I recently upgraded eight Macs to 10.3, and they generally took 35-50 minutes to upgrade from OSX 10.2 to OSX 10.3. All of these computers are 1.0-1.25 ghz G4s with 0.75-1.0 GB of ram; a couple of them have dual processors. These were full upgrade installs of most system components, including BSD & X11, but not including the full package of printer drivers (only HP support was needed) and not including any of the localization packages. I took notes and would be happy to get into detail if anyone is curious, but to give an overview:
On a dual 1.25 ghz G4 with 768mb of ram took 20 minutes to finish disc 1 of the Panther install, and the full install took about 35 minutes. A twin of this machine came in at about the same time.
A single 1.0 ghz G4 with 768mb of ram took about 45 minutes.
Two single 1.0 ghz G4s with 1 gb of ram each took about 30 minutes.
Another single 1.0 ghz G4 with 1gb of ram took about 50 minutes, but for that one I forgot to deselect the localization files so it had to spend time installing half a gigabyte or so of localized interface data.
Another single 1.0 ghz G4 with 1 gb of ram took about 70 minutes, but I'm not sure what the bottleneck was. This was the first one I upgraded and I wasn't taking as many notes of the process. Going from start to install disc 2 alone took 60 minutes, but it may be that I was away from the desk and simply gave it more time than necessary to finish.
These times are from booting the machine from the first Panther install disc through to the initial login screen. These times don't include installation of XCode, the 10.3.3 upgrade, or other system patches that Apple has released since Panther came out; if you include that stuff, then the average installation time goes over an hour for these computers.
You say you got a 400mhz G3 iMac to install Panther in 10 minutes? I say baloney. Either you're only counting the time for a partial install, you're not really paying attention to how long it's taking, or you're pulling some kind of trick to make things run faster.
If you have such a trick for speeding up the process, I'd love to know what it is. I was taking such careful notes because I was looking for ways to speed things up, or at least figure out where I could get things going in parallel. The only promising looking ways I found to speed things up seemed to be either a command line or single user console mode installs (but I wasn't able to get anywhere with that) or by setting up OSX Server and doing netboot (which I'd like to try, but that's a bigger project).
I just didn't see any way to get a normal, graphical install of OSX to take any less than half an hour or so on reasonably current (no more than a year old) hardware. Ten minutes for an old iMac? Sorry, but I don't believe you.
Apple seems to have a pretty good reputation for getting security patches out quickly, either before the issue becomes public or often within days or hours of the public announcement of a problem.
The unusually long delay in getting out a fix for this is the factor that got me thinking about how broad this vulnerability might be. The problem isn't anything to do with Safari or any particular web browser, nor is it just the Help application. Rather, the real problem is in the way the underlying system handles these URI protocols, many of which are Mac-specfic.
Patching Safari is no big deal -- we seem to get a new version of Safari with most system updates. Fixing the Help Viewer probably wouldn't be much harder. On the other hand, fixing the framework for URI handling might be much harder, because it hits so many parts of the system, and any changes to the framework is going to require extensive bug testing.
If I'm right, and that is the problem, then it wouldn't surprise me if it takes a while for a fix to come along, and it wouldn't surprise me if the fix comes in the form of a BIG download. It may be that we get only partial fixes for 10.3.x releases, and the situation won't really be corrected until 10.4 comes along.
It occurs to me that this problem could be broader than is being portrayed.
Consider: the fundamental issue here is that an OSX web browser -- Safari in the original reports, but apparently also Mozilla etc -- is acting as a broker for any URI that the user may come across, delegating the request out to external handler programs. Whether those external programs handle their URIs safely may be an open question.
The problem isn't really that Safari or Help is broken, but that the interaction between them, arising from the URI handling mechanism on OSX, is leading to Unintended Consequences.
OSX can handle many different URI namespaces, some of which seem to be used nowhere other than OSX. I'm having a hard time finding an exhaustive list of the URI protocols that OSX supports, but a partial list includes, in no particular order:
So far, I can think of published vulnerabilities in the telnet:// and now help:// protocols, but is that the end of it, or is the whole framework vulnerable to these sorts of attacks?
I have a hunch that we're just seeing the thin edge of the wedge...
Modifying the README's sample script slightly (the garbage filter isn't letting me do the SQL statement above):
use DBI;
my $dbh = DBI->connect("dbi:google:", $KEY);
my $sth = $dbh->prepare(qq[
SELECT title, URL FROM google WHERE Upper(q) like "DOUOSVAVVM"
]);
while (my $r = $sth->fetchrow_hashref) { ...
So you can actually use Google as your database!:-)
Re:I Call Shennanigans
on
G5 in an iMac
·
· Score: 1, Informative
The list may be bizarre, but I didn't make it up -- someone else in this thread verified that he saw it too, a couple of months ago. I don't know why the Macworld signup page is so bizarre, but it is as I submitted it, and it seems worth considering.
Re:iMac G5 "im Anflug" ?!?
on
G5 in an iMac
·
· Score: 4, Informative
According to Babelfish, it just seems to be a tech news site parroting a rumor. Here's the Babelfish version of the article, with mild corrections where I can [in brackets]:
The last rumor: iMac G5 in the approach?
