Slashdot Mirror


User: Ed+Avis

Ed+Avis's activity in the archive.

Stories: 0
Comments: 4,579

Comments · 4,579

  1. Re:What is the vulnerability? on Major Flaw Found In Security Products · · Score: 1

    If that attack worked, it would be because of a bug in Slashdot - the users.pl script shouldn't allow any setting to be updated just from a GET request. It should require a form submission (POST request) to perform any operation that has a permanent effect. There is no limit to stupidity on the Internet, so I would not be surprised if some bank website allows you to get account.php?transfer_amount_dollars=1000000;dest_account=12345 but really, if you write web applications where a simple link can have dangerous effects, you deserve what you get.

  2. Re:What is the vulnerability? on Major Flaw Found In Security Products · · Score: 1

    Javascript is allowed to submit forms to other websites? If that's really true, there would be thousands of exploits by now.

  3. What is the vulnerability? on Major Flaw Found In Security Products · · Score: 1

    Could anyone explain what this is all about? The article doesn't go into much detail. We all know that any http GET request can be accessed from another website, for example by putting it inside an IMG tag. When the user's browser visits the site, it goes and fetches all the image URIs. But that doesn't seem like an attack, because as we all know, you should never use GET requests for anything other than harmless idempotent information retrieval (to perform potentially dangerous operations use POST requests, which cannot be linked to).

    Is there something else going on here?

  4. Re:Not really a steam car. on The British Steam Car Challenge · · Score: 1

    Steam engines are valued for their greater efficiency? As a comment on the article points out, the boilers generate 4MW of power but only 300 horsepower comes out of the engine. Apart from the stupidity of using different units, this means only about 225kW is output, so the engine is about 6% efficient.

    Or is it just that they could have built a more efficient one but wanted to go for the record above all else? But that doesn't make a great deal of sense. What's the normal efficiency you can expect from a steam engine?

  5. Re:Asynchronous Transfer Mode? on ATM Turns 40 · · Score: 1

    Bank of Scotland calls it an 'autoteller', which has the benefit of being just as obscure, but not possible to turn into a TLA.

    Probably a bit redundant to call it an 'automated machine'. Cue complaints about withdrawing '$100 dollars' from the 'ATM machine' using your 'PIN number' etc...

  6. Re:Mmmm, chocolate... on ATM Turns 40 · · Score: 1

    It's true - I remember when my phone number was three digits long. For those interested, it was 583. However you would have to live in the same village as me.

  7. Re:Worthless on The Fallacy of Hard Tests · · Score: 1

    Surely you know that IQ is not a linear scale, and so an IQ of 140 is not 'twice as smart' as one of 50.

  8. Re:Sacrifices color resolution: is it worth it? on Kodak Unveils Brighter CMOS Color Filters · · Score: 1

    Still, the human eye is more sensitive to changes in light intensity (luminance) than to changes in colour (chrominance), so it may be worthwhile trading off some colour resolution that you won't notice for some light sensitivity that you will. Remember that with existing colour digital cameras you need software to interpolate and guess colours for pixels because of the alternating RGB pattern on the sensor. The guessing job won't be that much more difficult if there are a few clear pixels in there as well.

  9. Re:Kudos to the editor on Matter Discovered Traveling at Near Light Speed · · Score: 5, Informative

    Infinite nines (99.999.... per cent) would be the same as the speed of light. I say this only to have an excuse to link to a list of proofs that 0.9 recurring equals 1.

  10. Re:Accidental pornographers? on Tech Lessons From the Bad Guys · · Score: 1

    You can decompile Java bytecode to something fairly reasonable - but it still sounds far-fetched I agree.

  11. Re:A great idea on Company Aims To Patent Security Patches · · Score: 1

    You may be right or wrong that the patent system as a whole is flawed, but this story is about software patents. There, the fix is very simple: do not make software patentable - so that no patent is infringed by writing, distributing or running a computer program. There was never any legislation to extend the patent system to software and no economic study showing that the good effects outweigh the bad; it's mostly because the patent office took matters into its own hands (after all, if you work at the patent office, it helps your job security to get more work).

