I actually do a bunch of security consulting for PHP based stuff. A great deal of the issues stems from the very beginning of the PHP language itself. Being designed to be as easy as possible without regard to security has kind of made it the Microsoft of scripting langages. They have not built on insecure code, but rather entire concepts that are inherently insecure (fopen() wrappers that open nearly every data connection they're fed, register globals, SQL string concatenation) and have even for a long time endorsed and taught users those concept.
Instead of changing concepts midway through they have added security layers and APIs that need to be *explicitly* set - meaning that like Windows (was?) they have a policy of being open per default and having to be explicitly made secure, instead of closed by default and enabling only what you need.
That's what I think Stefan Esser means when he says "safer from the inside". Many things in PHP are inherently flawed and can only be remedied through changes in concept and nothing else.
Add to that stuff like $GLOBALS overwrite (more details here) that are/were essentially a WONTFIX. No wonder Essner is getting frustrated.
The only thing I can think of right now would be JBoss Portal ( http://www.jboss.org/products/jbossportal ). It doesn't have many of those fancy features but should be easily extensible.
If you see this and ponder buying this card for your game servers first try optimizing the Linux kernel. 1000 Hz ticks, big kernel lock preemption and other latency patches actually does wonders to ping times (and I do not mean ICMP echo or similar but ping packets answered by the game) and latency.
Many games have their own interesting capabilities for performance tuning. For instance Counter Strike 1.6 has the -pingboost setting which will switch between select() and alert() syscalls (10 ms reduction) or processing a frame for every packet. Other games have similar tuning options that will enhance performance. Then there's also tuning your network settings.
By the way, as far as I remember this Killer NIC is just some kind of offload engine. How *exactly* does this increase performance when most game specific packets are simple UDP packets that performance-wise are not as demanding as TCP packets (less checksums, no window scaling and other options easily tunable etc.)?
Bild, Germany's "most influential" newspaper that to some extent can be compared to England's The Sun, produced by the Axel Springer Imperium, started doing this some time ago. EUR 500 are offered for every image they print. Bild received lots of criticism because they regularly print reader-submitted content that clearly violates personal rights and freedoms. Take for example this picture of EMT workers treating an accident victim (blurred and censored by the linked website, not Bild). The subject of this post ready "Bild pays curious onlookers and voyeurs".
In addition Bild does hardly any additional background checking and verification of images which leads to the publication of other people's intellectual property, funny images found everywhere on the internet, screen grabs of TV shows or sometimes even resubmissions of images previously featured in Bild with different captions. Unless Yahoo and Reuters get their fact checking straight this might have a higher signal to noise ratio than they'd expect and lots of potential for embarassment as well as lawsuits.
Why is America so damn currupt? I mean, what kind of threat does the RIAA see in a simple Russian web site, hosted in Russia, operated in Russia and completely legal over there that they are so intimidated to fucking *lobby* your government into forcing Russia to sign a contract that explicitly states the closing of this web site. Remember, we're not talking about one of the many business contracts between Russia and the US but rather conditions to their application to the World Trade Organization. The World Trade Association! This is so absurd I can't possibly believe this.
AllOfMP3.com made me purchase music for $45 within two months which is exactly $45 more than what I have spent over the last couple of years. They offer exactly what I want in the format I want for a price I find highly attractive. The RIAA is not even losing money on this since they could just have applied for their fair share of the profits by filling out a form or two at the Russian broadcasting association. Now that it will be shut down they very likely won't see a cent from me again for a long time.
What pisses me off the most is the fact that I am not even an American. Why exactly do *I* have to suffer from your style of government where you apparently can purchase politicians for a dime a dozen? I couldn't even write a letter to your senators or congressmen since a vote is all that they care for and I can not cast a vote in your country.
At least there appears to be a loop hole: Apart vom closing allofmp3.com and generally limiting piracy there is no mention of actual business names or concepts. What would prevent the allofm3.com team from opening a similar business once Russia is member of the WTO? Russia could argue that allofmp3.com is down as stated in the contract and moreofmp3.com is a legal Russian business.
