fix whiney warnings that have no real world effect?
I knew somebody would pop up with this misconception. Did you know that the web has already been through this — not once but twice — and proven you wrong?
Netscape 2 was quite aggressive when it came to guessing when ampersands were mistakenly unencoded. Cue lots of people not bothering to do things correctly, and saying things exactly like you are — "What's the point? It makes no difference!"
Then Netscape 3 came out. It wasn't as aggressive as Netscape 2. All those people who cut corners had to rush to fix all of their pages. All the people who did it correctly the first time around didn't have to do any extra work.
Now Netscape 3 still guessed a little bit — if you left off the semicolon, it would pick up on it and guess correctly. So lots of the dumb people from the previous example didn't learn their lesson, and skipped the semicolon.
Can you guess what happened? Yep, that's right, Netscape 4 came out and broke all their pages again. And all the people who did things correctly laughed at them.
Sure, if you don't bother to do things right, today's major browsers will probably guess that you're an idiot and work around your bugs. But there's certainly no guarantee that tomorrow's browsers will do so. When you can do things correctly right now for no effort, why on earth would you risk incurring extra work in the future? Is it really so difficult to type & instead of &?
Also, they use <br/> in HTML 4 and it is telling them that they shouldn't do that because some web browsers will think it's wrong.
No, it's not telling them that some browsers will think it's wrong, it's telling them it is wrong. Validators don't check to make sure browsers can understand your document, they check if you have made any syntax errors. Writing <br/> in an HTML document is wrong, regardless of any particular browser's handling of it.
It's awful, especially as these are easy errors that can be fixed without any problem whatsoever. The vast majority of errors are:
XHTML syntax for empty elements in an HTML page.
Unencoded ampersands.
Forgetting required attributes like alt and type.
Forgotten end tags.
These are the kind of things any new developer would be able to fix in half an hour on his first day on the job. This demonstrates not that they cannot write valid code, but that they don't bother to check. It's like a newspaper editor not bothering to use a spelling checker — sloppy.
I've been able to "apt-get install sun-java5-jdk" for a couple of years now on Debian and Ubuntu.
And the reason for that is that Sun grants special permission to Linux and OpenSolaris distributions to do so under the DJL. From the FAQ:
What is the Operating System Distribution License for Java (a.k.a. the "Distro License for Java" or DLJ)?
The DLJ is a license created specifically for individuals and communities who want to distribute Sun's binary Java Development Kit (JDK) or Java Runtime Environment (JRE) with a Linux or OpenSolaris Operating System (OS) distribution.
See FreeBSD listed there? Have a look around the site, every single mention of operating systems permitted under this agreement is specifically scoped to Linux and OpenSolaris only. That's why Ubuntu has a head-start on FreeBSD, not because they are better at packaging.
how has Java being closed source affected you personally
I installed ejabberd, an Erlang-based Jabber server on FreeBSD this week from ports. For some reason it needed a JDK to install. Normal ports installation didn't work because FreeBSD doesn't have a distribution license. I had to download the file manually, put it in the right directory, then go back to the Sun website, register an account there, log in, download a timezone update, and put that in the right directory too. Only at that point could I install it. And I didn't even want Java in the first place!
The whole process was pointless (it's not like my manual downloading gained Sun anything worthwhile) and felt like a throwback to downloading Slackware floppy disk images back in the early 90s. Every other piece of software I've installed through ports has been downloaded and installed automatically, like it should. But because of this idiotic imaginary property idea, I've got to mess around trying to make the computer happy instead of it doing work for me. This is 2008, I shouldn't have to jump through hoops for bullshit reasons.
As for users installing drivers, have you ever had to install a driver in Windows?
Of course. You are talking as if it's rare for a Windows user to have to install a driver. That's far from true.
And when you did, how many times did you have to recompile the kernel? I know I had to do it most recently in Gutsy to install nVidia binary-only drivers and although not difficult it's something I wouldn't expect my grandma to do (or to be happy about).
As it happens, I've just installed Gutsy on this very computer, and it has an nVidia card in it. The number steps it took to install the driver? Zero. It came with open-source drivers that handled the card just fine. I didn't have to tell it anything about my hardware, it figured it all out on its own and set things up automatically with no input from me necessary.
Then, fiddling in the settings, which the stereotypical grannies would never do, I bumped up the graphical effects to something that required the proprietary driver. It told me it needed to install a new driver, and then went ahead and did it. No kernel recompiling, no editing of config files, no commands to run in a terminal, it Just Worked.
