Wasn't it within the last year that Balmy Balmer was frothing at the mouth about how he was going to destroy Linux and feed Torvalds to frickin sharks with frickin laser beams attached to their heads?
I'd like to believe that the SCO experiment taught them OSS has a leg to stand on, but that would make me a starry eyed optimist and I'm just not.
Because the north american gov'ts are too bedazzled by arguments of "free market forces" to realise that they need to legislate standardisation for the common good.
Standardisation isn't really meaningful to the consumer unless everyone is doing it (the gain to the consumer is mobility and interoperability, but this only happens if everyone is standardised). Hence, there is no competitive advantage to be gained by standardising (essentially a variation of the prisoner's dilemma). Hence, it will not happen unless forced on the industry, it's too happy providing shitty, dated, overpriced services to consumers and claiming "difficulties in interoperability" between wildly different formats and protocols as an excuse.
Chris Wilson is a guy with his heart in the right place working for people who, in the past, put business strategy over standards support (I'm not editorializing, that's what they did). This is why MS's standard support is lame.
That being said, Chris Wilson (at least) talks the talk, and IE 7 was a (small) step in the right direction.
The more important, and encouraging, signal imo is MS hiring Standardista Molly Holzschlag. Given her history, I think we can expect more and better from MS on this front in the future.
If he claims prostitution is a sin, family values, blah blah blah and then turns around and does it, that makes him dishonest and THEN I don't want him in office. But it's the dishonesty that gets me, personally I think prostitution should be legalised. Just cause it isn't my cup of tea, doesn't mean women should have to work in oppressive, marginalised situations.
Then, if that ever came out, the reputational and legal implications for Oracle would be disastrous.
While it's feasible someone with "pull" at Oracle is dumb enough to try something like that, it's not within the realm of reasonable probability. Courtesy of Sorbannes-Oxley, companies have checks and balances built in to prevent just these types of things (audits and reviews), meaning that the collusive elements required to pull this off would be fairly distributed, and difficult to contain.
Inappropriate? Inappropriate is when my boss caught me photoshopping my buddy's head onto a screen cap of the Pamela and Tommy video (It was for his bachelor party, I swear it).
This is illegal and perhaps fradulent (ie they claimed they were customers seeking service). But what gets me the most about this is how blisteringly stupid it is. "There's no way they could know it's us! Well, there's no way, apart from the webserver logs, that they could know it's us!".
From the article:
Oracle said TomorrowNet used identities of Oracle customers and phony users to gain access to its systems. Customers for whom SAP allegedly conducted illegal downloads include Merck & Co. and Bear Stearns & Co., according to the March 22 lawsuit.
So not only are they picking a legal fight with Oracle, pissing of the DOJ, and destroying their reputation, but they've basically shown they're not above pretending to be their customers. I bet the SAP CEO is turfed before the end of the next quarter.
My point was a bit different. Banks, in general, shouldn't be developing their own encryption algorithms. Maybe the big ones, but piss pot bank of NZ, that would be asking for trouble.
What I was getting at is that if they expect users to do things they can reasonably effectuate to improve their security, the bank shouldn't do dumb stuff like leave a session cookie unencrypted.
The real problem with this is that the bank's site is not 100% secure. https://www.bnz.co.nz/
Just from looking at their login form,
The session cookie vgnvisitor is flagged as available in any type of session, and will be transmitted in the clear to any http request to that domain. This is exacerbated by their advice to "Always visit our site by typing www.bnz.co.nz into your browser" since typing that in will default to http, broadcasting a session id the could still be valid.
On the login form the hidden input field "pageID" probably isn't a page ID. It appears to be an incrementing number. If this is in anyway security related, it's exploitable. (time-based number to try to prevent CSRF??)
Anyways, that's my 30 second assesment of their sign on page. My problem with this is that if banks try to put the onus on their users, they damn well better make sure their own house is in order first.
I agree, though all that seems to have happened thus far is that the school is passing on the letters. I don't think the RIAA knows anymore than ip addresses at this point.
Bull. Spreading knowledge about attack vectors is the best way to stop them. Keeping them all secret is asking for trouble.
Stopping it is essentially as follows: never assume trust of anything in the request. Validate sessions against at least B-class ip (this will accomodate the AOL'ers, it's not perfect, but it makes the exposure smaller), white list allowed urls and parameter values (as opposed to blacklisting, which leaves one prone to forgetting something), enforce strict workflow, never expect that javascripts have executed, and keep in mind that it's fairly trivial to craft HTTP requests.
In a web app, the only thing one controls as a developer is what executes on the server. Never fall into the fallacy of believing that you're sending "instructions" to the client, they're more like suggestions, e.g. pretty please with sugar on top render this bold.
I am perfectly happy to have eBay send ad content to my computer. I'm also perfectly happy to have my computer ignore that content. Their markup interpreted by my computer. Showing me adds never made them any money to begin with, so skipping them doesn't hurt anyone.
Slashdot Mirror
bullshit detector just blow up?
Wasn't it within the last year that Balmy Balmer was frothing at the mouth about how he was going to destroy Linux and feed Torvalds to frickin sharks with frickin laser beams attached to their heads?
