Hi. It's sacriligious, I know, but try out the latest Wine stuff (www.winehq.com) and you can run much good windows software even under linux.
Not being a big news kindof guy, though, News was basically invented under the *nix umbrellas, and I'm pretty sure there is some excellent newsreading software out there. Witness P.A.N. (which used to stand for "Pimp Ass Newsreader", which it still deserves the title). It's great and gets a perfect score according to the "good netiquette institute". How it handles pr0n/w4rez, I'm not sure, since I use debian, mostly.:^)
Just look at Kuro5hin.org... it is not based on slashdot, but IMHO, that's a good thing. It manages to keep a pretty high S/N ratio even though people have never met. (Actually, some people, mostly in the UK do get together on the weekends, all organized through the site)
It attracts some seriously interesting journalistic content, and to my knowledge, noone has ever been paid for writing a story.
From my experience (#114517, if slashdot links are blocked), the maintainers/programmers have been really helpful and professional. But bug reports are almost useless if the person submitting them doesn't take the time to do it right. Reporting bugs is almost an art, and if approached with a humble and helpful attitude can be very helpful.
FYI: Fallout 1/2 for $9.95. Saw it in my local Fry's ad. Slashdot this game, please. It is excellent, and getting Fallout 1/2 for the same price is a great deal. According to the WineX people, Fallout 1 and 2 are both rated at "4", which means some glitches, but still very playable, possible installation weirdness.
Fresh and tasty Debian packages of WineX 2.0 (which supports Max Payne FLAWLESSLY) are available for the price of a $5 (1 month subscription). If I were you, I'd sign up for the 6 month plan. I did (it just ran out), and I have not been disapointed. If you do sign up, hook me up with the 'refer-a-friend' thing and reference 'ramses0' if you think about it.
I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly.:^)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
Try wine if you can (apt-get install wine on debian). If the normal wine doesn't work, see if you can pay $5 to transgaming and download their new WineX 2.0 packages. I think codeweavers also has a version of wine which is improved from the base distribution... maybe $30 to try that one out, but I'm not sure.
I know it's probably not an option, but also investigate GNUCash. It seems like a dumb way to manage your finances at first, but it's pretty well implemented once you get used to the "double accounting" method (where $$$ goes into "A", and then you move it from "income A" into "expense B")
Why bundle a distro when they are selling OS-less PC's? It makes much more sense for WalMart to say "Check out our fine selection of Linux distros" and then make an extra $20-$50. It's no good to replace the Microsoft tax with the Mandrake tax. Plus it gets new users used to paying for their distros. This will be the way everything moves to in the future, simply because nothing in this world is free, no matter how much you want to believe it. Sometimes costs can be "negligible", especially if you break it down on a per-user basis with a lot of users, but time == money, and bandwidth == money. Both of these have to be paid for.
I have no use for it at all, but did an apt-cache show odontolinux and it might be worth investigating. Vaguely related to the medical field, etc. And if you can't find Free (libre) software to do what you want, you can invest money or pay some coders to write it for you.
After ironing out issues between the Adaptec/SCSI firmware and my DVD drive, it took ~2 hours to get my Linux box playing encrypted DVD's (with a little help from the friendly people in #debian).
Basically, my process was: Bootable Debian 2.2 CD installation. apt-get install kernel-image-2.4.18-k7; vim/etc/lilo.conf; lilo; shutdown -r now; I don't think I needed to update my kernel, but I want USB support for later on, so it's kindof necessary. apt-get install ogle, run the included install-illegal-decss-library.sh script that it told me I needed. Run ogle from the supplied menu shortcut, open and play the DVD. Once you know what you're looking for, it's remarkably simple.
I have 200+ CD's. I had most of them MP3'd before at 192 bitrate, but now I'm using abcde with oggenc -q7 for VBR OGGfiles averaging 200-250kbps since the quality is better. I own 20-40 DVD's. I want to stuff my DVD's to my harddrive because I'm basically a geek with too much hard-drive space.:^)
I bought all my PC parts in pieces following the specifications given by those nifty Spindl3top people (hi lucas:^). Including Black Slot-loading DVD, and Black LCD display. Most of it came from directron.com, or harddrive.com. Got Quake 3 and the Matrix Orbital LCD display from linuxcentral.com. Bought all of the $9.99 linux games I could from EBGames, and some of the newer ones from TuxGames. I need to buy the 'Loki Installer' for RTCW because I bought RTCW from BestBuy since couldn't wait any longer after I finally got all my hardware talking to each other.