Not true - in the UK it is actually illegal to rip a CD in itunes.. format shifting is illegal.
That's not all ricebowl said though. He said that it was illegal to copy CDs for any purpose. That's what I'm disagreeing with.
It was only in 2003 that the law was amended to allow timeshifting (recording broadcasts) and make transient (in-memory) copies legal.
Yes, I'm aware of that. Transient copies are an example of one of the types of copying that is legal.
As for ripping in particular, like I said, that's debatable. You can read the law for yourself, I linked to it and it's far more authoritative and informative than a couple of soundbites in a news article. As far as I'm aware there is no case law that determines the boundaries of private study in this regard, if you know of any, please cite it.
in the UK I'm fairly certain that it's still, albeit perhaps only technically, illegal (sorry, I couldn't find a more authoritative source) to copy CDs for any purpose, whether for transfer to an iPod for practical purposes or simply as an archival backup.
No, that's wrong, there's a whole range of types of copying that are legal in the UK, described in Section 3 of the Copyright, Designs and Patents Act 1988. Whether they apply specifically to CD ripping for the purpose of enjoying music you own is debatable (depending on whether or not you consider it to be "private study"), but it's certainly not the blanket ban on copying you describe.
The argument made by the ExtJS team is that by having a web page that includes the ExtJS library constitutes a close binding, and that thus your entire web back-end must be GPL'd. This is, on the face of it, ridiculous.
Previously, they were arguing that it wasn't LGPL3ed, they were merely distributing it under the LGPL3's terms, by which they meant that they could tag on anti-commercial clauses. The terms of the LGPL3 mean you can strip those clauses and redistribute as plain LGPL3 if you wish, which somebody did, and it upset them.
Essentially, they were name-dropping the LGPL and claiming open-source status when what they really wanted was a non-open-source freeware license. Of course, if they came out and said this, they'd have a lot of upset contributors who have been duped into contributing to something they believed was open-source.
This bizarre interpretation of the GPL3 to mean that all of your website back-end needs to be open-sourced is another game in this style. They don't actually want the GPL3, because that includes commercial uses. They want a license where they can do their very best to make commercial use unappealing, while still being able to name-drop the GPL3 and tell people it is open-source without too many people calling them liars.
I wouldn't be surprised if they did that, after all they did a similar thing with GWA and URLs with query strings. But I can't help but think it's a silly path to take. It makes an "unwritten rule" of HTTP that certain magic strings are off-limits, and of course, no specification contains a list of these magic strings, you have to reverse engineer other software for them.
You can't ask newbies to install device drivers or recompile the kernel
You know, I remember a time when casual computer users used to make special boot floppies with special memory configurations just to play games. End-users can cope just fine with complexity. Linux hasn't been too complicated for at least a decade.
Now you can argue that Linux is more complicated than the competition, and that users prefer the least complicated options, but that's not the same thing as saying that Linux is too complicated. "Too complicated" means that end-users would be unable to use Linux even if it were the only option. That hasn't been true for a very long time.
And come on, average end-users don't have to recompile the kernel anyway. That's a stupid stereotype that brainless pundits say reflexively. Installing device drivers? Last time I checked, other systems need users to install drivers too.
In Ruby on Rails, adding "?methond=post" to the end of a url fakes a post, even though it is actually a GET, which I disabled in the company I work for. Not everyone is going to do that.
More precisely: Not everyone has been doing that. I'm sure when Google comes along and exposes all their bugs they will quickly take the hint.
I don't really see the problem. The developers who know what they are doing, like you, won't be adversely affected, while the incompetent developers have to scurry around fixing their bugs every time something like this happens.
The usual excuse for that is that they want a link — for aesthetic purposes, to put in an email, etc. If you're using a form anyway, those reasons disappear. I'm sure there are a few developers who screw this up, but it won't be anywhere near as common as the problems GWA uncovered.
Now all they need is something to read text in flash files and they've got something going.
They've indexed Flash for about four years now.
I bet they'll often get results they didn't intend to and expose data that's supposed to be protected and private.
No doubt. There are a lot of clueless developers out there who insist on ignoring security and specifications time and time again. I have no sympathy for people bitten by this, you'd think they'd have learnt from GWA that GET is not off-limits to automated software.
This won't post forms of that sort. In the blog post, they say that they are only doing this for GET forms, which are safe to automate as per the HTTP specification.
This is for things like product catalogue searches where you pick criteria from drop-down boxes. Not so common for run-of-the-mill e-commerce sites, but I've seen a lot on B2B sites.
once you introduce an element of ongoing human oversight into a free service, you're losing money on it.