  12. World's most vapid review on Review of Windows Mobile 6-Based "Wing" · · Score: 5, Funny

    T-Mobile has always gone after the young and hip crowd, and the Wing is no different in that regard.
    The vibrant exterior of the Wing is bluish in color, an ideal color choice for teens and 20-somethings. We get the feeling that T-Mobile may be going after the professional crowd, but we doubt too many professionals would go after such a trendy looking device.

    I will never get back the 30 seconds of my life wasted reading those two sentences. Could they not have said 'it is blue'?

  13. Re:GPLv3 anti-business-nazi on GPLv2 Vs. GPLv3 · · Score: 1

    Brett Smith from the FSF talked about this issue in this Groklaw interview:

    Why do you feel the need to draw lines between different locations of licensee?

    If a business doesn't want control of their hardware, they should rent that hardware. And I seriously doubt that any business really wants manufacturers to have control over their hardware. Manufacturers who are worried about modifications to their software causing them liabilities should put it bluntly (at point of sale) that they are not responsible if the thing they sell is modified in any way.


    We don't want to draw a line based on whether you rent or own the device that houses the software, because if we do, every device manufacturer will find a way to "rent" their device as a way to get around the GPL's requirements. We've already seen some distributors try to make this very argument with GPLv2, particularly in the ISP business where it's common to lease modems to customers--even though rental qualifies as distribution in pretty much every jurisdiction.

    Moreover, the companies that have the sort of "managed IT" that we're trying to allow--where they don't have the keys to modify the software and actively don't want them--are already renting that hardware. Nonetheless, they were still concerned that it would not be possible to use GPLv3 software in these programs.

    ...

    Any device you can buy at an electronics store should qualify as a Consumer Product. This includes the overwhelming majority of desktop and laptop computers, portable media players, all kinds of mobile phones, DVRs, plenty of digital cameras, wireless routers, and other dedicated hardware.

    Devices that probably don't count are the kind of very-high-end computing equipment you would expect: Blade servers, huge rackmount Gigabit Ethernet switches, that sort of thing.

    The line between these two extremes is blurry. I don't know exactly where we're going to settle on a cut-off point. None of these devices should be locked down; we say that in the preamble of the draft. But the people distributing these devices aren't locking them down just to take away users' freedom, and right now there's no reason to believe that's going to change--quite the opposite, actually. Meanwhile, the devices where this is a problem are all very safely tucked under the Consumer Products umbrella. So even if the definition of Consumer Product isn't perfect, we think it's still a good compromise to help us achieve our goals.


    I think he is saying that in practice, the freedom-denying effects of say Tivo (forcing DRM down your throat) are more serious than those caused by unmodifiable firmware in an Ethernet switch. I agree, ideologically it seems like an uncomfortable compromise position.

  14. Re:GPLv3 anti-business-nazi on GPLv2 Vs. GPLv3 · · Score: 1

    As I understand it, the 'consumer products' restriction was put in because of pressure from companies. Business wanted it that way. Saying yes to this request may count as anti-business in your reckoning, but not mine.

    However, words like 'anti-business' are usually meaningless. Many would argue that GPLv3 is anti-consumer because it deprives consumers of the wonderful opportunities given by exciting new business models that are enabled by DRM.

    IMHO 'anti-business' should be added to the list of meaningless slogans, along with 'intellectual property' and even, dare I say it, 'freedom'.

  15. Re:GPLv3 anti-business on GPLv2 Vs. GPLv3 · · Score: 3, Insightful

    Professor Moglen mentioned that in many cases businesses _want_ to buy locked-down hardware where they cannot change the software (perhaps for regulatory reasons). Most of the serious abuses and loss of freedom (such as imposing DRM with no way to disable it) occur in consumer products, so it's a reasonable compromise to make freedom an inalienable right for consumers, while allowing businesses a bit more rope to hang themselves with if they really want to use locked-down systems.