Different rumor [sites] in Europe and the USA speculate at present upon possible G5-iMacs in June. Starting point is a report of the [Taiwanese] hardware side Digitimes, Apple with the there OEM manufacturer Quanta computer for June new "Notebook models" ordered. The French Mac side MacBidouille means now however, it can act possibly over iMacs, these for Apple by laptop manufacturers nevertheless already before produced themselves. (G5-PowerBooks are considered as rather improbabl[e].) Independently of it announces Mac Rumors with reference to anonymous sources, which are next in AC version as G5-Ausfuehrung planned and "at present in work". Acquaintance masses at the end of of June the next WWDC is held, on which Steve job wants to present the next Mac OS ( 10,4, code name"tiger"). In the past year it used its WWDC Keynote still, in order to introduce the G5-Power Macs.
11.05.2004 10:15 - Rumors - bs
So, nothing to see here, no "codes" to break...:-/
Re:Or maybe....
on
G5 in an iMac
·
· Score: 0, Redundant
The current (official) name for the iMac is "iMac G4", to differentiate from the original G3-based iMac, so the typo probably happened with that number right next to the 4.
I don't know what's going on here, but there's more to it than a simple typo. This was done deliberately; whether it was thought-through or accurate is a different matter, but it wasn't done on accident.
Re:it's a typo
on
G5 in an iMac
·
· Score: 0, Redundant
G5 iMac will happen sooner or later, perhaps WWDC next month. but there's nothing here... it's simply a typo.
I don't know what's going on here, but there's more to it than a simple typo...
Re:Or maybe....
on
G5 in an iMac
·
· Score: 2, Interesting
A good observation, but one I'm not sure how to interpret. They want it to appear on the form, but they aren't actually gathering the data if you select that. I'm not sure why they would do that...
Re:Or maybe....
on
G5 in an iMac
·
· Score: 5, Interesting
The form was a dropdown list, the HTML source for which was:
I'd post the URL, but I can't tell if they have my information encoded in it, so I'd rather not.
As a substitute, I'll leave up a screenshot for a little while. Astute readers will pick up on the fact that the URL is on a buysub.com server -- I have no idea who they are, but that's the URL that Apple's subscription invitation sent me to, and it seems to be legit.
(Now, i'm trying to be generous here, but please don't melt my puny server. If the load gets too bad I'll have to shut it down, so if there's interest in seeing that screenshot, mirrors would be welcome.)
The first time you run a program under use Acme::Bleach, the module removes all the unsightly printable characters from your source file. The code continues to work exactly as it did before, but now it looks like this:
use Acme::Bleach;
And if that's too much for you, and you just want to smoothe over all those confusing operators, you may want to have a look at Acme::DWIM, which just Does What I Mean:
Acme::DWIM - Perl's confusing operators made easy
SYNOPSIS
use Acme::DWIM;
my ($x) = +("Hullo " x 3 . "world" & "~" x 30) =~/(.*)/;
$x =~ tr/tnv/uow/;
print $x;
DESCRIPTION
The first time you run a program under use Acme::DWIM, the module replaces all the unsightly operators et al. from your source file with the new DWIM operator:... (pronounced "yadda yadda yadda").
The code continues to work exactly as it did before, but now it looks like this:
use Acme::DWIM;
my ($x)......("Hullo "... 3... "world"... "~"... 30).../(...)/;
$x... tr/tnv/uow/;
print $x;
Share and Enjoy! If you thought these were fun, thank Damian Conway -- he's a veritable fountain of this kind of inspired Perl silliness.
The Sieve of Eratosthenes is one of oldest well-known algorithms. As the better part of Roman culture was ``borrowed'' from the Greeks, it is perhaps fitting that the first ever Perligata program should be as well:
#!/usr/local/bin/perl -w
use Lingua::Romana::Perligata;
maximum inquementum tum biguttam egresso scribe.
meo maximo vestibulo perlegamentum da.
da duo tum maximum conscribementa meis listis.
dum listis decapitamentum damentum nexto
fac sic
nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis.
cis.
The use Lingua::Romana::Perligata statement causes the remainder of the program to be translated into the following Perl:
print STDOUT 'maximum:';
my $maxim = <STDIN>;
my (@list) = (2..$maxim);
while ($next = shift @list)
{
print STDOUT $next, "\n";
@list = grep {$_ % $next} @list;
}
Note in the very last Perligata statement (lista sic hoc...da listis) that the use of inflexion distinguishes the @list that is grep'ed (lista) from the @list that is assigned to (listis), even though each is at the "wrong'' end of the statement, compared with the Perl version.
Actually, Perligata is more serious than it may seem.
On one level, it uses Latin -- which packs much of the meaning of sentences into word endings rather than word order -- as a case study for a programming language that doesn't enforce a particular mandatory word order on language statements. That is, in English, "boy chases dog" has a much different meaning than "dog chases boy", but in Latin you could write it either way because the inflection on the words controls the meaning. Likewise, in most programming languages, x = y has a different meaning than y = x, but if you had a language that was agnostic about "sentence order" then you could write it either way. Using Latin allowed him to demonstrate this in practice.