There's already ongoing human oversight going into these services. You think the servers don't require maintenance? You think the spam filters don't require ongoing work? And they aren't entirely free services, there are paid subscriptions, adverts, etc.
Remember, this isn't a case of manually approving each new account, this is a case of keeping an eye on the high signup bans. You can even skip most of that by ignoring dynamic IPs for home users that their spam filters already have information on. The workload for this kind of checking is tiny compared with most maintenance work.
That's why a good policy is to start off by flagging the high signup IPs for human review, whitelisting the legitimate ones, then instituting the default deny policy after all the current matches have been reviewed. If you are worried about legitimate people who change their network infrastructure and then get caught, perform human review of the bans after they have taken place.
Just because you automate banning, it doesn't mean there is no human oversight whatsoever or that false positives are a disaster.
Doesn't it potentially take up a LOT more room on a page than captcha?
Not really. You only need to show the pictures when somebody is submitting something.
Is there a way that spammers could figure out a way to divert the images to a human's malwared computer and have them do the choosing for the program? I thought I read about this somewhere as one way botnets were getting by captchas as well.
It's possible, I've heard it's done in exchange for free porn, but I think this is largely a myth than something carried out in practice though.
Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day
And Microsoft simply allow a new account to be registered every single minute of the day from a single IP address? Even when you cater to multiple users behind proxies you don't have to let that many through.
I suspect the 1400 estimate is the theoretical maximum, assuming no other countermeasures whatsoever. That's an unwarranted assumption, and the real figure is probably significantly lower.
I don't see any hypocrisy. The opinion that the law shouldn't be used to restrict people from sharing information does not oblige them to use their resources to distribute it. The opinion is not that they must do so, but merely that they should be able to do so if they want to.
Maybe your confusion is because you got the saying wrong. It's "Information wants to be free", and it's a statement about economics.
Don't get me wrong -- it's still a pain in the butt and it's wrong and probably an abuse of the legal system. But her freedom of speech isn't at risk. She could respond by just giving the documents requested. She shouldn't have to do so, but her speech is in no way at risk.
It's called a chilling effect. If this is upheld, it will send the message that if you criticise pseudo-science, you are in danger of being dragged before a court and having all your personal details examined for no good reason. It's an undue burden on speech that many people will not be willing to take just to speak out against some kooks.
Who gets the contract to do the fiber? How much should be paid to do this contract? Should everyone get it or only dense populations? How dense do the populations have to be? How do we pay for it, do we inflate the currency through debt or do we increase tax?
Who gets the maintenance contracts? How much do we pay for the maintenance contracts? How much maintenance should be spent on all fiber or should only dense populations get it? How dense do the populations have to be? How do we pay for it, do we inflate the currency through debt or do we increase tax?
Who gets to use the fiber? How much do we charge companies to use this fiber? How do we ensure its being used for the right purposes and companies aren't bidding for contacts and locking in those customers? Who is responsible for faults in the network? How are costs allocated?
All of these questions could be asked about roads, but very few people would take that as a sign that roads should be privatised. Do you complain that the government interferes in the road-building market?
1) mailing list confirmations can't be used by spammers to identify existing or non-existing e-mail addresses
2) spammers, unlike your test, will use spoofed From: headers, making the mail you got be bounced back to someone who wasn't involved in the first place
You can't have it both ways. If they use a forged From header, then they can't test whether an address exists or not. If they don't forge the From header so that they can validate the address, then there's no backscatter, because the spammer needs to pick up the reply.
3) yes, right now (1) isn't true for Google either
Wait, so of a three point list, one of the points is not a problem and another of the points is pointing out that the other point isn't a problem? It sounds like you have a chip on your shoulder or something.
Slashdot Mirror
I knew somebody would pop up with this misconception. Did you know that the web has already been through this — not once but twice — and proven you wrong?
Netscape 2 was quite aggressive when it came to guessing when ampersands were mistakenly unencoded. Cue lots of people not bothering to do things correctly, and saying things exactly like you are — "What's the point? It makes no difference!"
Then Netscape 3 came out. It wasn't as aggressive as Netscape 2. All those people who cut corners had to rush to fix all of their pages. All the people who did it correctly the first time around didn't have to do any extra work.
Now Netscape 3 still guessed a little bit — if you left off the semicolon, it would pick up on it and guess correctly. So lots of the dumb people from the previous example didn't learn their lesson, and skipped the semicolon.
