if you're running his program, you're already running an entire closed source OS. You're also protecting against greedy closed source programs that you're installing that are registering themselves at startup without your permission (why else would you use the product?). Mike Lin isn't the one I'd be worried about here.
By default, state laws take precedence, but there are specific situations where federal laws take precedence over state laws. These are defined in Article 1, Section 8, clauses 2-18 of the US Constitution:
Clause 1: The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;
(Clause 2 is irrelevant to the discussion)
Clause 3: To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes;
A pretty good argument could be made that spam falls under "commerce with foreign nations" or "commerce among the several states".
Alright AC, maybe you should actually look at the post I linked to. The problem isn't in the link properties, its in the address bar. Go to my post and click on the "ASCII 1" link, and click on the exploit from there, and you will see a site that isn't slashdot with http://slashdot.org in the address bar. View source on the exploit to confirm if you wish. This is dangerous especially with the fake ebay spams. Now we can't tell users to trust the address bar anymore until they fix it in a month or so, if ever.
However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it.
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control): 0 brings you to goatse.cx with http://goatse.cx in the address bar 1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD: 0 brings you to slashdot.org with http://slashdot.org in the address bar 1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1. Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows: 0 brings you to slashdot.org with http://slashdot.org in the address bar 1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
They might still have the code in them to deal with long filenames, if they took it from an existing implementation. Which brings up an interesting question: If a device has dead code in it that would infringe on a patent if used, is it still infringing on the patent?
The patents listed on microsoft's page cover the short/long filename system, which still applies to fat32, or anything else that uses that for that matter.
If you looked it up, you'd see that the patents listed on microsoft's page are not for FAT itself, but for long filename extensions to it.
The patents listed were filed in '92, 95, 96, and 97. I haven't looked into the details of the patents, but I assume the date those features were published would be during the mareting of windows 95, so the first 2 at the very least are within the 1 year publish-file grace period.
Not only that, but DNS was designed to handle a lot of tiny requests, and a few huge requests. For the many many tiny requests, it uses UDP, and doesnt have to go through the overhead of a full-blown TCP connection. This is what makes it so scalable. If it has to send back more than 512 bytes (for a zone transfer or torrent file), it sets up a TCP connection, but in the case of a zone transfer, it doesnt have to do this very often.
For a typical name query, only two UDP segments are involved, one for the request and one for the response. If you were to request a torrent file, you would need the first three TCP handshaking segments, one to send the request, and then 1 or 2( depending on the machine setup) to send back the torrent file.
Normal DNS query: 2 segments Torrent file DNS query: 5 or 6 segments
So that takes 2.5-3 times more processing time per request on the DNS server, and that doesnt even take into account the TCP session state.
IANA International Diplomat, but I believe our foreign embassies are technically American soil. Or maybe I've just watched "Bart vs Australia" too many times.
Slashdot Mirror
if you're running his program, you're already running an entire closed source OS. You're also protecting against greedy closed source programs that you're installing that are registering themselves at startup without your permission (why else would you use the product?). Mike Lin isn't the one I'd be worried about here.
I have to kill it and remove it out of the registry to from stop it from starting up whenever I login.
No you don't.
These are defined in Article 1, Section 8, clauses 2-18 of the US Constitution:
A pretty good argument could be made that spam falls under "commerce with foreign nations" or "commerce among the several states".
source
Never mind, I didn't restart winamp after copying the plugins over. They work.
Hmm... doesn't look like winamp5 supports old plugins. I can't play any of my .NSFs, .GYMs, or .SPCs in it.
Naw, it's true. I got program-greedy though and installed another 8-gig for my /usr directory.
Alright AC, maybe you should actually look at the post I linked to. The problem isn't in the link properties, its in the address bar. Go to my post and click on the "ASCII 1" link, and click on the exploit from there, and you will see a site that isn't slashdot with http://slashdot.org in the address bar. View source on the exploit to confirm if you wish. This is dangerous especially with the fake ebay spams. Now we can't tell users to trust the address bar anymore until they fix it in a month or so, if ever.
My previous post has a link to an exploit and results of it in multiple browsers.
However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it.
Untrue. It only works with 1. See my previous post.
The problem is that it looks like it affects them all.
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either a ascii 1 or an ascii 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0
ASCII 1
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
It's only a matter of time. The more "secure a system is, the more rewarding it is to crack.
I was running FreeBSD on a 100MHz processor and 1 gig HD, you insensitive clod!
They might still have the code in them to deal with long filenames, if they took it from an existing implementation. Which brings up an interesting question: If a device has dead code in it that would infringe on a patent if used, is it still infringing on the patent?
Kill linux and the GPL? Hmm...
Worst case for linux:
Long filename support for FAT is taken out of the kernel and you access everything using ~1's.
Worst case for GPL:
Nothing changes at all
The patents listed on microsoft's page cover the short/long filename system, which still applies to fat32, or anything else that uses that for that matter.
If you looked it up, you'd see that the patents listed on microsoft's page are not for FAT itself, but for long filename extensions to it.
The patents listed were filed in '92, 95, 96, and 97. I haven't looked into the details of the patents, but I assume the date those features were published would be during the mareting of windows 95, so the first 2 at the very least are within the 1 year publish-file grace period.
Stiffing? Hooker? Eh, never mind, too easy...
Not only that, but DNS was designed to handle a lot of tiny requests, and a few huge requests. For the many many tiny requests, it uses UDP, and doesnt have to go through the overhead of a full-blown TCP connection. This is what makes it so scalable. If it has to send back more than 512 bytes (for a zone transfer or torrent file), it sets up a TCP connection, but in the case of a zone transfer, it doesnt have to do this very often.
For a typical name query, only two UDP segments are involved, one for the request and one for the response. If you were to request a torrent file, you would need the first three TCP handshaking segments, one to send the request, and then 1 or 2( depending on the machine setup) to send back the torrent file.
Normal DNS query: 2 segments
Torrent file DNS query: 5 or 6 segments
So that takes 2.5-3 times more processing time per request on the DNS server, and that doesnt even take into account the TCP session state.
But when you use your neighbor's AP, you're sending signals back onto the neighbor's property, and then using their router and connection.
We aren't talking about just sniffing here, we're talking about usage.
You get a different phone book
IANA International Diplomat, but I believe our foreign embassies are technically American soil. Or maybe I've just watched "Bart vs Australia" too many times.
Yeah, except that no one modded you funny on that one... 8-)
Heh. Post late in the conversation, that way when the mods get to the bottom, they'll scroll up and up-mod your post!
That is one of the funniest trolls I have seen in a while.
Welcome back, PG.
Did they have a preview button back then too?