Why would anyone care? Well, when Perligata was written, Perl6 was just starting to be considered, and Damian was wondering what core concepts had to be maintained and which were open to revision. Among the assumptions he wanted to consider was word order, and Perligata is a case study in how you can throw it out the window without breaking anything.
Coming down to Earth, this technique could have other applications as well. For example, the techniques used in Perligata could be applied in a source filter to convert VBScript to Perl at run time. There are issues to consider, of course, but it could work, if you wanted it badly enough. To cite a real example, one of the core plans for Perl6 is that it should be able to run existing Perl5 code, and the techniques demonstrated in Perligata will probably be used to make that possible.
Likewise, the object framework for Perl 6 is very flexible, allowing people to hand-roll almost any style of OO programming they are comfortable with. If you pair this with things like the built in Unicode support (and, allegedly, no obstacles to using Unicode symbols directly in Perl6 code for things like variables, functions, overridden operators, etc), there's no reason why people couldn't prepare "localized" versions of Perl6. It'll be interesting to see if this ends up happening, but I wouldn't be surprised at all if
hence the phrase 'lingua franca' which practically means 'the language that you can use everywhere' but literally means 'the French language,' (in Latin, no less..).
Actually, the sources I've checked suggest that the term is Italian for (second and apparently original definition) "A mixture of Italian with Provençal, French, Spanish, Arabic, Greek, and Turkish, formerly spoken on the eastern Mediterranean coast.". The etymology I can find suggests that it's Italian for "language of the Franks" (by which is meant all Europeans, not just the French).
Weird, I thought it was Latin too, but I can't find any sources to back that up...
(I belive some of them can actually play an MP3 file with out converting if you burn it with out using their software)
That's just it though -- it seems like the devices they make can generally handle mp3s just fine. it's their gateway software that's trying to prevent you from using mp3, but it's dirt easy to use alternatives.
The people writing their software may be hell-bent on pushing ATRAC support, but the people building the hardware don't seem to be putting up such barriers in most cases.
If the Vaio / iPod knockoff really prohibits mp3 on the device itself, that would appear to be a new move. The Clie PDAs and mp3 Discman players can play mp3 files just fine though. Apparently the MiniDisc players do some kind of on-device decryption, so okay they seem to be ATRAC only, but in general I can think of more "begrudingly open" devices in Sony's catalog than truly closed ones...
It plays MP3 files by converting them to ATRAC on your PC.
This may be what the device announced today does, but this isn't what Sony gear in general does.
My Clie PDA can play MP3 files just fine, as can my wife's. The manuals these devices came with instruct you to use their [really effing annoying] media software to manage what ends up on the device, but there's nothing stopping you from popping the Memory Stick into a card reader and just copying the files over with normal operating system tools (Windows Explorer, Mac Finder,/bin/cp, etc).
If this new device doesn't support MP3 at all, that's a new move for Sony, and one that will probably limit adoption of the device among people shopping for "mp3 players" that can, you know, actually play mp3s. I can't picture them doing that...
When I took my photography classes at university, the rule of thumb we were taught was that professional photographers tend to be deliriously happy when they end up with one half-decent shot per roll of film, and that more often than not a day long photoshoot might go through a dozen rolls of film and only result in one or two prints they want to do anything with.
The nice thing about digital is that it makes this side of things really easy. You don't have that nagging disappointment of "man, I spent a hundred bucks to get all this film developed," and so fool yourself into think that the shots are better than they are.
The bad thing about digial is that cheap mass storage (hard drives, cd-r) makes it awfully tempting to not throw anything away. That can be useful for learning, too -- you can look back over your history at what did & didn't work -- but you don't have that discipline to focus on the small fraction of situations that really work well. Throwing the bulk away is in the long run a very useful learning tool...
Re:Select the camera with most pixels
on
Camera Phone Tips
·
· Score: 1
But that's what I'm interested in -- a "standard camera".
I learned photography on a 30 year old pair of Nikons, where the "new" one had auto shutter speed capability, and the other was full manual. I loved learning the balance among lens length, aperture, and shutter speed, and how I could tailor photos just by spinning a dial or swapping out a lens.
I realize that a lot of the decent mid to high end "prosumer" cameras will have these without being a full SLR, but my thinking is the other way around: I just want a basic digital SLR and I don't really care what else it can do as long as I can control lens length, aperture, and shutter speed. A lot of these cameras have features that I just don't care about.
"YMMV."
Re:Select the camera with most pixels
on
Camera Phone Tips
·
· Score: 5, Insightful
There's more to it than that though. The cheap plastic lens on these phones isn't really capable of taking high quality photos, even if you had a high megapixel system behind the lens. This becomes especially true after the thing rattles around in your pocket for a while and you get lint, sand, fingerprints, etc on it.
Another poster had it right: if you want good photos, get a good camera. If you're not worried about being the next Ansel Adams, use your camera phone.