As a technology pragmatist, I recognize that there are a multitude of competing video container formats (mov, avi, mpg) with multiple supported codecs. I don't know which tools are mature on which platform, and what quality/stability issues remain to be ironed out, which is why I asked slashdot in the first place.:^)
Looks like I came to the right place since there are a bunch of high-quality responses and no "check google you dumbass" postings.;^)
Does anyone remember the old game "animal"? While not exactly what you're looking for, you might be able to repurpose it.
Here is a log of some output: I think I'll try a guess now... Is your animal a Elephant? no
I give up! You win! What was your animal? Dog
I need a yes-or-no question so I can later tell the difference between a Elephant and a Dog. Does it have a trunk? what would be the answer be for a Dog? no what would be the answer be for a Elephant? yes
I now know 3 animals!
Want to play again? yes
Think of an animal. Press [Enter] or [Return] to continue...
Does it have a long neck? no Does it have a trunk? no
I think I'll try a guess now... Is your animal a Dog? no
I give up! You win! What was your animal? Monkey
I need a yes-or-no question so I can later tell the difference between a Dog and a Monkey. Is it a biped? what would be the answer be for a Monkey? yes what would be the answer be for a Dog? no
The big question with regards to version control and the kernel is that some people want an open system where many people can check code into a central location, but from reading kt.zork.net for a while, it seems that many of the develepors use CVS for their own trees, but don't want to start down the slippery slope of letting just anyone grab/checkin/checkout cvs copies of their current working copies (not guaranteed to keep your HD safe).
I can't find any example links right now, and I might be mis-remembering it, so somebody more knowledgeable should add their thoughts.
To those who think that morale simulation, and non-unit specific control is best, take a look at MS's Close Combat. You order different squads around, who almost never do what you want them to do unless it's specifically in their best interest. Quite entertaining, and very, very difficult.
To those who think that resource gathering sucks, take a look at "Z" or "Steel Soldiers". Most of the maps that I remember are symmetrical, and you battled for individual control of territories, each territory giving you X points of resources per turn. Theoretically, each started with exactly the same resources, terrain, and position, so individual tactics are key.
Speaking of individual tactics, Jagged Alliance (also available for linux) is unbelievable. Probably one of my favorite games of all time, it combines minor role-playing, economics, big freakin' guns, and turn-based strategy. My biggest annoyance with real-time strategy games is that they were too much "real-time", and not enough "strategy". JA2 neatly solves the first problem by making combat turn-based, and everything else is as fast/slow as you want it.
There are tons and tons of cool games from even just a few years ago- while their graphics aren't 3D rendered, the gameplay is definitely timeless.
The PICS system, circa 1996, was designed specifically for this. I don't think it's a new idea, although looking for an example PICS tag, it seems like they've begun to make it unnecessarily complex, with a turing complete lisp-language. A little bit of an overkill if you are just looking to make a "no this page doesn't have porn" button.
It seems that Postgres uses more command line tools rather than MySQL using commands that are built in to the client (psql in your example). You're right about the whole 'familiarity' thing... I'll have to go dig around and find more doc's again this weekend, and see if I can get a "hello database" application running with PHP and Postgres.
I still like the doc's on MySQL's website better though!;^)
Find me a link, or point me to the docs that tells me what to do after typing apt-get install postgresql postgresql-client that will get me set up with a user called "web", and a database called "webdata" that I can use from PHP.
With MySQL its:
apt-get install mysql-server mysql-client
vim/usr/share/doc/mysql-server/README.Debian (because apt-get told me to)
mysqladmin -uroot password 'newpassword'
mysql -uroot -pnewpassword
CREATE DATABASE webtest;
USE webtest; CREATE TABLE test ( blah INTEGER NOT NULL );
GRANT ALL PRIVILEGES ON webtest.* TO web@localhost IDENTIFIED BY 'some-password'; (found the syntax by searching the mysql manual on mysql.com)
exit
mysql -uweb -pwebtest webdata
I spent a few hours one weekend trying to perform these equivalent operations with pgsql, etc. Granted I work with MySQL every day, but I wanted to try out PostgreSQL and see how it compares. It took me forever to find out that I needed to 'su' to user postgres in order to connect to the freaking database! Grr.
