Okay I agree that the reasons for the survey by this group are political, and that can taint the methodology of the survey itself and the motivation of respondents. Unless they got a large number of people to outright lie it still shows a problem with science and laws being subverted for specific private interests - whether that subversion took place under Bush or Clinton is beside the point. The point of the survey may have been "take a poke at Bush", but the findings of the survey show me that the development industry is not above breaking the law to make a profit.
Those damn pinko scum! Thank goodness you alerted everyone to their bias.
The Union's trendy radicalism launched it into money, power and influence.
So all liberal groups should be made up entirely of broke college students chanting stupid slogans and preaching to each other?
With the rhetoric and slander removed your post basically says that UCS has an agenda. I don't think they try to conceal that and unless they got a large number of people to lie I don't think it discredits the survey.
There is no need to "trick" browsers into sending any particular value for referer, it is optional and somewhat freeform - a browser could be completely compliant with all standards and set the referer on every request to match the domain of the resource being requested. I used a cgi to illustrate for convenience because it shows an easily understandable way in which arbitrary headers can be injected into a request, I'm certain there is some client scripting method to manipulate the headers of requests for embedded objects.
Any dependency on unverifiable information supplied by the client is dangerous and the level of actual protection it affords is trivial.
Why on earth would somebody do that instead of simply copying the image to their server?
Some people might just copy the image, but a system that just works transparently has the potential to be more popular. Once such a script is written it works the exact same way that an img tag would.
I don't think that wget itself is likely to be a problem, it merely illustrates a desire to defeat 'referer' restrictions. In my previous reply in this thread I describe a simple cgi that could easily become part of webboard code to handle signatures and automate the process of faking a referer header.
My point is not that wget can get around 'referer' header filters, but that the technique itself is a very weak protection. The fact that wget has a built-in feature to get around it shows that a large number of people are already aware of the technique and how to defeat it.
Since referer restriction is becoming common I bet it is only a matter of time before web board software comes up with a script for all signature images. The signature img tag is rewritten from www.whatever.tld/myimage.jpg to www.board.tld/img-sig.cgi?www.whatever.tld and a request that fakes up a referer header, to make the request look like an internal link from www.whatever.tld, is sent instead by way of the cgi.
I know this isn't rocket science or supposed to be secure, but header based security is so weak that if it becomes an irritant people will automate a way to break it.
This technique is actually so common that wget has an option to get around it. If external linking directly to your images, downloads, or mail sending scripts really is a problem for you I'd think that 'unlock this resource for this ip when ip requests this page' methods are slightly more effective, although a dynamic system that changes the referring page and the target on a periodic basis or per session (automate what the question submitter mentioned as his method) could be better.
HTTP headers are so incredibly easy to fake that methods that depend on them are probably a bad idea.
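As an added example (not code from anyone in the thread), in Python: the Referer check the posters call weak, beside the per-session 'unlock this resource when this page is requested' scheme the last reply suggests, implemented as an HMAC-signed expiring token. The host name, secret and session ids are constructed; the token is bound to a session id, which could equally be the client IP as the post describes.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlparse

ALLOWED_HOST = "www.whatever.tld"   # constructed: the site that hosts the image
SECRET = secrets.token_bytes(32)    # server-only secret; rotating it invalidates all tokens


def referer_check(headers):
    """The weak scheme: trusts whatever Referer the client chose to send."""
    ref = headers.get("Referer", "")
    return urlparse(ref).hostname == ALLOWED_HOST


def issue_token(session_id, resource, now=None, ttl=300):
    """Called when a page that legitimately embeds `resource` is served to
    `session_id`. The page's img tag carries the returned token as a query
    parameter, so only a client that fetched the page first holds a valid one."""
    now = int(time.time()) if now is None else now
    exp = now + ttl
    msg = f"{session_id}|{resource}|{exp}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def token_check(session_id, resource, token, now=None):
    """The stronger scheme: the server only trusts a value it signed itself.
    Fails on expiry, a different session, a different resource, or tampering."""
    now = int(time.time()) if now is None else now
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if exp < now:
        return False
    msg = f"{session_id}|{resource}|{exp}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    # constant-time compare so the MAC cannot be guessed byte by byte
    return hmac.compare_digest(mac, expected)
```

A proxy such as the img-sig.cgi described above can set any Referer it likes, so `referer_check` passes for it, but it never receives the token issued to the real visitor's session.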
A wildly successful advanced computer book like 'The C Programming Language' or 'UNIX Network Programming' will take years to match the sales that a mildly successful book aimed at new users can make within months.
Also, when 'Programming Perl', 'Lex and Yacc', 'Sendmail: TDG' and the other classic O'Reilly books came out they were aimed at the accidental system admin/programmer. The new books are a little more mass market, but the audience is not much less technical than those first books.
Been a while since I used outlook, but I seem to remember at least some of those script viruses took advantage of a preview pane that would execute embedded material without requiring any action from the user.
I agree that run of the mill Mac users aren't any smarter than Windows users and that most users will click 'okay' to get rid of a dialogue without reading it. An 'always ask the user policy' is irresponsible, the user probably doesn't know and doesn't understand.
At a previous job I was peripherally connected with computer security and worked with quite a few people with law enforcement backgrounds. The most authoritarian types who really buy into the situational control through intimidation are the people I think of as "cop groupies", they are the sort with CIA/FBI backgrounds who would wind up being mall security guards if they came from a less wealthy background. The "real cops" were normal people that I could be friends with when they weren't cops, they explained pretty frankly about how they were trained to deal with people, but they viewed it as a necessary skill and not a worldview.
OT, but Nixon at least had a noble (and self aggrandizing) reason to set up recordings in the oval office, with the expectation that the recordings themselves would be accessed only after everyone involved was long dead.
And anyone who thinks the Celts were matriarchic needs to put the pipe down.
I certainly don't believe that the Celts were matriarchal, but the romantic fantasy view of the various pre-Roman, pre-Saxon, pre-Norman people seems to assume that they were.
For example, please outline how the infringement lawsuit for "Method of Swinging on a Swing"
The funny thing is that even if the swing method were genuinely novel and non-obvious, based on new applications of materials, it would tend to be looked down on by a jury. The opposite problem applies to computer related patents, the patent could cover an uninteresting application of a modified basic algorithm or an obvious technique that is novel only by the addition of trivial changes. Computers are magic, swings are contemptible.
That is the one thing I think the IEEE article had completely right - jurors are not qualified to make decisions on the validity of a patent. If a jury of peers can be claimed as an essential right it would still require that the jury be made up of scientists, engineers, and expert practitioners.
There's a big difference though, GRRM and JRRT have written books worth reading. Rawn and Lackey put out pseudo-medieval Welsh propaganda about how this awful male-centric scientific death society would never have arisen in the West if we'd kept to our matriarchal roots.
I don't think you can dismiss a useful approach just because criminals might eventually get wise and start taking precautions against it. That might be a reasonable argument if the approach required invasive laws to implement, but that doesn't seem to be the case here. Also, I imagine the majority of these pictures are not taken with wide distribution in mind.
Again, I'm not really sure exactly what Gosling said, so I don't want to put words in his mouth, but in interviews of his I've seen in the past it seems that he claims that JNI is safer than 'unsafe' because in JNI there is a firewall - data is passed off to unsafe code that can't access anything other than the data it is given, in the CLR model code within the program itself is marked as unsafe which allows it to do things which are very difficult to verify do not act outside the memory it is supposed to be operating on and additionally that this makes verification, even when code is not marked as unsafe, very difficult to do correctly.
I certainly can't claim to know whether or not Gosling's belief is true or not, but I think this goes beyond being a security manager issue of allowing or not allowing JNI/unsafe operations by an applet or program and states that allowing C types to operate at all within the program makes bulletproof verification impossible.
One counter argument to Gosling's position of course is that in JNI itself the firewall of external code operating only on the data you give it is an illusion, that by allowing an unsafe SO to be loaded into your memory space and request operations of the JVM you have the exact same problems that embedding the unsafe code within the program create in the first place. That by pretending that JNI constrains unsafe operations you are simply being dishonest.
I think he is talking about the fact that the type system of managed code itself could potentially be subverted by unmanaged code added by other developers.
The article is heavy on sensationalism and short on content so it is difficult to tell what is actually being debated here, but I think that Gosling is claiming that support of C type handling in itself creates a chink in the armor of the CLR, regardless of any particular project's use of that feature.
I played SWG off and on for about 15 months and saw the whole spectrum of drop rates for loot - from the nearly nonexistent rate at launch (save for tons of broken skill tapes) to the 'every gdk drops 3+ scales' to the 'log on real fast at 5am and solo Nyax and get something decent once a week'. It seems like loot has been increasing in importance from launch and the change to the system is important, but far too late to save the game.
(In defense of Koster I think the situation created by jedi is a total vindication of his 'ignore what the players claim they want' remark that attracts so much hate.)
I really like what I'm hearing about most aspects of WoW, and I'm going to give it a try once they start selling it again.
I actually gave the show a miss for the first half of season 1 because I got the impression of forced shock value and pandering from the marketing. Then I happened to catch an episode and discovered that despite the advertising focus it was very funny. The show was all about absurdity, pop culture, and nostalgia - with the shock value actually playing a decreasing role as the show went on.
You know, there didn't used to be a big "firewall-everything" mentality on the net
NAT and firewalls are different things that seem to have become confused with each other. NAT is a violation of the original nature of the Internet, firewalls are a way of isolating problems and a natural result of applying engineering principles to the issues of security and reliability.
I think Nixon was more of a paranoid asshole than a crook.
Cops are often nice people, but the job requires that they be a prick - they even take courses in it.
Well I *could* care less about the issue, but that would require effort on my part.
Hmm, better be careful about that kind of talk, I bet there are lots of Mercedes Lackey and Melanie Rawn fans hanging about a story like this.
SciFi or 'skiffie' has a strong association with television and franchise potboilers with a futuristic setting.