He says things were back to normal at MySpace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.
To be fair the site is frequently unstable, so I think that suggesting that the stability issues were solely relating to this attack is a little harsh.
I too create sites where people can control content and do interesting things. Personally I would be angry at being subjected to an attack like this - but after it had been cleaned up and I was calm again I would be genuinely grateful.
Responsible disclosure would be best, since it would avoid the "angry phase", but I can understand why people don't go in for it.
There is a simple fix, rather than making a request to a remote site which tests only your logged in cookie it should instead send a "random" value with the request.
The way it works is:
Google sends a form to you with a hidden "auth string".
When you make a request back you send the same auth-string/token with the request.
If the login cookie is invalid then the request is denied.
If the login cookie is valid and the auth-string was correct the results are sent back.
If the auth-string was missing then you know the request was forged.
This is the difference between http://example.com/logout and http://example.com/logout/124rkjfldf for example. The former is insecure since example.net could include that link in an image source; whereas the latter example uses a token appended to the URL - if the submission doesn't have the correct token then it can be denied.
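The check described in this comment, as an added Python example that is not from the comment or from the poster's site. The in-memory session store, the function names (login, render_logout_form, handle_logout, insecure_logout, forged_request) and the response messages are assumptions made for the example; the token is minted once per session and compared in constant time.

```python
import hmac
import re
import secrets

# Constructed in-memory session store: cookie value -> session data.
# SESSIONS and the functions below are assumptions for this example, not an
# API taken from the comment.
SESSIONS = {}


def login(user):
    """Create a session and mint its anti-forgery token (one random token per session)."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "auth": secrets.token_urlsafe(32)}
    return cookie


def render_logout_form(cookie):
    """Step 1: the site sends a form carrying the token in a hidden field.
    token_urlsafe only yields [A-Za-z0-9_-], so it is safe to place in the attribute."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return None
    return ('<form method="post" action="/logout">'
            f'<input type="hidden" name="auth" value="{sess["auth"]}">'
            '<input type="submit" value="Log out"></form>')


def token_from_form(html):
    """What the user's own browser does: submit the hidden field it was given."""
    m = re.search(r'name="auth" value="([^"]+)"', html)
    return m.group(1) if m else None


def handle_logout(cookie, auth):
    """Steps 2-4: check the login cookie first, then the token; both must pass."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return ("denied", "no valid login cookie")
    # compare_digest keeps the comparison constant-time; bytes avoid the
    # TypeError that compare_digest raises on non-ASCII str input.
    if auth is None or not hmac.compare_digest(sess["auth"].encode(), auth.encode()):
        return ("denied", "missing or wrong auth token: request was forged")
    del SESSIONS[cookie]
    return ("ok", "logged out")


def insecure_logout(cookie):
    """The plain /logout from the comment: the cookie alone is enough, so any
    third-party page that embeds the URL as an image source logs the user out."""
    if cookie not in SESSIONS:
        return ("denied", "no valid login cookie")
    del SESSIONS[cookie]
    return ("ok", "logged out")


def forged_request(cookie):
    """A request triggered from another site: the browser attaches the login
    cookie, but the embedding page never saw the form, so it has no token."""
    return handle_logout(cookie, None)


if __name__ == "__main__":
    c = login("alice")
    print(forged_request(c))                                  # denied
    print(handle_logout(c, token_from_form(render_logout_form(c))))  # ok
```

Only the token-bearing path succeeds for a request that did not originate from the site's own form; the insecure variant is kept alongside it to show exactly what the cookie-only check lets through.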
The US is really good at this. Particularly useful when there's only two of you and the bar is packed with no space at the bar itself, because you avoid long gaps in the conversation while one of you goes to get the round in.
That is certainly true, but I find that I'd be more inclined to have table-service in a large group since there is a lot more effort required to remember the orders in a round, and to physically carry them back to the table.
Although, as a Scot, standing at the bar is one of the few times when it is OK to randomly chat to strangers with no real excuse/desire. Something that I missed when I was in American bars - you sit at your table, people fetch you drinks, and you don't end up randomly chatting to people at the next table. It feels more like drinking in your house with a friend or two.
Given the choice I'd like to have the option of reading mail, surfing the internet, and using a computer whilst on holiday, but I can live without it.
I guess there are two questions here:
Can you go away with no network access.
Should you be contactable by work / reading work mail whilst away.
The first I'd say "yes I can, but I don't want to". I find that with no net connection I do miss it, things like looking up actors on IMDB if I've been to the cinema, etc, so I would prefer to take a laptop away with me for any trip lasting for more than 5 days - but I'm not addicted enough to require it.
The second? No, definitely not. I made the decision early-on that if I'm not actively at work then I will not check work mail. I'm happy enough to work the occasional long day, if there is a big job/release/whatever on, but as a matter of policy when I'm not at work I don't expect to be contacted by colleagues. If they want me to be on call or otherwise available during my evenings and weekends I expect to be paid a lot of money for it. A lot of money.
Even if I get curious about whether a long operation scheduled to run overnight has succeeded or not I'll rarely ever check up on it. When I'm not at work I'm not at work.
I've done work for a few companies who tried to hang on to their legacy software forever, usually vertical apps. None were successful with the strategy. Usually it's a lazy CEO/CFO who's afraid of change, or a profound misunderstanding of the economics of IT. And, when these companies eventually break down and replace the app, they usually screw it up one way or the other.
I don't have a lady at the moment, but certainly over the years I've come close to being married.
Every time the conversation about engagement/wedding rings has been raised I've told my partner of the history of diamonds. After that none of them have wanted to get one. I regard that as a good thing.
I can't imagine marrying somebody who, knowing the truth, would still want a diamond wedding ring.
Personally I've always liked platinum puzzle rings, but to be honest I'd buy a future anything they wanted, so long as it wasn't diamond.
My experience was an unsolicited offer out of the blue to interview with them.
My response "Yes I'd love to work for you. No I'm uninterested in relocation".
Re:This is just taking things too far (on School Bans 'Tag', Score: 1)
Yeah to be honest I can recall similar incidents, where people got injured and then the staff "weren't allowed" to give them painkillers due to strange rules.
For most of the minor scrapes we had a couple of teachers with first aid training, and for the bigger injuries I can recall people being ferried to the casualty department of the local hospital - or in one case an ambulance being called for.
This is just taking things too far (on School Bans 'Tag', Score: 2, Insightful)
Yes some children are going to play games and get injured, but this is insane.
I chipped two of my front teeth when I fell over in school aged 11, but my parents would have been laughed at had they decided to sue the school.
I'm sure there are probably (too many) rules about schools nowadays relating to who is in charge, or responsible for the pupils, etc. But at the end of the day accidents happen when you're a child.
It's about time people stopped talking to lawyers at the drop of a hat. Sadly it seems that even the UK is going in that direction.
Anaesthetise passengers, strip them down, scan them, pack them in fire retardant survival packs, then load them on to a cargo plane. Problem solved.
Just like the transportation we see in the commercial "airliner" in The Fifth Element?
I actually thought that was very cool. Get onboard, go to sleep, and wake up when you've arrived.
Sitting idle on an 11 hour flight must be one of the dullest times I've ever spent in my life. Especially if we keep having more and more restrictions placed on us. The temporary "no food", and "no books" restrictions earlier this year made me pleased I'll not have to fly anywhere distant soon.
Question: What if I wanted to share the desktop with the guy sitting there? Is that possible?
By default, I believe, you'd receive a new desktop each time you connected to a VNC server. However using software such as x11vnc you can certainly share the currently visible desktop, or just a window from it.
I wrote this simple guide last year which should document the process a little.
For a start you could see this site in my profile link.
I also manage a couple of minor social sites which are public but "local".
Wasn't the Monopoly game initially stolen? There is some interesting history behind it at the very least..
I'm surprised at how old the game is.
If you can read some of the code on the daily WTF and feel the horror and the "F" - then your code is not bad.
Some of them are quite wily..
I wrote about this here, when I updated my site to work like this.
Here's a little cheat sheet for uptimes in percentage per-year:
90% - 876 hours (36.5 days)
95% - 438 hours (18.25 days)
99% - 87.6 hours (3.65 days)
99.9% - 8.76 hours
99.99% - 52.56 minutes
99.999% ("five nines") - 5.256 minutes
Finally,
99.9999% - 31.536 seconds
But there is no need to change it!
On a more serious note, yes you're entirely correct. It might not be easy to change, and people will be confused but it is the right thing to do almost all of the time.
I remember loving the music collection included with the various Wipeout games, people like Prodigy and FSOL.
Even now I think of those first when it comes to soundtrack albums for games - I know I bought a couple of albums, second-hand.
It's easy to turn them down when the conditions of accepting include relocation though.
Sure some people could do it, but I wouldn't.
I think if they hadn't understood the importance of it they wouldn't have kept it classified.
I too buy CDs, but only ever second hand.
That way I can get an album for a cheap/fair price, and don't feel like I'm supporting a company which has the idea of value-add meaning "Won't play unless you install our windows-only rootkit".
I'd pay more for albums from companies who would stop being so litigious, such as not suing people who post lyrics online, for the rare time when I hear a track I like on the radio and miss the name.
I like music. I listen to music almost 24x7 when awake, but I won't support companies who sue at the drop of a hat, and try to restrict things we can do with our purchases.
God knows there are enough used record stores I could probably buy a new CD a day for the rest of my life and still find new interesting tunes.
I agree .. as a fellow head-shaver.
Most of my cuts come from clumsiness, or that annoying curved region at the very back of the head. Still I've had years of practice and I generally get by just fine so long as I don't leave it too many days between shaving.
(I try to be dedicated and do it daily, but I just don't have the patience every morning!)
Ahhh but if she wasn't prepared to go out on dates, hang around with him, etc, she'd not be perfect would she?!
I have audited many many programs. Never once have I been ignored, or had to argue the case for anything I found and reported.
Still I know it's not easy to write secure code, even with my auditing experience I've still released code with exploitable holes. You need to get everything right every time, the attacker only has to find one hole to take over...
It appears to work with no false positives at all, however I admit I don't check the logfiles very often. The best I can say is that I've never seen it make a mistake, and nobody has ever complained to me about it either.
(For reference the code is built on top of the perl Algorithm::NaiveBayes module.)
Keyword filtering is one option but if your list gets compromised then people will just use other words.
One thing I've done on my site is Bayesian filtering of new comments.
Since I have a database full of "good" comments and I have a separate list of all the comments users have reported as "trollish/offensive" I can use those two corpuses (corpii?) to filter against.
Any anonymous comment which scores more for troll than for good gets rejected with an error telling the user their comment was dropped and they should register as a user if they wish to post it.
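The filtering rule described in this comment, as an added example written in Python. It is not the poster's code (which, per the comment, is built on Perl's Algorithm::NaiveBayes); the naive Bayes classifier, the two small training corpora and the function names (build_filter, moderate) are constructed here for illustration.

```python
import math
import re
from collections import Counter

# Constructed training corpora standing in for the site's database of "good"
# comments and its list of comments reported as trollish. Not real data.
GOOD_COMMENTS = [
    "thanks for the patch, the fix works on my server",
    "interesting article, the kernel scheduler changes look sensible",
    "I tested the new release and the upgrade went smoothly",
    "good point about backups, I schedule mine nightly",
]
TROLL_COMMENTS = [
    "you idiots are all morons, this site is garbage",
    "what a stupid moron, delete this garbage post",
    "idiots everywhere, worthless garbage as usual",
    "moron, nobody cares about your stupid server",
]

REJECT_MESSAGE = ("Your comment was dropped. Please register as a user "
                  "if you wish to post it.")


def tokenize(text):
    """Lower-case word tokens; punctuation is ignored."""
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing (an assumed design;
    the comment's own filter uses Perl's Algorithm::NaiveBayes)."""

    def __init__(self):
        self.word_counts = {}        # label -> Counter of word frequencies
        self.doc_counts = Counter()  # label -> number of training comments
        self.vocab = set()

    def train(self, label, text):
        words = tokenize(text)
        self.word_counts.setdefault(label, Counter()).update(words)
        self.doc_counts[label] += 1
        self.vocab.update(words)

    def scores(self, text):
        """log P(label) + sum of log P(word | label) for each label.
        Words never seen in training are skipped, so a comment made only of
        unknown words is not pushed towards whichever corpus is smaller."""
        total_docs = sum(self.doc_counts.values())
        known = [w for w in tokenize(text) if w in self.vocab]
        result = {}
        for label, counts in self.word_counts.items():
            logp = math.log(self.doc_counts[label] / total_docs)
            denom = sum(counts.values()) + len(self.vocab)
            for w in known:
                logp += math.log((counts[w] + 1) / denom)
            result[label] = logp
        return result


def build_filter():
    """Train one classifier from the two corpora."""
    clf = NaiveBayes()
    for c in GOOD_COMMENTS:
        clf.train("good", c)
    for c in TROLL_COMMENTS:
        clf.train("troll", c)
    return clf


def moderate(clf, comment, anonymous):
    """The comment's rule: only anonymous posts are filtered, and a post is
    dropped when it scores strictly higher for 'troll' than for 'good'."""
    if not anonymous:
        return ("accepted", comment)
    s = clf.scores(comment)
    if s["troll"] > s["good"]:
        return ("rejected", REJECT_MESSAGE)
    return ("accepted", comment)


if __name__ == "__main__":
    clf = build_filter()
    for text in ("thanks, the patch works on my server",
                 "stupid moron, your garbage patch is worthless"):
        print(moderate(clf, text, anonymous=True))
```

Two points a practitioner would want from such a filter: registered users bypass it, exactly as the comment states, so the reported-comment corpus should keep growing from their posts too; and with two corpora of unequal size, scoring unknown words with smoothing alone biases the decision towards the smaller corpus, which is why the example ignores words it has never seen and treats an exact tie as "not more troll than good".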