I'm into sexology as a hobby and have researched lots of fetishes and uncommon preferences over the years (and am well aware that nobody's going to believe me). There's many sites out there involving all kinds of "youth" fetish. The objectionable content - if legal - is most likely one of those:
- Very young, just turned 18: boring hardcore with models who just became legal. - Impersonated minor: Adult women with phyiscal traits similar to underage girls (very small breasts, petite figure, no pubic hair) clothed like a little girl and "cute" hair style (pony tail etc.). Most of this is is hardcore and usually involves role playing (incest, innocence, etc.) - Real Lolita and Naturalism: This really borders pedophile erotica. Girls and young women, undressed, playing at the beach, at nudist camps etc etc. As long as this does not imply any eroticism in itself it is legal, since depicting nudity without apparent sexual background is legal at any age.
By the way, lusting for a fully developed 17 year-old is definitely not pedophilia, as pedophilia involves sexual undevelopment. What you describe is rather ephebophilia.
Also, by spreading static content across four different hostnames, site operators can achieve dramatic improvements in perceived performance.
I've worked with heavily loaded servers that serve many pictures per page and can confirm that this does decrease perceived load time, but it does have its drawbacks. Pushing the concurrent browser requests to num_hostnames * browser_default on the same physical host, you'll have to increase the maximum concurrent requests of your web server, which can badly increase system load and lead to easy slashdotting situations. Only do this if you can modify those settings, know what your server is capable of and are not limited by bandwidth as this can also quickly fill your tubes. And as the article states: only do this with small objects or you might be under heavy load in no time.
8. Investigators were at Oktoberfest the day they taught pre Windows XP forensics.
Against common American belief, Bavaria is not part of Austria. That's Germany you're thinking of. I want to make it clear that our police force does *not* require special events to get drunk.
It actually is. It's just picky who it calls its friend, which in my opinion is a good thing.
> [...] or the installer will dump core.
I prefer this to a message box which kindly informs me that "Error -178" has happened without further details. I also once tried to get an iPod working on Windows on a friend's computer. I have very extensive Windows troubleshooting experience but after 6 hours of troubleshooting still could not figure out the problem. A reinstall mysteriously helped. Long story short, when things fail my operating system allows me to deeply trouble shoot every aspect of it. When the shit hits the fan I want to be able to open the fan to remove the mess.
I'm a student at the University of Technology in Vienna, Austria. Since we're lots of students it wouldn't be feasible grading the assignments of a few hundred people by hand.
Some courses use an online grading facility where students just log in, submit their assignments over a web interface and receive an email how they scored. Some other courses give you a shell account on a UNIX box. Your programs are expected to compile in this environment and you can submit subdirectories of your home directory using tools they have written themselves. This concept is used from simple java classes in Inruduction to Programming to simulated CORBA stock trading clients and servers in Distributed Systems.
As far as I have seen everything behind the scenes is fully automated. Some systems just run your class in a sandbox with a java security manager, feed the application several test inputs, compare the output and error handling to the specifications of the assignment and assign scores based on that. Others invoke your classes via Reflection and run about 20 - 50 JUnit test cases against some components as well as the entire application. You get an email with simple descriptions of the test cases, whether the specific test case went through OK or failed and if available exceptions that were triggered.
As for cheating: they used different test cases all the time, some were to some extent randomized so that static output wouldn't work. They also use similarity checking tools to find suspiciously similar submissions and asked students whose submissions got flagged to come and explain the code to them (afair there was a discussion about such similarity checking tools on ask slashdot not too long ago). The tests of such courses contain simple questions about the environment and tools they should have used to see whether they have written the code themselves.
I'd recommend you to write such an automated grading tools yourself. It shouldn't take more than some simple JUnit tests and a bit of perl code to set up a clean environment, run the tests, evaluate the results and write them to a database. Just don't forget to set up a java security manager so that nothing can compromise the test environment and restore any resources like files and databases the submissions have to access to their default state in case someone screwed up. Or you could do it the academic way and get grad students to do all the work.
