Often something that might require hundreds of lines of code in PHP4 can be done with just a few in PHP5. The SimpleXML parser is probably the best example. Can you think of anything else?
Exceptions. Any larger, serious PHP application needs error codes and/or exceptions. In Gallery 2 we emulate exceptions by means that are compatible with PHP 4 and PHP 5 and we'll be able to save tons of code by moving to real exceptions.
Or PHP 6 compatibility. We won't be able to move forward, making the application compatible with PHP 6, unless we break compatibility with PHP 4. With the first release of PHP 6 seeing the light around the end of 2007, the move to PHP 5 comes at the right time.
Enabling a user-defined PHP error handler without a major performance hit. Due to PHP 4 compatibility, we have tons of E_STRICT level PHP warnings, mostly about the missing "static" keyword because we have a lot of static class functions. The user-defined PHP error function gets called for all errors/warnings/notices, even if they're suppressed. It's the job of the function to ignore all such calls. But the sheer number of those calls slows our application down under PHP 5 by ~5%. Which is why we enable our PHP error handler only under PHP 4 by default. Yes, one can design an application mostly without any static class functions and work around other E_STRICT warnings, but it doesn't make your life as application developer any easier.
And there are many more smaller things.
These are just some examples from our project. I'm sure every larger project has their specific issues with PHP 4.
If this is about the buffer overflow in JNLP ("Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability"), then the fix has already been released with JRE 5 Update 12 and the latest JRE 6 update.
Adobe isn't open-sourcing any of the server/data access/interop components.
HTTPService is included in the SDK. It's primitive and slower compared to Flash remoting using RemoteObject but it gets you started. That having said, it would be really nice if RemoteObject was included in the SDK since there are already some FLOSS components for the server-side part of the remoting.
I think you underestimate the significance of this announcement. True, Adobe isn't open-sourcing Flash. But open-sourcing the Flex (MXML) compiler and SDK is still very important.
MXML compiles into .swf (which runs in the normal Flash runtime). You won't get open-source Flash runtimes, but the compiled .swf files will be 100% open-source whereas right now, .swf files compiled from MXML still contain statically linked, non-FLOSS components in the same binary as your own (FLOSS) code.
Also, you'll be able to extend MXML since you get the sources and the rights to change the compiler.
I guess I still won't be able to release any MXML+.swf code under the GPL though.
- Right now, I picked the LGPL since our main project (some web application) is licensed under the GPL.
- You can't release any MXML/.swf under the GPL if you depend on any of its built-in features that it needs to compile into the .swf binary.
- Sidenote: If the compiled .swf only includes normal Flash features that are part of the runtime, your .swf/source can still be released under the GPL.
Since there's the incompatibility between the GPL and the MPL, I will still have to use the LGPL for my own MXML code. If the Flex SDK was released under the GPL, this problem would have gone away as well.
Re: Okay, I'll be the first to ask. (on Web 2.0 Under Siege, Score: 2, Informative)
You're right, they're right. It's from March 12th, 2007 and it's a different issue than the one I mentioned before.
Putting the JSON data into comment tags or Google's while() approach sound like good defense mechanisms.
Also, using auth tokens in addition to cookies can defeat most scenarios as well (just ensure not to return a valid auth token in any replies that don't require a valid auth token already).
This is no news and your next best AJAX implementation is only affected if they deliberately allow cross-domain calls.
As far as I understand this article - and it's very short on details - this only affects AJAX APIs / apps that are designed to be called from other domains.
Usually, an AJAX reply just contains data (XML, JSON, or in another format). But if the reply is actually valid JS, e.g. a callback function, you can include it via the script tag and call the returned callback function to read the cross-domain JS reply in JS and do something with it.
See here or here.
Bottom line: Don't expose any data / functionality through an API that allows cross-domain XHR unless you add additional precautions.
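As an added illustration of the reply-side defenses mentioned in the comment above (Google's `while(1);` prefix and wrapping the JSON in a comment), here is example code that is not part of the original comments or of any project they mention. It shows the server-side wrapper, the same-origin parser that undoes it, and why the wrapped body is useless when a third-party page can only execute it as a script. Function names and the `style` parameter are this example's own choices.

```javascript
// Added example (not code from the original comments): the two reply-side
// defenses the comment mentions -- Google's "while(1);" prefix and wrapping
// the JSON in a block comment -- plus the same-origin parser that undoes them.
// Function names and the "style" parameter are this example's own choices.

// Server side: make the JSON reply useless as a <script src=...> include.
// A third-party page cannot read the raw reply text cross-domain; it can only
// execute the reply as script. With "loop", execution never reaches the data;
// with "comment", the script contains no statements at all.
function protectJsonReply(data, style) {
  const json = JSON.stringify(data);
  switch (style) {
    case 'loop':
      return 'while(1);' + json;
    case 'comment':
      // JSON.stringify does not escape "/", so a string containing "*/" would
      // terminate the wrapper early. "\/" is a valid JSON escape for "/".
      return '/*' + json.replace(/\*\//g, '*\\/') + '*/';
    default:
      throw new Error('unknown protection style: ' + style);
  }
}

// Client side (same origin, body read via XMLHttpRequest as text): strip
// exactly the prefix or wrapper we emit, then parse. Anything else is
// rejected rather than handed to JSON.parse (and never eval'd).
function parseProtectedJsonReply(body) {
  const LOOP = 'while(1);';
  if (body.startsWith(LOOP)) return JSON.parse(body.slice(LOOP.length));
  if (body.startsWith('/*') && body.endsWith('*/')) return JSON.parse(body.slice(2, -2));
  throw new Error('reply is not in the expected protected form');
}

// The "comment" form can be shown to yield nothing when run as a script body.
// The "loop" form is deliberately not executed here because it never terminates.
function commentFormYieldsNothingAsScript(body) {
  if (!body.startsWith('/*')) throw new Error('only meant for the comment form');
  return new Function(body)() === undefined; // no statements, no value
}

// Constructed sample data standing in for a private API reply.
const SAMPLE = { user: 'alice', contacts: ['bob', 'carol'] };

for (const style of ['loop', 'comment']) {
  const wire = protectJsonReply(SAMPLE, style);
  console.log(style, '->', wire, '->', parseProtectedJsonReply(wire));
}
```

The parser only strips the exact wrapper the server emits, so an unexpected body (for example a plain JSON reply from an endpoint that forgot the wrapper) fails loudly instead of being silently accepted.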
Similar to QEDWiki (on Yahoo Pipes, Score: 4, Interesting)
The concept sounds very similar to QEDWiki demo video (demo video requires Flash).
QEDWiki is an IBM product based on the Zend Framework. You can create mash-ups and other things by dragging and dropping components, all in your browser.
I'm not sure if this has been posted or linked on Slashdot before but the IPCC Final Report[PDF Warning] is public as of today. The BBC has a summary:
- Probable temperature rise between 1.8C and 4C
- Possible temperature rise between 1.1C and 6.4C
- Sea level most likely to rise by 28-43cm
- Arctic summer sea ice disappears in second half of century
- Increase in heatwaves very likely
- Increase in tropical storm intensity likely
It's a 20 page report and I know we're all really busy but I think this is the first document one can read and really catch up on what's been decided recently in the scientific community. FYI: These projections are for the 21st century (comparing measurements from the year 2000 with projection for the year 2099).
This is a new report of a old vulnerability which isn't serious.
How is it not serious? Just because Cross-Site Request Forgery (XSRF) isn't used as widely as other XSS yet doesn't mean it's not as severe.
BTW: I tested the test script on secunia.com with IE7 Beta 2 and it said my browser is not affected by this vulnerability. Yet, JavaScript is enabled.
It would be great if cross-site XML HTTP requests were forbidden completely in JavaScript. It wouldn't solve XSS completely, but it would at least prevent some advanced versions of XSRF (POST requests via JavaScript, GET requests with the reply rerouted to another server, ...).
Wibree isn't the only contender for use in wireless sensors, however. Zigbee is an ongoing standardization project and has similar characteristics to Wibree.
Look closer. This particular vulnerability doesn't use any special JavaScript or anything else; it's a simple redirect. The only way to fix it would be for Google to change something (such as by adding a referer check) in its preferences module, or for you to special-case this particular attack in your browser.
Referer checks are not robust enough.
Converting the controller to accept POST only (no GET) or adding a signature / nonce to the form would fix it.
Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid C programs!!
Reading comprehension fail or professional troll? MS said they invited Google to a joint bid for the Novell deal. That's not the $4.5 billion Nortel deal.
Google China stopped serving censored results. Source: The very same Wikipedia article you reference.
Eben Moglen on taking back control over your data, privacy and freedom in the age of cloud services.
Summary:
- Don't accept any cloud services that come with free spying, free built-in man in the middle attack (Facebook as the worst offender, GMail and many other services mentioned as other examples)
- Thus avoid lock-in, avoid anyone limiting your mobility and freedom, stop being exploited and spied upon.
- Instead of centralized services use P2P (or federated services), protected by strong encryption
- A $29.90 plug-in, power-supply-sized appliance (the "freedom box") providing these services, and much more (VoIP telephony, TOR, etc.) at home.
1. Freedom in the cloud: http://www.isoc-ny.org/?p=1338
(talk from February 2010)
2. How We Can Be the Silver Lining of the Cloud: http://penta.debconf.org/dc10_schedule/events/641.en.html
(talk from August 2010)
(I wrote this summary back in August 2010, so it's somewhat outdated.)
I think this is an indicator that a lot of people would like to own/operate a business, and have an entrepreneurial spirit, but are too bogged by the realities of risk and especially legal burden to carry out their entrepreneurial instinct in real life. Imagine how many jobs we could create if people felt safe enough to be able to play these games in the real world.
People are working on just that. For some inspiration, watch this irresistible TED talk: Jane McGonigal: Gaming can make a better world (20min).
My opinion changed when they stopped releasing text-only copies of public domain works through Google Books.
Care to substantiate that claim?
As far as I see, Public Domain books can be downloaded in the PDF and EPUB format, for free. And there's a plain text version.
Example: "The origin of species" by Charles Darwin
PS: Reposting this since I don't have mod points and the anonymous user's post is currently at 0.
I'm not really touching this potato, maybe you're running into some quirks / unfortunate query. Just some quick questions:
- Why don't you have a PK / any index in the address table?
- Did you try a different syntax (e.g. WHERE vs. JOIN ON)?
- Did you try setting different indexes? Tried forcing a specific index?
Yahoo and other sites rely on databases of geo data. E.g. databases mapping IP ranges to geographical locations.
There are a few providers of such databases and they constantly need to update their databases to fix issues such as the one you reported.
E.g. notify http://www.quova.com/
For the extreme case there's eLocutor. It was designed for Stephen Hawking who can only push a single button. But it also has a mode for users that can control arrow keys in addition to a single button.
I don't know the field at all and I only know eLocutor from an article. Maybe it has a huge learning curve and is thus inappropriate as a short-term solution.
Just read the original advisory. TFA didn't link to it.
No, that's the vulnerability. This allows other domains to get the data when the applications don't want to share it.
The news here is that the "additional precautions" that most Ajax libraries take are ineffective.
Where did you read this in the article? The article has no details. Or do you have another source?
After RTFA, here's a summary:
- Google owns (leases) tons of fiber, they control the bandwidth market.
- Google plans to build a lot of large data centers in rural areas.
- Google anticipates a massive growth in bandwidth usage due to p2p, youtube, etc.
- ISPs will be faced with buying tons of new bandwidth OR contracting with Google to use / connect to the nearby data center directly.
No sir. Google needs a lot of servers for their services. Sure they profit from their local data centers as edge proxies the same way Akamai does, but the whole theory about controlling ISPs, targeting contracts with your local ISP etc. is BS. These data centers are used for their CPU / memory power and then to minimize latency.
Because the Referer can be suppressed and some users do that actively, e.g. in Opera, it's an easy option.
You can't count on it.
@nonce: Of course. I just sketched the normal approach to securing sites from Cross Site Request Forgery.
I know BT and ZigBee (about ZigBee), but never heard about Wibree. I'm pretty disappointed that Nokia wants to go with this proprietary approach.
Anyway, there's a lot going on in IEEE 802.15 (Personal Area Network).
Same thought here. Maybe someone who followed Apostolos Argyris work could comment on this.