I'd like to believe that the SCO experiment taught them OSS has a leg to stand on, but that would make me a starry eyed optimist and I'm just not.
Because the north american gov'ts are too bedazzled by arguments of "free market forces" to realise that they need to legislate standardisation for the common good.
Standardisation isn't really meaningful to the consumer unless everyone is doing it (the gain to the consumer is mobility and interoperability, but this only happens if everyone is standardised). Hence, there is no competitive advantage to be gained by standardising (essentially a variation of the prisoner's dilemma). Hence, it will not happen unless forced on the industry, it's too happy providing shitty, dated, overpriced services to consumers and claiming "difficulties in interoperability" between wildly different formats and protocols as an excuse.
Chris Wilson is a guy with his heart in the right place working for people who, in the past, put business strategy over standards support (I'm not editorializing, that's what they did). This is why MS's standard support is lame.
That being said, Chris Wilson (at least) talks the talk, and IE 7 was a (small) step in the right direction.
The more important, and encouraging, signal imo is MS hiring Standardista Molly Holzschlag. Given her history, I think we can expect more and better from MS on this front in the future.
I'm kinda in the same boat except for this:
If he claims prostitution is a sin, family values, blah blah blah and then turns around and does it, that makes him dishonest and THEN I don't want him in office. But it's the dishonesty that gets me, personally I think prostitution should be legalised. Just cause it isn't my cup of tea, doesn't mean women should have to work in oppressive, marginalised situations.
Then, if that ever came out, the reputational and legal implications for Oracle would be disastrous.
While it's feasible someone with "pull" at Oracle is dumb enough to try something like that, it's not within the realm of reasonable probability. Courtesy of Sorbannes-Oxley, companies have checks and balances built in to prevent just these types of things (audits and reviews), meaning that the collusive elements required to pull this off would be fairly distributed, and difficult to contain.
This is illegal and perhaps fradulent (ie they claimed they were customers seeking service). But what gets me the most about this is how blisteringly stupid it is. "There's no way they could know it's us! Well, there's no way, apart from the webserver logs, that they could know it's us!".
From the article: So not only are they picking a legal fight with Oracle, pissing of the DOJ, and destroying their reputation, but they've basically shown they're not above pretending to be their customers. I bet the SAP CEO is turfed before the end of the next quarter.
My point was a bit different. Banks, in general, shouldn't be developing their own encryption algorithms. Maybe the big ones, but piss pot bank of NZ, that would be asking for trouble.
What I was getting at is that if they expect users to do things they can reasonably effectuate to improve their security, the bank shouldn't do dumb stuff like leave a session cookie unencrypted.
- The session cookie vgnvisitor is flagged as available in any type of session, and will be transmitted in the clear to any http request to that domain. This is exacerbated by their advice to "Always visit our site by typing www.bnz.co.nz into your browser" since typing that in will default to http, broadcasting a session id the could still be valid.
- On the login form the hidden input field "pageID" probably isn't a page ID. It appears to be an incrementing number. If this is in anyway security related, it's exploitable. (time-based number to try to prevent CSRF??)
Anyways, that's my 30 second assesment of their sign on page. My problem with this is that if banks try to put the onus on their users, they damn well better make sure their own house is in order first.Maybe we could build a fire, play a couple rounds of starcraft, huh? Why don't we try that?
I agree. Anyone who downloads a Prince song deserves -1 retarded. Probably should be tattooed onto their forehead too.
I agree, though all that seems to have happened thus far is that the school is passing on the letters. I don't think the RIAA knows anymore than ip addresses at this point.
Stopping it is essentially as follows: never assume trust of anything in the request. Validate sessions against at least B-class ip (this will accomodate the AOL'ers, it's not perfect, but it makes the exposure smaller), white list allowed urls and parameter values (as opposed to blacklisting, which leaves one prone to forgetting something), enforce strict workflow, never expect that javascripts have executed, and keep in mind that it's fairly trivial to craft HTTP requests.
In a web app, the only thing one controls as a developer is what executes on the server. Never fall into the fallacy of believing that you're sending "instructions" to the client, they're more like suggestions, e.g. pretty please with sugar on top render this bold.
that dungeon siege had already been finished, released and bombed. I really need to cut down on my spice consumption, prescience is too trippy.
That's probably because you're a stinking filthy republican. .....
pun --------->
O
\|/
|
/ \ You
So you're telling me I've been making an ass out of myself by claiming that people should repent now or they are having had been to be smitified upon?
Vee vere invited, punch vas served. Check vit Poland.
So, wait, George Lucas is the Polkaroo? It explains where Jar Jar came from.
I am perfectly happy to have eBay send ad content to my computer. I'm also perfectly happy to have my computer ignore that content. Their markup interpreted by my computer. Showing me adds never made them any money to begin with, so skipping them doesn't hurt anyone.
"it is not for us to determine who, in the supply chain leading to the final consumer, will be the ultimate beneficiary of these refunds."
- CPCC
Couldn't the credit card be considered the token? Technically, it amounts to the same information: who to charge.
Ya but they'll make him commit to a deadline, and then the cold bubbles can just wait him out.
Global warming = more heat = more energy = a more energetic system (ie weather patterns).
Hurricanes may have slacked off last year but this is attributable to El Nino.