I know nobody is going to actually read this and that complementing the editors is against the group-think, but still: a big thank you to Roblimo, Billy West, Kevin Day and the people who posted the questions. I really enjoyed reading this interview.
I recently asked Akamai about a streaming solution that was to happen at the same time of the WM. I could only discuss a completely hypothetical scenario that according to them would have used a few hundred TB of traffic. They said even though elevated traffic levels it wouldn't be a problem.
The only issues I can see would be saturated pipes of ISPs that oversold their available bandwidth and didn't prepare for major Internet events. All major upstream providers and content delivery networks should already have taken this into consideration and be prepared for the burst usage.
Either that or hordes of geeks leaving the basement to declare jihad on all those infidels abusing their precious bandwith for non-science-fiction or porn related activities.
I have made really good experiences with Thermaltake cases, especially their Armor and Kandalf series. Good quality, easy to use and with lots of handy features. It's also easy to do some custom modding like water cooling and passive cooling as well as cutting out parts of the case because they have lots of space and are damn stable.
Their only real disadvantage is their weight. Many people forget to consider that a ~19 kg (40 pound, empty) case isn't exactly easy to take to LAN parties. Though with that weight comes a high degree of robustness that has often shown to be very valuable.
About two years ago being a Gentoo user I tried FreeBSD and never went back. Everything just works very nicely. It worked right "out of the box" but unlike many Linux distributions that are considered easy to use it doesn't abstract away too many things from the user so I can still implement my own changes without any hassle.
Installing GNOME or KDE is already possible and is actually quite trivial. What TFA is really talking about is implementing all the extra stuff that makes life a little easier like hald that's required for GNOME or KDE to autodetect hardware. Things like automatic detection of USB devices already exist and work great in FreeBSD, it's just not compatible to what KDE and GNOME require.
The big question is: can it be used to not only fix scarred tissue but also the issues of chronic heart diseases, for example enlarged hearts? There's many, many people with chronic diseases who urgently need some kind of replacement heart or way to fix them up as soon as possible.
I know somebody who is one of the leading psychologists researching compliance and quality of life pre-op and post-op of heart transplant patients. I also know many patients myself and hope this method will be able to help many of them.
Right now if your heart is "broken" transplantation is often your only chance to survive. The big issue as the article stated is the long time before a fitting heart is available to the patient and many people die on the waiting list. And I'm not talking about days or weeks - it can take some years before you get a new heart and even then it might be rejected by your body and will have to be removed.
Many patients will receive an artificial hart ( essentially a small pump inside of you with tubes leading to a small constantly ticking device outside of your body ). As cool as it might sound to geeks it's not too pleasant having to be near a power outlet all of the time or your heart might run out of battery. And because it's a mechanical device it also damages your blood cells. This is the best working method right now because before artificial hearts people had to endure living with a damaged heart for years, which is a very devastating experience ( imagine being out of breath for minutes because you just stood up from a chair ).
A lot of research has already gone into this and there are already many known possible methods ( for instance genetically modified pig hearts that could be implanted into humans ) any many new to come. What's really needed though is a working replacement for your heart made out of your own stem cells so people won't have rejection issues and have to take immunesuppressives for the rest of their lives making them prone to infections.
By the way, there's noting as satisfying as a 50 year old guy you got to know as a broken man who could hardly talk and being completely exhausted just from sitting showing you his new daughter with his wife who he impregnated shortly after his transplant. He had to wait for a new heart for way over a year and was very close to death but I'd say it was worth it.
They started off being cheaper than Intel at comparable quality and pricing to achieve decent brand recognition and market penetration. Then they ignored the clock speed war for some time while Intel was still only focused on clock speed and couldn't change their production easily. Using this advantage AMD beat Intel to 64bit processors, quality and pricing AND continued the clock speed war naming their processors so that they appear to be clock rates ( AMD 64 3200+ etc. ).
I actually don't understand how until now Intel could sustain all of AMD's pressure except for marketing and lobbying, since for some time now AMD processors are faster, cheaper, support 32 and 64 bit natively ( and gain performance by their 64bit design even in native 32bit mode ) AND are way cooler, more silent and energy efficient than most - not all I must add - Intel processors.
