Slashdot Mirror


User: nahdude812

nahdude812's activity in the archive.

Stories
0
Comments
1,564

Comments · 1,564

  1. Re:This is more fun! on Dealing with Intruders? · · Score: 1

    As I understood it (I don't use port knocking), it's the practice of setting up your firewall to log connection attempts on certain ports. Nothing actually listens on this port though. You define a sequence of port numbers to which a failed connection must be attempted (TCP), and that done, connect to your secure service. The secure service verifies that the logs show your IP running the correct sequence of failed connections, and if so, allows you to connect. I didn't think it relied on UDP at all.
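
The mechanism sketched in that comment, as an added example that is not part of the original post: a small Python verifier that reads iptables-style firewall log lines (constructed here; the `KNOCK` log prefix, the knock sequence and the 30-second window are assumptions) and admits a source only if it hit the ports in the configured order within the window. A knock to the wrong port, or a sequence that takes too long, starts that source over.

```python
import re
from datetime import datetime

# Assumptions for this example: nothing listens on these ports, the firewall
# rule tags the dropped SYNs with a "KNOCK" prefix, and the whole sequence
# must land within KNOCK_WINDOW_SECONDS. The order is deliberately not
# ascending so a plain port scan does not complete it.
KNOCK_SEQUENCE = (7000, 9000, 8000)
KNOCK_WINDOW_SECONDS = 30

# Constructed iptables-style log lines (not real traffic). Three sources:
# one knocks correctly, one knocks in ascending order, one is too slow.
SAMPLE_LOG = """\
Jun 10 12:00:01 gw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000 SYN
Jun 10 12:00:02 gw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=9000 SYN
Jun 10 12:00:03 gw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=8000 SYN
Jun 10 12:00:05 gw kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=7000 SYN
Jun 10 12:00:06 gw kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=8000 SYN
Jun 10 12:00:07 gw kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51002 DPT=9000 SYN
Jun 10 12:00:10 gw kernel: KNOCK IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=7000 SYN
Jun 10 12:00:11 gw kernel: KNOCK IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=33001 DPT=9000 SYN
Jun 10 12:01:30 gw kernel: KNOCK IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=33002 DPT=8000 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s.*\bKNOCK\b.*\bSRC=(?P<src>[\d.]+)\b"
    r".*\bPROTO=TCP\b.*\bDPT=(?P<dpt>\d+)\b"
)


def parse_timestamp(text):
    """Syslog timestamps carry no year; 1900 is fine for interval arithmetic."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_knock_lines(text):
    """Return (timestamp, source_ip, destination_port) for each logged TCP knock."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((parse_timestamp(m.group("ts")), m.group("src"), int(m.group("dpt"))))
    return events


def completed_knocks(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
    """Map each source that hit `sequence` in order within `window` seconds
    to the time of its final knock. Wrong port or expired window resets it."""
    progress = {}  # src -> (index of next expected port, time of first knock)
    done = {}
    for ts, src, dpt in sorted(events):
        idx, started = progress.get(src, (0, ts))
        if idx > 0 and (ts - started).total_seconds() > window:
            idx, started = 0, ts          # took too long: start over
        if dpt != sequence[idx]:
            idx, started = 0, ts          # wrong port: start over
        if dpt == sequence[idx]:          # may be the first port after a reset
            if idx == 0:
                started = ts
            idx += 1
        if idx == len(sequence):
            done[src] = ts
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return done


def is_authorized(src, events, at, ttl_seconds=60):
    """Honor a completed knock only for ttl_seconds after it finished, so an
    old entry in the log does not hold the service open indefinitely."""
    done = completed_knocks(events)
    if src not in done:
        return False
    age = (at - done[src]).total_seconds()
    return 0 <= age <= ttl_seconds


if __name__ == "__main__":
    evs = parse_knock_lines(SAMPLE_LOG)
    for src, when in completed_knocks(evs).items():
        print(f"{src} completed the knock sequence at {when.time()}")
```

Two caveats a practitioner should keep in mind: the knocks travel in the clear, so anyone who can observe the packets can replay them, and an ascending sequence is completed by an ordinary port scan, which is why the assumed sequence above is not monotonic. Honoring a completed knock only briefly, as `is_authorized` does, keeps stale log entries from leaving the door open.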

  2. Re:This is more fun! on Dealing with Intruders? · · Score: 1

    Each host only requested once every 4 minutes (like clockwork). Filtering based on high activity would not have been feasible since my regular users generate a lot more hits per user than this. The problem was that there were ~25,000 zombies in the attack, generating a total of over 6000 hits a minute. I'm certain there's a way to write a module for apache to filter out based on the error I noticed in the request headers, but it was easier to put "if (detect_request_errors()) exit();" at the top of my common.php file. I'm not specifically saying what the error in the request was in case my attacker (who I never figured out, I still have no idea why I was even attacked) reads this comment, I don't want them going, "Aah, that's how he foiled me" hehe.

  3. Re:This is more fun! on Dealing with Intruders? · · Score: 4, Informative

    A lot of these exploits are typically ancient worms that someone has managed to not clean off their computer. If it's not an ancient worm, it's probably a zombie in someone's horde.

    The problem with these two (most common) scenarios is that the person who owns the computer isn't the real perpetrator, and the ability to track the perp down requires much more work than a simple whois lookup of the offending IP.

    Most attacks you see are going to be automated and launched on a wide scale. There are thousands and thousands of compromised Windows machines out on the net that are being used by people such as spammers and crackers for their dirty work.

    Lock your box down.
    Don't allow root to log in on SSH.
    Lock SSH and other sensitive services down to specific IP address blocks if you can. If you can't, investigate port knocking if you can do that. If you can't even go that far, investigate implementing a lockout policy for failed login attempts.

    Unless you see a single host being the source of a large pile of offensive behavior, chances are these are machines in a zombie horde. If it is limited to a single IP or a few IPs in a single C class, contact the ISP's abuse department *politely* (remember these are folks like you in jobs like yours, if you go in with guns blazing, they're less likely to help) and provide as much information as you can regarding the nature of the attack. Then firewall off the offending IPs.

    I used to aggressively track intrusion attempts and spam. I had a little PHP/MySQL tool I wrote where I could log these things, dumping in offending logs (or spam source), and it'd extract the culprit IP address, and once a day go through, looking up abuse addresses on whois and mailing a digest of the day's activities for that ISP to them.

    Ultimately I probably got about a 1% response rate from the ISPs (excluding auto-responses). After ~6 months of this, and about 40,000 records in my database, I started some statistical analysis. It turns out that there were no significant outliers for abusive activity from any given ISP (considering the size of that ISP's net blocks). Basically every intrusion attempt was some kind of zombie. There were probably a few by-hand attempts, but these are typically so low profile that there's no easy way to distinguish them from the hordes.

    Some time later I was the recipient of a DDoS attack. Someone's zombie horde decided to repeatedly visit a page on my website that turns out to be a bit resource intensive to generate (my code is open source, so whoever devised this probably knew that). Every day, ~25,000 IPs each requested the same page every 4 minutes (+/- a few seconds I suppose for network latency). 375,000 hits an hour = 9,000,000 bogus hits a day. Day to day this number fluctuated, and the ISPs involved in the attack kept changing. It was obvious to me that whoever was driving the attack wasn't exposing the entire zombie horde to me at any given point because of how the ISPs involved kept shifting around. I figured he probably had a script set up to launch X number of zombies every day, and they probably had commands to execute for ~24 hours. The number was always pretty close to 25,000, never over, but usually more than 24,500.

    Ultimately the attack lasted about a month. I figured out a simple way to distinguish the zombie computers from legitimate users based on an error in the request headers, and I could just exit() at the top of my site for those who exhibited this error. I also logged the attempts I blocked, and was left with over 900,000 distinct IP addresses once the attack finally stopped.

    My point in all of that is that there *are* zombie hordes out there, and it's the zombie hordes that are most likely to compromise you. There's little you can do about it because getting a single IP from a horde firewalled off or cleaned up won't slow down your real attacker who was going to use a different zombie the next day anyhow.
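
The timing in that account (each zombie re-requesting the same page every four minutes, like clockwork) is a signal in its own right, separate from the request-header error the commenter used and chose not to disclose. As an added example, not from the original comment, here is a detector over constructed Apache combined-log lines: it groups hits by client and path, takes the gaps between consecutive hits, and flags any client whose gaps all sit within a tolerance of the median gap. The log lines, the page name and the thresholds are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not from the original post): two
# hosts fetching the same page every ~4 minutes, one human browsing irregularly.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Jun/2004:12:00:00 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Jun/2004:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2004:12:00:09 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2004:12:00:40 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2004:12:01:10 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Jun/2004:12:03:12 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2004:12:03:15 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2004:12:04:01 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jun/2004:12:05:10 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2004:12:07:59 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jun/2004:12:09:11 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Jun/2004:12:10:00 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2004:12:12:00 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jun/2004:12:13:09 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2004:12:16:02 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jun/2004:12:17:10 +0000] "GET /expensive.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def parse_access_log(text):
    """Return (timestamp, client_ip, path) for each parsable request line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m.group("ip"), m.group("path")))
    return events


def find_periodic_clients(events, min_hits=5, tolerance_seconds=10.0):
    """Map (ip, path) -> period in seconds for clients whose consecutive hits
    on that path are all within tolerance_seconds of their median gap.
    Rate is ignored on purpose; only regularity counts."""
    by_client = defaultdict(list)
    for ts, ip, path in events:
        by_client[(ip, path)].append(ts)

    flagged = {}
    for key, times in by_client.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        if max(abs(gap - period) for gap in gaps) <= tolerance_seconds:
            flagged[key] = period
    return flagged


def periodic_ips(flagged):
    """Distinct client addresses from find_periodic_clients, ready for a blocklist."""
    return sorted({ip for ip, _path in flagged})


if __name__ == "__main__":
    hits = parse_access_log(SAMPLE_ACCESS_LOG)
    for (ip, path), period in find_periodic_clients(hits).items():
        print(f"{ip} fetches {path} every {period:.0f}s")
```

It deliberately ignores request volume, which the commenter found useless against this horde, and looks only at regularity. Auto-refreshing dashboards and uptime probes are periodic too, so treat a hit as corroboration rather than a verdict, and expect an attacker who reads this to add jitter.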

  4. Isn't this an episode of ST:TNG? on Should SETI Be Looking For Lasers Instead? · · Score: 1

    It turns out that an alien message designed to last millennia should be 'inside a large number of self-replicating, self-repairing microscopic machines programmed to multiply and adapt to changing conditions', otherwise known as living cells. Are we the message?

    I recall a 2-parter of The Next Generation where they discovered an ancient alien message encoded in the DNA across dozens of worlds, which reprogrammed the tricorder to emit a holographic message of peace.

    So if Star Trek is to be believed, we won't discover this message for another 400 years, but we'll have to race the Klingon and Romulan empires for the discovery (psst, Captain Picard, here's your chance for a head start!). At the end of the ordeal, everyone will share a few moments of sage unity before returning to their obtuse ways.

  5. Re:Was it really the service pack? on Windows XP SP2 Still Rough Around the Edges · · Score: 1

    Style over substance. Verbosity doesn't affect validity.

    Your definition of tautology didn't quite line up with mine, which was just needless repetition. I suspected your definition and mine didn't line up, which is why I looked it up, and why I linked dictionary.com.

    Tautology
    1.
    a. Needless repetition of the same sense in different words; redundancy.
    b. An instance of such repetition.
    2. Logic. An empty or vacuous statement composed of simpler statements in a fashion that makes it logically true whether the simpler statements are factually true or false; for example, the statement Either it will rain tomorrow or it will not rain tomorrow.

    But let's accept the definition you deliver which is presented later in the page as a tertiary definition: "A repetition of the same meaning in different words; needless repetition of an idea in different words or phrases; a representation of anything as the cause, condition, or consequence of itself..."

    You correctly imply that insecure apps *should* have their reliance on insecurity broken. Since you and I agree that this is correct behavior, you can only be talking about the service pack unintentionally breaking functionality (bugs in the service pack). Since the service pack is still in release candidate status, it's meaningless to debate this. That's the purpose of release candidates. Microsoft is correctly pushing back the release date until these issues can be addressed. It's not appropriate to criticise them for this behavior since it is desirable (unless it was done on a final release).

    I'm not sure what your original point was now when bathed in the light of your further commentary. I assume you're smart enough to not criticise bugs in pre-release code, but you state you're not criticising functionality intentionally broken to address security concerns, so perhaps there's a third classification of issue which I'm not grasping in my eruditious cluelessness.

  6. Re:Was it really the service pack? on Windows XP SP2 Still Rough Around the Edges · · Score: 1

    I'm not sure which comment you're referring to as tautology, but I have to assume that you're referring to the comment about amputating a growth. This may be tautological, but it's also referred to as a moral or a summary example. It's a common and effective form of rhetoric to first rebut a statement with a topical demonstration of an example that voids the original premise; then summarize the underlying principle in the scope of a much shorter example (presented as a truism) which demonstrates the principle itself on another topic. The overall effect being a demonstration that the original premise is wrong, and it's wrong in more than just the specific example presented; instead it's incorrect across a wide berth of similar situations.

    However, rebutting my statement based on a tautology present in it is a logical fallacy known as Style Over Substance. You don't address the logic in the statements I made, rather you attack the manner in which they were delivered. Even if delivered poorly, their truth and applicability aren't affected.

    Ultimately it remains that OS service packs serve a greater purpose than maintaining reverse compatibility: they fix bugs on the OS level (just as application service packs address bugs on the application level). If these bugs are being taken advantage of by an application and the application now breaks, that is still desirable behavior on the part of the OS service pack.

    In this case the approach Microsoft took to many of the areas which they are fixing in this service pack was wrong initially. They incorrectly advised developers to use tools that have since been proven impossible to appropriately secure. It's very unfortunate that fixing these issues will kneecap many existing applications, but I for one am very glad Microsoft has decided to address the underlying issues despite the pain it'll cause.

  7. Re:Was it really the service pack? on Windows XP SP2 Still Rough Around the Edges · · Score: 1

    I'll take exception to that statement. If the OS has a security bug that leads to (eg) arbitrary root (or administrator) privileges for an unprivileged user, and an application takes advantage of this to not require a user to be an admin to perform functions that are otherwise reserved for privileged users, then it's a security bug, and patching it is the right thing to do even if it breaks some applications. Period.

    Maintaining 100% reverse compatibility is not always the right solution. Some times you have to amputate a growth even if it takes an arm with it.

  8. Re:No Tech is safe on RFID More Hackable Than Retailers Think? · · Score: 1

    not every can of coke needs a different tag

    Doesn't it depend on different serial numbers if you want to get a count of a particular product? The counting is necessary for inventory control as well as automatic checkout, the two main features which rfid brings to the market.

    Also, I believe most proms can only be written to arbitrarily once (break certain connections w/ no way to reconnect them). But that doesn't make the data tamper-resistant. In the case of RFID, you might just want to flip the serial numbers all to be the same (eg, 00000000000000) where they were previously different, thus causing all those items to identify as one (they'll all answer simultaneously with the same data).

    Even if you're just talking about wanting to steal one expensive thing, you could garble the serial number of that thing (even assuming that they're not individually serialized, but have a single code per type of product), you could just burn a few bits that were formerly 1's to 0's, and likely cause the RFID to return a code not recognized by the inventory/billing system. The system can't raise an alarm in this case since products you bought from neighboring stores in a strip mall will return product codes not recognized in another store (my wife's new dress from Dress Barn isn't going to have a recognizable code in Sears Hardware). Unrecognized codes therefore have to be ignored.

    I think that's the danger being proposed here.

  9. The solution: on RFID More Hackable Than Retailers Think? · · Score: 4, Insightful

    Legislation.

    We'll just release poorly thought out technology that promises things older tech's can't deliver, but make sure not to put in the press releases that mayhem can ensue from its use. Then when someone discovers this, we'll just see to it that it's illegal to own equipment capable of performing these operations (despite their otherwise legitimate uses), and so we have protected our customers by giving them a false sense of security while sacrificing another tiny bit of essential liberty.

  10. Re:If I had money to spend... on Experiences with Laser Eye Surgery? · · Score: 1

    Because that's an expensive operation to perform on a completely unfunctional eye :-). There's 0% chance of success because she's not optically blind in the eye, she's neurologically blind in it. The nerves never grew when she was a kid.

  11. Re:If I had money to spend... on Experiences with Laser Eye Surgery? · · Score: 2, Funny

    It all falls back to "God helps those who help themselves." Guy sits on his roof during a raging flood. A helicopter offers him assistance, he says, "God will save me." A boat offers him assistance, he says, "God will save me." A canoe offers him assistance, he says, "God will save me."

    In Heaven, he asks God, "Why didn't you save me?" God says, "I sent a helicopter a boat and a canoe, what did you want?"

  12. Re:If I had money to spend... on Experiences with Laser Eye Surgery? · · Score: 1

    I wouldn't call it hell, but it's certainly a fair inconvenience. I can get around fine without my glasses so long as I don't have to read anything, including billboards. Objects make out in time for me to respond to them, though I lose depth perception, and driving would be unsafe solely for the difficulty in discerning distance in an instant between me and the car in front of me who suddenly slammed on his brakes.

    I'd love to be able to do things like go swimming, or ride a roller coaster and see what I'm doing.

    I'd love to fall asleep watching TV and not wake up later with my glasses painfully pushed into my face, and fear of breaking them like that.

    I'd love to go out wearing nice looking sunglasses. My current glasses don't look too bad as sunglasses, I bought some that specifically come with magnetic clipons, but the only problem is that standard glasses (unless out of fashion 80's style glasses) leave openings on the periphery of your vision, and the sun is quite good at shining through those openings, it really reduces your vision quite a bit since all you're doing when that happens is darkening the center of your vision as your irises contract based on the sunlight coming in through the sides.

    I'd love to be able to rub my eyes after a few hours of work and not have to push my glasses out of the way.

    I'd love to not have to worry about breaking my glasses and becoming stranded some place (eg, at work, 1.5 hour drive is much too far w/ depth perception issues).

    These things are worse for my wife who, while she doesn't have coke bottle glasses, can simply not function without her glasses.

    It's all minor stuff, none of it's hell, but there are reminders every day. I have friends who read signs and such that I can't even with a fresh prescription (who are not far-sighted and can read tiny print as well as or better than me). I'm envious of that.

    I've been eagerly consuming laser vision information as it's available (I read every comment within my threshold on this thread so far), but I'm a coder by profession, and by desire. Without my vision, I would not only be unable to do my job, I'd be unable to do my hobby, or engage in my stress relief and entertainment activities. I can afford lasik: my wife and I are both working professionals who are quite comfortable in our mortgage and have no kids, but until I get real objective statistics on the results, I'm not willing to risk it.

    My wife is completely blind in one of her eyes too, if they screw up even one eye on her, she's completely blind (thus doubling her chances of complete failure).

    Without releasing sensitive patient data, they could easily publish records indicating vision measurements before, after at 1 month, after at 6 months, and after measurements at each interval that the outfit doing the surgery re-tests, as well as listing complications.

    This would enable an objective study to be published which says, "There's an W percent chance of worsening your vision, X percent of bettering your vision but not making the target vision, Y percent chance of actually getting better than targeted vision, and Z percent chance of complications arising (eg, night halos at A%, night depth perception loss at B%, etc). On average patients reported C% increase in vision strength."

    That information, over >10,000 patients is what I really need to make a good decision this way. If chance of complication / worsening is 0.05%, I'll be sitting in an office tomorrow making my appointment. If it's 5%, I'll stick with what I got.

    Anecdotes cannot be a good source of information. The squeaky wheels will pollute the dependability of this. People whose vision was ruined will want to warn others away from this and be very vocal. People who were astounding successes will want to praise the procedure and speak out. Anecdotes will only show us the statistical outliers, and what I'm more interested in is the inliers.

  13. Re:Evidence? on PHP 5.0 Goes For Microsoft's ASP-dot-Net · · Score: 1

    Likewise, if you install Apache in its default state and fail to stay on top of your patches, Apache is much less of a headache than IIS's reputation.

    What I mean to say is that Apache in the worst case (aside from bad configurations, which are not ever the case by default) is more stable and secure than the most perfectly well groomed IIS install.

    Frequently claims about Microsoft insecurity are attributed to its being the broadest target, and thus the most attractive and effective against which to write an exploit. That does not hold true for Apache vs IIS; Apache accounts for 2/3 of the server share (67.22%), while IIS holds a little over 1/5 (21.35%) (source).

    Despite being the far minority in this category as far as deployed installations, it's still consistently the largest source of security problems.

  14. Re:Performance Claims on PHP 5.0 Goes For Microsoft's ASP-dot-Net · · Score: 2, Informative

    Or you use the freely available Turck MM Cache which has similar or better performance compared to the commercial Zend engine, and provides memory resident caching besides just storing post-compile scripts.

  15. Re:At least... on System Downtime, Maintenance · · Score: 3, Funny
  16. Re:Obligatory FireFox Boosterism on 4 New "Extremely Critical" IE Vulnerabilities · · Score: 1

    Mozilla/Firefox don't make distinctions between remote and local file sources for scripting permissions. If you can do it locally, you can do it remotely. Getting the browser to display a cache file doesn't expose you any more than opening a page that contains the contents of that cache file.

    It's not a remote exploit, it's just kinda a bug. I only say kinda, because there's not really any undesirable behavior going on, it's just a weird thing you can do with your browser.

  17. Re:Does it support EAX in SB cards? on Transgaming releases "WineX" 4.0 "Cedega" · · Score: 1

    I don't recall having any issues along this line at all, though it's been ~6 months since I played any games from Linux.

  18. Re:Does it support EAX in SB cards? on Transgaming releases "WineX" 4.0 "Cedega" · · Score: 1

    D2 has played fine for me under WineX, make sure you have an accelerated video driver. If you have an nvidia card, you won't by default, you'll have to get the driver from nvidia.com.

  19. Re:2 Games on Transgaming releases "WineX" 4.0 "Cedega" · · Score: 1

    You'd think that given CS is the world's most popular online game, they'd have made running it a priority?

    It's interesting. I hear this phrase applied to a lot of different games. Everquest, Mu Online, Final Fantasy, Counter Strike, and probably a few others.

  20. Re:Too bad it's not on Transgaming releases "WineX" 4.0 "Cedega" · · Score: 1
  21. Re:They forgot to mention... on Transgaming releases "WineX" 4.0 "Cedega" · · Score: 2, Informative

    This is not at all true for most games unless the game requires the same under Windows.

    I have played a number of games that actually had improved framerates under WineX 3. It seems all that Windows backend stuff puts a higher tax on the system than most people realize, since the dev team for Windows focuses on making things feel responsive at the cost of overall performance. When it comes time to do purely heavy computations (such as in games), this approach costs CPU time that would otherwise have gone to the computation, ultimately resulting in lower framerates.

    OpenGL games require very little emulation from the WineX engine since most of those calls are 1-to-1 Windows OpenGL to Linux OpenGL calls, and the performance cost is a fraction of a percent for these games. Almost all OpenGL games would perform better under WineX Linux than they do in their native Windows environment.

    Even DirectX games which require a fair amount more emulation since DirectX and OpenGL do not line up on a call-to-call basis suffer very little if any performance loss for most games.

    There are notable exceptions. American McGee's Alice was talked about elsewhere, and this relies heavily on kernel synchronization calls. Because of an architectural difference between Windows and Linux, there's no way to accommodate the same thing directly under Linux (there are other methods to accomplish the same tasks) without a kernel patch, which is of course very unportable. Early reports state that Alice has a significant performance increase under the new WineX, "Cedega."

    Also, some people are not aware that you must have an accelerated driver for your video card in order to do OpenGL with any level of performance. Basically for most systems, the driver you get by default is a non-accelerated driver, optimized for 2-D performance. The reason for this is that most card manufacturers (such as nVidia) have proprietary drivers which you need to download from the vendor themselves. Nvidia's are available here for 32 bit Intel processors. If you do not run an accelerated driver, you'll see terrible performance as all of the 3d and graphic computations are done by the CPU without being able to use the video card for any of these tasks. It's akin to trying to run a game in Windows using the "Generic VGA Driver," but the difference is that Windows wouldn't let you do this at all since they have no software based GL emulation layer like Linux does. Linux will at least let you try to play the game.

  22. Re:Windows is obviously superior on New Linux Kernel Crash-Exploit discovered · · Score: 0, Redundant

    In Soviet Windows, OS crashes YOU!

  23. Re:Spatial for shallow, Browser for deep. on Why Users Blame Spatial Nautilus · · Score: 1

    One problem with this approach is that it does not work well for binary files.

  24. Re:Mozilla/Firefox Whitelist on Mozilla 1.7, Firefox 0.9 Release Candidates Out · · Score: 1

    Yeah, doing this will increase the bar for image theft, but a simple "ngrep GET" will snag the url to the full image, and even for a novice user, screen captures do a pretty good job. Watermarking images is the best bet since that's much harder to defeat.

  25. Re:Dude, have you actually USED MacOS X? on What Keeps You Off of Windows? · · Score: 1

    P.S. Regarding the eject on the keyboard, please see a comment I posted elsewhere. I'm genuinely curious what the answer is.