I'm willing to try, but somebody needs to point me to the right parts of some manual, FAQ, or HOWTO... because dammit if I didn't actually go and do just what I said I would do above to make sure that it worked, and now I have an installation of MySQL running in less than 5 minutes.
Although I feel obligated to add another job-type: The network dude that keeps apache, the mailserver, and php running on multiple virtual domains with inter-server databases and backup systems. They're important too.:^)=
3. The Network Dude: 4: Set up your own [linux/windows 2000 server edition] box
5: Install [Apache/IIS], [PHP/ASP/JSP], and [MySQL/PostgreSQL/MSSQL/Oracle] onto it.
6: Read all about TCP/IP protocols, DNS, MX-Records, routes, routers, etc.
7: Read all about your webserver, and how to keep it secure
8: Learn awk, sed, and perl.
One of these routes will cost you $1000+, the other will cost you $0.00+:^)=
With the shortage of trained labor, I'm sure it'd be easy to get a job as a truck-driver in the U.S., delivering gasoline to needy people across the nation. Therefore, we should take advantage of the fact that front-facing window tint is illegal, and tie face-recognition software to all of those "red-light cameras" in order to prevent a future catastrophe involving 25k gallon fuel trucks and large buildings.
After all, the risk of letting people drive large steel cans around on our nations lifeblood of highways far outweighs any right to privacy or anonymity which American citizens don't have.
Oh, and banks/financial institutes are at risk too. Lets wire face-recognition into the existing ATM's and teller counters to secure our precious economy.
We already give up freedoms when driving, by requiring that all drivers be licensed. We also require that everyone obey certain laws.
90% of our laws are for a good reason, sacrificing individual freedoms for public safety. So maybe lawmakers do have a point in wanting to restrict crypto, etc. But imagine a world where you didn't need a license to drive, and you could carry around large amounts of money w/o being a suspected drug dealer. Are the compromises in freedoms worth the benefits?
Take a look at Nilsimsa. It appears that it is designed to
grep through a huge amount of messages
detect "duplicate" messages by a sloppy checksumming algorithim
bounce those "duplicate" messages in the future
Most of the time, these duplicate messages will be spam, but if this little proggie had a human touch behind it, the future would seem a lot better. I would implement the filtering/bouncing as a "bulk mail" folder, much like yahoo does. Sometimes I'll find a few newsletters in that folder which I honestly did subscribe to, and I wouldn't be surprised if some sort of bulk-filter accidentally picked up on those too.
A lot of interactive websites can take user input (like slashdot did when you typed in your comment). A lot of times, they'll even redisplay it for you (like when you click preview).
Most of the time, when you let users type something, you don't mind showing it back to them (they typed it after all). But with cross-site scripting, when you visit www.haxor.com, they'll provide you a link to www.phpnuke.org, but take advantage of the fact that phpnuke.org will display whatever that user has typed in.
Normally this isn't a problem, but there are people who are really good with javascript that can basically email your cookies to somebody@haxor.com after you've clicked that link. Once they've got your cookies, they can usually pretend to be you- submitting comments, stories, etc. Changing passwords. On PHPNuke, this isn't such a bad thing, but I wouldn't want anybody messing with me on my online banking site.
Take a look at the previous example. I mailed the Nuke authors about 3 months ago telling them about the above problem. No response. Don't use Nuke for anything you want to be secure. The explanation of what just happened is that search.php displayed whatever "query" contained. I stuck a few special bits of html (ie a close bracket) into their search box. When it got re-displayed, I prematurely exited their input field. This gave me free reign to put nifty red font tags onto their page. Imagine that it was evil javascript instead.
To prevent cross-site scripting attacks, you must remember to escape all untrusted data before displaying it to a user. For PHP, it would be something like: [input type=text value="[?PHP echo htmlspecialchars($their_input); ?]"]
The htmlspecialchars function automagically kills all dangerous characters before writing the data, making it much more difficult to attack.
Yup. This just confirms my suspicions. When Napster was in full force, music sales were up. Now, Napster has been shut down and there is no easy way for people to exchange or try out new music. Correspondingly, record sales are down. I the words of that big bully kid on The Simpsons... Haaa Haaa!