No, I'm not a drooling fanboy. Until about two years ago I was a pentium customer. I'd switch any time if Intel managed to produce a processor that's cheap, performant and does not require ex[t|p]ensive cooling to achieve said performance under stress load because it's already close to melting ( 70C, 158F ) when idle.
Slashdot Mirror
Can confirm at least freezing (no segfault yet) on OOo 2.0.3 on FreeBSD
Instead of changing concepts midway through they have added security layers and APIs that need to be *explicitly* set - meaning that like Windows (was?) they have a policy of being open per default and having to be explicitly made secure, instead of closed by default and enabling only what you need.
That's what I think Stefan Esser means when he says "safer from the inside". Many things in PHP are inherently flawed and can only be remedied through changes in concept and nothing else.
Add to that stuff like $GLOBALS overwrite (more details here) that are/were essentially a WONTFIX. No wonder Essner is getting frustrated.
And I just started emerging it on Gentoo 2 months ago...
The only thing I can think of right now would be JBoss Portal ( http://www.jboss.org/products/jbossportal ). It doesn't have many of those fancy features but should be easily extensible.
If you see this and ponder buying this card for your game servers first try optimizing the Linux kernel. 1000 Hz ticks, big kernel lock preemption and other latency patches actually does wonders to ping times (and I do not mean ICMP echo or similar but ping packets answered by the game) and latency.
Many games have their own interesting capabilities for performance tuning. For instance Counter Strike 1.6 has the -pingboost setting which will switch between select() and alert() syscalls (10 ms reduction) or processing a frame for every packet. Other games have similar tuning options that will enhance performance. Then there's also tuning your network settings.
By the way, as far as I remember this Killer NIC is just some kind of offload engine. How *exactly* does this increase performance when most game specific packets are simple UDP packets that performance-wise are not as demanding as TCP packets (less checksums, no window scaling and other options easily tunable etc.)?
In addition Bild does hardly any additional background checking and verification of images which leads to the publication of other people's intellectual property, funny images found everywhere on the internet, screen grabs of TV shows or sometimes even resubmissions of images previously featured in Bild with different captions. Unless Yahoo and Reuters get their fact checking straight this might have a higher signal to noise ratio than they'd expect and lots of potential for embarassment as well as lawsuits.
Why is America so damn currupt? I mean, what kind of threat does the RIAA see in a simple Russian web site, hosted in Russia, operated in Russia and completely legal over there that they are so intimidated to fucking *lobby* your government into forcing Russia to sign a contract that explicitly states the closing of this web site. Remember, we're not talking about one of the many business contracts between Russia and the US but rather conditions to their application to the World Trade Organization. The World Trade Association! This is so absurd I can't possibly believe this.
AllOfMP3.com made me purchase music for $45 within two months which is exactly $45 more than what I have spent over the last couple of years. They offer exactly what I want in the format I want for a price I find highly attractive. The RIAA is not even losing money on this since they could just have applied for their fair share of the profits by filling out a form or two at the Russian broadcasting association. Now that it will be shut down they very likely won't see a cent from me again for a long time.
What pisses me off the most is the fact that I am not even an American. Why exactly do *I* have to suffer from your style of government where you apparently can purchase politicians for a dime a dozen? I couldn't even write a letter to your senators or congressmen since a vote is all that they care for and I can not cast a vote in your country.
At least there appears to be a loop hole: Apart vom closing allofmp3.com and generally limiting piracy there is no mention of actual business names or concepts. What would prevent the allofm3.com team from opening a similar business once Russia is member of the WTO? Russia could argue that allofmp3.com is down as stated in the contract and moreofmp3.com is a legal Russian business.
I have checked out his source code. There is an SQL injection attack that lets everybody assume every user's identity!
And this is why you DO NOT post all your information to an untrusted site. QED.
I'm into sexology as a hobby and have researched lots of fetishes and uncommon preferences over the years (and am well aware that nobody's going to believe me). There's many sites out there involving all kinds of "youth" fetish. The objectionable content - if legal - is most likely one of those:
- Very young, just turned 18: boring hardcore with models who just became legal.
