companies are not expected to do internal patent searches.
In every company I've ever worked in (since the inception of W3C), in every company I've ever contracted for, W3C related memoranda are generally ignored by the legal and technical staffs. One or two people out of the tech staff might actually read the things, but most don't. More importantly, the people who are likely to know about such patents never read the memos.
So the clause in the proposed policy that "requires" disclosure of patents, in truth, only requires that memos be sent. And that's the end of it.
When I, John Q. Public, abuse a power that is granted to me, only myself and the people directly involved with the abuse are affected.
When the government, its agents or assigns, abuse a power that has been granted to them, every resident of that nation is adversely affected.
There is no conceivable crime that is more heinous, more reprehensible, more downright evil, than governmental abuse of power. They have been trusted by their citizenry with certain powers that the people have acknowledged are needed in order for the government to do its job. When the government abuses that power, it violates that trust. It invalidates its purpose in existence. And it labels itself an enemy of the nation. An enemy that must be fought down.
With the incredible repercussions that result from governmental abuses, it is only prudent to do everything possible to limit the damage that a government can do when it abuses its powers. And the best way to do that is to ensure that its powers are inherently limited in scope and power. Not by some legal prohibition, but through the inherent nature of the power itself.
A power that is not inherently limited (such as crypto backdoors) must be jealously withheld from the government under all circumstances.
My take comes from being on many different sides of the issue over the course of my career. I've been a university student (BS CE, honors in the comprehensive). I've been that entry-level tyke whose every idea is considered no better than "cute" by the other guys. I've been a self-employed contractor. I've been a high-level tech employee. I've been an executive.
The one thing in a new hire that helps me in my businesses is attitude. I need people who've got the basic skills down solid, but more than anything I need someone who is passionate about learning. Someone who can think clearly. I don't even need someone who can communicate clearly: there are too many good workers who speak English poorly for me to have that luxury. If I've got someone who loves to learn and can think clearly, then that person can grow into my needs.
I gave up years ago trying to find that new hire who'll fit perfectly into the position that I have open; it only happens out of blind luck. What I look for is someone who can /become/ the employee that I need.
And those skills that I need have nothing to do with being well-rounded. In fact, being well-rounded is harmful in someone straight out of college. The basic problem is that public High Schools are miserable failures when it comes to teaching a student how to think and learn. So it falls on the universities. That means a student who has spent a great deal of time in hard sciences. Especially with a theoretical focus rather than an applied one. People with applied educations aren't capable of thinking out of the box. People with theoretical educations are slower to get started in application, but once they get over that first hurdle, they really zoom ahead.
The more time a university spends trying to "round out" a student, the less time there is for that student to develop his ability to learn and think. There's no room for thinking in the humanities: that's all just memorization and political games. Or at worst, you get stuck with a deconstructionist. And that means that the student isn't practicing the skills that I need from him.
This isn't to say that I don't like well-rounded people. I just hate well-rounded people who can't think, and that's the most common case. If someone masters thinking and learning, then I don't have any problem with them going out and making themselves well-rounded. But they should do it to themselves, not have it imposed on them by a University. If they don't have the desire to do it on their own, then it won't succeed, so there's no benefit for the University doing it. If they do have desire to do it on their own, then the University is just wasting its effort. And in any case, that desire itself is valuable to me.
Oh boy.
"government phone taps do not bother me because I know the only reason the .gov would want to tap my phones is if I were doing something bad"
That's a completely specious argument.
Government people don't tap people's phones because they're doing something bad. Government people tap people's phones because they're under suspicion of doing something bad. You own a gun. You post on slashdot. You have a computer. You have political opinions. In some jurisdictions, that's more than enough to put you under suspicion of doing something bad. Like here in California.
If the government knows someone is doing something bad, then they don't have any need of a phone tap: they already have enough evidence for a conviction. The rule in law enforcement is "go far enough to get sufficient evidence for a conviction, and then stop!" The perpetual fear in the DA's office is that law enforcement will uncover exculpatory evidence (that's evidence that proves the suspect's innocence). Since the prosecution is obligated under discovery rules to turn over all evidence to the defense, the presence of exculpatory evidence is a bad thing in the eyes of the DA's office. DAs don't make the connection with the fact that the presence of exculpatory evidence means they're prosecuting the wrong guy: they just want a conviction so they can close the book.
What all this means is that if the LEAs have enough evidence to convict you, they won't even attempt to tap your phone, because their investigation might backfire. And since you don't need proof of wrongdoing to convict (you only need enough evidence to show wrongdoing "beyond a reasonable doubt"), the certain knowledge of wrongdoing is also a guarantee that the LEAs have enough evidence to satisfy a jury. Note that I said certain knowledge, not strong suspicion: LEAs are excitable folks who tend to leap to conclusions.
And that tendency to leap to conclusions is part of the problem. By and large, LEAs are ignorant boobs. I've had a lot of contact with the Secret Service's technology investigations group and the FBI's computer crime squad in San Francisco, and even these guys (law enforcement's technological elites) aren't sufficiently up to speed to avoid leaping to conclusions.
Just look at the public records of the LAPD's illegal use of wiretaps throughout the 90's. At the instruction of the LA DA's office, no less. This was an ongoing, persistent misuse of wiretaps lasting many years, none of which were authorized by courts. With such widespread misuse in one jurisdiction, one must conclude that such misuse occurs in other jurisdictions as well. Cops, just like other professionals, have a tendency to jump from one job to another, though perhaps not as often as in technical fields. So even if other jurisdictions didn't come up with the idea on their own, cross-contamination would've occurred. And the record is clear that illegal wiretaps have been commonplace throughout the US for decades at least. Since not all misuse is detectable, the truth must be that wiretaps are even more horribly misused than is known.
What all this means is that you should assume that any ability that the .gov has will be misused to a greater or lesser degree. Innocent people will be hit by these misuses. Innocent people will go to jail as a direct result of these misuses. And innocent people will have no recourses.
Whether you're talking about wiretaps, gun registration databases, sex offender registries, or crypto backdoors, the issue isn't whether or not you've done something bad. It's merely whether or not you appear to have done something bad, or in the worst case, whether or not it can be made to appear that you've done something bad.
The simple matter is that with the sheer quantity and scope of the laws that already exist on the books, every one of you has done something bad. It's not possible to live a day in society without breaking a law. Do you have a bag of blue ice (the freezable cold packs) in your freezer? How about a piece of wood and some sandpaper? Or maybe a can of gasoline? If any of those are true, then you are in possession of bomb making materials. That's a federal felony. Do you own a car? Do you drive it? Then you're guilty of transporting hazardous materials without a license. Federal misdemeanor. Have you ever said the words "someone should kill the president" or anything to that effect, regardless of context or intent? Federal felony. Called an enemy in an online multiplayer game a "fucking nigger" for cheating? Or how about "bitch"? That's hate speech. Municipal misdemeanor in many jurisdictions. Do you possess pictures of your children as babies, naked? Child porn (go read the statute: it's very much overbroad). Federal felony. Have you ever had sex with your boyfriend/girlfriend while they were a minor and you weren't (such as when you were 18 and they were 17)? Statutory rape. Federal felony with strong enforcement ("strong enforcement" is a term of art that means that the victim or victim's parents don't have to agree that a crime has been committed in order for prosecution to proceed).
LEAs will try to tell you that they won't proceed with prosecution unless there was "intent to commit a crime." But in practice, that's nonsense. "Intent" is defined and shown by the DA's office (or AG's office), not by the LEAs or defendant, and in the case of strong enforcement statutes, is irrelevant anyway.
Ok, I'm starting to ramble. So I'll sum up: we must always resist giving any power to law enforcement that is capable of being abused, because any abusable power will be abused, and the innocents are the only people who will suffer.
Ok, here I am, talking about advertising again.
Assuming that the software works 100% (read: it blocks content if and only if the ads weren't viewed), then it will kill advertising revenue. The reason is all about click through ratios. It goes back to my previous statements: if someone doesn't want to view ads, then they aren't gonna be clicking on ads. And if they aren't clicking on ads, then forcing them to see the ad only lowers your click through ratio. And that means that you can't charge as much for advertising as you would otherwise be able to. So your costs go up, your revenues go down, and things are bad all around.
This doesn't even address the repercussions of the simple fact that forcing your viewers to also view ads is gonna piss them the hell off.
And then there's the technology itself. I could see it done in 2 ways: java/javascript and redirected frames.
The java/javascript method would require the user to have java enabled. And if they don't have java enabled, clearly the system won't work. Trying to put up a website that doesn't work for users with java or javascript disabled doesn't work. There are far too many users out there who have them disabled. Hell, I wish all users disabled them, but that's just me.
The redirected frame would be the best way. Make the ad server serve out an HTML frame that contains a link to the graphic and another link to a 1 pixel frame on the host's server. The host's server sits there and counts the hits on this other frame, and when it reaches the right number, serves out the content. But this doesn't prevent the user from blocking the ad graphic at all. It works if the user blocks the ad frame, but doesn't prevent the user from just blocking the ad graphic.
The only way you could tell that the real graphic is actually displayed is to send out java or javascript that knows the checksums for the ads that the user is going to be served, and then compares the checksums before the real content is displayed. But once again that depends on the user having java or javascript enabled. And it also requires the ad host's webserver to be integrated with the ad network's webserver. Only really big sites can afford to do that integration, because it means that they have to own their own ad server and content server. Ad servers are highly expensive. Yes, there are freeware ad servers out there, but none of them have the speed that a high traffic site needs, or they lack reasonable targeting options.
All in all, I'd say that this new beast is going to be a miserable failure. The problem isn't that this beast exists, but that someone actually thought it would be a good idea. That means that I have to get back into the propa^H^H^H^H^Heducation war again.
Ya, I've got the RC-5000. Damned good remote.
When I bought my DTS system, I started shopping for a good universal remote. The most basic feature to me is that it has to be a learning remote. I can't deal with those remotes that are preprogrammed with all the knee-jerk low-end consumer electronics. They never support my oddball equipment.
The moment you look at learning remotes, you jump up $50 in remote price right there. And then I needed a remote that handled multiple IR frequencies, because about half my components use one and the rest use another. That raises the price again.
Once I got up there, it wasn't really that much more money to just splurge and get the RC-5000. And let's face it, the damned thing has some serious hack value.
Firewire was too good for its time. When it came out, few needed a /serial/ communications medium that could handle such a high throughput. So few bought it.
Same with bubble memory. When bubble memory came out it was far more memory than anyone thought anyone would ever need. "128Mb in a nonvolatile memory chip? Who would ever need that much memory? 5MB hard disks are far more spacious than people need already. So the extra cost for bubble memory just isn't worth it." Well, guess what technology is making a comeback.
As long as the technology is open, things that are too advanced for their time aren't lost; they can make a comeback 10, 20, 30 years later when the market catches up. There are lots of examples of these orphaned technologies lying around.
The important thing to realize is that any market is always going to be dominated by the manufacturers' own ideas. And with only very rare exceptions, those ideas are not going to be about improving technology, but about making more money. Our world's technological level is far more advanced than is reflected in the market... but since selling an advanced technology means that you have to spend money on marketing to convince the consumers that they'll benefit from it, you never see those technologies come out until the market has caught up on its own.
Apparently. At least that's what I'm told. I don't have any shares, so I can't verify it myself. I could check the firewall logs for blocked accesses on UDP 137, 139, and the rest, but I always get lots of blocked accesses on those ports anyway, so it wouldn't really tell me much.
My servers are all apache, and none of the attacks have gotten through.
Apache itself isn't the culprit. Maybe you have something else there, or a bad configuration of apache or some insecure cgi installed. Lots of possibilities.
My servers at AdAce have been getting hits from Nimda since 6:23am PST today. Each infected machine hits me 16 times in 3 seconds, then I don't hear from it again for about 10 minutes.
At this point, there are 5723 unique IP addresses trying to probe my servers. I see a new IP address about every 45 seconds.
And, of course, there is no microsoft software of any kind that's accessible on those networks. All boxes running any microsoft software are isolated on a ghetto network, with very tight firewall rules.
You'd think that the bozos who write these things would at least check to see if the server was IIS before trying their probes. At least then my automatic log cycler wouldn't trigger so often.
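As an added example (not the post author's code), here is a small Python log filter that separates the IIS worm probes described in this post from ordinary Apache traffic, counts the unique probing sources, and flags the burst pattern (several hits from one address inside a few seconds). The log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in Apache "combined" format (illustrative, not the
# post author's real logs). 203.0.113.7 shows the burst pattern the post describes.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:06:23:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
203.0.113.7 - - [18/Sep/2001:06:23:01 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
203.0.113.7 - - [18/Sep/2001:06:23:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
203.0.113.7 - - [18/Sep/2001:06:23:03 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
198.51.100.22 - - [18/Sep/2001:06:24:10 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.22 - - [18/Sep/2001:06:24:12 -0700] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.9 - - [18/Sep/2001:06:25:40 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Path fragments requested by the IIS worms of the period (Nimda, Code Red) when
# probing for a vulnerable server. None of them mean anything to Apache, so a hit
# on one is worm noise rather than a real visitor.
PROBE_MARKERS = ("root.exe", "cmd.exe", "default.ida")


def parse_line(line):
    """Return (ip, timestamp, path, status) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def is_iis_probe(path):
    """True when the requested path is one an IIS worm would ask for (case-insensitive)."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)


def summarize_probes(log_text, window_seconds=3, burst_size=4):
    """Group probe requests by source address and flag bursts: at least `burst_size`
    probes whose timestamps fall within `window_seconds`. Returns
    {ip: {"probes": count, "burst": bool}} for every address that sent a probe."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_iis_probe(rec[2]):
            hits[rec[0]].append(rec[1])
    report = {}
    for ip, stamps in hits.items():
        stamps.sort()
        burst = any(
            (stamps[i + burst_size - 1] - stamps[i]).total_seconds() <= window_seconds
            for i in range(len(stamps) - burst_size + 1)
        )
        report[ip] = {"probes": len(stamps), "burst": burst}
    return report


if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(ip, info)
```

Piping the probe lines through a filter like this before the log cycler sees them keeps worm noise from inflating the log volume that triggers rotation.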