Can you guess what happened? Yep, that's right, Netscape 4 came out and broke all their pages again. And all the people who did things correctly laughed at them.
Sure, if you don't bother to do things right, today's major browsers will probably guess that you're an idiot and work around your bugs. But there's certainly no guarantee that tomorrow's browsers will do so. When you can do things correctly right now for no effort, why on earth would you risk incurring extra work in the future? Is it really so difficult to type & instead of &?
No, it's not telling them that some browsers will think it's wrong, it's telling them it is wrong. Validators don't check to make sure browsers can understand your document, they check if you have made any syntax errors. Writing <br/> in an HTML document is wrong, regardless of any particular browser's handling of it.
It's awful, especially as these are easy errors that can be fixed without any problem whatsoever. The vast majority of errors are:
These are the kind of things any new developer would be able to fix in half an hour on his first day on the job. This demonstrates not that they cannot write valid code, but that they don't bother to check. It's like a newspaper editor not bothering to use a spelling checker — sloppy.
And the reason for that is that Sun grants special permission to Linux and OpenSolaris distributions to do so under the DJL. From the FAQ:
See FreeBSD listed there? Have a look around the site, every single mention of operating systems permitted under this agreement is specifically scoped to Linux and OpenSolaris only. That's why Ubuntu has a head-start on FreeBSD, not because they are better at packaging.
I installed ejabberd, an Erlang-based Jabber server on FreeBSD this week from ports. For some reason it needed a JDK to install. Normal ports installation didn't work because FreeBSD doesn't have a distribution license. I had to download the file manually, put it in the right directory, then go back to the Sun website, register an account there, log in, download a timezone update, and put that in the right directory too. Only at that point could I install it. And I didn't even want Java in the first place!
The whole process was pointless (it's not like my manual downloading gained Sun anything worthwhile) and felt like a throwback to downloading Slackware floppy disk images back in the early 90s. Every other piece of software I've installed through ports has been downloaded and installed automatically, like it should. But because of this idiotic imaginary property idea, I've got to mess around trying to make the computer happy instead of it doing work for me. This is 2008, I shouldn't have to jump through hoops for bullshit reasons.
Of course. You are talking as if it's rare for a Windows user to have to install a driver. That's far from true.
And when you did, how many times did you have to recompile the kernel? I know I had to do it most recently in Gutsy to install nVidia binary-only drivers and although not difficult it's something I wouldn't expect my grandma to do (or to be happy about).
As it happens, I've just installed Gutsy on this very computer, and it has an nVidia card in it. The number steps it took to install the driver? Zero. It came with open-source drivers that handled the card just fine. I didn't have to tell it anything about my hardware, it figured it all out on its own and set things up automatically with no input from me necessary.
Then, fiddling in the settings, which the stereotypical grannies would never do, I bumped up the graphical effects to something that required the proprietary driver. It told me it needed to install a new driver, and then went ahead and did it. No kernel recompiling, no editing of config files, no commands to run in a terminal, it Just Worked.
That's not all ricebowl said though. He said that it was illegal to copy CDs for any purpose. That's what I'm disagreeing with.
Yes, I'm aware of that. Transient copies are an example of one of the types of copying that is legal.
As for ripping in particular, like I said, that's debatable. You can read the law for yourself, I linked to it and it's far more authoritative and informative than a couple of soundbites in a news article. As far as I'm aware there is no case law that determines the boundaries of private study in this regard, if you know of any, please cite it.
No, that's wrong, there's a whole range of types of copying that are legal in the UK, described in Section 3 of the Copyright, Designs and Patents Act 1988. Whether they apply specifically to CD ripping for the purpose of enjoying music you own is debatable (depending on whether or not you consider it to be "private study"), but it's certainly not the blanket ban on copying you describe.
Previously, they were arguing that it wasn't LGPL3ed, they were merely distributing it under the LGPL3's terms, by which they meant that they could tag on anti-commercial clauses. The terms of the LGPL3 mean you can strip those clauses and redistribute as plain LGPL3 if you wish, which somebody did, and it upset them.
Essentially, they were name-dropping the LGPL and claiming open-source status when what they really wanted was a non-open-source freeware license. Of course, if they came out and said this, they'd have a lot of upset contributors who have been duped into contributing to something they believed was open-source.
This bizarre interpretation of the GPL3 to mean that all of your website back-end needs to be open-sourced is another game in this style. They don't actually want the GPL3, because that includes commercial uses. They want a license where they can do their very best to make commercial use unappealing, while still being able to name-drop the GPL3 and tell people it is open-source without too many people calling them liars.