- Impersonated minor: Adult women with phyiscal traits similar to underage girls (very small breasts, petite figure, no pubic hair) clothed like a little girl and "cute" hair style (pony tail etc.). Most of this is is hardcore and usually involves role playing (incest, innocence, etc.)
- Real Lolita and Naturalism: This really borders pedophile erotica. Girls and young women, undressed, playing at the beach, at nudist camps etc etc. As long as this does not imply any eroticism in itself it is legal, since depicting nudity without apparent sexual background is legal at any age.
By the way, lusting for a fully developed 17 year-old is definitely not pedophilia, as pedophilia involves sexual undevelopment. What you describe is rather ephebophilia.
I've worked with heavily loaded servers that serve many pictures per page and can confirm that this does decrease perceived load time, but it does have its drawbacks. Pushing the concurrent browser requests to num_hostnames * browser_default on the same physical host, you'll have to increase the maximum concurrent requests of your web server, which can badly increase system load and lead to easy slashdotting situations. Only do this if you can modify those settings, know what your server is capable of and are not limited by bandwidth as this can also quickly fill your tubes. And as the article states: only do this with small objects or you might be under heavy load in no time.
http://www.infoq.com/errorna.jsp?path=%3Ca%20href= %22test%22%3Esddsfsdf%3C/a%3E
:)
Check your input
Against common American belief, Bavaria is not part of Austria. That's Germany you're thinking of. I want to make it clear that our police force does *not* require special events to get drunk.
Virtually. As in not really.
> Linux is *not* user friendly
It actually is. It's just picky who it calls its friend, which in my opinion is a good thing.
> [...] or the installer will dump core.
I prefer this to a message box which kindly informs me that "Error -178" has happened without further details. I also once tried to get an iPod working on Windows on a friend's computer. I have very extensive Windows troubleshooting experience but after 6 hours of troubleshooting still could not figure out the problem. A reinstall mysteriously helped. Long story short, when things fail my operating system allows me to deeply trouble shoot every aspect of it. When the shit hits the fan I want to be able to open the fan to remove the mess.
I'm a student at the University of Technology in Vienna, Austria. Since we're lots of students it wouldn't be feasible grading the assignments of a few hundred people by hand.
Some courses use an online grading facility where students just log in, submit their assignments over a web interface and receive an email how they scored. Some other courses give you a shell account on a UNIX box. Your programs are expected to compile in this environment and you can submit subdirectories of your home directory using tools they have written themselves. This concept is used from simple java classes in Inruduction to Programming to simulated CORBA stock trading clients and servers in Distributed Systems.
As far as I have seen everything behind the scenes is fully automated. Some systems just run your class in a sandbox with a java security manager, feed the application several test inputs, compare the output and error handling to the specifications of the assignment and assign scores based on that. Others invoke your classes via Reflection and run about 20 - 50 JUnit test cases against some components as well as the entire application. You get an email with simple descriptions of the test cases, whether the specific test case went through OK or failed and if available exceptions that were triggered.
As for cheating: they used different test cases all the time, some were to some extent randomized so that static output wouldn't work. They also use similarity checking tools to find suspiciously similar submissions and asked students whose submissions got flagged to come and explain the code to them (afair there was a discussion about such similarity checking tools on ask slashdot not too long ago). The tests of such courses contain simple questions about the environment and tools they should have used to see whether they have written the code themselves.
I'd recommend you to write such an automated grading tools yourself. It shouldn't take more than some simple JUnit tests and a bit of perl code to set up a clean environment, run the tests, evaluate the results and write them to a database. Just don't forget to set up a java security manager so that nothing can compromise the test environment and restore any resources like files and databases the submissions have to access to their default state in case someone screwed up. Or you could do it the academic way and get grad students to do all the work.
I know nobody is going to actually read this and that complementing the editors is against the group-think, but still: a big thank you to Roblimo, Billy West, Kevin Day and the people who posted the questions. I really enjoyed reading this interview.
