For the DMCA takedowns, yes we can - they are at https://github.com/github/dmca (it's in the second-to-last paragraph). I don't think they're allowed to for the NSLs. I didn't spot any listings for other forms of takedowns.
It appears that the massive majority (>5000, according to https://github.com/github/dmca... ) is one project; judging by Google results of the repo name, it's some Chinese e-commerce site's source code. Not sure why people would be so interested in forking it that there's that many copies floating around...
But they're not blocking those advertisers from their advertising network; they're blocking it from the browser end. Yes, that means Chrome can block a web site for not manually filtering ads being provided by Google.
They have release channels that don't require the signed code.
That's the alpha version ("aurora"); the release version (and the beta) enforces signing, last I heard. They said something about having an unbranded version that doesn't require signing, but as far as I can tell from browsing around ftp.mozilla.org it doesn't actually exist.
They don't have anything that is actually expected to work for everyday browsing that doesn't enforce signing.
That sounds more like kexec, where the running kernel is replaced (which also means existing processes are all killed). This newfangled thing is for live patching, where everything (including userland) stays up.
The DOS part you are talking about works because it isn't doing multitasking; effectively, each app is the kernel as it runs. For later examples of this, any 386 or higher version of Windows (3.11 WFW, 95,...) did basically the same thing.
FWIW, that third-party comment is actually first-party (Lennart Poettering goes by mezcalero on LWN).
As for systemd... I rather like it as a process/services/cgroups manager. I just wish they didn't cram everything else into the same project; I feel (without their extensive implementation experience) that having separated components with stable interfaces between them leads to a better user experience since people can try newer versions of various bits and switch back while bugs get fixed. The important part here being the stable interfaces... and well, Linux userland people, beyond a few notable exceptions like glibc, don't seem to believe in that.
Systemd as an init system / process spawning thing is kinda nice, actually. (I'm using it on OpenSUSE; tried Arch very briefly. Used it on Debian/Jessie for a bit because gdm3 needed it to let me login.)
Part of the systemd hate is from things that probably shouldn't live in the same project. People would probably be okay with it as a separate resolverd or something, but... having that coupled to systemd is just strange. One of the strong points of systemd is the ability to start services from a variety of triggers (socket activation, etc.); why can't it be an external project (with the same authors) that gets triggered at the right times? udev, maybe... not sure.
Is there a particular reason to block reading (search) instead of writing, given a highly suspect origin? That is, they can enable search and disable mail/plus/whatever, right?
I guess my question boils down to, what advantage do SEO pieces of shit get from searching Google? The only thing I can think of off the top of my head is to check if their SEOing was successful. That doesn't seem overly useful to me (but then, I've never tried to look at that).
Pretty sure they're running on Android's guts, so kinda? (I think they took out the UI/Java/whatever layers and are using the Linux kernel that Android uses, plus their own UI layer. See info on Gonk.)
Re: They KNEW about this vulnerability? (on "GitHub Hacked")
There are two groups of developers here.
Ruby on Rails, the framework, had developers that knew about this general class of vulnerabilities - it's easy to write code that ends up being buggy.
GitHub, the web site (that runs on Rails, and hosts the Rails source repository), knew about the general class of vulnerabilities but not that they had these particular instances of them.
It appears that Homakov tried to get Rails to change the defaults so that these things can't happen unless you ask for them, and was rejected as making the framework more difficult for prototyping use; the opinion on the bug was something along the lines of "the developer using the framework should be protecting against this". He then demonstrated in frustration that this was a bad default, since GitHub is one of the leading sites using the framework and is developed by people generally thought of as knowing what they are doing.
It appears that this has worked and the opinion of the framework developers has changed, and no real damage was done, other than possibly reputation.
GitHub, overall, seemed to be collateral damage.
P.S. I don't think GitHub is open source; Ruby on Rails is.
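The comment above argues about a framework default that lets "these things" happen unless the application opts out. The comment does not name the mechanism; the added example below (not from the original thread, and not Rails' own code) assumes the usual shape of that problem, a framework step that copies every request field onto a model object, and shows it next to an explicit allow-list. `User`, `update_permissive`, `update_permitted`, `PERMITTED` and the request hash are all made up for the example.

```ruby
# Added example, not code from the original comment or from Rails.
# A minimal stand-in for a framework's "update the model from the request
# params" step. The class and function names are hypothetical.

class User
  attr_accessor :name, :email, :admin, :public_keys

  def initialize(name:, email:)
    @name = name
    @email = email
    @admin = false       # never meant to be settable from a form
    @public_keys = []
  end
end

# Permissive default: every key in the request that matches a setter is
# applied. Nothing distinguishes "name" from "admin".
def update_permissive(user, params)
  params.each do |key, value|
    setter = "#{key}="
    user.public_send(setter, value) if user.respond_to?(setter)
  end
  user
end

# Opt-in form: only allow-listed keys are applied; everything else is
# returned so the caller can log or reject the request.
def update_permitted(user, params, permitted)
  rejected = params.keys.reject { |k| permitted.include?(k) }
  params.each do |key, value|
    next unless permitted.include?(key)
    user.public_send("#{key}=", value)
  end
  [user, rejected]
end

PERMITTED = %w[name email].freeze

# Constructed request body, as a form handler would see it after parsing.
# A normal profile edit would carry only "name" and "email".
REQUEST_PARAMS = {
  "name"  => "Mallory",
  "email" => "mallory@example.invalid",
  "admin" => true,
}.freeze

# Runs both variants over the same request and reports what each did.
def demo
  permissive = update_permissive(User.new(name: "alice", email: "alice@example.invalid"),
                                 REQUEST_PARAMS)
  hardened, rejected = update_permitted(User.new(name: "alice", email: "alice@example.invalid"),
                                        REQUEST_PARAMS, PERMITTED)
  {
    permissive_admin: permissive.admin,   # true: the extra field was applied
    hardened_admin:   hardened.admin,     # false: still the constructor value
    rejected:         rejected            # ["admin"], available for logging
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The useful detection signal is the `rejected` list: a handler that logs unexpected keys will surface probing of fields like `admin` long before anyone notices a privilege change in the data.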
Do you happen to know how the drive-by PDF exploit manages to keep root, then? I'm curious as I don't see how arbitrary code execution via a PDF vulnerability differs from arbitrary code execution via a cable - what sort of magic allows the former case to bypass the security checks that the latter can't duplicate?
That particular comparison keeps getting reposted as the proof that Theora is feasible.
Theora may or may not be comparable in quality to H.264, but that comparison doesn't tell me either way. It completely ignores the H.264 encoding process, which means that Theora has the advantage of taking however long it needs to compress things. Lots of things involve a time/space (memory or disk) trade off, that needs to be taken into account too.
I don't particularly like the licensing issues around H.264 / MPEG*, but that doesn't mean I am willing to take an unfair comparison either.
(Caveat: I'm a C++ programmer, working on code that has lots of macros.)
The debugger. You can mouseover variables in the source view, and it shows the data (reliably, and points to concrete classes). It lets you switch between threads easily, and shows backtraces you double click on to get to the relevant source code. It uses a normal GUI file browser to let you choose symbols to load, if you haven't set it up beforehand (also via a GUI), and warns when it's out of date. With lots of annoying config file hacking, it can let you display structures in a custom manner.
The closest I've seen on Linux was Insight, and that was quite a few years ago (maybe it's improved since?). GDB has a huge barrier to entry, and being line-input based means there's no organization (I don't want my code to be displayed in the same place as my backtrace or my local variables). DDD doesn't reliably display my data, and when it does manage to do so visualizes anything C++ horribly.
I've tried KDevelop (3 and 4) a while back; it absolutely hated dealing with things that have an external build system (i.e. it doesn't work as a pure debugger). Debugging C++ in Eclipse was a joke when I tried it (the one time I did have to work on Java, though, it was pretty nice).
As a reference, I code in Komodo/Eclipse/vim (all on the same code base, depends on what I feel like), on a project that uses autoconf/gmake. That applies to both win32 (via msys+msvc) and Linux. I use MSVC as a pure debugger, not as a code editor.
Odd, your updates should end up in the sandbox (and due to AMO being silly, used to also mean your whole extension ends up on the sandbox, instead of having a last-reviewed version public).
This is of course assuming you haven't been marked as trusted; people who were on AMOv1 were grandfathered in, though I understand that's been mass-removed recently. Other "trusted" authors include Google and various Mozilla employees, AIUI (but unconfirmed).
They actually appear to embed the ad code directly into the page (you can see which campaigns the ads are for; the one that hit me was for Vonyage, near the bottom of the page). In my case, it wrote a weakly obfuscated script that redirected the whole page to sex-and-the-city.cn (... err, yeah) which redirected to protection-check07.
Poor NYT, they now have a special rule in my ad filters.
Umm, sounds like MS is complying with the BSD license to me! They're keeping the copyright statement in, and presumably anybody who gets a copy of whatever BSD licensed source in ftp.exe would still get the original BSD bits under BSD. For the second clause (copyright notice for the binary), see http://support.microsoft.com/kb/306819 maybe? (Yes, the Windows XP release notes.)
They're quite free to add non-BSD licensed bits to it, of course, and still be compliant. They're also quite free to ship binaries under a different license. All that doesn't change the license of the original source code.
What's not okay is removing the original copyright / license. (There was an attempt to do so in one of the patches to the Linux kernel a while back; uproar ensued, the change never went in.)
IE4 was also, IMHO, superior to NS4. Heck, I think IE3 was about on par. (I started with whichever Netscape had the throbbing giant blue N, in Windows 3.1 using Trumpet WinSock.) In fact, I believe we had specifically gotten a copy of IE4 on CD (separate from Windows 95) from some magazine or other to upgrade.
Seriously, causing the whole page to reload when you resize the window? WTF, Netscape?
And then the crapware installers would drop things into Firefox's main directory, instead of being an addon. Oops, now you can't even disable them!
Yes, some other piece-of-crap already tried that; removing it involved manually finding the .jar and the .manifest and killing them in the Firefox install.
I was curious, and looked it up on the Bureau of Labor Statistics website. If I'm reading that right, Civilian Labor Force, Employed, Percent of Population peaked in 2000 at 64.4%, which is 5% higher than 2000 levels.
Looking at the Wikipedia definitions (especially that third image), I think the interesting metric is the employment-to-population ratio (i.e. all employed people over all people, eligible to work or not). That default view does show a 5% drop since about mid-2008 that never recovered. It was previously around 60% in the early eighties (if you adjust the graph to start from the earliest available year, 1948).
Also interesting is part time workers as a percentage of all workers, which was a sharp (3%) increase in 2009 and slowly dropping off at 0.2% per year (eyeballing it).
Other interesting stuff can be found in this PDF of charts. For example, on page 17 it shows that most of the layoffs in 2008/2009 were permanent, not temporary.
Thanks for leading me to look at this stuff; it's rather interesting.
An OS that isn't being used is perfectly stable and unified; when's the last time you've heard of a crash in BeOS?
Ah, down thread pointed at the fact that HGST was sold to a mix of WD and Toshiba. Bah. And no edit button.
Then someone will lament how IBM no longer makes drives.
I thought they still do, as HGST (that is, IBM sold the division to Hitachi at some point)?
Miss my DeathStar. Not sure; might have been a 75 GB disk...
Yep, that's his personal blog (in fact, explicitly not listed in Planet Mozilla by his choice).
The background is trees - he recently bought a nice wooden house somewhere; there's blog posts about that too.
Please don't use ftp.mozilla.org! That's the server used for things like nightly builds and other testing machinery.
Instead, please use the mirror network, http://releases.mozilla.org/pub/mozilla.org/firefox/releases/namoroka/alpha1/
Besides... linking to latest-trunk/ and pretending it's a release is always bad.
http://code.google.com/p/parchment/ does that, yes. Well, not quite - it's a Z-machine interpreter.
In that case the correct solution is probably something along the lines of "learn how to install VMWare so you can host a Windows VM".