"Does this person have a propensity to crime? A history of violence? Is the target armed? Do they have a propensity to violence? What is the probability that I am being used to commit a crime? What is the probability that I am protecting a good person?"
If the founding fathers were alive today to see the scope of rights we have given up... well... they would die of disgust.
I think they would also be amazed at some of the rights we have gained (for example, the right to not be enslaved, and the right for pretty much everyone over 18 to vote).
How the hell can a trade secret be copyrighted? It's two incompatible bits of laws
are you sure? perhaps copyright law is not useful for limiting dissemination of trade secrets, but afaik copyright law covers any new writing (and other forms of expression) not explicitly put under public domain by its author.
This email notification is a statement made under penalty of perjury that... the above-referenced comments, as part of http://www.slashdot.org, is posting proprietary material without express written permission.
Can slashdot ignore the letter because some of the referenced comments do not contain copyrighted material? Better yet, can Andover sue Microsoft for perjury?
I also posted something on that article that got lost in the shuffle: a link to an old slashdot article about a CERT advisory. Among other things, the advisory asked webmasters to escape/reject all html coming from site users, even if only that one user sees the content.
Open-source webserver Apache fixed its 404 not found page to escape the name of the URL, but most dynamic websites still haven't fixed all of their code.
Coincidentally, I had just been reporting a bunch of bugs about bugzilla (mozilla's bug-tracking system) not being careful with untrusted data when these slashdot articles came up. I'm actually more worried about attacks against mozilla's CVS system than against its bug-tracking system, but I haven't looked for bugs there yet.
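As an added example (not from any of these comments or from Apache's own code): a 404 handler that reflects the requested path into its page, shown as the pre-fix pattern the CERT advisory warned about, then with the two remedies the advisory named, escaping and rejecting. The template, the sample path and the helper names are constructed for the illustration.

```python
import html
from urllib.parse import unquote

# Constructed template standing in for a server's "not found" page.
TEMPLATE = ("<html><body><h1>404 Not Found</h1>"
            "<p>The requested URL {path} was not found on this server.</p>"
            "</body></html>")
# Constructed sample request: the path carries a percent-encoded <b> tag.
SAMPLE_PATH = "/docs/%3Cb%3Ehi%3C%2Fb%3E"


def render_404_unsafe(raw_path: str) -> str:
    """Pre-fix pattern: the decoded path is pasted into the markup as-is, so a
    link to a non-existent URL can make the server's own page carry any tag."""
    return TEMPLATE.format(path=unquote(raw_path))


def render_404_escaped(raw_path: str) -> str:
    """Escape at the point of output: <, >, &, and quotes become entities, so the
    browser shows the path as text instead of parsing it as HTML."""
    return TEMPLATE.format(path=html.escape(unquote(raw_path), quote=True))


def render_404_rejecting(raw_path: str) -> str:
    """The 'reject' remedy: a path containing markup characters is not reflected
    at all; a fixed placeholder is shown in its place."""
    decoded = unquote(raw_path)
    if any(ch in decoded for ch in '<>&"\''):
        return TEMPLATE.format(path="(omitted)")
    return TEMPLATE.format(path=decoded)


def contains_raw_tag(page: str) -> bool:
    """Regression check for a test suite: isolate the reflected part of the page
    (everything between the template's fixed prefix and suffix) and report
    whether an unescaped angle bracket survived into it."""
    prefix, suffix = TEMPLATE.split("{path}")
    reflected = page[len(prefix):len(page) - len(suffix)]
    return "<" in reflected or ">" in reflected
```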
People with accounts on lots of services tend to recycle passwords, through laziness or ignorance. So if you can infer from someone's email what other services they use, you have a good chance of taking them over too.
remember the CERT advisory in february about untrusted people being able to make it seem like javascript code came from a trusted website? i was wondering when someone would start exploiting this seriously. almost every site with dynamic content that isn't completely controlled by the site's owner is vulnerable to similar attacks.
the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.
Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie.
what's wrong with using the password for a permanent cookie? someone with the cookie can do anything you can do (post comments, submit articles), so why is it a big deal if they have your password?
otoh, for something like web-based e-mail where you log in for a few minutes, you want the authentication gone when you leave the computer.
(i wonder what hotmail does if you check the "remember my password" option..)
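As an added example (not from these comments or from Slashdot's or Hotmail's code): the plaintext-password cookie the thread mocks beside a signed, expiring session cookie that answers the "permanent cookie" question above. A stolen copy of the signed cookie grants only that session until its expiry and never discloses the password that might be recycled elsewhere; the short-lived webmail case just uses a small ttl. The cookie layout and the server key are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-server secret that never leaves the server (constructed here).
SERVER_KEY = secrets.token_bytes(32)


def plaintext_cookie(user: str, password: str) -> str:
    """The pattern being mocked: anyone who reads the cookie (shared machine,
    proxy log, sniffed connection) learns the password itself."""
    return f"{user}:{password}"


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def session_cookie(user: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Cookie = user|expiry|HMAC(user|expiry). No password inside; a copy works
    only until expiry, and rotating SERVER_KEY invalidates every outstanding one."""
    expiry = (int(time.time()) if now is None else now) + ttl_seconds
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"


def verify_session_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None.
    The MAC is checked with a constant-time compare before the expiry is trusted."""
    try:
        user, expiry_s, mac = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:          # malformed cookie (wrong field count, bad number)
        return None
    if not hmac.compare_digest(mac, _mac(f"{user}|{expiry}")):
        return None             # forged or tampered (user or expiry changed)
    current = int(time.time()) if now is None else now
    if current >= expiry:
        return None             # expired: the webmail "log out when you leave" case
    return user
```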
The virus may affect apples (although I haven't heard of it affecting any of my work's ~1000 macs) but there's no way it can affect linux users who don't run email from root.
Right, it can only delete all of your personal files. How much harm could that be?
ALSO it's a visual basic script, and linux don't run THAT, man.
That's true about this worm, but it's not a reason that linux can't be affected. Linux tools can run various other types of scripts.
I'd love to have this feature on a browser. Is there any chance that someone else could re-implement it? This is an open-source project, right?
Not necessary. Find your prefs.js file and add this at the end:
user_pref("imageblocker.enabled", true);
Note that if you want to go back later to turn it back off, it probably won't still be at the end of your prefs file because mozilla alphabetizes your prefs list each time you close the program.
Some of the people I have on my ICQ list put 1999 as their birthyear so they can reveal their birthday without giving away their age. I hope AOL skips these accounts.
(not meaning to imply that I agree with what they're doing in general)
allowing people to run visual basic scripts from email is dumb enough
umm, that's not what was happening. people are double-clicking the attachments. yeah, it would be nice if the e-mail program had a good way to distinguish among "harmless text", "mostly harmless text" (might force a ctrl-alt-del at most), "executable script", and "binary executable".
(striking the above-quoted part of your sentence wouldn't kill your main point, though, which is really good: but now Gates is using his own shitty programming as an excuse to keep the company together)
If you would prefer not to have a unique genetic identifier, simply go to http://www.doubletwist.com/optout/. Your unique identifier will be replaced with the ASCII-to-DNA encoding of "OPT_OUT", and DoubleTwist will no longer track your actions and your descendants individually.
Should the Human Genome Project have used a viral license requiring that all derived works not have restrictions on distribution? That would have prevented credit disputes between the HGP and Celera (and may have even crippled Celera's effort to dominate, search this page for "more complete"), while possibly still allowing companies like DoubleTwist to get credit for their work on the sequence without bringing up all of the nasty patent problems.
As an added bonus, it wouldn't be too hard to name. It would be the HGPL. *ducks*
An L.A. Times article from yesterday says that "Over the next several days, a 2-year-old biotechnology company, Celera Genomics, is expected to announce that it has completed a version of the human genetic code." Does anyone suspect that this timing might not be a coincidence?
(A second article discusses credit disputes between the public effort and Celera.)
Ok, they could have a six month period where various security experts can audit the source. Not too tough really. This team could even release the source bit by bit, as it had been audited.
So what happens when they find out that a Windows 98 box can be caused to execute arbitrary code remotely by sending it some bogus TCP/IP packets? Is the fixed code released without any indication that it had been changed? Does MS put a fix on windowsupdate.microsoft.com at the same time the fixed code is released?
Including the hidden API that manages to crash the entire browser every time there is a link that points to either (at least) file://C:\con\con or file://C:\nul\nul. That is the secret that I want to know.
That API was removed (see bugzilla bug 29079), so you'll need to find another undocumented API next time you want to crash Windows. Don't worry, it won't be that difficult.
If you want to sell cars you advertise on the cars page.
Net Perceptions would claim that that isn't always the most effective way to sell products. One example I heard was that if someone buys a towel in a B&M retail store, NP would recommend that the customer be asked "Would you also like to look at our vacuum cleaners?" There were claims of increased sales through this method (can't find the article that used this example).
Profile frequent-item combinations to identify top-selling item combinations and who is buying them, track ad and non-ad item set combinations, and determine the best and worst seasonal item promotion combinations.
I think they mean 64 bytes. Considering that most "Web quality" video looks like its producers had only 48 bytes, iMovie's "Web quality" video should be pretty good.
Is the target a member of The Party?
good point.
what's the difference between "due to a configuration error" and "due to double-clicking a