The license must not discriminate against any person or group of persons.
* No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
Just an FYI, but it would just get really nasty if a lot of people started putting exclusion clauses, etc. in their licenses.
--Robert
Re:That's why I chose not to use PHP
on
PHP Security
·
· Score: 4
In php.ini:
error_reporting = E_ALL
register_globals = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
Make sure that your code works with the above configuration directives, and many of the security problems mentioned in the above article go away. Follow the author's recommendation about not allowing URL access in 'file' functions, and you're just about as safe as possible.
The reasion you want to turn magic quotes off is because it's impossible to tell in PHP whether a given string has been quoted already or not (ie: it's magic), especially when you're redisplaying posted information in an HTML form in order to allow the user to correct their mistakes.
Since typing out $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SESSION_VARS, $HTTP_COOKIE_VARS is a reeeeal mouthful to type over and over again, I took the liberty of making a function called 'gpc()' which will get a requested variable following the rules of Get/Post/Cookie ordering set in the ini file. Your globals namespace stays 100% unpolluted unless you specifically request that your variable comes from an insecure (get/post/cookie) request.
Just remember: htmlspecialchars, escapeshellcmd, and addslashes are your friends. Use them in the right places and trust no one.:^)=
100% agreement on the previous comment. All packages on debian must adhere to policy, which is not overbearing, but rational and well thought out. Plus since all packages in debian *must* follow policy, what you learn for one package applies directly to every other package on the system.
Part of policy is that every program must have a man page, which was very nice when I was first learning to use linux.
I have always had very good results from mailing the maintainers of packages. So far, I've traded emails with the maintainers of: xawtv, makedev, php4, gabber, and xserver-common (who in some cases were also the developers of the packages in question, not including miscellaneous bug reports).
I've only had to mail maintainers since I've been using the 'unstable' distribution (which has only crashed once), and it's usually just been a heads up that some library upgrade broke some other function that their code depended on. This is not a problem when dealing with the stable distribution because it does not change.
Before that, I was able to get all the help I needed from the debian IRC channels (all IRC programs come defaulted to the debian irc servers, another nice touch).
I'm sure that once I mail my latest buglet report to the maintainer of icecast-server (program is compiled with crypted password support, but configuration files default to storing non-crypted passwords) that it will be responded to promptly, and integrated into the next update of icecast.
One final bit of debian evangalization: debian (almost) invented the word Free (with a capital 'f') when talking about Free/Open/GPL software. All programs distributed with debian must allow redistribution, must come with source code, and must allow modification of that source code. (well, mostly- some exceptions apply). This means that I *OWN* all the software on my computer in a way that's ten times more real than any software that I've paid for (just so long as I'm willing to share).
Lest you think that debian is all a bed of roses, not all programs are up to date, packages are maintained based on whether somebody is interested or not. Sometimes the developer of one program will break other programs unless versions are kept relatively in-sync. And finally, since you didn't pay for it, you can't really complain to anyone when there is a problem. The only solution is to revert and/or retry.
All in all, I am very pleased with debian, it does it's job quietly, and does it well.
Slashdot Mirror
Hi. It's sacriligious, I know, but try out the latest Wine stuff (www.winehq.com) and you can run much good windows software even under linux.
:^)
Not being a big news kindof guy, though, News was basically invented under the *nix umbrellas, and I'm pretty sure there is some excellent newsreading software out there. Witness P.A.N. (which used to stand for "Pimp Ass Newsreader", which it still deserves the title). It's great and gets a perfect score according to the "good netiquette institute". How it handles pr0n/w4rez, I'm not sure, since I use debian, mostly.
--Robert
Just look at Kuro5hin.org ... it is not based on slashdot, but IMHO, that's a good thing. It manages to keep a pretty high S/N ratio even though people have never met. (Actually, some people, mostly in the UK do get together on the weekends, all organized through the site)
It attracts some seriously interesting journalistic content, and to my knowledge, noone has ever been paid for writing a story.
--Robert
From my experience (#114517, if slashdot links are blocked), the maintainers/programmers have been really helpful and professional. But bug reports are almost useless if the person submitting them doesn't take the time to do it right. Reporting bugs is almost an art, and if approached with a humble and helpful attitude can be very helpful.