The beauty of camera phones isn't that the picture quality is worth a damn -- it isn't. The great thing is that you always have the thing with you, so if something interesting happens you've got the ability to capture it on the spot without having to run home for your Nikon, by which time the moment will inevitably have passed.
If you want spontaneous pictures that are also of high quality, lug around a nice Nikon SLR -- the D70 looks fantastic. If on the other hand you'd rather not lug around an expensive camera body and a bag full of delicate lenses all the time, then the Lo-Fi, cheap-o camera on modern phones or PDAs can do in a pinch.
But don't bother mixing the two -- I can't imagine wanting to carry around a phone that doubled as a high megapixel camera. Think about it: the image sizes will be far too big to send to other camera phone users, which is a big part of the appeal with camera phones. You could have some kind of removable media, but at that point you have a crappy, expensive camera-phone hybrid that is cumbersome as a phone and inept as a camera. Why bother?
******
Composition, on the other hand, is a different matter entirely, and it has nothing to do with the quality of the image. Look at the ways movies & magazines do photography, and copy what they do. Random examples off the top of my head:
If a photo is of a person, fill up the image with the person. Don't stand 15 feet away so that the person is just this little vague sliver down the middle of the frame -- get close, or zoom in! With traditional SLRs, my favorite lens for portrait photos is 105mm, which is roughly a 2x zoom. This is nice, because you can stand several feet away from your subject (which generally allows the person to relax & look more natural), but you still get a nice close-up effect that looks really good.
If the photo is of a person, center the whole person in the image. That is to say, don't make the standard snapshot error of putting the face in the middle, then the torso (and maybe feet) at the middle of the frame, and then have the top half of the photo filled with ceiling or sky. If you want a picture of something in the background, then get what you want of that background into the frame and then find an interesting place for the people to get in front of it; on the other hand, if the picture is of the people and not the background, then don't give 70% of the frame to the background!
Be aware of, but not necessarily a slave to, the rule of thirds. For those not familiar with it, the idea isn't very complicated: if you imagine a 3x3 "tic tac toe" grid over your composition, then you end up with a box in the center of your image. The rule of thumb is that the "interesting" bits of the image should be aligned with one or more of the edges of this center box. For example, if you're taking a picture of the horizon, don't put the horizon exactly across the middle of the frame; if you want to emphasize the sky a little, put the horizon along the bottom third of the photo, while if you want to emphasize what's going on on the ground, put the horizon along the top third of the photo. Likewise, shifting the subject of the photo from the center to the left or right thirds often makes a photo more interesting.
As a corollary to the rule of thirds, when taking portrait shots, never ever put the person's face right in the middle of the image. It's boring & unflattering. It has lon
What's with all the stupid, stupid names for open source projects? "Ignalum" is an awful name for anything, and the only thing that could possibly be worse would be "Ogg Vorbis" or "Ogg Theora", but fortunately (or horrifyingly), those names are already taken.
I don't get how anyone can expect to be taken seriously when they're trying to promote "mainstream" software with these silly, bad sci-fi bad guy names. What next? Ooga-Booga-zilla? SlartiBartFoonix?
Apparently, the only things that open source developers do worse than UI design is project naming. The UI problem is well known and widely complained about, but it seems like this naming thing is a more recent phenomenon. But it's already bad & getting worse -- a couple more high profile silly names like this and people will be laughing too hard at open source software projects to notice the interfaces to begin with...
It's possible to build a strong authentication system based purely around something you know / have / are, but any system that relies on only one of these classes is prone to certain types of attacks.
"Things you know" systems are vulnerable to you forgetting, or to other people finding out the secret (Frank Abagnale showed lots of variants of this form of attack in the movie "Catch Me If You Can").
"Things you have" systems are vulnerable to loss or theft of the authentication token (see almost every suspense or spy movie ever made).
"Things you are" systems are vulnerable to various identity theft attacks ("Catch Me If You Can" showed some of this, but "Gattaca" was written around the idea).
The easiest way to cover up the gaps is to build systems that overlap these approaches. As you say, putting identity data on an access token (like a driver's license) makes the token stronger, as does requiring something you know (a PIN) to activate the something you have (an ATM card). Mixing in all three is even better.
The thing is, none of this is a guarantee that the system is unbreakable; rather, adding on these authentication layers just narrows the opportunity window for attacks, but it can never close it. You just have to evaluate how much risk you're willing to accept and then come up with a system that tries to deliver no more than that level of risk.
The original "Italian Job" is a fantastic movie -- I was delighted to find out that it was getting remade, though I haven't seen the remake yet, as I'm cynical about the fact that they obviously just made it to market the new Mini [not that I have a huge problem with that -- if I was in the market for a car these days that's what I'd be shopping for] and from what I hear the new one doesn't even take place in Italy. Oh well.
But anyway, yeah, the original. Fan-fucking-tastic movie. The building jumping scene you're talking about actually has two or three cars jump the gap [the chase scene has three Minis, but off the top of my head I forget if all three were involved for this part -- I think they were, but I forget], and the gap was something like 5 stories up and 75 feet wide. If you watch the director's commentary for the movie, the cinematographer has been kicking himself about the scene to this day because they only had one chance to get the shot on film and he's disappointed that they didn't think to get a shot of the cars sailing overhead from street level. The way the shot is done in the movie, you could almost assume that they were jumping over some kind of wide, shallow ditch on a movie set or something, but if they caught the shot from another angle it would have been more obvious that no, there really were three little tiny cars sailing through the sky like that.
