> They weren't trolls. I've seen the memory leaks first hand. Plenty of people have posted OS memory usage screenshots. It may have been particular extensions or advanced settings that caused the problems but it was not some work of fiction.
While they weren't trolls, people have been talking about them as if they were still there long after Firefox addressed pretty much all of them. There might be a buggy extension or two still designed to gobble up memory, but I haven't seen one no matter how much I use Firefox on the pitiful machines we have at work, and I use quite a few of the more popular extensions (Adblock+, NoScript, and about a dozen others).
So they weren't trolling, but I suspect some people are still bashing Firefox based on outdated information. Unless you have new OS memory usage screenshots to post?
I'm just glad she *has* a lawyer. Am I horribly mistaken, or didn't her former lawyer withdraw from the case? Unless I have my cases confused, Jammie Thomas was in a bind having no lawyer and the RIAA opposing any continuance of the case (i.e. let's not give her any time to find a new lawyer).
Who is this guy that he could jump in and go after them like this? Legal research takes time...
> You can omit the 'or later versions' license and have the possibility that the later versions of other FSF licenses will be incompatible with your version (e.g. LGPLv3 is incompatible with GPLv2; good luck if you were working on a GPLv2-only project that depended on a library that has moved from LGPLv2-or-later to LGPLv3-or-later).
The "or later" clauses allow the licensee (in your example, the GPLv2 project maintainer) to choose which license terms they choose to follow. That choice is *not* made by the licensor (who is, in your example, the LGPL library maintainer).
While the library can start accepting v3-or-later code, the v2-or-later code will still be usable under those terms; you just won't be able to get any new v3-or-later licensed updates. You can keep that v2+ code in your project so long as you abide by the terms, though you may have to maintain that library yourself from now on.
At least, that's my understanding from reading the GNU website.
> And clearly if the ODF 1.1 spec is that vague it is close to useless as a spec.
Right. That's exactly why a bunch of hobbyist programmers managed to figure it out and make a bunch of different ODF 1.1 implementations, while Microsoft couldn't make heads or tails of the vague and useless specification.
Clearly, poor little Microsoft couldn't possibly afford to hire any of these folks to help them follow the standard which everyone else has no trouble following. I mean, how could Microsoft possibly figure out what to do with Excel-style formulas?
> That's the problem - the spec is too vague to be implemented properly.
The hell it is! There are reference implementations. There's BSD code they could copy-paste. The oft-referenced "problems" have already been dealt with by many other comments. If you're going to complain about ODF 1.2 documents in ODF 1.1 programs, I'm going to have to complain about Word 2003 documents that don't work right in Word 95, even if you use save as to save it to the old version.
And then I'll quote one of your own comments (including the typo) back to you:
"Ever wonder how all these other people can get it working, and you can't? Every thought it might not be the technology, it might be you? Just asking..."
> Curious. At home, I've got a large collection of children's educational and gaming software written for DOS through Windows 98 that utterly fail to run properly in Windows XP or Vista. I haven't experienced this compatibility of which you speak.
At least for DOS, try DOSBox. It's great for firing up an old copy of Master of Magic...
> You'll be waiting for a long time. It's impossible to index a database for matching via regex, therefore searches on such an engine would be inordinately expensive to process.
It may not be the same as a database index, but Perl has the 'study' function, and I'm sure that there are more than a few ways to speed up regex searches once the data to be searched is known. I wouldn't be too quick to assume that indexing something is the only way to do efficient searching any more than I would say that comparison is the only way to sort things and that O(n log n) is a fundamental lower limit (it is, but only for sorting based on comparison of elements).
> While the assertion may not be "incorrect", as there is a pending sanctions motion against Beckerman, the fact that the RIAA frames it as a reason to discredit Beckerman makes it inaccurate.
Yeah. You see, you have to pretend that you're Data with your ethical subroutines disabled to be able to make RIAA-lawyer type arguments. Here, I'll show you how:
What they're doing is sort of like saying, "But you can't listen to the RIAA lawyers, they're all accused pedophiles!" And then neglecting to disclose the fact that you're the one alleging that they're pedophiles. And that you have no proof.
But wait! What if I look up the demographics of the RIAA's legal team, then compare them to statistics on the incidence of pedophilia, so that I can truthfully allege that there's an x% chance that at least one RIAA lawyer is a pedophile? I mean, we can't have pedophiles in our court rooms, now, can we?
So there you have it: with enough unethical logical contortions, you too can make someone out to be a horrible criminal worthy of public scorn based on unsubstantiated nonsense you made up yourself! Just don't do it in court unless you want to find out what Rule 11 is. Though I guess the judges are a bit lax these days, given that I haven't seen any judges granting them against the RIAA yet. I guess they're better at making people out to be statistically likely to be copyright infringers, given that almost everyone has infringed upon at least one copyright.
I mean, how many people do you know who haven't sung "Happy Birthday to You"? Yes, the damn thing is copyrighted. You're a low-down dirty copyright infringer if you've ever sung it at any time in your life. And no, it doesn't matter if you were 5 years old at the time and had no idea what a copyright was.
We'll never agree because whatever security-hardened distro I mention will not be "mainstream" enough for you. You never did tell me why OpenBSD isn't "mainstream." Why is only a "mainstream Linux distro" acceptable as proof? And why is ASLR the be-all-end-all of security? It's not like you can't harden a Linux box to have better security than Vista probably ever will. I mean, you can't even do a proper audit of Vista's code (unless maybe you're the government, or one of the small handful of people they will allow to see the code under special circumstances). People can (and have) done a great many audits of Linux. Hell, any time someone makes a new code security scanner, they almost always test it on large open-source codebases and publicize the results to get free advertising...
Anyhow, suffice it to say that ASLR, just like email, is indeed old hat, no matter how new it is to the general public. I'm glad you know what SYN cookies are for, though (I still remember when people suddenly "rediscovered" them a few years back...). It means that you're not dumb, you just want to argue. Even though you've had to retreat down to your only somewhat-defensible point: what constitutes "mainstream" and what constitutes a "weak" form of ASLR (even though I pointed out that the 'extra' randomness of the "strong" form in Vista isn't as great as it was supposed to be), so I have no interest in continuing after this post.
But I still don't agree with the way you put it, because it sounds like a few small updates to an old technique are being marketed as "NEW!! SHINY!!!" That's also how people perceived AOL during the year of the Eternal September, I grant you, so you can say that there's some truth to it. But I'm just not going to get swept up by it. It's old hat and I refuse to recognize it as anything else. It might not have been widely used beforehand. But to me, it's old hat.
> "4 pages longer than the document to which it was responding"
Legal briefs are subject to page count restrictions. I'm not sure if it happened in this particular incident, but they may have had to file a request to be allowed to file an over-length brief with the Court, just so they could waste more of the Court's time by calling the FSF an evil terrorist organization bent on copyright destruction and kitten eating (or whatever).
I'm with Ray on this one. I don't hate the RIAA, so much as I hope they find honest work someday.
> I also disagree that ASLR was old hat before MS announced support for it. ASLR isn't old hat even today.
Good God, man, ASLR was first introduced in 2001 with some patches for the Linux kernel, which is practically ancient history for a computer security geek. Next you'll be telling me that WEP is cryptographically weak. Although WEP was introduced in 1999, the cryptographic attack on the IVs wasn't disclosed until August 2001, around the time when the term ASLR was first coined. Just for reference, the Linux 2.4 kernel was not yet released at the start of 2001.
> As to your comments that MS NX and ASLR in Vista SP1 mean nothing, the back to back winner of pwn2own seems to disagree.
First, I didn't say that it "means nothing." I said that it wasn't as great as you're making it out to be and that Microsoft wasn't somehow at the head of the pack.
Second, security contests are a bad way to metric for a great many reasons that anyone who was part of the security community ought to know by now (they're gimmicky, they don't attract top talent, they're no replacement for a real security audit, and they're frequently used to "prove" things about security that simply aren't true). I'm not saying that guy who won is bad at security (anyone who can write their own exploits has to know a thing or two), just that you cannot and should not judge expertise by how many contests someone has won. Computer security is not a sport.
Third, I still say you're misreading what the guy is saying. You made me research it more than I had bothered to yet, but Vista's ASLR implementation isn't all that great (PDF). Apparently, this one guy hadn't worked out how to use any of that in time for the contest. Don't worry, even with the contest over, hackers will continue to analyze it and exploit those weaknesses later.
> There is only one mainstream OS that ships with it on, so it's not old hat yet.
If you're going to play the "mainstream OS" game, I'm going to have to ask for a definition of "mainstream" that isn't ad hoc. Especially when you say "ships." Nobody uses just the Linux kernel and nothing else, they use a packaged distro (several of which do, in fact "ship" with this on, because they're made with security in mind). Linus' kernel is not the end-all-be-all of Linux. Hardened Linux distros are widely used and generally contain features like ASLR by default (along with a great many other things).
Furthermore, OpenBSD is quite mainstream for security-critical applications. I personally prefer using Linux, but if someone wants a server and security is top priority, I would start by exploring OpenBSD-based solutions followed by various hardened Linux distros. There's no way in hell I'd go to Vista first. Their security records aren't even comparable, particularly if you want to compare default installations.
Now, you can either continue to insist on misunderstanding what some security guy you don't know wrote, or listen to someone who was a part of the security community when ASLR was new. It's old hat.
But that's okay, if you hang around long enough you'll find out that people often find really old stuff (say, the reasons for using SYN cookies) and think they've discovered something brand new. It happens all the time in the security community. That, too, is old hat.
It's been happening since long before I first learned the basics of the art.
> As mentioned in the article, without adding stuff to the kernel that is not in the default on distros, you aren't getting the same protection as Vista has.
I don't know when it was added to Linux, but OpenBSD had all of this (and more) ages ago (about 2003, according to Wikipedia). Fact is, this was old hat by the time Microsoft announced support for it.
I'm not buying any Vista/Win7 marketing hype. It's good that they're adding more security, but they're not doing anything other people haven't done long before them. They're playing catch-up, and they're quite a ways behind.
Anyhow, I don't think your premise (that Microsoft's stuff is the latest and greatest) is supported by that link. You're misreading it. He's saying that the implementation is new (so people haven't had time to explore it yet), not that the technique is new (as previously documented, NX bits and ASLR have been around for years now, in various kernels, even by default).
I'm not saying that Microsoft doesn't have a credible implementation (I haven't seen enough research yet to make a determination), but whatever they have is built off of ideas that were created independently by the security community long before Microsoft even thought about implementing them.
P.S. Just in case you want to play "but he's a security expert," I'm one, too, and I remember thinking "it's about damn time" when I heard Microsoft announce support for them.
> Verified signup/credit card with confirmation:
> Nearly-full, with shutoff or limitations imposed at first sign of abuse.
I'm not saying that the concept itself is wrong, but you say this as if the spammers don't have the information pertaining to millions of identities to use on a whim.
You know that they sell CC#s and details by the thousands, right?
> I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
A) Some of us have JavaScript disabled unless you make the whitelist.
B) If everybody used that, they'd automate a way around what everybody was doing. It might be harder, but these days there are major spamming/botnet operations that seem to be connected to the Russian Mafia. So...
> Owning .ass is only profitable if you also own .tits. After all, we all know that what sells is .tits and .ass.
Yeah, but just getting all the yellow properties isn't enough. You need to build some hotels on them to really rake in the money. With blackjack. And hookers. In fact...
> "No other company can realistically get an equivalent license,"
Sure they could! Just pay the same $millions Google did and go through the same thing...
Or are they complaining because they want it for free? :-]
Because we *could* also just change the law concerning orphan works (which might require some modifications to certain copyright treaties)... In fact, wasn't there a recent bill to do exactly that?
> So if I post reviews on my blog, I'm allowed to pirate anything I want? I just have to review it?
Judges aren't that dumb. The courts won't believe you if you're only reviewing it to attempt to give yourself an out against claims of infringement, even if they'd otherwise allow what you're doing as a fair use. They tend to take a dim view of people trying to twist the law like that, which is why people hire very expensive lawyers to twist the laws for them.
> We use the much more trusted MediaDefender these days."?
Trusted? Do you guys not remember MediaDefender-Defenders and the leaked email? As I recall, they were even branching out into partnerships with the government to go after kiddie porn.
Also, it was interesting to read the emails where the MD guys talked about the bestiality porno they had and whatnot.
If they really want THAT to come up in court, well, maybe they should get Jack Thompson as their lawyer. Not that he is a lawyer any more, but...
> I foresee a future where this innovation will be carried to things like simple desk calculators, where 2+2 is no longer shackled to equal 4, where one will have a "multi-calculator" that gives a range of results. I can't wait!
Sweet! I could really use a calculator that does mod 3 arithmetic! That will show those people who don't believe me when I tell them that 2+2 == 1!
> High-sounding but irrelevant verbiage having no bearing on the facts. I mean, how grandiose you are in dismissing one simple fact: working our manufacturing economy was how Americans managed to have a standard of living envied by most of the world. How do you think wealth is created? By magic? Hardly: it's by building and selling things to other countries, it's called trade.
So, let me get this straight. We have a huge trade deficit. This means that we're exporting American dollars and importing lots of foreign products. You're telling me we're screwed because those dollars aren't really worth anything, not being real wealth.
But we're getting rid of those and getting real, physical goods for that money.
Please explain to me one more time how we're getting the short end of the stick in that arrangement? If things go belly-up, we still have all those goods that we bought. What makes you say that an industrial superpower is the only kind?
> Suppose we took your idea to its logical conclusion, and ended up with an entirely automated production system with no need for people at all. We'd all be unemployed at that point. No thanks.
Would anyone NEED to be employed at that point, if robots could take care of everything?
> All the air would be rushing in, so why would it be exploding outwards? I guess it'd make it shatter more but I'd think the pressure differential would make it spread less, not more.
I guess that's just an assumption of mine, but I'm guessing that the pieces would end up with more kinetic energy due to the vacuum.
All I know is that I was once sternly warned about the proper way to break a CRT tube (put it inside a trash bag and carefully crack the thin end on the back with a hammer until you could hear air rush in) and those are vacuum filled. I was told that the implosion would be pretty bad if I broke it any old way (and that I shouldn't just toss it into the trash with the vacuum intact).
> still have trouble with perl that uses OO stuff (and what was so wrong with chop() that we needed chomp()?)
Idiots fed it things they expected to have newlines at the end which didn't.
I've honestly never used chop or chomp for anything except removing the newline from the end of a string. While I could do that in a regex, some people get that deer-in-the-headlights look whenever they see them...
(Me? I bought the O'Reilly regex book to read for fun.)
Parent post is correct. I work for a window manufacturer and our IG units are only ever filled with normal air, nitrogen, or argon.
("IG units" are insulated glass units, AKA double pane windows, and consist of two lites of glass with a spacer between them. They are sealed shut with PIB and silicone.)
It's possible that they're confused by part of the manufacturing process where the IG units go through a vacuum chamber which removes all the air, before filling the units with nitrogen or argon and sealing them. But I'm quite sure we don't make any vacuum filled units. And even if we did, I have to think that at least some sound would be transmitted through the spacer that holds the two lites of glass apart.
As if the bow wouldn't be bad enough, the vacuum would cause the windows to explode even more violently than they already do if they were broken. As someone who has seen tempered lites of glass around 6' x 9' explode, I can tell you that your living room would already be a mess of broken glass if a picture window like that broke. You really don't want a vacuum in there to make things worse. Especially given that a window that size would likely be made out of 6 mm glass...
Well, I guess if someone was crazy enough to make a window like that, they'd use laminated glass. At least, I hope they would. Our customers are always trying to push the limits of how big you can allow a lite to get before it has to be thicker...
> They weren't trolls. I've seen the memory leaks first hand. Plenty of people have posted OS memory usage screenshots. It may have been particular extensions or advanced settings that caused the problems but it was not some work of fiction.
While they weren't trolls, people have been talking about them as if they were still there long after Firefox addressed pretty much all of them. There might be a buggy extension or two still designed to gobble up memory, but I haven't seen one no matter how much I use Firefox on the pitiful machines we have at work, and I use quite a few of the more popular extensions (Adblock+, NoScript, and about a dozen others).
So they weren't trolling, but I suspect some people are still bashing Firefox based on outdated information. Unless you have new OS memory usage screenshots to post?
I'm just glad she *has* a lawyer. Am I horribly mistaken, or didn't her former lawyer withdraw from the case? Unless I have my cases confused, Jammie Thomas was in a bind having no lawyer and the RIAA opposing any continuance of the case (i.e. let's not give her any time to find a new lawyer).
Who is this guy that he could jump in and go after them like this? Legal research takes time...
> You can omit the 'or later versions' license and have the possibility that the later versions of other FSF licenses will be incompatible with your version (e.g. LGPLv3 is incompatible with GPLv2; good luck if you were working on a GPLv2-only project that depended on a library that has moved from LGPLv2-or-later to LGPLv3-or-later).
The "or later" clauses allow the licensee (in your example, the GPLv2 project maintainer) to choose which license terms they choose to follow. That choice is *not* made by the licensor (who is, in your example, the LGPL library maintainer).
While the library can start accepting v3-or-later code, the v2-or-later code will still be usable under those terms, you just won't be able to get any new v3-or-later licensed updates. You can keep that v2+ code in your project so long as you abide by the terms, though you may have to maintain that library yourself from now on.
At least, that's my understanding from reading the GNU website.
> And clearly if the ODF 1.1 spec is that vague it is close to useless as a spec.
Right. That's exactly why a bunch of hobbyist programmers managed to figure it out and make a bunch of different ODF 1.1 implementations, while Microsoft couldn't make heads or tails of the vague and useless specification.
Clearly, poor little Microsoft couldn't possibly afford to hire any of these folks to help them follow the standard which everyone else has no trouble following. I mean, how could Microsoft possibly figure out what to do with Excel-style formulas?
> That's the problem - the spec is too vague to be implemented properly.
The hell it is! There are reference implementations. There's BSD code they could copy-paste. The oft-referenced "problems" have already been dealt with by many other comments. If you're going to complain about ODF 1.2 documents in ODF 1.1 programs, I'm going to have to complain about Word 2003 documents that don't work right in Word 95, even if you use save as to save it to the old version.
And then I'll quote one of your own comments (including the typo) back to you:
"Ever wonder how all these other people can get it working, and you can't? Every thought it might not be the technology, it might be you? Just asking..."
> Curious. At home, I've got a large collection of children's educational and gaming software written for DOS through Windows 98 that utterly fail to run properly in Windows XP or Vista. I haven't experienced this compatibility of which you speak.
At least for DOS, try DOSBox. It's great for firing up an old copy of Master of Magic...
> You'll be waiting for a long time. It's impossible to index a database for matching via regex, therefore searches on such an engine would be inordinately expensive to process.
It may not be the same as a database index, but Perl has the 'study' function, and I'm sure that there are more than a few ways to speed up regex searches once the data to be searched is known. I wouldn't be too quick to assume that indexing something is the only way to do efficient searching any more than I would say that comparison is the only way to sort things and that O(n log n) is a fundamental lower limit (it is, but only for sorting based on comparison of elements).
> While the assertion may not be "incorrect", as there is a pending sanctions motion against Beckerman, the fact that the RIAA frames it as a reason to discredit Beckerman makes it inaccurate.
Yeah. You see, you have to pretend that you're Data with your ethical subroutines disabled to be able to make RIAA-lawyer type arguments. Here, I'll show you how:
What they're doing is sort of like saying, "But you can't listen to the RIAA lawyers, they're all accused pedophiles!" And then neglecting to disclose the fact that you're the one alleging that they're pedophiles. And that you have no proof.
But wait! What if I look up the demographics of the RIAA's legal team, then compare them to statistics on the incidence of pedophilia, so that I can truthfully allege that there's an x% chance that at least one RIAA lawyer is a pedophile? I mean, we can't have pedophiles in our court rooms, now, can we?
So there you have it: with enough unethical logical contortions, you too can make someone out to be a horrible criminal worthy of public scorn based on unsubstantiated nonsense you made up yourself! Just don't do it in court unless you want to find out what Rule 11 is. Though I guess the judges are a bit lax these days, given that I haven't seen any judges granting them against the RIAA yet. I guess they're better at making people out to be statistically likely to be copyright infringers, given that almost everyone has infringed upon at least one copyright.
I mean, how many people do you know who haven't sung "Happy Birthday to You"? Yes, the damn thing is copyrighted. You're a low-down dirty copyright infringer if you've ever sung it at any time in your life. And no, it doesn't matter if you were 5 years old at the time and had no idea what a copyright was.
We'll never agree because whatever security-hardened distro I mention will not be "mainstream" enough for you. You never did tell me why OpenBSD isn't "mainstream." Why is only a "mainstream Linux distro" acceptable as proof? And why is ASLR the be-all-end-all of security? It's not like you can't harden a Linux box to have better security than Vista probably ever will. I mean, you can't even do a proper audit of Vista's code (unless maybe you're the government, or one of the small handful of people they will allow to see the code under special circumstances). People can (and have) done a great many audits of Linux. Hell, any time someone makes a new code security scanner, they almost always test it on large open-source codebases and publicize the results to get free advertising...
Anyhow, suffice it to say that ASLR, just like email, is indeed old hat, no matter how new it is to the general public. I'm glad you know what SYN cookies are for, though (I still remember when people suddenly "rediscovered" them a few years back...). It means that you're not dumb, you just want to argue. Even though you've had to retreat down to your only somewhat-defensible point: what constitutes "mainstream" and what constitutes a "weak" form of ASLR (even though I pointed out that the 'extra' randomness of the "strong" form in Vista isn't as great as it was supposed to be), so I have no interest in continuing after this post.
But I still don't agree with the way you put it, because it sounds like a few small updates to an old technique are being marketed as "NEW!! SHINY!!!" That's also how people perceived AOL during the year of the Eternal September, I grant you, so you can say that there's some truth to it. But I'm just not going to get swept up by it. It's old hat and I refuse to recognize it as anything else. It might not have been widely used beforehand. But to me, it's old hat.
> "4 pages longer than the document to which it was responding"
Legal briefs are subject to page count restrictions. I'm not sure if it happened in this particular incident, but they may have had to file a request to be allowed to file an over-length brief with the Court, just so they could waste more of the Court's time by calling the FSF an evil terrorist organization bent on copyright destruction and kitten eating (or whatever).
I'm with Ray on this one. I don't hate the RIAA, so much as I hope they find honest work someday.
> I also disagree that ASLR was old hat before MS announced support for it. ASLR isn't old hat even today.
Good God, man, ASLR was first introduced in 2001 with some patches for the Linux kernel, which is practically ancient history for a computer security geek. Next you'll be telling me that WEP is cryptographically weak. Although WEP was introduced in 1999, the cryptographic attack on the IVs wasn't disclosed until August 2001; around the time when the term ASLR was first coined. Just for reference, the Linux 2.4 kernel was not yet released at the start of 2001.
> As to your comments that MS NX and ASLR in Vista SP1 mean nothing, the back to back winner of pwn2own seems to disagree.
First, I didn't say that it "means nothing." I said that it wasn't as great as you're making it out to be and that Microsoft wasn't somehow at the head of the pack.
Second, security contests are a bad way to metric for a great many reasons that anyone who was part of the security community ought to know by now (they're gimmicky, they don't attract top talent, they're no replacement for a real security audit, and they're frequently used to "prove" things about security that simply aren't true). I'm not saying that guy who won is bad at security (anyone who can write their own exploits has to know a thing or two), just that you cannot and should not judge expertise by how many contests someone has won. Computer security is not a sport.
Third, I still say you're misreading what the guy is saying. You made me research it more than I had bothered to yet, but Vista's ASLR implementation isn't all that great (PDF). Apparently, this one guy hadn't worked out how to use any of that in time for the contest. Don't worry, even with the contest over, hackers will continue to analyze it and exploit those weaknesses later.
> There is only one mainstream OS that ships with it on, so it's not old hat yet.
If you're going to play the "mainstream OS" game, I'm going to have to ask for a definition of "mainstream" that isn't ad hoc. Especially when you say "ships." Nobody uses just the Linux kernel and nothing else, they use a packaged distro (several of which do, in fact "ship" with this on, because they're made with security in mind). Linus' kernel is not the end-all-be-all of Linux. Hardened Linux distros are widely used and generally contain features like ASLR by default (along with a great many other things).
Furthermore, OpenBSD is quite mainstream for security-critical applications. I personally prefer using Linux, but if someone wants a server and security is top priority, I would start by exploring OpenBSD-based solutions followed by various hardened Linux distros. There's no way in hell I'd go to Vista first. Their security records aren't even comparable, particularly if you want to compare default installations.
Now, you can either continue to insist on misunderstanding what some security guy you don't know wrote, or listen to someone who was a part of the security community when ASLR was new. It's old hat.
But that's okay, if you hang around long enough you'll find out that people often find really old stuff (say, the reasons for using SYN cookies) and think they've discovered something brand new. It happens all the time in the security community. That, too, is old hat.
It's been happening since long before I first learned the basics of the art.
> As mentioned in the article, without adding stuff to the kernel that is not in the default on distros, you aren't getting the same protection as Vista has.
I don't know when it was added to Linux, but OpenBSD had all of this (and more) ages ago (about 2003, according to Wikipedia). Fact is, this was old hat by the time Microsoft announced support for it.
I'm not buying any Vista/Win7 marketing hype. It's good that they're adding more security, but they're not doing anything other people haven't done long before them. They're playing catch-up, and they're quite a ways behind.
Anyhow, I don't think your premise (that Microsoft's stuff is the latest and greatest) is supported by that link. You're misreading it. He's saying that the implementation is new (so people haven't had time to explore it yet), not that the technique is new (as previously documented, NX bits and ASLR have been around for years now, in various kernels, even by default).
I'm not saying that Microsoft doesn't have a credible implementation (I haven't seen enough research yet to make a determination), but whatever they have is built off of ideas that were created independently by the security community long before Microsoft even thought about implementing them.
P.S. Just in case you want to play "but he's a security expert," I'm one, too, and I remember thinking "it's about damn time" when I heard Microsoft announce support for them.
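Added example, not written by any of the posters above: a small Perl script that checks what the Linux kernel under you actually does about address randomisation, which is the practical question hiding behind the "on by default or not" argument. It assumes Linux with /proc mounted (it reports that it cannot tell on anything else), reads kernel.randomize_va_space, then exec's a handful of fresh perl children and compares where each one's stack and heap mappings landed. fork() alone would not do here, since a forked child inherits the parent's layout; only exec gets a newly randomised one.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not from the thread). Assumes Linux with /proc available.

# 0 = randomisation off, 1 = stack/mmap/vdso randomised, 2 = heap (brk) randomised too.
sub randomize_setting {
    open my $fh, '<', '/proc/sys/kernel/randomize_va_space' or return 'unknown';
    chomp(my $v = <$fh>);
    close $fh;
    return $v;
}

# Start address of the mapping tagged $tag (e.g. '[stack]', '[heap]') in a freshly
# exec'd perl child, read from that child's own /proc/self/maps. Returns undef if
# the child could not find it (no /proc, or no such mapping).
sub child_mapping_start {
    my ($tag) = @_;
    my $code = q{
        my ($tag) = @ARGV;
        open my $m, '<', '/proc/self/maps' or exit 1;
        while (<$m>) {
            if (/^([0-9a-f]+)-\S+\s.*\Q$tag\E$/) { print $1; exit 0 }
        }
        exit 1;
    };
    # List-form pipe open: no shell involved, so $code and $tag need no quoting.
    open my $kid, '-|', $^X, '-e', $code, $tag or return undef;
    my $addr = <$kid>;
    close $kid;    # sets $? to the child's exit status
    return (defined $addr && $? == 0) ? $addr : undef;
}

# Number of distinct start addresses seen for $tag across $runs fresh processes.
sub distinct_addresses {
    my ($tag, $runs) = @_;
    my %seen;
    for (1 .. $runs) {
        my $a = child_mapping_start($tag);
        return undef unless defined $a;
        $seen{$a} = 1;
    }
    return scalar keys %seen;
}

my $runs = 5;
printf "kernel.randomize_va_space = %s\n", randomize_setting();
for my $tag ('[stack]', '[heap]') {
    my $n = distinct_addresses($tag, $runs);
    if (!defined $n) {
        print "$tag: mapping not found or /proc unreadable (not Linux?)\n";
        next;
    }
    printf "%-7s %d distinct start address(es) in %d runs -> %s\n",
        $tag, $n, $runs, $n > 1 ? 'randomised' : 'NOT randomised';
}
```

Two caveats when reading the result. With randomize_va_space set to 1 the stack moves but the heap line will come back "NOT randomised", because brk randomisation only arrives at level 2. And this only shows what the kernel offers: a binary built without -fPIE/-pie still gets its text segment loaded at a fixed address no matter what the sysctl says, which is the "you need more than the default" point the grandparent was making, and it has nothing to say about OpenBSD, which does not have /proc/sys.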
> Verified signup/credit card with confirmation:
> Nearly-full, with shutoff or limitations imposed at first sign of abuse.
I'm not saying that the concept itself is wrong, but you say this as if the spammers don't have the information pertaining to millions of identities to use on a whim.
You know that they sell CC#s and details by the thousands, right?
> I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
A) Some of us have JavaScript disabled unless you make the whitelist.
B) If everybody used that, they'd automate a way around what everybody was doing. It might be harder, but these days there are major spamming/botnet operations that seem to be connected to the Russian Mafia. So...
> Owning .ass is only profitable if you also own .tits. After all, we all know that what sells is .tits and .ass.
Yeah, but just getting all the yellow properties isn't enough. You need to build some hotels on them to really rake in the money. With blackjack. And hookers. In fact...
> "No other company can realistically get an equivalent license,"
Sure they could! Just pay the same $millions Google did and go through the same thing...
Or are they complaining because they want it for free? :-]
Because we *could* also just change the law concerning orphan works (which might require some modifications to certain copyright treaties) ... In fact, wasn't there a recent bill to do exactly that?
> So if I post reviews on my blog, I'm allowed to pirate anything I want? I just have to review it?
Judges aren't that dumb. The courts won't believe you if you're only reviewing it to attempt to give yourself an out against claims of infringement, even if they'd otherwise allow what you're doing as a fair use. They tend to take a dim view of people trying to twist the law like that, which is why people hire very expensive lawyers to twist the laws for them.
> We use the much more trusted MediaDefender these days."?
Trusted? Do you guys not remember MediaDefender-Defenders and the leaked email? As I recall, they were even branching out into partnerships with the government to go after kiddie porn.
Also, it was interesting to read the emails where the MD guys talked about the bestiality porno they had and whatnot.
If they really want THAT to come up in court, well, maybe they should get Jack Thompson as their lawyer. Not that he is a lawyer any more, but...
[Citations Provided]
> no life
But I thought you got that Achievement just for posting?
> I foresee a future where this innovation will be carried to things like simple desk calculators, where 2+2 is no longer shackled to equal 4, where one will have a "multi-calculator" that gives a range of results. I can't wait!
Sweet! I could really use a calculator that does mod 3 arithmetic! That will show those people who don't believe me when I tell them that 2+2 == 1!
> High-sounding but irrelevant verbiage having no bearing on the facts. I mean, how grandiose you are in dismissing one simple fact: working our manufacturing economy was how Americans managed to have a standard of living envied by most of the world. How do you think wealth is created? By magic? Hardly: it's by building and selling things to other countries, it's called trade.
So, let me get this straight. We have a huge trade deficit. This means that we're exporting American dollars and importing lots of foreign products. You're telling me we're screwed because those dollars aren't really worth anything, not being real wealth.
But we're getting rid of those and getting real, physical goods for that money.
Please explain to me one more time how we're getting the short end of the stick in that arrangement? If things go belly-up, we still have all those goods that we bought. What makes you say that an industrial superpower is the only kind?
> Suppose we took your idea to its logical conclusion, and ended up with an entirely automated production system with no need for people at all. We'd all be unemployed at that point. No thanks.
Would anyone NEED to be employed at that point, if robots could take care of everything?
> I don't feel you can really consider serial keys to be DRM.
I would understand if people call them DRM, but they're also not a DRM I would get very worked up over, and I'm very anti-DRM.
And I would commend them for listening to their customers in this instance. This is far better than computer-damaging crap like SecuROM.
> All the air would be rushing in, so why would it be exploding outwards? I guess it'd make it shatter more but I'd think the pressure differential would make it spread less, not more.
I guess that's just an assumption of mine, but I'm guessing that the pieces would end up with more kinetic energy due to the vacuum.
All I know is that I was once sternly warned about the proper way to break a CRT tube (put it inside a trash bag and carefully crack the thin end on the back with a hammer until you could hear air rush in) and those are vacuum filled. I was told that the implosion would be pretty bad if I broke it any old way (and that I shouldn't just toss it into the trash with the vacuum intact).
> still have trouble with perl that uses OO stuff (and what was so wrong with chop() that we needed chomp()?)
Idiots fed it things they expected to have newlines at the end which didn't.
I've honestly never used chop or chomp for anything except removing the newline from the end of a string. While I could do that in a regex, some people get that deer-in-the-headlights look whenever they see them...
(Me? I bought the O'Reilly regex book to read for fun.)
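Added example, not from either poster: the chop()/chomp() difference on exactly the input the reply describes, a line that was expected to end in a newline but doesn't (the last line of a file, typically). The inputs are constructed here for illustration; the regex form is the one the poster says he could use instead.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not from the thread): why chomp() replaced chop() for
# stripping newlines. Sample inputs below are constructed for illustration.

# chop: unconditionally removes the last character, whatever it is.
# On input without a trailing "\n" it eats a real character.
sub strip_with_chop {
    my ($s) = @_;
    chop $s;
    return $s;
}

# chomp: removes one trailing input record separator ($/, "\n" by default)
# only if it is there; returns the number of characters removed, so the
# string is left alone when no newline was present.
sub strip_with_chomp {
    my ($s) = @_;
    chomp $s;
    return $s;
}

# The regex equivalent of chomp for the default $/. \z anchors at the real
# end of the string; a bare $ would also match before a trailing newline.
sub strip_with_regex {
    my ($s) = @_;
    $s =~ s/\n\z//;
    return $s;
}

# A filename read from a file or a socket: the same value with and without
# the newline the code "expected". With chop the second one silently
# becomes a different filename.
my @inputs = ("secret.txt\n", "secret.txt");

for my $in (@inputs) {
    (my $shown = $in) =~ s/\n/\\n/g;    # make the newline visible in the output
    printf "%-14s chop=>%-13s chomp=>%-13s regex=>%s\n",
        "'$shown'",
        "'" . strip_with_chop($in)  . "'",
        "'" . strip_with_chomp($in) . "'",
        "'" . strip_with_regex($in) . "'";
}
```

Run it and the first line comes out identical in all three columns, while on the second line only chop has shortened the name. chomp also returns a count, so `chomp(my $line = <$fh>)` is the idiom for reading a line and stripping the terminator in one go without caring whether the terminator was actually there.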
Parent post is correct. I work for a window manufacturer and our IG units are only ever filled with normal air, nitrogen, or argon.
("IG units" are insulated glass units, AKA double pane windows, and consist of two lites of glass with a spacer between them. They are sealed shut with PIB and silicone.)
It's possible that they're confused by part of the manufacturing process where the IG units go through a vacuum chamber which removes all the air, before filling the units with nitrogen or argon and sealing them. But I'm quite sure we don't make any vacuum filled units. And even if we did, I have to think that at least some sound would be transmitted through the spacer that holds the two lites of glass apart.
As if the bow wouldn't be bad enough, the vacuum would cause the windows to explode even more violently than they already do if they were broken. As someone who has seen tempered lites of glass around 6' x 9' explode, I can tell you that your living room would already be a mess of broken glass if a picture window like that broke. You really don't want a vacuum in there to make things worse. Especially given that a window that size would likely be made out of 6 mm glass...
Well, I guess if someone was crazy enough to make a window like that, they'd use laminated glass. At least, I hope they would. Our customers are always trying to push the limits of how big you can allow a lite to get before it has to be thicker ...