--Robert
FYI: Fallout 1/2 for $9.95. Saw it in my local Fry's ad. Slashdot this game, please. It is excellent, and getting Fallout 1/2 for the same price is a great deal. According to the WineX people, Fallout 1 and 2 are both rated at "4", which means some glitches, but still very playable, possible installation weirdness.
Fresh and tasty Debian packages of WineX 2.0 (which supports Max Payne FLAWLESSLY) are available for the price of a $5 (1 month subscription). If I were you, I'd sign up for the 6 month plan. I did (it just ran out), and I have not been disapointed. If you do sign up, hook me up with the 'refer-a-friend' thing and reference 'ramses0' if you think about it.
--Robert
I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
--Robert
Try wine if you can (apt-get install wine on debian). If the normal wine doesn't work, see if you can pay $5 to transgaming and download their new WineX 2.0 packages. I think codeweavers also has a version of wine which is improved from the base distribution ... maybe $30 to try that one out, but I'm not sure.
I know it's probably not an option, but also investigate GNUCash. It seems like a dumb way to manage your finances at first, but it's pretty well implemented once you get used to the "double accounting" method (where $$$ goes into "A", and then you move it from "income A" into "expense B")
--Robert
Why bundle a distro when they are selling OS-less PC's? It makes much more sense for WalMart to say "Check out our fine selection of Linux distros" and then make an extra $20-$50. It's no good to replace the Microsoft tax with the Mandrake tax. Plus it gets new users used to paying for their distros. This will be the way everything moves to in the future, simply because nothing in this world is free, no matter how much you want to believe it. Sometimes costs can be "negligible", especially if you break it down on a per-user basis with a lot of users, but time == money, and bandwidth == money. Both of these have to be paid for.
--Robert
--Robert
After ironing out issues between the Adaptec/SCSI firmware and my DVD drive, it took ~2 hours to get my Linux box playing encrypted DVD's (with a little help from the friendly people in #debian).
/etc/lilo.conf; lilo; shutdown -r now; I don't think I needed to update my kernel, but I want USB support for later on, so it's kindof necessary. apt-get install ogle, run the included install-illegal-decss-library.sh script that it told me I needed. Run ogle from the supplied menu shortcut, open and play the DVD. Once you know what you're looking for, it's remarkably simple.
:^)
:^). Including Black Slot-loading DVD, and Black LCD display. Most of it came from directron.com, or harddrive.com. Got Quake 3 and the Matrix Orbital LCD display from linuxcentral.com. Bought all of the $9.99 linux games I could from EBGames, and some of the newer ones from TuxGames. I need to buy the 'Loki Installer' for RTCW because I bought RTCW from BestBuy since couldn't wait any longer after I finally got all my hardware talking to each other.
:^)
;^)
Basically, my process was: Bootable Debian 2.2 CD installation. apt-get install kernel-image-2.4.18-k7; vim
I have 200+ CD's. I had most of them MP3'd before at 192 bitrate, but now I'm using abcde with oggenc -q7 for VBR OGGfiles averaging 200-250kbps since the quality is better. I own 20-40 DVD's. I want to stuff my DVD's to my harddrive because I'm basically a geek with too much hard-drive space.
I bought all my PC parts in pieces following the specifications given by those nifty Spindl3top people (hi lucas
As a technology pragmatist, I recognize that there are a multitude of competing video container formats (mov, avi, mpg) with multiple supported codecs. I don't know which tools are mature on which platform, and what quality/stability issues remain to be ironed out, which is why I asked slashdot in the first place.
Looks like I came to the right place since there are a bunch of high-quality responses and no "check google you dumbass" postings.
--Robert
Does anyone remember the old game "animal"? While not exactly what you're looking for, you might be able to repurpose it.
Here is a log of some output:
I think I'll try a guess now...
Is your animal a Elephant? no
I give up! You win! What was your animal? Dog
I need a yes-or-no question so I can later
tell the difference between a Elephant and a Dog.
Does it have a trunk?
what would be the answer be for a Dog? no
what would be the answer be for a Elephant? yes
I now know 3 animals!
Want to play again? yes
Think of an animal.
Press [Enter] or [Return] to continue...
Does it have a long neck? no
Does it have a trunk? no
I think I'll try a guess now...
