The problem is these are perfectly legal search engine queries. No matter how you "sanitize" the queries, that won't help, because they contain valid requests. The vulnerability lies at the side of the indexing program, not the query/search/display one. The indexer indexes things it shouldn't. Files inaccessible normally through httpd are accessible in the search database.
A method I see for that would be running the indexing by piping it through httpd, make even local indexing go the same way remote indexing is being done - not indexing /var/www/... but http://localhost/. This way the indexer won't be able to access anything else common user can.
I'm pretty sure the indexing server on Windows won't return 'search results' for files you don't have permissions to list.
The problem and vulnerability lies in the definition of "you".
The indexing program runs with the privileges of a local user with direct access to the hard drive. Listing directory contents, reading user-readable files. "you" are the user, like one behind the console, maybe without access to sensitive system files, but with access to mostly everything in the htroot tree the administrator hasn't blocked using the OS permissions, not the httpd features.
As a webpage visitor "you" are "guest", filtered through httpd, with all httpd restrictions applied. No directory listing, obscure blocking methods (.htaccess, config files, redirects, CGI wrapping) working. Your access is limited to what httpd lets you do, not just what the OS does. Now if you access the search engine database, you can see mostly everything the engine saw, including things it wouldn't see if it was running through httpd, not directly accessing the filesystem.
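One way to check for exactly this gap, as an added example that is not code from the original post: take the paths a filesystem-walking indexer stored, map each to the URL an anonymous visitor would request, and probe it through httpd. Anything httpd refuses (or that lies outside the document root at all) has no business being in the index. The document root, the local httpd URL and the recorded responses are constructed assumptions; `status_of` is injectable so the audit runs here against a canned response table instead of a live server.

```python
"""Audit a search index against the web server's own access control."""
import os
import urllib.error
import urllib.request
from typing import Callable, Iterable

DOCROOT = "/var/www"            # assumed document root of the indexed tree
BASE_URL = "http://localhost"   # assumed local httpd, as the comment suggests


def path_to_url(path: str, docroot: str = DOCROOT, base_url: str = BASE_URL) -> str:
    """Map an indexed filesystem path to the URL an anonymous visitor would request."""
    rel = os.path.relpath(path, docroot)
    if rel == ".." or rel.startswith(".." + os.sep):
        raise ValueError(f"{path} lies outside the document root {docroot}")
    return base_url.rstrip("/") + "/" + rel.replace(os.sep, "/")


def http_status(url: str, timeout: float = 5.0) -> int:
    """HEAD the URL as an anonymous client and return the HTTP status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def leaked_entries(index_paths: Iterable[str],
                   status_of: Callable[[str], int] = http_status) -> list:
    """Return (path, url, status) for every index entry httpd would not serve.

    A 200 means the visitor could have fetched it anyway; anything else
    (401/403/404, or a path outside the docroot) is content the search
    database exposes but httpd hides, and should be purged from the index.
    """
    leaked = []
    for path in index_paths:
        try:
            url = path_to_url(path)
        except ValueError:
            leaked.append((path, None, None))   # never reachable through httpd
            continue
        status = status_of(url)
        if status != 200:
            leaked.append((path, url, status))
    return leaked


# Constructed sample data: what a naive indexer stored, and what httpd answers.
SAMPLE_INDEX = [
    "/var/www/index.html",
    "/var/www/.htaccess",
    "/var/www/private/report.pdf",
    "/var/log/httpd/access.log",
]
SAMPLE_RESPONSES = {
    "http://localhost/index.html": 200,
    "http://localhost/.htaccess": 403,
    "http://localhost/private/report.pdf": 403,
}


def sample_status(url: str) -> int:
    """Canned httpd responses for the constructed index above."""
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    for path, url, status in leaked_entries(SAMPLE_INDEX, sample_status):
        print(f"remove from index: {path} ({url} -> {status})")
```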
It's about laws you're not entitled to know about but you are bound with.
This one is mostly harmless. But it's just a step away...
Imagine such a law: Any visitor to an anti-government website is considered traitor of the country, subject to arrest and lawsuit, without right to a lawyer, with methods of interrogation like tortures allowed, bound with secret about everything they see or hear, including this law.
Now this law comes into effect, except it's not being published anywhere. Just the same as the "ID check" - you don't get a chance to know it exists possibly until after you've violated it. The agents are free to drag you out of your house and keep you imprisoned for months, then eventually kill you and nobody can do anything about it, they can't even know what happened to you. And it's all fine in the eyes of law - and nobody can protest because nobody knows, and those who know, by knowing are bound by secret, or they violate the law and are subject of prosecution.
That's the method of rule of totalitarian government. Laws you don't know about until it's too late. And of course laws made up on the spot, just as binding because nobody can verify they were made up on the spot...
Hey, it's not like he's going to pilot the plane!
Plus, say, I'm with my friend. He has the license and he will drive, but he's without cash. So I show my credit card and pay for the rental. I'm not going to drive. Won't my CC and his license suffice?
If you are not one of those open source developers who lives in their parents' basement, then donations of money in support of the product are what you have to rely on. (This also assumes that you are not doing any other revenue-generating work.)
Blue-eyed people with a spot on the right side of the nose, and advanced case of rabies aren't allowed inside (and so are all blacks and jews).
Most people who write free software fall in the two classes you described, the great majority in the latter. There are few redundant who really would depend on your money - and then still writing FOSS is a good way for them to fill their portfolio and increase chances of getting a job.
Donations often are a driver of new functionality. In extreme cases, people often donate together with a request for the developer to add in a particular feature.
Sure, if they asked me for GUI for getpic, probably some $50 behind the request would motivate me enough, even taking a day or two off from my work. But $5 donation even in my poor country would be a nice gesture, but nothing more. Want to help me? Order a commission of my paid job.
In most cases they would be more grateful for a neat patch with some feature, for some words of praise, and especially with success stories of their software.
I wrote this little piece of crap. Okay, it got obsoleted really fast, it does the job but isn't anything great and there's practically no audience. But then I found this blog entry (fish link) and felt really special :) It's what makes such projects great, people's gratitude. Not money. Just the fact that you're the hero.
A deeper problem that Wiki shares with Britannica is that it tries to impose a single systematization of knowledge. This is fine for areas where there is no controversy. Where controversy is active the result is either a tug of war between extremes or some bland statement that takes no position.
This is wrong: Wikipedia works on these things very actively. Check the article on Zoophilia to see an example where NPOV (Neutral Point Of View) was achieved without loss to the quality of the article. The rule is simple: If consensus can't be achieved, best of voices/arguments of all sides are published and it's up to the reader to decide which one they prefer. Something hardly ever happens in Britannica: If some "expert" has his own agenda to push, there's no way to achieve NPOV, if there is some kind of argument going on, encyclopedia either takes one side or does what you said: leaves a short, bland statement. No way to discuss things, no way to explain differences, no chance for rebuttal of fallacious arguments.
http://www.keil.com/c51/c51_opt.htm
Not all that impressive list. More like clean-up after VERY sloppy programming plus standard compiler work, than optimization of sensibly written code. Note no expression optimization (major pain, a=a/2 won't be RR A but DIV AB), no redundant code check, several other more advanced optimizations missing. This would make bad code perform somewhat less bad, but it won't make decent, readable code run like an optimized one.
still, how does that influence you as a person? Are these actions somehow evil? Are they somehow limiting your freedom? Nobody forces you to get there, to read my stories or to dress up as a furry, so what makes you hate us so much? If that's not your thing, why can't you just ignore it? ...or maybe you're just jealous of us having a good time and getting laid on regular basis?
Tell me please. Why do you hate us? It always made me wonder...
I got in the habit of writing "readable but inefficient" code, taking care that my constructs don't get too sophisticated for the optimizer but then depending on gcc -O3 thoroughly. And then it happened I had to program an 8051 clone. Then I learned there are no optimizing compilers for '51, that I'm really tight on CPU cycles, and that I simply don't know HOW to write really efficient C code.
Ended up writing my programs in assembler...
May I ask you... I'm perfectly satisfied with my old ink. It's been in trade for some 8 years now. Why didn't the price go down? Why can't I safely buy cheap cartridges with "economy class" old ink, but pay for research that saves me extra 5 seconds of waiting for the printout, but costs me 15 minutes of work at my workplace to pay extra?
I really don't see a difference between quality or speed of, say, HP850C and the newest model. The only difference I see the old cartridge is 15ml and the new one is 5, the old one lasts me for a year, the new one for 2 months, the old one is refillable, the new one isn't, and they cost about the same. But the old printer isn't supported. Once it breaks, I won't be able to have it fixed and will have to buy new crap.
I don't care about new, revolutionary inks. I want the same, old, good ones. And I don't want to see them go.
Sorry to say, but Snopes.com is an extremely biased pro-American conservative site. (just compare the proportion of pro-Bush "Trues" and anti-Bush "falses")
1) Pencil leads made of actual lead don't snap. Their writing properties are worse than those made of graphite (still readable enough though), but they are practically unbreakable. So no risk of snapping off, no lead particles, no burning either. A metal-cased graphite pencil is perfectly fire-proof and pretty much break-proof. True both graphite and lead are conductors, but so are almost all items made of metal, and there were quite a few of them. Only snap-off pieces could eventually get into the electronics, but lead doesn't snap so no problem.
2) There was enough easily flammable material in the cabin that it would catch fire by itself in an atmosphere of pure oxygen. Not that it would matter, the astronaut wouldn't live long in pure oxygen either.
And before you start about how poisonous lead is, people were using lead-based pencils for hundreds of years before they were replaced by graphite ones.
No joking here. An old question, what's the best accountant's answer to "how much is 2+2" is "whatever you'd like it to be."
Custom Enterprise Resource Planning software sometimes includes parts no boss would want the IRS or other authorities to know. With Open Source they become blatantly obvious. In this case Security Through Obscurity is the only safe model.
Sure, an HONEST resource planning software can be open source. But it won't ever make the company as successful as one with some... extras.
Actually, I like it. Let it be Beta.
It doesn't only mean "if it has a bug, it's not our fault". It also means "if it has a bug, report it and we'll try to fix it ASAP."
Get a Final. Don't expect bugfixes till next major number beta, unless you want to backport patches from CVS tree yourself.
Get a Beta. Expect bugfixes before next Beta and certainly before Final.
Or, get a Beta and know it's NOT granted to work flawlessly and suitable for production environment. Give it a try, but don't use it for anything important - you have been warned. If you use Final and it breaks, you have all the rights to complain, maybe even sue. But that's a "Shouldn't Happen" event.
Of course you MAY use Beta in mission critical situations. On your own risk, and be ready to take all the blame :)
So, pick a threshold length. Password of 4 chars is almost immediately crackable. Password of 6 takes days. Password of 10 is practically uncrackable except for dictionary attacks. So require the user to give a 6-letter password, but store a 9-char one, with 3 chars randomly generated. Get the login process to crack - brute force the remaining 3 characters at each login. The user doesn't have to worry about a lengthy, difficult password, the cracker has to run an attack against a non-dictionary, full ascii range one. Simply make the password verification process more computationally intensive. Delay of 1s at login time is nothing. Delay of 1s between tries of dictionary / brute force attack is deadly for the process.
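The scheme from the comment, as an added example that is not code from the original post: the server appends random characters it immediately forgets, and every login recovers them by exhaustive search, so one guess by an attacker costs as much as one full login. The hash function (sha256), the 16-byte salt and the 94-character printable alphabet are assumptions; the scheme does not depend on them.

```python
"""Store password + forgotten random suffix; brute-force the suffix at login."""
import hashlib
import hmac
import itertools
import os
import secrets
import string
import time

# Printable ASCII minus whitespace: the hidden suffix is drawn from here, so the
# stored secret is never a dictionary word even when the user's part is.
SUFFIX_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _digest(salt: bytes, password: str, suffix: str) -> bytes:
    return hashlib.sha256(salt + (password + suffix).encode("utf-8")).digest()


def suffix_space(hidden_len: int) -> int:
    """Hashes needed to exhaust the suffix: the price of every candidate password."""
    return len(SUFFIX_ALPHABET) ** hidden_len


def enroll(password: str, hidden_len: int = 3) -> dict:
    """Create the stored record. The random suffix is used once and discarded."""
    salt = os.urandom(16)
    suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(hidden_len))
    record = {"salt": salt, "hash": _digest(salt, password, suffix),
              "hidden_len": hidden_len}
    del suffix                      # only the hash remembers it from here on
    return record


def verify(record: dict, password: str) -> bool:
    """Recover the suffix by exhaustive search.

    A correct password is found after half the space on average; a wrong one
    always pays the full cost, which is exactly what slows a guessing attack.
    """
    for combo in itertools.product(SUFFIX_ALPHABET, repeat=record["hidden_len"]):
        candidate = _digest(record["salt"], password, "".join(combo))
        if hmac.compare_digest(candidate, record["hash"]):
            return True
    return False


if __name__ == "__main__":
    rec = enroll("secret")          # constructed 6-character user password
    t0 = time.perf_counter()
    ok = verify(rec, "secret")
    print(f"login ok={ok} in {time.perf_counter() - t0:.2f}s; "
          f"each guess costs up to {suffix_space(rec['hidden_len']):,} hashes")
```

Because a wrong password always pays the full search, failed logins are the expensive path; a purposely slow hash such as bcrypt or Argon2 gives the same per-guess cost with a tunable, fixed delay instead.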
Oh, the editor confused the icons. Not this but this.
You misinterpreted the folder name meaning. The folder gets replaced together with its hidden contents whenever you remove it because without it, MSIE wouldn't be able to render pages properly, missing its underlying HTML rendering engine which is being placed there.
C:\>COPY CON: FILENAME.TXT
Only Pussies Use Notepad
Wordpad Suxx!
^Z
C:\>
"We really [wanted] to go dial down the emotion, dial down the rhetoric, have a more fact-oriented approach and dial up the pragmatic analysis of solutions."
1) Cool down.
2) Stop using bullshit language (like the untranslated) and speak understandably [he apparently failed this step]
3) Add up pluses and minuses of the problem, disregard emotions.
4) Pick stuff that REALLY will JUST work (as opposed to "fail in the most spectacular and impressive way" [see Windows Media Desktop presentation])
5) ??? [a bloody armageddon against the Marketing dept]
6) Profit!!!
No, try to ask something that gives insight. Don't try to test what if a viper bites its own tongue - that won't happen. You CAN'T have this question answered in an honest manner by a Microsoft representative.
Want a real answer?
1) Yes, $$$.
2) Yes. More profit from the moron 20% of the potential customers believing the lies and paying for a crappy product, and the remaining 80% seeing through them and leaving, than 99.9% believing the truth and turning away, and 0.1% despite all the facts still buying stuff.
The products can't stand on their own, and letting them fall would be a huge financial loss.
My vote: "against". A yes/no question giving no real insight and trying to trick the opponent into saying something that will sound silly. The problem is the difference of platform quality will show when the administrators are both equally skilled on their respective platforms. And schools of administration of Linux and Windows are so different, that it's impossible to compare skills of the two, it's impossible to tell whether they are "equally skilled" - the factors you CAN measure are compound ones - i.e. how smoothly the systems run (downtimes, reboots, intrusions etc) and if you take two system-administrator sets that run equally well, it's still impossible to tell if that's because of the admins or because of the software.
So, answer 1) "I agree admin skill is essential" - "so why do you claim Windows is better than Windows then?"
Answer 2) "I disagree, software is the ultimate factor" - "so you say Windows administered by a crappy admin will run better than Linux with a good admin? What a piece of crap!"
20s across Earth
2 days for the distance between Sun and Earth
1800 years to move between Solar System and Proxima Centauri
43 million years to cross the Galaxy.
...only 0.2% c
Yes... but that "generic word" limits you to your domain strictly. Using a unique word and gaining world recognition gives you protection in ALL domains.
I can create "apple candies" (duh, obviously!), "apple" clothes, name a car "apple" and such. But if I tried to produce tiny jelly beans called "Microsoft", I'd have my ass sued (and go bankrupt, nobody buying them from fear of poisoning).
Still, whoever used the brand name outside my domain before the company gains world recognition, can keep the trademark. (see the Linux washing powder :)