Try that with your frickin' Humvee, David Caruso! Hah!
Yeah, so, I've been fixated with Minis for a long time now, and seeing that movie a few years ago only cemented it for me. I've never understood the appeal of the big honkin' American car with something like the nimble little Mini would be so much more fun (and easier to parallel park, and get better gas mileage, and far more likely to avoid getting into accidents to begin with [the flip side of auto safety that Americans never seem to think about it -- surviving a crash is okay, but avoiding one is better].
"~o/ This is the self-preservation society..."/o~
Getting back on topic, does anyone have any idea if Mini / BMW has any plans to release a hybrid version of the Mini Cooper? When my current car wears out, the next one seems likely to be either a Prius [or some other hybrid] or a Mini, but if a gas/electric version of the Mini were available, there would be no question which one I'd want to buy...
Not really. Provisional (or walk-in) votes are specially tagged in our state and election officials ensure that additional votes in other districts from the same registered voter get discarded.
I didn't mean that I would vote using my own identity. What I mean is that voting records are public information, so if you wanted to do so, you could compile a list of registered voters [optional extra: registered voters that never bother to vote], and then go around claiming to be different registered voters in each precinct.
You'd have to be brave to try this stunt more than once in the same precinct -- the election volunteers would probably recognize you -- but pulling it off in different precincts probably wouldn't be very hard at all.
The important thing, in this context, is the reason why this attack is possible: the election officials generally don't do any kind of cross check against who you claim you are -- they never ask for any kind of ID, a piece of mail from the same address, etc. The honor system controls things here, but we all know that a lot of people aren't honorable.
Not that I'm advocating voter fraud of course -- the opposite in fact. I think the status quo is very trusting, and I'm nervous that that leaves it open to abuse by unscrupulous voters. And I think that at least on some level, the problem comes down to a weak implementation of a single form of voter authentication, and I think the obvious way to fix it is to either [a] choose a better technique along the same lines (I have no idea what off the top of my head), or [b] supplement the current "accept what you know" authentication with a "enforce who you are" method. A lot of budding democracies have a great solution to this too: when you show up at the polling station to cast your vote, you dip your thumb in indelible blue ink that takes a week to wash away. If you have a blue thumb, you already voted; if your thumb is clean, you may vote. Simple. Anonymous. Reliable....Probably untenable in these fashion conscious United States, but still a great solution to consider...
If the course continues, guns will be effectively banned.
Don'cha just love how gun nuts say things like this, as if it's some kind of tragedy?
Isn't it funny how the just-under-half of the population that's always jabbering on about protecting the second amendement just happens to be the same people as the just-under-half of the population that supports the current regime and their sustained attack on every other right that the constitution affords us?
Somehow, I can't see Idaho, Alabama, or Texas rising up against George Buh any time soon, and yet if they don't do it, no one else can. Catch-22, eh?
******
NB: Ok, I admit, I'm trolling, moderate as you will. But note that I may make fun of Alabama, but I'm also from Alabama so I'm not just talking out of my ass here. Well, not entirely talking out of my ass...:-)
Slashdot Mirror
I recently upgraded eight Macs to 10.3, and they generally took 35-50 minutes to upgrade from OSX 10.2 to OSX 10.3. All of these computers are 1.0-1.25 ghz G4s with 0.75-1.0 GB of ram; a couple of them have dual processors. These were full upgrade installs of most system components, including BSD & X11, but not including the full package of printer drivers (only HP support was needed) and not including any of the localization packages. I took notes and would be happy to get into detail if anyone is curious, but to give an overview:
These times are from booting the machine from the first Panther install disc through to the initial login screen. These times don't include installation of XCode, the 10.3.3 upgrade, or other system patches that Apple has released since Panther came out; if you include that stuff, then the average installation time goes over an hour for these computers.
You say you got a 400mhz G3 iMac to install Panther in 10 minutes? I say baloney. Either you're only counting the time for a partial install, you're not really paying attention to how long it's taking, or you're pulling some kind of trick to make things run faster.
If you have such a trick for speeding up the process, I'd love to know what it is. I was taking such careful notes because I was looking for ways to speed things up, or at least figure out where I could get things going in parallel. The only promising looking ways I found to speed things up seemed to be either a command line or single user console mode installs (but I wasn't able to get anywhere with that) or by setting up OSX Server and doing netboot (which I'd like to try, but that's a bigger project).
I just didn't see any way to get a normal, graphical install of OSX to take any less than half an hour or so on reasonably current (no more than a year old) hardware. Ten minutes for an old iMac? Sorry, but I don't believe you.
Apple seems to have a pretty good reputation for getting security patches out quickly, either before the issue becomes public or often within days or hours of the public announcement of a problem.