Is your animal a Dog? no
I give up! You win! What was your animal? Monkey
I need a yes-or-no question so I can later
tell the difference between a Dog and a Monkey.
Is it a biped?
what would be the answer be for a Monkey? yes
what would be the answer be for a Dog? no
I now know 4 animals!
Want to play again?
$ apt-cache show animals
--Robert
I can't find any example links right now, and I might be mis-remembering it, so somebody more knowledgeable should add their thoughts.
--Robert
To those who think that resource gathering sucks, take a look at "Z" or "Steel Soldiers". Most of the maps that I remember are symmetrical, and you battled for individual control of territories, each territory giving you X points of resources per turn. Theoretically, each started with exactly the same resources, terrain, and position, so individual tactics are key.
Speaking of individual tactics, Jagged Alliance (also available for linux) is unbelievable. Probably one of my favorite games of all time, it combines minor role-playing, economics, big freakin' guns, and turn-based strategy. My biggest annoyance with real-time strategy games is that they were too much "real-time", and not enough "strategy". JA2 neatly solves the first problem by making combat turn-based, and everything else is as fast/slow as you want it.
There are tons and tons of cool games from even just a few years ago- while their graphics aren't 3D rendered, the gameplay is definitely timeless.
--Robert
--Robert
...like the guy from myboot says, the first line of any conversation involving a cell-phone is "Where are you?"
:^)
This provide a handy way to stop that.
--Robert
Thanks for the response-
;^)
It seems that Postgres uses more command line tools rather than MySQL using commands that are built in to the client (psql in your example). You're right about the whole 'familiarity' thing... I'll have to go dig around and find more doc's again this weekend, and see if I can get a "hello database" application running with PHP and Postgres.
I still like the doc's on MySQL's website better though!
--Robert
With MySQL its:
I spent a few hours one weekend trying to perform these equivalent operations with pgsql, etc. Granted I work with MySQL every day, but I wanted to try out PostgreSQL and see how it compares. It took me forever to find out that I needed to 'su' to user postgres in order to connect to the freaking database! Grr.
I'm willing to try, but somebody needs to point me to the right parts of some manual, FAQ, or HOWTO ... because dammit if I didn't actually go and do just what I said I would do above to make sure that it worked, and now I have an installation of MySQL running in less than 5 minutes.
--Robert
Agreed with the prior comment.
:^)=
:^)=
Although I feel obligated to add another job-type: The network dude that keeps apache, the mailserver, and php running on multiple virtual domains with inter-server databases and backup systems. They're important too.
3. The Network Dude:
4: Set up your own [linux/windows 2000 server edition] box
5: Install [Apache/IIS], [PHP/ASP/JSP], and [MySQL/PostgreSQL/MSSQL/Oracle] onto it.
6: Read all about TCP/IP protocols, DNS, MX-Records, routes, routers, etc.
7: Read all about your webserver, and how to keep it secure
8: Learn awk, sed, and perl.
One of these routes will cost you $1000+, the other will cost you $0.00+
--Robert
After all, the risk of letting people drive large steel cans around on our nations lifeblood of highways far outweighs any right to privacy or anonymity which American citizens don't have.
Oh, and banks/financial institutes are at risk too. Lets wire face-recognition into the existing ATM's and teller counters to secure our precious economy.
We already give up freedoms when driving, by requiring that all drivers be licensed. We also require that everyone obey certain laws.
90% of our laws are for a good reason, sacrificing individual freedoms for public safety. So maybe lawmakers do have a point in wanting to restrict crypto, etc. But imagine a world where you didn't need a license to drive, and you could carry around large amounts of money w/o being a suspected drug dealer. Are the compromises in freedoms worth the benefits?
--Robert
Most of the time, these duplicate messages will be spam, but if this little proggie had a human touch behind it, the future would seem a lot better. I would implement the filtering/bouncing as a "bulk mail" folder, much like yahoo does. Sometimes I'll find a few newsletters in that folder which I honestly did subscribe to, and I wouldn't be surprised if some sort of bulk-filter accidentally picked up on those too.
--Robert
Most of the time, when you let users type something, you don't mind showing it back to them (they typed it after all). But with cross-site scripting, when you visit www.haxor.com, they'll provide you a link to www.phpnuke.org, but take advantage of the fact that phpnuke.org will display whatever that user has typed in.