On the contrary, I think it's Windows that has been taking the desktop market through the back door, for quite a while now. Roughly, without lube.
I wouldn't be surprised if they did that, after all they did a similar thing with GWA and URLs with query strings. But I can't help but think it's a silly path to take. It makes an "unwritten rule" of HTTP that certain magic strings are off-limits, and of course, no specification contains a list of these magic strings, you have to reverse engineer other software for them.
You know, I remember a time when casual computer users used to make special boot floppies with special memory configurations just to play games. End-users can cope just fine with complexity. Linux hasn't been too complicated for at least a decade.
Now you can argue that Linux is more complicated than the competition, and that users prefer the least complicated options, but that's not the same thing as saying that Linux is too complicated. "Too complicated" means that end-users would be unable to use Linux even if it were the only option. That hasn't been true for a very long time.
And come on, average end-users don't have to recompile the kernel anyway. That's a stupid stereotype that brainless pundits say reflexively. Installing device drivers? Last time I checked, other systems need users to install drivers too.
More precisely: Not everyone has been doing that. I'm sure when Google comes along and exposes all their bugs they will quickly take the hint.
I don't really see the problem. The developers who know what they are doing, like you, won't be adversely affected, while the incompetent developers have to scurry around fixing their bugs every time something like this happens.
The usual excuse for that is that they want a link — for aesthetic purposes, to put in an email, etc. If you're using a form anyway, those reasons disappear. I'm sure there are a few developers who screw this up, but it won't be anywhere near as common as the problems GWA uncovered.
They've indexed Flash for about four years now.
No doubt. There are a lot of clueless developers out there who insist on ignoring security and specifications time and time again. I have no sympathy for people bitten by this, you'd think they'd have learnt from GWA that GET is not off-limits to automated software.
This won't post forms of that sort. In the blog post, they say that they are only doing this for GET forms, which are safe to automate as per the HTTP specification.
This is for things like product catalogue searches where you pick criteria from drop-down boxes. Not so common for run-of-the-mill e-commerce sites, but I've seen a lot on B2B sites.
There's already ongoing human oversight going into these services. You think the servers don't require maintenance? You think the spam filters don't require ongoing work? And they aren't entirely free services, there are paid subscriptions, adverts, etc.
Remember, this isn't a case of manually approving each new account, this is a case of keeping an eye on the high signup bans. You can even skip most of that by ignoring dynamic IPs for home users that their spam filters already have information on. The workload for this kind of checking is tiny compared with most maintenance work.
That's why a good policy is to start off by flagging the high signup IPs for human review, whitelisting the legitimate ones, then instituting the default deny policy after all the current matches have been reviewed. If you are worried about legitimate people who change their network infrastructure and then get caught, perform human review of the bans after they have taken place.
Just because you automate banning, it doesn't mean there is no human oversight whatsoever or that false positives are a disaster.
They were specifically talking about a single bot:
That means that Ars was saying that a spammer with millions of bots can sign up billions of Live Hotmail accounts in a day.
Not really. You only need to show the pictures when somebody is submitting something.
It's possible, I've heard it's done in exchange for free porn, but I think this is largely a myth than something carried out in practice though.
And Microsoft simply allow a new account to be registered every single minute of the day from a single IP address? Even when you cater to multiple users behind proxies you don't have to let that many through.
I suspect the 1400 estimate is the theoretical maximum, assuming no other countermeasures whatsoever. That's an unwarranted assumption, and the real figure is probably significantly lower.
I don't see any hypocrisy. The opinion that the law shouldn't be used to restrict people from sharing information does not oblige them to use their resources to distribute it. The opinion is not that they must do so, but merely that they should be able to do so if they want to.
Maybe your confusion is because you got the saying wrong. It's "Information wants to be free", and it's a statement about economics.
It's called a chilling effect. If this is upheld, it will send the message that if you criticise pseudo-science, you are in danger of being dragged before a court and having all your personal details examined for no good reason. It's an undue burden on speech that many people will not be willing to take just to speak out against some kooks.
All of these questions could be asked about roads, but very few people would take that as a sign that roads should be privatised. Do you complain that the government interferes in the road-building market?
You can't have it both ways. If they use a forged From header, then they can't test whether an address exists or not. If they don't forge the From header so that they can validate the address, then there's no backscatter, because the spammer needs to pick up the reply.
Wait, so of a three point list, one of the points is not a problem and another of the points is pointing out that the other point isn't a problem? It sounds like you have a chip on your shoulder or something.