The unusually long delay in getting out a fix for this is the factor that got me thinking about how broad this vulnerability might be. The problem isn't anything to do with Safari or any particular web browser, nor is it just the Help application. Rather, the real problem is in the way the underlying system handles these URI protocols, many of which are Mac-specfic.
Patching Safari is no big deal -- we seem to get a new version of Safari with most system updates. Fixing the Help Viewer probably wouldn't be much harder. On the other hand, fixing the framework for URI handling might be much harder, because it hits so many parts of the system, and any changes to the framework is going to require extensive bug testing.
If I'm right, and that is the problem, then it wouldn't surprise me if it takes a while for a fix to come along, and it wouldn't surprise me if the fix comes in the form of a BIG download. It may be that we get only partial fixes for 10.3.x releases, and the situation won't really be corrected until 10.4 comes along.
It occurs to me that this problem could be broader than is being portrayed.
Consider: the fundamental issue here is that an OSX web browser -- Safari in the original reports, but apparently also Mozilla etc -- is acting as a broker for any URI that the user may come across, delegating the request out to external handler programs. Whether those external programs handle their URIs safely may be an open question.
The problem isn't really that Safari or Help is broken, but that the interaction between them, arising from the URI handling mechanism on OSX, is leading to Unintended Consequences.
OSX can handle many different URI namespaces, some of which seem to be used nowhere other than OSX. I'm having a hard time finding an exhaustive list of the URI protocols that OSX supports, but a partial list includes, in no particular order:
So far, I can think of published vulnerabilities in the telnet:// and now help:// protocols, but is that the end of it, or is the whole framework vulnerable to these sorts of attacks?
I have a hunch that we're just seeing the thin edge of the wedge...
You laugh, but have you actually tried it?
Modifying the README's sample script slightly (the garbage filter isn't letting me do the SQL statement above):
So you can actually use Google as your database! :-)
The list may be bizarre, but I didn't make it up -- someone else in this thread verified that he saw it too, a couple of months ago. I don't know why the Macworld signup page is so bizarre, but it is as I submitted it, and it seems worth considering.
According to Babelfish, it just seems to be a tech news site parroting a rumor. Here's the Babelfish version of the article, with mild corrections where I can [in brackets]:
So, nothing to see here, no "codes" to break... :-/
Yeah. That's it..
I don't know what's going on here, but there's more to it than a simple typo. This was done deliberately; whether it was thought-through or accurate is a different matter, but it wasn't done on accident.
Yeah. That's it..
I don't know what's going on here, but there's more to it than a simple typo...
Yeah. That's it..
I don't know what's going on here, but there's more to it than a simple typo...
A good observation, but one I'm not sure how to interpret. They want it to appear on the form, but they aren't actually gathering the data if you select that. I'm not sure why they would do that...
The form was a dropdown list, the HTML source for which was:
This doesn't seem to have been a typo.
I'd post the URL, but I can't tell if they have my information encoded in it, so I'd rather not.
As a substitute, I'll leave up a screenshot for a little while. Astute readers will pick up on the fact that the URL is on a buysub.com server -- I have no idea who they are, but that's the URL that Apple's subscription invitation sent me to, and it seems to be legit.
(Now, i'm trying to be generous here, but please don't melt my puny server. If the load gets too bad I'll have to shut it down, so if there's interest in seeing that screenshot, mirrors would be welcome.)
Completely without letters? Slacker. How about a method for removing all those unsightly printable characters?
And if that's too much for you, and you just want to smoothe over all those confusing operators, you may want to have a look at Acme::DWIM, which just Does What I Mean:
Share and Enjoy! If you thought these were fun, thank Damian Conway -- he's a veritable fountain of this kind of inspired Perl silliness.
How does Latin Perl sound to you?
And you too can do this !
Actually, Perligata is more serious than it may seem.
On one level, it uses Latin -- which packs much of the meaning of sentences into word endings rather than word order -- as a case study for a programming language that doesn't enforce a particular mandatory word order on language statements. That is, in English, "boy chases dog" has a much different meaning than "dog chases boy", but in Latin you could write it either way because the inflection on the words controls the meaning. Likewise, in most programming languages, x = y has a different meaning than y = x, but if you had a language that was agnostic about "sentence order" then you could write it either way. Using Latin allowed him to demonstrate this in practice.
Why would anyone care? Well, when Perligata was written, Perl6 was just starting to be considered, and Damian was wondering what core concepts had to be maintained and which were open to revision. Among the assumptions he wanted to consider was word order, and Perligata is a case study in how you can throw it out the window without breaking anything.
Coming down to Earth, this technique could have other applications as well. For example, the techniques used in Perligata could be applied in a source filter to convert VBScript to Perl at run time. There are issues to consider, of course, but it could work, if you wanted it badly enough. To cite a real example, one of the core plans for Perl6 is that it should be able to run existing Perl5 code, and the techniques demonstrated in Perligata will probably be used to make that possible.
