O2 is responsible for ensuring that their pages are authenticated. Regardless of how a URL is known to Google, it should be free to crawl it. There are only two ways Google can know whether it is allowed to have it's content: robots.txt (which is a mere hint) and authentication handled by the site.
Googlebot doesn't have a cookie to authenticate itself so a proper site will simply tell it to log in or go away when accessing private pages, or simply not show anything marked private on pages that include content with different access levels.
Try a more direct approach: e-mail to blog. MMS is expensive, if you're going to post anywhere near twenty pictures a month from your phone you'll probably be better of with a plan that allows regular e-mail - for this task alone.
The devices are available and affordable, the service plans are available and affordable and plenty of affordable software is available.
There is even software (Shozu, Nokia Share Online) to allow all this directly over HTTP, removing even another step. On top of that, on smartphones these services even integrate into the phone interfaces to allow one-click uploads directly after taking the picture.
(I ended up writing my own e-mail solution because I don't want to depend on third-party hosting site and hookinto my own software. But it's really not that difficult to check an IMAP box for e-mail, fetch picture attachments and store them in a CMS.)
Their site is not suitabled secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.
I'd like to clarify this a bit to avoid that people think of the 16-digit code itself as insecure.
Any site built with performance in mind has a similar setup: you authenticate yourself through the main site, but the content is on a delivery network. This network serves static files and by design doesn't handle the dynamics of authentication (cookies, HTTP auth).
The idea is that using hard-to-guess ID tokens gives enough privacy: even if you were to guess or systematically scan them, you would get random content at best - you wouldn't have any information about the uploader or the context.
Users with access to the content can of course republish it in ways that bypass the authentication, but that's true for all on-line content: once access has been granted to an authenticatied and authorised user, security becomes a matter of trust.
The use of such IDs is not 100% secure but it's a good trade-off because ordinarily you have to be authenticated before you learn a specific ID.
The real problem with the O2 site is the lack of authentication on the pages referencing the hard-to-guess IDs, not the use of IDs themselves.
(The robots.txt omission isn't the real problem either, of course.)
It doesn't frighten me at all, really. The whole point is that using a false name isn't just violating the terms of service in this context, but that using a false name is an attempt (deliberate or not) to bypass an authorisation scheme (user privacy options), allowing access to data otherwise not available.
The alternative is us bitching about doubtful privacy guarantees from social networking sites.
While it is true that you always have the back-up option of not paying your credit card bill, in reality the CC company has the power to wreck your credit report, preventing you from owning a home or even getting a job.
Wait, wait, what now?! You need a good credit report to get a job?
In the same way, its not being Christian that is the problem here, but his statements in regards to a good proportion of the people who may attend the keynote and the hell-ward direction he indicates for them.
Your analogy is flawed. You're arguing that just because skin colour doesn't imply racism, Christianity doesn't imply a belief in hell for those who don't walk with Jesus. While it does, in fact that's probably the most prominent characteristic of Christianity. Merely being a Christian is making the statement
What I would expect is that this will be useful for many people and that there is no drawback in using (yet another) Google service especially not if Adsense or Analytics already let Google track your visitors.
If there are reasons for not to use it (privacy, control), you probably already know this of yourself because you have carefully picked where to host your site (possibly in-house) and/or partnered with a CDN (even if just S3) to optimise content delivery. Or you have an intranet application where there is hardly any advantage for this.
Basically, you won't use this if you believe you know what you're doing, which you (yes, you) and me both do.
Remember, this is the new and improved government that measures productivity!
It's a shame most of us haven't been alive long enough to remember when government was about quality, not quantity.
Here in Holland it's basically the same: the performance target for the police is a certain of amount of parking tickets, instead of reducing the number of parking violations.
First of all a little rant: what's with all the off-topic noise?
Someone asks a question about the security of XP. Everyone replies about each and every aspect of XP except security issues! Didn't we do the XP sucks threads before?
Okay, back to the issue at hand:
I'm pretty sure that the security won't be much different than that of previous Microsoft products or any other software product in general.
Yes, there will be bugs and problems with security. Microsoft has probably paid more attention to problems than they used to, just like they did with Windows 2000, but that only partially helps. Software releases have bugs. Period.
If it is a minor one, it might be fixed. If it's regular, it will be fixed some day. If it's big, it will be fixed and rather soon. If it's huge and does what you fear/describe, it will be fixed ASAP.
There are not so many precautions you can take, really, since no software company holds itself liable for any of its products. The best thing you can do to avoid the risk is simply by not using it.
If for whatever reason you are forced to use it or think the benefits outweigh the risks, you might want to look into some sort of insurance contract in case things go very very wrong.
I am sure insurance companies will insure you against horrible software plagues, they seem to insure almost anything including not getting any snow or sun on respectivily winter and summer holidays.
if you don't want to hear other people's conversations, why are you out in public?
To see a movie? A stand up comedian? Ballet?
Besides, people tend to speak louder on the telephone and might end up in endless "yes, yes, oh no, yes" rituals for some people. Normal conversation usually is less irritating and more diverse so it falls back as background noise (in a restaurant for example).
If a property owner installs such a goodie, there should be legislation that he will provide telephone access in case of an emergency.
Sometimes a phone call from a theatre or restaurant can be life-saving. Of course most of these places have traditional phone lines available as well, but these should be easily accessible.
It would however be perfect if such a device could jam incoming signals but still allow people to make (important) phonecalls. (On the other hand, what if the doctor is in the theatre and he needs to come to the hospital ASAP because he is the only one who can... argh!)
Slashdot Mirror
No, it's not Google's fault.
O2 is responsible for ensuring that their pages are authenticated. Regardless of how a URL is known to Google, it should be free to crawl it. There are only two ways Google can know whether it is allowed to have it's content: robots.txt (which is a mere hint) and authentication handled by the site.
