We have to build a mechanism to automatically update things. We did not do that. The right way to design, if we were to update things an updating protocol that automatically updates itself so when the next version comes up it knows where to find the next version rather than having to wait for a Windows update or whatever.
Actually, newer Windows versions (Vista and later) use Microsoft's online Certificate Trust Lists, which allow exactly this. Microsoft revoked the DigiNotar certificate without issuing a real Windows update:
On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL. Why is Microsoft releasing an update?
Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List to validate the trust of a certification authority. As a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.
So what about when DEP is not even available? Many older computers don't have CPUs with NX-bit support. AMD has only had them since AMD64 and Intel since later Pentium 4 iterations. There are enough boxes with those CPUs still running fine.
That doesn't make sense:
1. Google serves all ads within Google.com from that same domain. No cross-site scripting anywhere, so nothing for the XSS filter to block.
2. For external sites (AdSense), disabling the XSS filter on Google.com won't help either: the external site would have to disable it. Otherwise anyone could just disable the XSS filter on their own domain and hack away on other sites.
That doesn't really make sense; if XSS screws up their system, why disable IE's protection for it? The only reason must be that the XSS protection is flawed.
Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.
And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send an "X-XSS-Protection: 0" header.
There have been several beta releases for Internet Explorer 7 and 8. Still no need for nightly builds: if it's not release quality, why publish it at all?
In open source projects, nightly builds are mostly a service for developers/testers as well. And since everybody can help improve the code, having more people test can certainly be beneficial.
What if they'd just release their rendering engine, with a very simple UI which only lets testers enter a URL? After all, most of the problems are in IE's rendering engine, not in its UI. That would solve the problem of journalists etc. looking at it as a real product.
Now, I do doubt the usefulness. We can't improve the code like we can with open source projects. Giving feedback about the rendering engine isn't all too useful either, because the IE team cares about standards nowadays and uses many tests themselves (W3C testsets, Acid3, CSS3.info). They already know the bugs, so the only thing we could conclude with a nightly is how far along they are.
How will the ballot screen work? Will it redirect to the chosen browser maker's website, will it download an installer? If so, that'd be way too much work for 'simple' users and they'll just close the ballot screen leaving IE as the default browser.
Also, I can't help thinking that there must be a prettier way to make this ballot screen (outside of IE, preferably!).
"Larger content (Concatenated SMS, multipart or segmented SMS or "long sms") can be sent using multiple messages, in which case each message will start with a user data header (UDH) containing segmentation information. Since UDH is inside the payload, the number of characters per segment is lower: 153 for 7-bit encoding, 134 for 8-bit encoding and 67 for 16-bit encoding." -- from Wikipedia
So, in this case it's 134 bytes and not 140 since the payload probably doesn't fit in a single 140 bytes.
SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS-interface which leaves 20 characters for commands etc. in addition to the message.
Well, I think Google would rather not lose that 1% market share because of users that can't figure out how to fix their network. Try explaining to your grandmother that because of her IPv6 connectivity Google isn't working while she can go to CNN's site perfectly.
No; your DNS server resolves the domain names at Google, so technically they're correct (although it may be a bit confusing). The idea is that ISPs with proper IPv6 can register their DNS servers so that Google will give out AAAA records to those DNS servers. Google can't help a single user since there's no way for them to influence the DNS query.
I still think that it'd be great if maybe OpenDNS or a similar service would provide an option to get AAAA records for Google.
Paying bills is usually done by wiring money using the bank's online banking interface (or paper) or by automatic billing through the bank account. Credit cards aren't used to pay bills; paying in stores is usually done with debit cards (Maestro) or credit cards (but people rarely use them).
The online system is used only to purchase over the web; it's way more popular than credit cards (everybody has a bank account and fees are low). The API system works a bit like PayPal.
I live in the Netherlands and wiring money is completely free of charge here. Everybody has a bank account and uses it to pay their bills.
The most popular internet payment system here is one that wires money from the customer to the merchant, with an instant verification that payment was successful (like most payment systems) and with only very small fees (lower than credit card processors charge).
What do we need Sun's Java for when we've got IcedTea, which is essentially Sun's Java with patented code (and other parts which could not be open-sourced) re-written?
Is Sun's release better in any way?
This research was presented by n.runs at the 28th Chaos Communication Congress: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html.
The presentation was recorded and can be viewed at http://www.youtube.com/watch?v=R2Cq3CLI6H8.
Actually, newer Windows versions (Vista and later) use Microsoft's online Certificate Trust Lists, which allow exactly this. Microsoft revoked the DigiNotar certificate without issuing a real Windows update:
(http://technet.microsoft.com/en-us/security/advisory/2607712)
Since InnoDB (the only proper storage engine in the default MySQL distribution) is owned by Oracle already, why bother?
In recent interviews, the IE team explained that they run many testsets (W3C sets, Acid3, CSS3.info) themselves anyway. They have also contributed a lot of new tests to W3C (e.g. http://blogs.msdn.com/ie/archive/2009/01/27/microsoft-submits-thousands-more-css-2-1-tests-to-the-w3c.aspx). They ask for feedback about their tests. The only thing we can do to improve IE is to make sure there's enough test coverage.
The package is called 'aria2', the command 'aria2c'.
Example usage:
aria2c http://releases.ubuntu.com/9.10/ubuntu-9.10-desktop-i386.iso http://releases.ubuntu.com/9.10/ubuntu-9.10-desktop-i386.iso.torrent
Since the Ubuntu BitTorrent-page is not yet updated, here are the links to the official torrents:
http://releases.ubuntu.com/9.10/ubuntu-9.10-desktop-i386.iso.torrent
http://releases.ubuntu.com/9.10/ubuntu-9.10-desktop-amd64.iso.torrent
http://releases.ubuntu.com/9.10/ubuntu-9.10-netbook-remix-i386.iso.torrent
http://releases.ubuntu.com/9.10/ubuntu-9.10-server-i386.iso.torrent
http://releases.ubuntu.com/9.10/ubuntu-9.10-server-amd64.iso.torrent
http://releases.ubuntu.com/9.10/ubuntu-9.10-alternate-i386.iso.torrent
http://releases.ubuntu.com/9.10/ubuntu-9.10-alternate-amd64.iso.torrent
"SUSE Studio is currently available to invited users only. Request an invitation on our user sign in page, and we'll send you an email soon!"
You're correct. And to complete it:
So, in this case it's 134 bytes and not 140 since the payload probably doesn't fit in a single 140 bytes.
SMS has a limit of 160 characters, not 140. Twitter has a 140-character limit because of its SMS-interface which leaves 20 characters for commands etc. in addition to the message.
From Google:
To qualify for Google over IPv6, your network must have good IPv6 connectivity to Google. Multiple direct interconnections are preferred, but a direct peering with multiple backup routes through transit or multiple reliable transit connections may be acceptable. Your network must provide and support production-quality IPv6 networking and provide access to a substantial number of IPv6 users. Additionally, because IPv6 problems with users' connections can cause users to become unable to access Google if Google over IPv6 is enabled, we expect you to troubleshoot any IPv6 connection problems that arise in your or your users' networks.
Simply said, some networks may have borked IPv6 which would mean that users will be unable to access Google. I can understand that they're doing this before rolling it out to everyone. Maybe there could be something like OpenDNS for IPv6 so that more advanced users have a choice?
Wow, that sounds like wiring money to a bank account!
I'm using Namecheap; they're reselling eNom and never had any problems with them. Domains are $9.29 and often less with coupon codes.
So which university in the Netherlands is this? One of the 3TUs or another one?