Apache has an input filter mechanism. Could also proxy I guess. Easy to detect the bad input, just a question of how to hook.
The RC version of PHP has a new directive, max_input_vars. Should be easy to implement. The POST data come in as a string, just like a query string, as I recall it. So just count the number of ampersands.
Article says the DoS happens as the hash table is populated, so there is no easy fix for the PHP user. A patched version of PHP must be compiled. Or maybe some apache magic can be applied before the data hits PHP. Something in mod_rewrite in the .htaccess?
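An added example, not part of the original comments and not PHP's own code: the separator-counting idea from the comments above, written as a Python pre-filter that a proxy or input filter could run before the body reaches PHP. The class and function names are hypothetical; the limit of 1000 matches the documented default of max_input_vars, and `&` is assumed to be the only separator.

```python
# Added illustration: count form variables while the body streams in,
# rejecting oversized requests before any hash table is populated.

MAX_INPUT_VARS = 1000  # documented default of PHP's max_input_vars


class TooManyInputVars(Exception):
    """Raised as soon as the running count passes the limit."""


class FormVarCounter:
    """Counts non-empty pairs in an application/x-www-form-urlencoded body.

    Names are never decoded or stored, so the cost is one pass over the bytes
    no matter how the keys were chosen.
    """

    def __init__(self, limit=MAX_INPUT_VARS, separator=b"&"):
        self.limit = limit
        self.separator = separator  # assumption: a single-byte separator
        self.count = 0
        self._in_pair = False  # True while a non-empty pair is still open

    def feed(self, chunk):
        for index, piece in enumerate(chunk.split(self.separator)):
            if index > 0:
                self._in_pair = False  # a separator closed the previous pair
            if piece and not self._in_pair:
                self._in_pair = True
                self.count += 1
                if self.count > self.limit:
                    raise TooManyInputVars(self.count)


def screen_body(chunks, limit=MAX_INPUT_VARS):
    """Return (allowed, pairs_seen); stops reading at the first excess pair."""
    counter = FormVarCounter(limit)
    try:
        for chunk in chunks:
            counter.feed(chunk)
    except TooManyInputVars:
        return False, counter.count
    return True, counter.count


def flood_chunks(pairs, chunk_size=4096):
    """Constructed sample: a body with `pairs` variables, cut into chunks."""
    body = b"&".join(b"k%d=x" % i for i in range(pairs))
    for offset in range(0, len(body), chunk_size):
        yield body[offset:offset + chunk_size]


if __name__ == "__main__":
    # A pair split across two chunks is counted once; empty pairs are skipped.
    print(screen_body([b"a=1&b", b"=2&&c=3&"], limit=3))
    print(screen_body(flood_chunks(5000)))
```

This only covers urlencoded bodies and query strings; multipart/form-data fields are delimited differently and need their own count.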
Opera has been free with no ads for many years. They make the majority of their money from the mobile version (free to individuals, though), and some from other embedded devices and search partners (Google). I don't know if the cloudy thing, Opera Unite, or Opera mail makes money.
He hears rumors in Calif. of a new trust system to complement PKI. That's all he will say when the interviewer questions him repeatedly about a solution to the problem he goes on at length about: that browsers have PKI roots built in. I agree it's a terrible system, but asking the clueless user to select trusted roots would have its own problems, in, say, Iran. Or more precisely, clueless users in the US make it hard to deploy a system for careful users in Iran. The UI has to be both easy & difficult.
Monopoly €1000 certs, that's not a biz model you can fix. Someday I will understand Slashdot editing.
can fix. Also amazing how complex CA authority has become. The concept is fairly simple, but the niceties of the trust bits have become so arcane that Mozilla is having to fix erroneous understandings of the bits in their own code, without breaking legacy. Then the people working on security code have highly resistant personalities and so all kinds of nonsense gets frozen in for years. They sort of have to be that way, to keep their code gov't certified... what a mess. Crowd-sourced verification of self-signed certs is starting to sound better & better.
The practical results of the way the code works at least at Mozilla were mystified complaints about the fake revoked DigiNotar certs put in Mozilla to block real fake certs! That is not a model for the future. They are working on it, but it's glacial.
The Probably Most Popular Shopping Cart plugin for WordPress had developers who decided to write their own parser for the wp config file instead of using include/require. Consequently, salts and passwords like "foo);bar" break all product images. Now that is a hard bug to find!
https://shopp.lighthouseapp.com/projects/47561-shopp/tickets/970
Whoops, the Kleenex analogy is backwards. Oh well. What if Kleenex would only supply your drug store if you gave them drugs? It's more like that.
No, they are being punished by a semi-monopoly. What if Kleenex refused to supply drug stores that stole cases off the truck... and Kleenex was a semi-monopoly whose name was synonymous with tissue... or something like that.
What if you ran a web site Google was lifting content from, enough content that people stopped buying your paper product (newspaper) and visiting your website? And then you lost your remaining traffic when you complained? A company as big as Google has to play by different rules. And corporations are only entitled to the rights we give them; they have no natural rights.
The newspapers, by the way, need to charge because the only way they make real money is on print. When they don't charge for online access, print subscribers drop out. People even want to pay! Look at iPad & Kindle & Nook.
When the NYT first tried charging, a few years ago, online hits dropped fast. They panicked and went back to free. But that was exactly what was supposed to happen! The point of Times Select was to save print subscribers, not make money off online viewers.
It uses JavaScript to obfuscate email addresses. That is helpful but not foolproof, contrary to the article. It stops most harvesters, at the cost of no-script users and the like. The chirpy article is less than trustworthy, so I would not assume the service is a CDN, or if it does cache that it will continue to maintain capacity. Or the speedup, if real, could be due to minifying HTML and serving small images in the Google News way, as inline data. The number of connections can be more important than speed.
France wins on the rural side. Every little commune, some barely populated if at all, has a Wikipedia article, in an example of historical French rationalist completionism meeting early Wikipedian diligence. This is on English Wikipedia.
A fantastic amount of heat is created, which further melts the control structures used to dissipate heat. The only thing keeping it together is massive amounts of water, which cannot cool off the melted-together blobs very well. Then when it finally cools, the surrounding structure will have to be taken apart with cranes and jackhammers, while not exposing workers for more than a few minutes per year.
The mistake was right at the beginning, at not putting all effort to cooling right away. Containment, leading to hydrogen explosions, was a cautious and disastrous choice. Company management announced after the first explosion there might be a second explosion, and let it happen. Perhaps there was no other way, but I doubt it. Once the buildings exploded, the cooling problems became more difficult.
It seems the fear of small amounts of radiation led to much higher releases which will indeed kill people over the next 200 years or so.
A radical policy would be to allow one unit to keep running if the plant was expected to lose mains and diesel. After all, we have seen they do not shut down quickly enough to prevent problems. The NYT says it will take one year now of bathing and radioactive venting to cool down the pile.
But I doubt these plants are set up to power themselves anyway. I seem to recall they depend on the grid to make it all work.
One single-point-of-failure stands out. The diesel generators were under the building, so depended on the seawall. Battery capacity was apparently quite small.
One report said there was a safety device to ignite hydrogen before too much built up, but it required electricity from the mains. The story seems a bit fishy, as electricity has been restored and Unit 3 still blew up. Had the gases been too great to ignite for more than two days?
Most critically, the decision whether to vent radioactive gas vs. try to contain it seems not to be clearly laid out in policy. I can't imagine there is a policy to let the building blow up. Yet that was the decision today. Officials announced it might blow up several hours ahead of time.
At Three Mile Island they tried a plasma device to convert hydrogen back to water or something, but finally ended up venting.
Normally I would agree with you, but the MOX issue is still up in the air, so to speak. Take a look at these, just text search down to "MOX". In fact, they are the first two Google News results on "MOX" at the moment.
http://www.bellona.org/articles/articles_2011/mox_reactor_coolant_loss
http://www.economist.com/blogs/asiaview/2011/03/after_earthquake
One more point about the press. It is using Chernobyl and Three Mile Island as comparisons, but has forgotten Windscale (1957). That disaster was widely reported at the time. The graphite reactor was more experimental than the operators realized. The geometry of these things is tricky.
Windscale was between Chern. and TMI in severity, so would be an instructive scenario of the after effects of a radiation leak.
TMI almost exploded. The dome was full of hydrogen.
http://en.wikipedia.org/wiki/Three_Mile_Island_accident
The hydrogen at TMI almost exploded off the containment dome. They guessed there was no oxygen to make it burn, but put all effort towards getting rid of it, using a plasma device and then just venting it out. Too bad the Japanese did not vent more?
http://en.wikipedia.org/wiki/Three_Mile_Island_accident
It's a syndrome. Quality niche channels just destroy themselves once they get a modicum of popularity. I don't know if it's cashing in on the brand name, obnoxious executives. Tragedy of the commons maybe. If every channel is CheezeFest, even though it's called History, A&E, AMC, SyFy, then people will drop the whole tier. They already are, and becoming online-only viewers.
The channels may also have better metrics now, with digital cable. They really really know you are watching Britney Spears on an Ice Road Trucker. Same with newspaper front pages, with celebrity gossip taking over because of the clicks. Short-term it works. But long-term, people abandon LA Times or whatever if it's no better than TMZ.
Typewriters are fine for printing envelopes. Better actually. Wish I had one. But I saw a funny scene on TV recently: mad dude brings in a typewriter and the young people are all covering their ears.
About games, I put together computers with some middle school students recently. Had Ubuntu preloaded on the drives for them. Once the power was on, they had found and were running the Ubuntu games before I could turn around! Not the teacher's intention. We soon switched to Perl scripting.
The 10.2 update was a security fix for "all platforms". I don't know if that included Android. Do these mobile systems have better sandboxing than desktops? http://www.adobe.com/support/security/bulletins/apsb11-02.html
Then again, "all platforms" apparently does not include Mac OSX on PPC, which I read elsewhere is no longer supported AND not affected by the security problems.
Flash went to version 10.2 about a week ago on all the desktop platforms. Is it different on mobiles? Are they even updated? They aren't listed here:
http://www.adobe.com/software/flash/about/
http://en.wikipedia.org/wiki/Marbury_vs._madison
Doesn't this thing have 3G with no monthly charge?
The range is not great. ATT says 40 ft, which is about what we got. Other than that, works great.
The limit is 4 phones operating at one time, and you keep a list of up to 10 approved phones.
The weirdest thing is it has to get a GPS signal to activate.
And why microcell vs. femtocell?
Or, correction, the good DLL would have to go into a folder that is in the PATH and not in any of the higher priority system folders. And you would have to register a file handler and a new type... since the directory of the EXE has first priority. Oh well.
The priority list goes:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable
And the patch + adding the new reg value disables #5.
The whole fix should be rolled up into a little switching program. We should not have to edit the registry to fix this vulnerability. And we should be able to turn the fix off easily if it causes problems.