Likewise, the object framework for Perl 6 is very flexible, allowing people to hand-roll almost any style of OO programming they are comfortable with. If you pair this with things like the built in Unicode support (and, allegedly, no obstacles to using Unicode symbols directly in Perl6 code for things like variables, functions, overridden operators, etc), there's no reason why people couldn't prepare "localized" versions of Perl6. It'll be interesting to see if this ends up happening, but I wouldn't be surprised at all if
Actually, the sources I've checked suggest that the term is Italian for (second and apparently original definition) "A mixture of Italian with Provençal, French, Spanish, Arabic, Greek, and Turkish, formerly spoken on the eastern Mediterranean coast.". The etymology I can find suggests that it's Italian for "language of the Franks" (by which is meant all Europeans, not just the French).
Weird, I thought it was Latin too, but I can't find any sources to back that up...
That's just it though -- it seems like the devices they make can generally handle mp3s just fine. it's their gateway software that's trying to prevent you from using mp3, but it's dirt easy to use alternatives.
The people writing their software may be hell-bent on pushing ATRAC support, but the people building the hardware don't seem to be putting up such barriers in most cases.
If the Vaio / iPod knockoff really prohibits mp3 on the device itself, that would appear to be a new move. The Clie PDAs and mp3 Discman players can play mp3 files just fine though. Apparently the MiniDisc players do some kind of on-device decryption, so okay they seem to be ATRAC only, but in general I can think of more "begrudingly open" devices in Sony's catalog than truly closed ones...
This may be what the device announced today does, but this isn't what Sony gear in general does.
My Clie PDA can play MP3 files just fine, as can my wife's. The manuals these devices came with instruct you to use their [really effing annoying] media software to manage what ends up on the device, but there's nothing stopping you from popping the Memory Stick into a card reader and just copying the files over with normal operating system tools (Windows Explorer, Mac Finder, /bin/cp, etc).
If this new device doesn't support MP3 at all, that's a new move for Sony, and one that will probably limit adoption of the device among people shopping for "mp3 players" that can, you know, actually play mp3s. I can't picture them doing that...
Was it Jimmy Carter? I'd guess James Madison, but he probably doesn't use computers.
Or is your President Kim Jong Il? Would he dare to use a Japanese computer? Wow, what a thought...
When I took my photography classes at university, the rule of thumb we were taught was that professional photographers tend to be deliriously happy when they end up with one half-decent shot per roll of film, and that more often than not a day long photoshoot might go through a dozen rolls of film and only result in one or two prints they want to do anything with.
The nice thing about digital is that it makes this side of things really easy. You don't have that nagging disappointment of "man, I spent a hundred bucks to get all this film developed," and so fool yourself into think that the shots are better than they are.
The bad thing about digial is that cheap mass storage (hard drives, cd-r) makes it awfully tempting to not throw anything away. That can be useful for learning, too -- you can look back over your history at what did & didn't work -- but you don't have that discipline to focus on the small fraction of situations that really work well. Throwing the bulk away is in the long run a very useful learning tool...
But that's what I'm interested in -- a "standard camera".
I learned photography on a 30 year old pair of Nikons, where the "new" one had auto shutter speed capability, and the other was full manual. I loved learning the balance among lens length, aperture, and shutter speed, and how I could tailor photos just by spinning a dial or swapping out a lens.
I realize that a lot of the decent mid to high end "prosumer" cameras will have these without being a full SLR, but my thinking is the other way around: I just want a basic digital SLR and I don't really care what else it can do as long as I can control lens length, aperture, and shutter speed. A lot of these cameras have features that I just don't care about.
"YMMV."
There's more to it than that though. The cheap plastic lens on these phones isn't really capable of taking high quality photos, even if you had a high megapixel system behind the lens. This becomes especially true after the thing rattles around in your pocket for a while and you get lint, sand, fingerprints, etc on it.
Another poster had it right: if you want good photos, get a good camera. If you're not worried about being the next Ansel Adams, use your camera phone.
The beauty of camera phones isn't that the picture quality is worth a damn -- it isn't. The great thing is that you always have the thing with you, so if something interesting happens you've got the ability to capture it on the spot without having to run home for your Nikon, by which time the moment will inevitably have passed.
If you want spontaneous pictures that are also of high quality, lug around a nice Nikon SLR -- the D70 looks fantastic. If on the other hand you'd rather not lug around an expensive camera body and a bag full of delicate lenses all the time, then the Lo-Fi, cheap-o camera on modern phones or PDAs can do in a pinch.
But don't bother mixing the two -- I can't imagine wanting to carry around a phone that doubled as a high megapixel camera. Think about it: the image sizes will be far too big to send to other camera phone users, which is a big part of the appeal with camera phones. You could have some kind of removable media, but at that point you have a crappy, expensive camera-phone hybrid that is cumbersome as a phone and inept as a camera. Why bother?
******
Composition, on the other hand, is a different matter entirely, and it has nothing to do with the quality of the image. Look at the ways movies & magazines do photography, and copy what they do. Random examples off the top of my head:
Ignalum? Ignalum? You must be joking.
What's with all the stupid, stupid names for open source projects? "Ignalum" is an awful name for anything, and the only thing that could possibly be worse would be "Ogg Vorbis" or "Ogg Theora", but fortunately (or horrifyingly), those names are already taken.
