So go ahead, upgrade your boxes on Patch Tuesday. I've just had way too many experiences where that has caused me serious grief.
Can CSRF be prevented by implementing referrer checking?
No. Referer headers can be spoofed using XMLHTTP and by using flash as demonstrated by Amit Klein and rapid7 and therefore cannot be trusted.
myserver:/home/idontgno > ping science.slashdot.org
PING science.slashdot.org (66.35.250.150): 56 data bytes
64 bytes from 192.168.65.24: icmp_seq=0 ttl=255 time=-23.45 ms
64 bytes from 192.168.65.24: icmp_seq=1 ttl=255 time=-20.84 ms
64 bytes from 192.168.65.24: icmp_seq=2 ttl=255 time=-21.33 ms
64 bytes from 192.168.65.24: icmp_seq=3 ttl=255 time=-19.43 ms

----science.slashdot.org PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = -23.45/-21.26/-19.43 ms
Odd. My Oracle instance is complaining that ID is an unknown identifier.
"Internet security firms began to release patches to fight the malicious software on Monday night."
"Hey, dammit, don't close that barn door now, we're trying to put the horses away!"
but the energy they speak of might be related to Willmore energy. I gather from the Wiki writeup and assorted Google-gleanings that Willmore energy is a mathematical expression of what we consider in the real world as distortion tension. The more you have to bend a shape the more localized Willmore energy density you have. A good clue to me is the line in the Wiki article: "A sphere has zero Willmore energy." The curvature of a sphere is constant, with no localized puckers or distortion. Hence, zero Willmore energy. An untwisted flat strip would also have zero Willmore energy, but twist it and curve around to join up into a Möbius, and it gains significant distortion; hence, increased energy.
I'm picturing the classic "Far Side" cartoon depicting the herd of lemmings (herd? is that what they group in?) rushing down the beach and into the sea with singleminded determination, except for one smartass lemming wearing an inner tube flotation thingie and smiling knowingly at the viewer.
Of course, I did the singleminded-lemming thing Tuesday at home, and nothing's puking visibly yet. But on the gripping hand, the military network environment I work with tends to very carefully evaluate these Microsoft patches before letting them loose on their systems. I guess the network admins want to be the sole authority on unplanned outages, rather than outsourcing to the vendor.
Better yet, contact your congressman (of any Party, they all want to be re-elected) and tell them why this issue is important to you and how this will affect your vote in 2008.
Your congresscritter will know better. There's no absentee voting in Gitmo.
Aunt Hillary would agree.
To the confused, Aunt Hillary is an ant hill, a character in Douglas Hofstadter's Gödel, Escher, Bach: An Eternal Golden Braid. The chapter she's featured in is subtitled "...Ant Fugue". (Which is the chapter following one subtitled "Prelude...")
In the context I'm talking about, the browser has no control over the referrer.
Review TFA and read the pretty-good Wikipedia article about Cross-Site Request Forgery.
Then imagine a Javascript program, uploaded to a victim's browser by your hypothetical shadyhackerswebsite. (The victim's looking for instructions for how to cut down the size of his window shades and got fooled by a seeded Google response, let's say.)
The Javascript takes advantage of the breach in document security which is the subject of TFA: if the browser the Javascript is running in has another window or tab open, and that tab (for instance) is authenticated into a trusted web-form-based site (like online banking), the Javascript can take advantage of the authenticated state of the other session to submit a form URL to the target website.
So, you say that referrer checking should safeguard that, because the white-hat browser session (doing real e-banking business, for instance) would have a valid referrer URL in the form submission but the black-hat Javascript can't.
This latter assertion (the Javascript can't synthesize the referrer) is wrong. Read http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml to see how to spoof a referrer string in a Javascript-based GET or POST.
Now, are you arguing that maybe the browser's HTTP interface should be intervening by validating any outbound referrer? That isn't happening. I don't know the mechanics of Javascript implementations in browsers, particularly in reference to the HTTP interface of the browser engine itself, but I'm guessing that they're independent and the browser has very little supervisory control over what Javascript is doing with the XmlHTTPRequest method. In other words, the browser will play by the referrer rules, but Javascript isn't obligated to.
By the way, to some extent I'm simply speculating, but the experts have already spoken. Read http://www.cgisecurity.com/articles/csrf-faq.shtml , and note well the following question/answer:
And yes, it's a bug. The real bug is the stupid conceit that HTTP can be stateful, first and foremost. You can hack at it and create state with cookies and the like, but if browser software can send valid information then crafted mobile malware can send invalid information and break state and get away with it.
Oh, I don't know. If an attacker is going to research the target form page well enough to generate convincing POST content, I would hope he or she would go a little further and research the referrer URL pattern and synthesize that as well.
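As an added illustration of the thread's point (this is not code from the posts above, from TFA, or from the linked CSRF FAQ), here is a minimal server-side check in Python. It contrasts the proposed Referer test with a per-session synchronizer token: the forged cross-site request in the demo carries the victim's session and a plausible Referer, so the Referer test waves it through, but it cannot carry the token because a page on another origin cannot read the bank's form. The origin `bank.example`, the `Session` class and the function names are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

BANK_ORIGIN = "https://bank.example"  # constructed example origin


@dataclass
class Session:
    """Hypothetical server-side session record (in-memory, for the example)."""
    user: str
    # One unguessable token per session, generated server-side.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def issue_form_token(session: Session) -> str:
    """Token the server embeds as a hidden field in its own forms.

    A page served from another origin cannot read the bank's HTML, so it
    cannot copy this value into a forged submission.
    """
    return session.csrf_token


def referer_check_only(headers: dict) -> bool:
    """The check the parent post proposed: trust the request if the Referer
    claims to come from our own site. Kept here only to show the contrast;
    as the thread notes, this header cannot be relied on."""
    return headers.get("Referer", "").startswith(BANK_ORIGIN + "/")


def request_is_genuine(session: Session, form_fields: dict) -> bool:
    """Decide whether a state-changing POST came from the bank's own form.

    The Referer header is deliberately not consulted. The submitted hidden
    field must equal the session's token; the comparison is constant-time so
    that response timing does not leak token bytes.
    """
    submitted = form_fields.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def evaluate(session: Session, form_fields: dict, headers: dict) -> dict:
    """Run both checks so their verdicts can be compared side by side."""
    return {
        "referer_check": referer_check_only(headers),
        "token_check": request_is_genuine(session, form_fields),
    }


def demo() -> tuple:
    """Constructed scenario: one genuine and one forged transfer request
    arriving on the same authenticated session."""
    session = Session(user="alice")

    # Submission from the bank's own transfer page: it includes the token.
    genuine_form = {"to": "savings", "amount": "100",
                    "csrf_token": issue_form_token(session)}
    genuine_headers = {"Referer": BANK_ORIGIN + "/transfer"}

    # Cross-site submission: the browser attached the victim's cookie and the
    # Referer claims the bank's origin, but the attacking page never saw the
    # token, so the field is simply absent.
    forged_form = {"to": "mule", "amount": "100"}
    forged_headers = {"Referer": BANK_ORIGIN + "/transfer"}

    return (evaluate(session, genuine_form, genuine_headers),
            evaluate(session, forged_form, forged_headers))


if __name__ == "__main__":
    genuine, forged = demo()
    print("genuine:", genuine)
    print("forged: ", forged)
```

The token check is the one that distinguishes the two requests; the Referer check returns the same verdict for both, which is exactly why the FAQ answer quoted in this thread says referrer checking is not a CSRF defence.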
Something like -423.745i
Measured in grams.
SOYLENT LINUX IS GIANT PENGUINS!
lameness filter etc. leave it to slashcode to ruin a perfectly cromulent jokememe.
It oughta also be +1 insightful. What ol' Zathras said is absolutely true; it is easier to get things done when everyone else's forgotten about you.
I always like Zathras. But even more than that, I liked his younger brother Zathras, who reminded me of myself. I just wish I could get the hang of the pronunciation differences among the Zathras brothers' names.
In the classified processing facilities I've seen, the PCs have no writeable removable media (CD-ROM drive only, no floppy drive, etc.) and the USB, Firewire, and unused I/O ports are filled with epoxy. And the cases are locked shut with the tamper-detection switch active. And reporting to something like Tivoli or HP OpenView.
Did I mention the network switches also administratively disable any network port that shows a significant interruption in ethernet link status (or change in attached MAC address)? So don't bother trying to switch out PCs either.
Ultimately, I'm sure it can be worked around. Just not very easily, and failing means an espionage trial and a few months or years in federal pound-you-in-the... well, you know.
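The switch policy described above (disable a port after a significant link interruption or an unexpected MAC) can also be applied after the fact, as a detection pass over switch syslog. The following is an added example, not anything from the facility described or from any vendor; the sample log lines are constructed and only loosely follow Cisco IOS message formats, the 10-second threshold and the 2007 timestamp year are assumptions, and the function names are made up for the example.

```python
import re
from datetime import datetime

# Constructed sample switch syslog; loosely modelled on Cisco IOS message
# formats, not a capture from any real network.
SAMPLE_LOG = """\
Jan 10 09:14:02 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
Jan 10 09:14:31 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Jan 10 09:14:33 sw-floor3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Jan 10 09:20:00 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down
Jan 10 11:45:10 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
Jan 10 11:45:12 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LINK_RE = re.compile(
    TS + r" (?P<host>\S+) %LINK-3-UPDOWN: Interface (?P<port>\S+), "
    r"changed state to (?P<state>up|down)$")
PSEC_RE = re.compile(
    TS + r" (?P<host>\S+) %PORT_SECURITY-2-PSECURE_VIOLATION: .*"
    r"MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+)\.$")

# Assumed policy threshold: a link gap at least this long counts as a
# "significant interruption"; a shorter blip is tolerated.
SIGNIFICANT_SECONDS = 10


def parse_ts(text: str, year: int = 2007) -> datetime:
    """Syslog timestamps carry no year, so one is supplied (assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def ports_to_disable(log_text: str, threshold: int = SIGNIFICANT_SECONDS) -> dict:
    """Return {port: reason} for every port the policy would shut down.

    A port is flagged when a link-down is followed by a link-up at least
    `threshold` seconds later, or when the switch reports a port-security
    violation (a MAC other than the one the port was locked to). The first
    reason recorded for a port is kept. A port that is still down at the end
    of the log has not yet met either condition and is left out.
    """
    down_since = {}
    verdicts = {}
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            port, ts = m["port"], parse_ts(m["ts"])
            if m["state"] == "down":
                down_since[port] = ts
            else:
                start = down_since.pop(port, None)
                if start is not None:
                    gap = (ts - start).total_seconds()
                    if gap >= threshold:
                        verdicts.setdefault(port, f"link down for {gap:.0f}s")
            continue
        m = PSEC_RE.match(line)
        if m:
            verdicts.setdefault(m["port"], f"unexpected MAC {m['mac']}")
    return verdicts


if __name__ == "__main__":
    for port, reason in ports_to_disable(SAMPLE_LOG).items():
        print(f"shutdown {port}: {reason}")
```

On the constructed sample, port 1/0/7 is flagged for a 29-second outage (the MAC violation two seconds later would have flagged it too) and port 1/0/9 for a gap of several hours, while port 1/0/12, still down when the log ends, is not yet decided.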
Hmmm. Maybe our little town could have avoided annexation by the big city next door if we could have counted the inhabitants of the local graveyards in our population.
C'mon, SF, get it together. Dead is DEAD. A project with no activity and no ability to contact the principals needs to AT LEAST get "archived".
Geesh. That's why I never search SF itself for anything; I take pointers from external sources like recent mail-list traffic. That way you know the project mentioned isn't merely dust and a bad smell.
would be proud.
People/businesses could go there and buy the food directly. 0 transportation cost.
For very large values of "0", I guess.
Again: People/businesses could go there...
Which is the textbook definition of "transportation".
Let's not oversell this. Unless we're discussing a true Soleri arcology, consumers will not be within "0-transportation" range of producers. The big win sounds like reduced production and transport impacts from mega-farm equipment and bulk transportation of products from field to market to table, but this all seems counterintuitive to the presumed economies of scale of modern industrial agriculture.
Amiga Persecution Complex
Signed,
idontgno
former Amiga fanboi
But then James T. Kirk comes along and blows up your computers.
I can take 100,000 customers a night on that infrastructure and we actually have less incidents of harm than we do on our corporate back-office infrastructure.'"
That says less about the robustness of the hospitality net and more about the poor planning and administration of the enterprise intranet.
When exploits are outlawed, only outlaws will have exploits.
No kidding, I was gonna mod him up +1 Magicbane
(Yah, I know you're not supposed to enchant it all, but what good is a +0 moderation?)
Thanks for explaining that.
I remembered the movie scene in question, but "PbZ" was only registering as "Peanut Butter and Zinc".
Which would be the weirdest name for a Led Zeppelin tribute band EVAR.
Hey, zero Google hits! That must be worth something.
Microsoft Certified <foo>
Seriously
Now, if you know the table structure, and ID is a valid column name... OK, I buy it. But this is Microsoft! "count(*)" works even if you have no idea of the row structure, which is precisely where Microsoft is.
You really didn't read TFA, did you? Understandable, really, /. being what it is.
The last two paragraphs were, quite specifically, about taxing e-mail.
The upshot? Federal tax agencies express no interest in an e-mail tax, but if the internet service tax moratorium expires you can count on at least a few lesser jurisdictions (states, municipalities, etc.) to attempt to impose some crack-brained e-mail tax (or something similar). I'd expect in that case they'd just levy a flat or proportionate fee and call it a message communication tax or something. (Rather than try to define e-mail in some measurable and definite sense and then monitor your traffic to count the number of times you do measured and defined thing X.)