> I challenge someone to find an automated response to C/R.
I challenge you to justify using C/R, which abuses everyone who has their From: address forged. It's very simple, either find a way to implement C/R in-protocol, or don't use it at all. Once you have accepted the message, it is too late to go back.
And when I was working at a helpdesk and had to jump through all these little C/R hoops to respond to a customer... I worked those tickets dead last. Might be days before I get to you. You mail someone, you damn well better pre-emptively whitelist them out of the C/R loop.
Oh blah, nevermind, I realize now that that was about embedding URLs into HTML. I was under the impression that attributes (such as href) did not require such encoding, one of the reasons why the quotes around attribute values are more than a little strongly recommended? (and required in xml/xhtml). I won't pretend to know that spec enough to hazard a guess though.
The "unknown entity" errors aren't bogus; the unescaped ampersand character has NEVER been "legal" in URIs. User-agents have simply auto-escaped them for so long that not escaping them became standard practise.
Changing all those to &amp; is trivial, yes, but no less necessary for proper validation than an unclosed <b> tag
You are aware that the ampersand is what separates query parts in the CGI spec, and &amp; is an HTML entity, not a URL encoding? And that ampersand and semicolon are both considered equally "reserved" in the URI spec (CGI also allows for semicolon to separate args, which I personally prefer)
Last time I threw an RFC at someone, I ended up with egg on my face, but this one I'm rather confident with.
The syntax of http://host/?query is perfectly allowed. The path is "/". "http://host?query" is not really allowed if I read my BNF correctly, but it's not very unambiguous.
The query string syntax is totally undefined
The one thing the HTTP URL spec is specific about is that escaped characters in the "reserved" and "unsafe" sets (ampersand and semicolon) could be considered syntactically different than unescaped. Whatever "different" means in this context, who knows. Could be, not must be, since it simply excludes them from the requirement of being equivalent. To wit:
> Characters other than those in the "reserved" and "unsafe" sets (see RFC 2396 [42]) are equivalent to their ""%" HEX HEX" encoding.
HTTP URLs are woefully underspecified compared to, say, what an ASN.1 encoding would demand. For this reason, the robustness principle plays in.
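As an added example (not from the thread), this shows the two layers the exchange above keeps apart in Python's standard library: &amp; is an HTML-layer escape that the browser undoes before the URL is used, while %26 is a URL-layer escape that changes how the query string parses, which is the sense in which an escaped reserved character is not equivalent to an unescaped one. Host name and query values are constructed.

```python
# Added example, not from the discussion above: the same ampersand at the
# HTML layer (entity) and at the URL layer (percent-encoding), using only
# the standard library.
import html
from urllib.parse import parse_qs, urlencode, urlsplit


def build_query(params: dict) -> str:
    """Build a query string. Each value is percent-encoded (safe="" so that
    even '/' is encoded), so a literal '&' or ';' inside a value becomes
    '%26' / '%3B' and can no longer be mistaken for a separator. The '&'
    between pairs is left raw because it is structural."""
    return urlencode(params, safe="")


def href_attribute(url: str) -> str:
    """Escape a URL for a quoted href="..." attribute. Only the HTML layer
    changes: '&' becomes '&amp;' and the percent-escapes are untouched.
    The browser reverses this before it uses the URL."""
    return html.escape(url, quote=True)


def parse_query(url: str) -> dict:
    """Parse the query back the way a CGI-style receiver would. Recent
    Pythons treat only '&' as a separator, so a raw '&' in a value splits
    the pair while '%26' survives as data."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample: a search term that itself contains an ampersand.
    query = build_query({"q": "salt&pepper", "lang": "en"})
    url = "http://host/?" + query
    print(url)                  # http://host/?q=salt%26pepper&lang=en
    print(href_attribute(url))  # http://host/?q=salt%26pepper&amp;lang=en
    print(parse_query(url))     # {'q': ['salt&pepper'], 'lang': ['en']}
    # The raw, unescaped ampersand parses differently: 'pepper' becomes a key.
    print(parse_query("http://host/?q=salt&pepper&lang=en"))
```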
> Try the ComplexSpiral demo
It's interesting, but on firefox on a gigahertz machine, it crawls. Alpha blending is pretty, but damn slow -- web designers really need to avoid it for anything that moves and has to be re-composed frequently.
Funny thing, I'm looking at the CSS with the editcss sidebar for firefox, and I can't find where the translucency is defined. How's that work?
> This will probably get modded down - but this hack really does show the power of IE that you can deploy a script fix to browser problems.
What it shows is the power of DHTML behaviors. Microsoft has only ever used them for cutesy little hacks, but with them you can pretty much filter and transform selected elements into arbitrary HTML, including script elements. The closest thing mozilla has to this is XBL, which aside from being almost completely undocumented, is insanely difficult to write.
I understand the author of this hack has behaviors for mozilla... I'd be very interested in seeing that once the slashdotting stops. Assuming he still has any bandwidth quota left.
Slashdot has no respect for people who pay for their bandwidth. I swear, if slashdot made me pay for that kind of bandwidth, I'd put up a redirect to tubgirl instead.
http://www.bagley.org/~doug/shootout/slashhole.shtml
Anyone know where to find this slashhole hack? I suppose it's a simple referer filter, but I'm not familiar with how to install such a thing.
Given the toughness and other properties of carbon nanotubes, does the dust tend to be like graphite, and reasonably safe as an inhalation hazard (being heavy and all), or has any kind of toxicology testing been done with them? I'd hate to see carbon nanotube fragments becoming the next asbestos.
> He hasn't patented the idea of adverts in space, as the precis suggests, he's patented a device for displaying them. A fairly important distinction
Not really. Patents of this kind are granted to a description of an actual device, not an idea. One doesn't actually need to produce the device itself, and indeed some people have managed to sneak some ridiculous ideas through, including a few faster-than-light communication device patents and probably a perpetual motion machine or two (the patent office is normally quite good however at rejecting any 100% efficient or over-unity machine)
> Perl is now completely ubiquitous, and much more suited to scripting than /bin/sh. Why settle for anything less?
Not really -- perl can't pipe. You can call popen, and you can pipe multiple scripts to each other, but then you're really just writing a shell script in disguise. So I tend to write complicated bits in perl, then glue 'em all together with shell pipelines.
(you had to see that one coming)
Suppose your server gets rooted and a bad guy gets your private key. You have to tell everyone who might go to your web site that the old certificate is no longer valid.
The good news is that there are certificate revocation lists out there. The bad news is that Internet Explorer, as of the last version I looked at, doesn't check them by default.
IE and Mozilla both support OCSP. Mozilla does not have it turned on out of the box either.
The indispensable Bruce Schneier has pointed out a couple of other vulnerabilities. How does your browser know what signers make a certificate valid? It ships with a list of trusted signers. How secure is this list? It isn't. Schneier has pointed out in his newsletter that a virus could silently add an evil CA to the trusted list.
Better, just change one of the existing CA entries to use the same name and a different server and cert. Even hardcore cypherpunks aren't likely to catch something like that. Ultimately the answer is going to have to be loss mitigation and harm reduction: it'd be nice to see some technology solutions (or at least assistance) applied to the pessimistic assumption that WHEN your data IS compromised at some point, there's some help other than suspending, scrubbing, and possibly having to get a brand new digital identity.
Re:How do they decide which companies can do it? (on EU Passes Nasty IP Law; Score: 4, Insightful)
> You want to arrest me? Fine, send the regular police. No problem there. Federal agents even.
Silly, you think corporations are going to send their own troopers after you? They will send the Feds, just ask the BSA, who has the real badge-carrying police kick down doors and bust locks.
The cops work for the corps. Not for you.
It's the password part of userinfo that's been deprecated as a security risk, not the userinfo field. But there it is in the HTTP RFC, host and no userinfo. I'm developing a taste for crow.
> The Help command did exist in Unix, but it was the help system for sccs
The Help command exists in VMS, and let me tell you, it absolutely destroys the manpage system.
> For example when we grep on a file and don't find the pattern, grep does not generate any output
It sets a return code.
grep "foo" * || echo "not found"
You're not seriously suggesting end users use grep, are you? (ohh goody, let's teach 'em regexes, when you have to quote your term, when you need to use egrep...)
The command line shell is basically a lightweight programmers tool. No one expects nontechnical users to use it any more than microsoft expects them to write batch or VBS scripts. If you want a user friendly shell, I recommend you not build it on top of bourne shell's legacy.
> THE STANDARD STATES THAT NO USER NAME OR PASSWORD IS ALLOWED IN HTTP URL'S.
Ooh look, he's shouting, he MUST be informative. Seriously, I'm trying to hold back the flames here, because I wholeheartedly think you deserve them as a representative sample of "loud, smug, abrasive and uninformed" that seems to dominate every time discussion of standards comes up. Oh, I guess I did flame, my bad.
RFC1738 is obsolete. In fact, it's obsolete by at least a couple revisions. Read RFC2616, then come back.
> Do developers out there voice the need to store binaries?
Hell yes. Worldforge has a media developers group that is using CVS, and they just hate it. The admin has to periodically go through and sweep out old media file versions because they're simply too big to keep all of them.
> Also, have there been many problems that required atomic commits? Can someone explain why this is important?
Very simple. If I change several files, and the changes depend on each other (happens every time one changes an API for instance), I damn well don't want one file changed and the others not changed if there's some problem -- I want it so my entire changeset can go through at once or not at all. CVS is probably the last SCM system in wide use now that doesn't support any notion of changesets. Right now in CVS, one usually ends up having to branch if they want their code appearing in the repository so others can work with it, then it has to get merged later while the project goes into a freeze. Meanwhile, conflicts just pile up in branches. This is no substitute for changesets.
> Also, Subversions says that it is much faster at things like tagging, but tagging is not a very frequent operation...
Says you. I do it literally every single day. It's called a daily build.
> It bothers me a bit that all the files are now in a big database.
You think a filesystem isn't a database? It bothers me more when all the files are on an ext2fs filesystem; hope that UPS has been checked recently. Perforce uses a database as well (in fact it's the same, berkeley db or some *dbm), and I've never heard of it eating a repository. Being able to change the db backend for subversion would be nice though. In fact I'd consider it pretty damn critical for any organization-wide SCM repository, since I'd want replication (read-only of course, I'm not that masochistic).
Welcome to slashdot btw. All your comments are in a database. I'm not sure how much of a case that makes for a database however...
I mean, really... google for "recipes". My personal favorite is epicurious, tho I often have to tone down the expensive and/or hard to get ingredients.
Lots of these places let you submit your own recipes, many let you rate and comment on them. There isn't much interest in an internet-wide p2p schema of recipes because, well, it's not really something that has needed such a trading scheme before. Use a blog, paste the recipe in, google will pick it up in a couple days.
I'm not sure what the challenge or barrier is here.
> getting a working visa IS hard. I had to wait 4 months to get one
4 months? You're dealing with a country's immigration here -- that's LIGHTNING fast. Shit, I had to wait nearly that long to get the Colorado DMV to give me a title (after a title bond) for my car when I forgot to get the transfer notarized.
You don't even need alien. Last I looked at RPM, it was simply an ar archive wrapped up in cpio. Nothing tricky about it, just odd choices of archivers, but ones any unix should have.
I haven't got the slightest clue what you are talking about
> Just so you know, that practice is called dumping and it is illegal.
Unadulterated horseshit. Look up "loss leader" sometime. Here, since we just had a story about the web obviating encyclopedias: clickie-googlie
Sir, where do you get your information from? Real player is a fine codec, and I for one have never had any problBUFFERING...
I clicked on the link expecting commentary threads in elvish. Not a one. What kind of geeks are you?
> That's a standard Urban Legend, though it's more often a cookie recipe.
mughi, say hello to hook, line and sinker. hook, line and sinker, say hello to mughi.
(Search The, ah, Freakin Web)