Googlebot doesn't have a cookie to authenticate itself so a proper site will simply tell it to log in or go away when accessing private pages, or simply not show anything marked private on pages that include content with different access levels.
Try a more direct approach: e-mail to blog. MMS is expensive, if you're going to post anywhere near twenty pictures a month from your phone you'll probably be better of with a plan that allows regular e-mail - for this task alone.
The devices are available and affordable, the service plans are available and affordable and plenty of affordable software is available.
There is even software (Shozu, Nokia Share Online) to allow all this directly over HTTP, removing even another step. On top of that, on smartphones these services even integrate into the phone interfaces to allow one-click uploads directly after taking the picture.
(I ended up writing my own e-mail solution because I don't want to depend on third-party hosting site and hookinto my own software. But it's really not that difficult to check an IMAP box for e-mail, fetch picture attachments and store them in a CMS.)
Their site is not suitabled secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.
I'd like to clarify this a bit to avoid that people think of the 16-digit code itself as insecure.
Any site built with performance in mind has a similar setup: you authenticate yourself through the main site, but the content is on a delivery network. This network serves static files and by design doesn't handle the dynamics of authentication (cookies, HTTP auth).
The idea is that using hard-to-guess ID tokens gives enough privacy: even if you were to guess or systematically scan them, you would get random content at best - you wouldn't have any information about the uploader or the context.
Users with access to the content can of course republish it in ways that bypass the authentication, but that's true for all on-line content: once access has been granted to an authenticatied and authorised user, security becomes a matter of trust.
The use of such IDs is not 100% secure but it's a good trade-off because ordinarily you have to be authenticated before you learn a specific ID.
The real problem with the O2 site is the lack of authentication on the pages referencing the hard-to-guess IDs, not the use of IDs themselves.
(The robots.txt omission isn't the real problem either, of course.)
It doesn't frighten me at all, really. The whole point is that using a false name isn't just violating the terms of service in this context, but that using a false name is an attempt (deliberate or not) to bypass an authorisation scheme (user privacy options), allowing access to data otherwise not available.
The alternative is us bitching about doubtful privacy guarantees from social networking sites.
While it is true that you always have the back-up option of not paying your credit card bill, in reality the CC company has the power to wreck your credit report, preventing you from owning a home or even getting a job.
Wait, wait, what now?! You need a good credit report to get a job?
Let me know when you find out. :-)
It seems that every piece of technology gets accused of this.
That's because the constant is our stupidity, not the technology showcasing it.
No. People are perfectly free to believe that a being exists who thinks non-believers, homosexuals and other sinners belong in eternal hell.
However it might not be a bad idea to make it punishable to actually worship and attempt to assist such a creature (fictional or not).
Your analogy is flawed. You're arguing that just because skin colour doesn't imply racism, Christianity doesn't imply a belief in hell for those who don't walk with Jesus. While it does, in fact that's probably the most prominent characteristic of Christianity. Merely being a Christian is making the statement
Fattening white pigs both mocking and mimicking Europe have actually been around since the fifteenth century.
(Official recognition not until 1776 though.)
(Laugh, please. I don't really hate Americans, only obese people.)
What I would expect is that this will be useful for many people and that there is no drawback in using (yet another) Google service especially not if Adsense or Analytics already let Google track your visitors.
If there are reasons for not to use it (privacy, control), you probably already know this of yourself because you have carefully picked where to host your site (possibly in-house) and/or partnered with a CDN (even if just S3) to optimise content delivery. Or you have an intranet application where there is hardly any advantage for this.
Basically, you won't use this if you believe you know what you're doing, which you (yes, you) and me both do.
And here in Holland the proverb goes "Rather than Adobe, a doobie". (True every day...)
It's a shame most of us haven't been alive long enough to remember when government was about quality, not quantity.
Here in Holland it's basically the same: the performance target for the police is a certain of amount of parking tickets, instead of reducing the number of parking violations.
*Four* digits? Wow, this site sure has grown during my trip to New Zealand.
You don't need to be older than 26. It just helps if you read Fish & Chips before Slashfdot came along.
Someone asks a question about the security of XP. Everyone replies about each and every aspect of XP except security issues! Didn't we do the XP sucks threads before?
Okay, back to the issue at hand:
I'm pretty sure that the security won't be much different than that of previous Microsoft products or any other software product in general.
Yes, there will be bugs and problems with security. Microsoft has probably paid more attention to problems than they used to, just like they did with Windows 2000, but that only partially helps. Software releases have bugs. Period.
If it is a minor one, it might be fixed. If it's regular, it will be fixed some day. If it's big, it will be fixed and rather soon. If it's huge and does what you fear/describe, it will be fixed ASAP.
There are not so many precautions you can take, really, since no software company holds itself liable for any of its products. The best thing you can do to avoid the risk is simply by not using it.
If for whatever reason you are forced to use it or think the benefits outweigh the risks, you might want to look into some sort of insurance contract in case things go very very wrong.
I am sure insurance companies will insure you against horrible software plagues, they seem to insure almost anything including not getting any snow or sun on respectivily winter and summer holidays.
To see a movie? A stand up comedian? Ballet?
Besides, people tend to speak louder on the telephone and might end up in endless "yes, yes, oh no, yes" rituals for some people. Normal conversation usually is less irritating and more diverse so it falls back as background noise (in a restaurant for example).
Sometimes a phone call from a theatre or restaurant can be life-saving. Of course most of these places have traditional phone lines available as well, but these should be easily accessible.
It would however be perfect if such a device could jam incoming signals but still allow people to make (important) phonecalls. (On the other hand, what if the doctor is in the theatre and he needs to come to the hospital ASAP because he is the only one who can... argh!)