  16. Re:Keep up the good work on Mass Deletion Leads To LiveJournal Revolt · · Score: 1

    You're right - I looked at the Google description which said 'LiveJournal.com is a free service for all your journaling and blogging needs' but in fact this is not true.

    However, how many of the accounts kicked off are paid-for accounts?

  17. Re:That's the British way on Doctor Who To Be Axed, Again · · Score: 1

    Seinfeld ran for almost a decade, what are you talking about?

  18. Re:Keep up the good work on Mass Deletion Leads To LiveJournal Revolt · · Score: 1

    What customers? LiveJournal's customers are the advertisers. They're probably not too bothered about no longer being able to put their adverts on discussions of incest or Harry Potter erotic furries.

  19. Re:Novell customers beware, watch out for the coup on Microsoft, Novell, and "Clone Product" Lawsuits · · Score: 1

    Novell basically agreed that there are infringing patents in SUSE Linux (otherwise, what are they licensing per SUSE license?)
    By your logic, Microsoft also agreed that their Windows product infringes patents held by Novell. It's a two-way cross-licence.

  20. Re:Expect problems and bugs with OS software? on New Zealand Rejects Office For Macs · · Score: 2, Informative

    In the early days many machines would run fine with DOS and Windows but would crash with signal 11 on Linux, particularly when running gcc. As strange as it sounds this was usually a hardware problem - bad memory. There was even a FAQ on the signal 11 problem. Saying 'but it works with Windows' does not really excuse bad hardware. Similarly, if hardware is generating BSODs on Windows, and you have good reason to believe they're not caused by Windows kernel bugs, then most likely the hardware is faulty and Linux just doesn't push it as hard, or perhaps masks the problem rather than trapping it and dying immediately (which is the safest course of action).

    I can't rule out that Windows prints a meaningless complaint about IRQ levels when the real cause is a bug somewhere else.

  21. Re:The 8 reasons not to use mysql on 8 Reasons Not To Use MySQL (And 5 To Adopt It) · · Score: 1

    Heh. 'Feb 30th' is just one particularly silly example I picked of MySQL behaviour. The new default is just as stupid IMHO (what sort of date is 0000-00-00, and how can it get stored in a date column?). It's not a difficult concept to grasp or to program, to check a date for validity, so I'm pretty surprised that MySQL is still choosing a weird default behaviour.

  22. Re:The 8 reasons not to use mysql on 8 Reasons Not To Use MySQL (And 5 To Adopt It) · · Score: 3, Insightful

    That is great to hear. The only question I have is why on _earth_ the safe (and standards-compliant) mode isn't the default, with the weird MySQL-only accept-Feb-30-as-a-valid-date kind of behaviour enabled with a special option for those who really want it.

    It's this kind of thing that makes me still suspicious of MySQL. I hope that for the next release - 6.0 or whatever it is - they can make a clean break with historical stupidity, and release a DBMS that gives safe, ANSI-compliant behaviour out of the box. However, there's nothing wrong with letting the sysadmin deliberately loosen some of the transactional constraints in cases where ultra high speed is important, although note that for all its supposed emphasis on speed over correctness, MySQL is slower than Postgres.

  23. Life imitates art on Apple Sues Over iGasm Ads · · Score: 2, Funny

    Indeed, the existence of an Apple-branded vibrator was foreseen on the net: the iBrator.

  24. Re:I agree totally.... BUT on Top 10 Dead (or Dying) Computer Skills · · Score: 1

    Yes we should keep writing efficient code, just like Mel, the Real Programmer.

    People were making the same argument twenty-five years ago, why write bloated and slow code that needs a fast 2MHz CPU to run it at an acceptable speed, can't we just make things optimized like the good old days?

  25. Here's the image on Apple Sues Over iGasm Ads · · Score: 3, Informative

    iGasm poster that Apple complained about