I don't get how anyone can expect to be taken seriously when they're trying to promote "mainstream" software with these silly, bad sci-fi bad guy names. What next? Ooga-Booga-zilla? SlartiBartFoonix?
Apparently, the only things that open source developers do worse than UI design is project naming. The UI problem is well known and widely complained about, but it seems like this naming thing is a more recent phenomenon. But it's already bad & getting worse -- a couple more high profile silly names like this and people will be laughing too hard at open source software projects to notice the interfaces to begin with...
Well, exactly -- that's the trick.
It's possible to build a strong authentication system based purely around something you know / have / are, but any system that relies on only one of these classes is prone to certain types of attacks.
The easiest way to cover up the gaps is to build systems that overlap these approaches. As you say, putting identity data on an access token (like a driver's license) makes the token stronger, as does requiring something you know (a PIN) to activate the something you have (an ATM card). Mixing in all three is even better.
The thing is, none of this is a guarantee that the system is unbreakable; rather, adding on these authentication layers just narrows the opportunity window for attacks, but it can never close it. You just have to evaluate how much risk you're willing to accept and then come up with a system that tries to deliver no more than that level of risk.
The original "Italian Job" is a fantastic movie -- I was delighted to find out that it was getting remade, though I haven't seen the remake yet, as I'm cynical about the fact that they obviously just made it to market the new Mini [not that I have a huge problem with that -- if I was in the market for a car these days that's what I'd be shopping for] and from what I hear the new one doesn't even take place in Italy. Oh well.
But anyway, yeah, the original. Fan-fucking-tastic movie. The building jumping scene you're talking about actually has two or three cars jump the gap [the chase scene has three Minis, but off the top of my head I forget if all three were involved for this part -- I think they were, but I forget], and the gap was something like 5 stories up and 75 feet wide. If you watch the director's commentary for the movie, the cinematographer has been kicking himself about the scene to this day because they only had one chance to get the shot on film and he's disappointed that they didn't think to get a shot of the cars sailing overhead from street level. The way the shot is done in the movie, you could almost assume that they were jumping over some kind of wide, shallow ditch on a movie set or something, but if they caught the shot from another angle it would have been more obvious that no, there really were three little tiny cars sailing through the sky like that.
Try that with your frickin' Humvee, David Caruso! Hah!
Yeah, so, I've been fixated with Minis for a long time now, and seeing that movie a few years ago only cemented it for me. I've never understood the appeal of the big honkin' American car with something like the nimble little Mini would be so much more fun (and easier to parallel park, and get better gas mileage, and far more likely to avoid getting into accidents to begin with [the flip side of auto safety that Americans never seem to think about it -- surviving a crash is okay, but avoiding one is better].
"~o/ This is the self-preservation society..." /o~
Getting back on topic, does anyone have any idea if Mini / BMW has any plans to release a hybrid version of the Mini Cooper? When my current car wears out, the next one seems likely to be either a Prius [or some other hybrid] or a Mini, but if a gas/electric version of the Mini were available, there would be no question which one I'd want to buy...
I didn't mean that I would vote using my own identity. What I mean is that voting records are public information, so if you wanted to do so, you could compile a list of registered voters [optional extra: registered voters that never bother to vote], and then go around claiming to be different registered voters in each precinct.
You'd have to be brave to try this stunt more than once in the same precinct -- the election volunteers would probably recognize you -- but pulling it off in different precincts probably wouldn't be very hard at all.
The important thing, in this context, is the reason why this attack is possible: the election officials generally don't do any kind of cross check against who you claim you are -- they never ask for any kind of ID, a piece of mail from the same address, etc. The honor system controls things here, but we all know that a lot of people aren't honorable.
Not that I'm advocating voter fraud of course -- the opposite in fact. I think the status quo is very trusting, and I'm nervous that that leaves it open to abuse by unscrupulous voters. And I think that at least on some level, the problem comes down to a weak implementation of a single form of voter authentication, and I think the obvious way to fix it is to either [a] choose a better technique along the same lines (I have no idea what off the top of my head), or [b] supplement the current "accept what you know" authentication with a "enforce who you are" method. A lot of budding democracies have a great solution to this too: when you show up at the polling station to cast your vote, you dip your thumb in indelible blue ink that takes a week to wash away. If you have a blue thumb, you already voted; if your thumb is clean, you may vote. Simple. Anonymous. Reliable. ...Probably untenable in these fashion conscious United States, but still a great solution to consider...
Don'cha just love how gun nuts say things like this, as if it's some kind of tragedy?
Isn't it funny how the just-under-half of the population that's always jabbering on about protecting the second amendement just happens to be the same people as the just-under-half of the population that supports the current regime and their sustained attack on every other right that the constitution affords us?
Somehow, I can't see Idaho, Alabama, or Texas rising up against George Buh any time soon, and yet if they don't do it, no one else can. Catch-22, eh?
******
NB: Ok, I admit, I'm trolling, moderate as you will. But note that I may make fun of Alabama, but I'm also from Alabama so I'm not just talking out of my ass here. Well, not entirely talking out of my ass... :-)