Normally this isn't a problem, but there are people who are really good with javascript that can basically email your cookies to somebody@haxor.com after you've clicked that link. Once they've got your cookies, they can usually pretend to be you- submitting comments, stories, etc. Changing passwords. On PHPNuke, this isn't such a bad thing, but I wouldn't want anybody messing with me on my online banking site.
Take a look at the previous example. I mailed the Nuke authors about 3 months ago telling them about the above problem. No response. Don't use Nuke for anything you want to be secure. The explanation of what just happened is that search.php displayed whatever "query" contained. I stuck a few special bits of html (ie a close bracket) into their search box. When it got re-displayed, I prematurely exited their input field. This gave me free reign to put nifty red font tags onto their page. Imagine that it was evil javascript instead.
To prevent cross-site scripting attacks, you must remember to escape all untrusted data before displaying it to a user. For PHP, it would be something like: [input type=text value="[?PHP echo htmlspecialchars($their_input); ?]"]
The htmlspecialchars function automagically kills all dangerous characters before writing the data, making it much more difficult to attack.
--Robert
Yup. This just confirms my suspicions. When Napster was in full force, music sales were up. Now, Napster has been shut down and there is no easy way for people to exchange or try out new music. Correspondingly, record sales are down. I the words of that big bully kid on The Simpsons... Haaa Haaa!
Don't you think that's funny?
--Robert
http://www.debian.org/social_contract#guidelines
* No Discrimination Against Persons or Groups
The license must not discriminate against any person or group of persons.
* No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
Just an FYI, but it would just get really nasty if a lot of people started putting exclusion clauses, etc. in their licenses.
--Robert
In php.ini:
:^)=
error_reporting = E_ALL
register_globals = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
Make sure that your code works with the above configuration directives, and many of the security problems mentioned in the above article go away. Follow the author's recommendation about not allowing URL access in 'file' functions, and you're just about as safe as possible.
The reasion you want to turn magic quotes off is because it's impossible to tell in PHP whether a given string has been quoted already or not (ie: it's magic), especially when you're redisplaying posted information in an HTML form in order to allow the user to correct their mistakes.
Since typing out $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SESSION_VARS, $HTTP_COOKIE_VARS is a reeeeal mouthful to type over and over again, I took the liberty of making a function called 'gpc()' which will get a requested variable following the rules of Get/Post/Cookie ordering set in the ini file. Your globals namespace stays 100% unpolluted unless you specifically request that your variable comes from an insecure (get/post/cookie) request.
Just remember: htmlspecialchars, escapeshellcmd, and addslashes are your friends. Use them in the right places and trust no one.
--Robert
Part of policy is that every program must have a man page, which was very nice when I was first learning to use linux.
I have always had very good results from mailing the maintainers of packages. So far, I've traded emails with the maintainers of: xawtv, makedev, php4, gabber, and xserver-common (who in some cases were also the developers of the packages in question, not including miscellaneous bug reports).
I've only had to mail maintainers since I've been using the 'unstable' distribution (which has only crashed once), and it's usually just been a heads up that some library upgrade broke some other function that their code depended on. This is not a problem when dealing with the stable distribution because it does not change.
Before that, I was able to get all the help I needed from the debian IRC channels (all IRC programs come defaulted to the debian irc servers, another nice touch).
I'm sure that once I mail my latest buglet report to the maintainer of icecast-server (program is compiled with crypted password support, but configuration files default to storing non-crypted passwords) that it will be responded to promptly, and integrated into the next update of icecast.
One final bit of debian evangalization: debian (almost) invented the word Free (with a capital 'f') when talking about Free/Open/GPL software. All programs distributed with debian must allow redistribution, must come with source code, and must allow modification of that source code. (well, mostly- some exceptions apply). This means that I *OWN* all the software on my computer in a way that's ten times more real than any software that I've paid for (just so long as I'm willing to share).
Lest you think that debian is all a bed of roses, not all programs are up to date, packages are maintained based on whether somebody is interested or not. Sometimes the developer of one program will break other programs unless versions are kept relatively in-sync. And finally, since you didn't pay for it, you can't really complain to anyone when there is a problem. The only solution is to revert and/or retry.
All in all, I am very pleased with debian, it does it's job quietly, and does it well.
--Robert