- mike
Ajax n : a mythical Greek hero; a warrior who fought against Troy in the Iliad
Now you'd just have to tell your visitors why according to your dictionary a Greek hero can help me looking up words...
The only issues I can see would be saturated pipes of ISPs that oversold their available bandwidth and didn't prepare for major Internet events. All major upstream providers and content delivery networks should already have taken this into consideration and be prepared for the burst usage.
Either that or hordes of geeks leaving the basement to declare jihad on all those infidels abusing their precious bandwith for non-science-fiction or porn related activities.
Their only real disadvantage is their weight. Many people forget to consider that a ~19 kg (40 pound, empty) case isn't exactly easy to take to LAN parties. Though with that weight comes a high degree of robustness that has often shown to be very valuable.
About two years ago being a Gentoo user I tried FreeBSD and never went back. Everything just works very nicely. It worked right "out of the box" but unlike many Linux distributions that are considered easy to use it doesn't abstract away too many things from the user so I can still implement my own changes without any hassle.
Installing GNOME or KDE is already possible and is actually quite trivial. What TFA is really talking about is implementing all the extra stuff that makes life a little easier like hald that's required for GNOME or KDE to autodetect hardware. Things like automatic detection of USB devices already exist and work great in FreeBSD, it's just not compatible to what KDE and GNOME require.
The big question is: can it be used to not only fix scarred tissue but also the issues of chronic heart diseases, for example enlarged hearts? There's many, many people with chronic diseases who urgently need some kind of replacement heart or way to fix them up as soon as possible.
I know somebody who is one of the leading psychologists researching compliance and quality of life pre-op and post-op of heart transplant patients. I also know many patients myself and hope this method will be able to help many of them.
Right now if your heart is "broken" transplantation is often your only chance to survive. The big issue as the article stated is the long time before a fitting heart is available to the patient and many people die on the waiting list. And I'm not talking about days or weeks - it can take some years before you get a new heart and even then it might be rejected by your body and will have to be removed.
Many patients will receive an artificial hart ( essentially a small pump inside of you with tubes leading to a small constantly ticking device outside of your body ). As cool as it might sound to geeks it's not too pleasant having to be near a power outlet all of the time or your heart might run out of battery. And because it's a mechanical device it also damages your blood cells. This is the best working method right now because before artificial hearts people had to endure living with a damaged heart for years, which is a very devastating experience ( imagine being out of breath for minutes because you just stood up from a chair ).
A lot of research has already gone into this and there are already many known possible methods ( for instance genetically modified pig hearts that could be implanted into humans ) any many new to come. What's really needed though is a working replacement for your heart made out of your own stem cells so people won't have rejection issues and have to take immunesuppressives for the rest of their lives making them prone to infections.
By the way, there's noting as satisfying as a 50 year old guy you got to know as a broken man who could hardly talk and being completely exhausted just from sitting showing you his new daughter with his wife who he impregnated shortly after his transplant. He had to wait for a new heart for way over a year and was very close to death but I'd say it was worth it.
I especially like AMD's strategy.
They started off being cheaper than Intel at comparable quality and pricing to achieve decent brand recognition and market penetration. Then they ignored the clock speed war for some time while Intel was still only focused on clock speed and couldn't change their production easily. Using this advantage AMD beat Intel to 64bit processors, quality and pricing AND continued the clock speed war naming their processors so that they appear to be clock rates ( AMD 64 3200+ etc. ).
I actually don't understand how until now Intel could sustain all of AMD's pressure except for marketing and lobbying, since for some time now AMD processors are faster, cheaper, support 32 and 64 bit natively ( and gain performance by their 64bit design even in native 32bit mode ) AND are way cooler, more silent and energy efficient than most - not all I must add - Intel processors.
No, I'm not a drooling fanboy. Until about two years ago I was a pentium customer. I'd switch any time if Intel managed to produce a processor that's cheap, performant and does not require ex[t|p]ensive cooling to achieve said performance under stress load because it's already close to melting ( 70C, 158F ) when idle.
This time the small box is white instead of black.