How would one ever contact a blogger if a site is down and no contact information remains? I suppose if you're lucky, you'll find something from the cache. It would be nice to know what methods the journalist had tried to contact Wang.
In any case, my belief is that the BBC journalist didn't try too hard. He might have sent an e-mail but didn't wait for a response. We should take into account there is a several hours time difference between Greenwich and Beijing. If he did wait for at least 24 hours, he would have found out that the site went back up.
Your belief that the hoax perpetrator intentionally made himself hard to reach is simply jumping to conclusions, just like the BBC reporter.
Since arguing the merits of one browser over another leads to no end, I hope this post would be somewhat refreshing to read.
Assuming a security measurement can sway users into switching from one browser to another, I propose the following measurement: multiply the number of vulnerabilities by market share, and call this the impact. At first glance, this is brutally unfair for IE, which continues to have the majority market share, but hear me explain.
Let's make another assumption. Suppose all competing browsers have vulnerabilities that lead to the same outcome; then the likelihood that script kiddies choose one browser over another to exploit is more or less determined by the browser's market share. Every vulnerability adds to this likelihood. Therefore, in the end, we end up summing a browser's market share a number of times equal to the number of vulnerabilities for that browser. This is the same as multiplying the number of vulnerabilities by market share. The result is a measurement of insecurity impact.
What happens if we adopt measuring impact for insecurity?
Since Firefox is a minority in browser market share, it can afford to have more bugs and be relatively secure. Its most critical vulnerabilities have lower impact than IE's equivalent. Suppose users then decide to switch to Firefox. The increase in Firefox market share means its vulnerabilities have higher impact. At one point, it becomes less secure than IE, and users start to switch back. We go back and forth and eventually reach an equilibrium. If users are perfectly "browser elastic" (have no resistance to switching browsers), then at the equilibrium, market share is inversely proportional to the number of vulnerabilities for all browsers. Of course, in real life, things are never that simple, but let's keep things simple. It is good enough to point out that letting impact determine market share is more desirable than letting vulnerability count determine market share.
How can the impact score improve current measurement of security?
We all know that some vendors like to play the optimist game by purposely reducing the severity of a vulnerability or even hiding it. If a certain highly popular browser vendor wants to manipulate the impact score, it has to cheat a lot, and at one point this cheating will become painfully obvious. Hopefully, the risk of causing a scandal would limit the vendor's cheating to a degree that does not significantly vary the impact score.
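The impact score and the "browser elastic" equilibrium from the post above, worked through as an added example (not code from the post): the vulnerability counts and starting shares are constructed, the closed form follows from setting every browser's impact equal, and the simulation lets users drift from the highest-impact browser to the lowest until the scores level out.

```python
"""Impact = vulnerabilities x market share, with "browser elastic" users.

Constructed figures below (VULNS, START_SHARE) are not real market data.
equilibrium_share() is the closed form the post argues for (share inversely
proportional to vulnerability count); simulate_switching() reaches the same
point by moving users away from the browser with the highest impact.
"""

# Constructed example: vulnerability counts and starting market share fractions.
VULNS = {"ie": 20, "firefox": 30, "opera": 10}
START_SHARE = {"ie": 0.80, "firefox": 0.15, "opera": 0.05}


def impact(vulns, share):
    """Impact score per browser: vulnerability count times market share."""
    return {b: vulns[b] * share[b] for b in vulns}


def equilibrium_share(vulns):
    """Shares at which every browser carries the same impact.

    v_i * s_i = c for all i and sum(s_i) = 1
    => s_i = (1 / v_i) / sum_j (1 / v_j)
    """
    weights = {b: 1.0 / v for b, v in vulns.items()}
    total = sum(weights.values())
    return {b: w / total for b, w in weights.items()}


def simulate_switching(vulns, share, step=1e-4, tol=1e-2, max_rounds=200_000):
    """Greedy migration: each round a slice of users (step) leaves the browser
    with the highest impact for the one with the lowest.

    Stops when the spread between highest and lowest impact is below tol.
    step must satisfy step * (v_worst + v_best) < tol, otherwise a single
    move can overshoot and the loop oscillates. Returns (shares, rounds).
    """
    share = dict(share)
    for rounds in range(max_rounds):
        scores = impact(vulns, share)
        worst = max(scores, key=scores.get)
        best = min(scores, key=scores.get)
        if scores[worst] - scores[best] < tol:
            return share, rounds
        moved = min(step, share[worst])
        share[worst] -= moved
        share[best] += moved
    return share, max_rounds


def max_abs_diff(a, b):
    """Largest per-browser difference between two share dicts."""
    return max(abs(a[k] - b[k]) for k in a)


if __name__ == "__main__":
    eq = equilibrium_share(VULNS)
    final, rounds = simulate_switching(VULNS, START_SHARE)
    print("closed-form equilibrium:", {k: round(v, 3) for k, v in eq.items()})
    print("simulated after", rounds, "rounds:", {k: round(v, 3) for k, v in final.items()})
    print("impact at equilibrium:", {k: round(v, 2) for k, v in impact(VULNS, eq).items()})
```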
Yes, indeed. I can imagine that the parents spend too much time performing the act of reproduction and not teaching their kids how to score a partner, so the kids have to look for some form of immediate gratification that is, so to speak, far from a long term solution.
Maybe someone noticed this phenomenon on consumers, but as you readily applied this on choices of programming languages, we can see this is definitely much broader. In general, people don't like to be shown that they're wrong. If one likes something so much to a point that he/she associates oneself to that object, that person feels the pain when the flaw to that object is pointed out.
What I find more painful on Slashdot is how someone tries to pound the merits of their favorite language on you in a way that makes me think "what programs did you actually write in that language?" As to having my favorite language criticised, I'm lucky enough that my favorite language is not that popular. ;-)
"it seems to be done in the name of speed, and yet that very quest for faster communications is causing people to lose information and spend more time on pointless flame wars due to misunderstandings"
I think when an e-mail correspondence spins down to a flame, most people tend to spend even less time reading an e-mail. They could tell you they're wasting time with you, or that they're not interested in a fight. But the real reason is that doing something assuming the pain is never a motivator. How many times do you feel the pain seeing an e-mail landing on your INBOX, without even opening it, from that person who is arguing with you and trying to prove you wrong? It is natural that you don't spend much time on it. You have a life.
Of course this doesn't help if you're trying to get a message across, and your recipient is trying to spend as little time as possible on your e-mail. They often blame you for being ineffective in communication. The best thing I ever did when winding up in this situation is to drop the conversation, but I'm sure there are better ways to do it. I think this is definitely a case where prevention is more crucial than treatment.
It looks like, at least for light direction computation, linear algebra is used intensively. If they use LAPACK for Java, then their program will at least attain the same efficiency as in MATLAB if not more efficient. MATLAB programs are interpreted, so they could not be more efficient than compiled code.
that impossibly perfect low-light picture taken by your photography class buddy
Still object or moving object? Low-light scenes can pretty much be compensated by large aperture and/or long exposure. Large aperture increases depth of field, and long exposure blurs moving objects. He could also use a high speed film that is more sensitive to light but results in more grain in the image. With experience, you can find a good balance between those three factors and take perfect pictures.
I'm sure you know all this stuff, since you've taken a photography class. What I'm trying to say is he might know a trick or two that you could learn before you start accusing him of faking his pictures.
Now, from what TFA discloses of the fraud detection algorithm---namely (1) anomalies in lighting direction, and (2) statistical correlation of "filled" pixels---it seems unlikely that adjusting color levels or contrast would be detected as fraud, so you could still post-process a badly exposed low-light picture and have it pass the detection. On the other hand, seemingly benign scratch or noise removal would trigger it.
Re: maybe not as serious as it seems ... (on Cross Site Cooking, Score: 1)
How do you tell which host is in context when you run javascript in the address bar?
maybe not as serious as it seems ... (on Cross Site Cooking, Score: 1, Interesting)
The exploit "Problem #3" won't work if the "victim" is already on a virtual host. In this case, the web server would not recognize that it is hosting a site for evil.example.com and show the default site (if one is configured), not the desired site. For those who did not pay a premium to get dedicated IP web hosting, this is a non-issue.
In general, I think cookies should only be allowed if the domain suffix of the cookie matches the host name---so www.example.com can set cookies for www.example.com and *.www.example.com, but not uwww.example.com, *.example.com, nor *.com. If you really want to let www.example.com set cookies for *.example.com, you should run a web server on example.com and put a trampoline script there to set the cookies for you. Or you could rename additional web servers *.www.example.com so they can all access the cookies set by www.example.com.
(I mean, really, those additional web servers are part of the world wide web of that domain, so they should all fall under the www domain.)
If this is still too restrictive, I think it is also viable to use, for example, additional DNS records or something like /robots.txt (/cookies.txt) to indicate that the host "example.com" accepts cookies set by certain hosts.
Users will have an incentive to use those user agents that honor additional cookie restrictions because it provides some guard against cross site scripting (cooking).
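The cookie domain rule proposed in the post above, as an added example (not code from the Cross Site Cooking article or from any browser): a host may scope cookies to itself or to hosts below it, never to a parent domain or to a lookalike that merely shares a suffix, and the Set-Cookie headers used to exercise it are constructed.

```python
"""Stricter cookie domain policy: www.example.com may set cookies for
www.example.com and *.www.example.com, but not for uwww.example.com,
*.example.com or *.com. Sample headers are constructed for the demo.
"""
from typing import List, Tuple


def normalize(name: str) -> str:
    """Lower-case and strip leading/trailing dots (a leading "." is legal in Domain=)."""
    return name.strip().lower().strip(".")


def host_may_set_cookie_for(host: str, cookie_domain: str) -> bool:
    """True if `host` is allowed to set a cookie scoped to `cookie_domain`.

    A cookie scoped to D is sent to D and everything under it, so allowing
    D == host already covers "*.host"; a name below host is allowed as well.
    The "." + host suffix check is what rejects uwww.example.com.
    """
    host, domain = normalize(host), normalize(cookie_domain)
    if not host or not domain:
        return False
    return domain == host or domain.endswith("." + host)


def cookie_domain(set_cookie: str, default_host: str) -> str:
    """Domain attribute of a Set-Cookie value; absent means host-only."""
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.strip().lower() == "domain" and value.strip():
            return value.strip()
    return default_host


def filter_set_cookie(host: str, headers: List[str]) -> Tuple[List[str], List[str]]:
    """Split Set-Cookie headers sent by `host` into (accepted, rejected)."""
    accepted, rejected = [], []
    for h in headers:
        ok = host_may_set_cookie_for(host, cookie_domain(h, host))
        (accepted if ok else rejected).append(h)
    return accepted, rejected


# Constructed response headers from www.example.com.
SAMPLE_HEADERS = [
    "sid=abc; Path=/",                            # host-only: accept
    "pref=1; Domain=www.example.com; Path=/",     # self: accept
    "cdn=1; Domain=.static.www.example.com",      # below host: accept
    "sess=x; Domain=example.com; Path=/",         # parent domain: reject
    "tld=x; Domain=.com",                         # top-level domain: reject
    "look=x; Domain=uwww.example.com",            # suffix lookalike: reject
]

if __name__ == "__main__":
    ok, bad = filter_set_cookie("www.example.com", SAMPLE_HEADERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The trampoline case from the post still works: example.com itself may set a cookie scoped to www.example.com or to example.com.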
When you work, that's a different story. All your work and ideas belong to the company, so if he receives the credit on that external revenue---some third party organization and with SANS---for the company as a whole, then it is okay. But if he didn't acknowledge your work inside the company, say didn't mention your name in the company newsletter, then there is a problem.
What I'd do is whenever people talk about the script, you ask (assuming his name is John), "Oh, is that the script that John and I worked together on?" If you talk to other people, tell them the story, "hey, you know the security flaw that John and I discovered together? He's getting an interview with SANS. I'm happy this flaw is receiving some coverage." You don't want to ask for exclusive credit on that one particular thing, but to hint that you and John (and possibly others) have always worked together as a team; and as a team, you're proud of his work.
If you want to be more subtle, give him an opportunity to lie, saying he did everything himself. If you do this right, someone will recognize that he doesn't value teamwork, and this is a negative quality that can quickly send his work life downhill.
Don't go around telling people that John doesn't value teamwork, but make it self-evident. If your company doesn't care about teamwork, then that's another thing.:-/
I think it is more likely that some mischievous and malicious persons cloned our beloved slashdot editors, so they post these articles unbeknownst to each other doing the same thing.
Are you talking about the upper bulge or the one below the waist? I think most homophobic movie executives are more offended by that lower bulge rather than the upper one.
Just looking a bit deeper, but not too much, I think JEP-0166 outlines a handshaking protocol, but actual binary data transmission takes place on other channels, say over rtp or rtcp. It looks like when handshaking (signalling) takes place, a list of possible channel candidates are offered, but it's not clear to me how the accepting party tells the initiating party which candidate is chosen.
I second that. I grew up with a childhood of occasional drills on air raid emergency, and I thought that was pretty bad. That is pretty much the closest relating experience about war that I have, but I can imagine war gets much worse than that. I know some people who have really bitter memories of war.
I hope people are able to see that whatever Marxist Hacker says is a blatant, egregious attempt at demonizing China, possibly for somebody's political agenda. There really is nothing to see here. Please move on.
The introduction on sIFR also says one should not sIFRize every block of text because it is going to be slow. sIFR is meant to provide nice looking headlines in a few selected places, and one should not put more than 20 sIFRized blocks in a page.
This article on "anatomy of web fonts" concerns readability, which applies mostly to body text---something that sIFR recommends against using it for.
There are a few tricks in the bag for a package maintainer to avoid this situation. If your program is dependent on a library that recently had a security update which fixes a vulnerability of the program, you can simply make your program package require the newer library version and bump up your package's release number, which forces your program to be updated as well.
Then when the package manager installs a new package for your program, and if the program runs a service, the post-install script of the package would restart the service. So rest assured, your hole is plugged... not that an anonymous coward is really interested in getting a response.
This is essentially what Unix does, but not many people understand this.
What happens when you upgrade a package?
Package manager removes the files of the old package.
Package manager unpacks files from a new package.
Repeat until all packages are upgraded.
When an opened file is removed from the file system, its directory entry is removed, but the inode stays on disk as long as the file stays open. So old libraries remain on disk as long as old programs are using them, which essentially creates a parallel world of different library versions---one accessible from the file system, and the other accessible from existing running programs with open file descriptors. When the program restarts, it then uses the new library.
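The "parallel world" described above, as an added example (not from the post): in a temporary directory it plays both the running service, which opens a library, and the package manager, which removes that file and unpacks a replacement. The library name libfoo.so is made up, and deleted_files_held_open() is the Linux-only check (via /proc/self/fd) that tells you a restart is still owed.

```python
"""Old library kept alive by an open descriptor across a package upgrade.

After unlink + replace, the open descriptor still reads the old bytes (link
count 0, no directory entry) while a fresh open by path sees the new file.
"""
import os
import tempfile

LIB_NAME = "libfoo.so"  # constructed name, not a real package


def deleted_files_held_open():
    """Paths this process holds open whose directory entry is gone.

    Linux appends " (deleted)" to such links under /proc/self/fd.
    Returns None where /proc is unavailable (e.g. macOS, BSD).
    """
    fd_dir = "/proc/self/fd"
    if not os.path.isdir(fd_dir):
        return None
    held = []
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(" (deleted)"):
            held.append(target[: -len(" (deleted)")])
    return held


def upgrade_while_open(directory):
    """Run the upgrade scenario in `directory`; return what each side observes."""
    path = os.path.join(directory, LIB_NAME)
    with open(path, "w") as f:
        f.write("libfoo 1.0 (vulnerable)")

    # The long-running service opens (in reality mmaps) the library.
    old_fd = os.open(path, os.O_RDONLY)
    old_inode = os.fstat(old_fd).st_ino

    # Package manager: remove the old file, unpack the new one under the same name.
    os.unlink(path)
    with open(path, "w") as f:
        f.write("libfoo 1.1 (fixed)")

    held = deleted_files_held_open()
    with open(path) as f:
        new_via_path = f.read()
    result = {
        "old_via_fd": os.read(old_fd, 64).decode(),   # still 1.0
        "old_nlink": os.fstat(old_fd).st_nlink,       # 0: unlinked but alive
        "new_via_path": new_via_path,                 # 1.1
        "inode_changed": os.stat(path).st_ino != old_inode,
        "seen_in_proc": None if held is None else os.path.realpath(path) in held,
    }
    os.close(old_fd)  # the "restart": only now is the old inode freed
    return result


def demo():
    with tempfile.TemporaryDirectory() as d:
        return upgrade_while_open(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```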
And why can't urinals in the great United States have electronic infrared sensors in place of those flush handles, like all those third world countries have?
Oh, silly me. I forgot that it's already patented. At least now some of us can go on our merry ways to argue about intellectual property.
not to say that Microsoft has to, every once in a while, give their existing customers this "warm and fuzzy feeling" and feel good about using Microsoft products.
it's like cigarettes. the cigarette companies know this is bad for you, but they want you to feel good smoking cigarettes.
Funny I can't find anything about that. Did you just make it up?
Unfortunately it is the same language as your favorite language. :(
"... It should be their fucking parent's job."
You know, I saw that evil grin of yours, but I still have to say,
Gee, I didn't even tell you what language it is.
At /., people love using mod points without getting paid.
whether an offered kind of food looks appealing
No, that depends on whether you're hungry.
A laser orifice scanner would work well, a new breakthrough in biometric identification! Can also report diagnostics of hemorrhoid.