The Session ID attacks: does anyone have a provable incident where someone exploited a session from Site A to act as a user on Site B?
My understanding has always been this was a hypothetical set of attacks.
None of the problems you list on your site are that extreme. In point of fact, I use almost none of them (for example, I have my own function for XML parsing, probably a leftover habit from every other language where parsing was my problem). Every language has its issues (buffer overruns, too much file system access, etc.).
People tell me this is why I graduated with a 3.5 instead of a 4.0. So much for two degrees getting me any respect, bastards.
I dunno. I never got deep into the exam fear thing. I figure, if you pissed away the semester that badly (or the material just whistled right over your head) then exam time is really too late to do anything about it.
Rest, fun and relaxation usually did the trick for me. I have a long history of acing big exams, and I generally lowered my effort and workload in order to pull it off.
One of the biggest achievements of modern science was placing a clear threshold of evidence before anything became Big Time Stuff.
String Theory is a regression to the ancient Greek disdain for handling instruments and tools. Surprise, it has thrown physics back to about the pace of discovery the Greeks kept, too.
You can theorize until the cows come home... in the end, prove it.
String Theory isn't just bad in and of itself. It is bad because of the mentality it fosters: the notion that it is acceptable for science to be based on mathematical models that are based on other mathematical models and so forth.
Science isn't science until the rubber meets the road.
The main fault of PHP is that it lowers the educational cost of entry to the point that incompetent people can build functional but insecure code.
It's not PHP's fault. As a language it is more than capable of delivering security and stability. It just happens to not be idiot-proof while being quite idiot-accessible.
In that regard, its existence is no worse than the number of Windows machines running right now. Or for that matter, how many apps have been coded in Visual BASIC?
I've done C++, Perl and some Tomcat stuff... On the whole, it has been more worthwhile to take the time committed to those approaches and re-apply it tightening up PHP code.
Now, that's a huge qualifier, I admit -- a lot of noobs aren't going to commit that time.
But, I think it's not necessarily the right characterization to blame a language for empowering stupid people. It's right to blame the stupid people.
One might think that if the matter were this serious, the police would do their job right. Because, maybe I'm high, but I'm pretty sure the librarian did her job right.
I fall down on the side of the original posting. Odds are, if he's like a lot of hardcore geeks, this IS what he used to do when he was bored.
And, if he is like some geeks, it's hard as hell or else just not interesting to do 90% of the stuff you listed.
I don't give a shit for dancing, because I think it's a useless expenditure of time. I've done horribly in relationships, because I think it's all useless emotional blackmail.
The "see a movie" advice is plain bad -- a good movie hasn't been released in years.
Arguably, coding is useless too, but it happens to be one of the useless things I can focus on and enjoy. I'd be surprised if this guy doesn't feel the same.
If that's the case, then I'd offer the company doesn't value you enough to make joining a startup worth the effort.
A startup is a very tricky business, and a type you can only participate in for a very narrow window of your career.
It means that your situation needs to match the company and vice-versa.
If they don't see the match as that important, then that's life. In that scenario, you're no better than the guy pulling French Fries out of the vat at McDonald's. So, the lesson is if you're not a primary, be very wary of participating in a start-up that may require a great deal of your time.
Sorry, but in all seriousness, this is a mentality the average worker hasn't displayed in 30 years.
The market is dynamic in the U.S. In other words: we hire and fire like it's nothing. Didn't Slashdot the other day link to an article discussing this effect in the U.S. economy and its positive value?
As 1/4 of the business at the time, you should have demanded at least 1/4 of the business.
Taking pay at a startup is the easy way out. And I guarantee you it's why your employers didn't feel bad about letting you go -- they assumed the risks, you took a steady paycheck.
When I started my business, I offered a friend of mine who does graphics work for me the chance to get in on the ground level. He took a pass, and instead took pay. Now he bitches that he doesn't have a say in things.
Guess what? Tough shit.
That paycheck is a huge thing for a startup to fork over. It is money that could have been saved and risk that could have been transferred.
Surprise. Risk and reward are tight.
You skipped risk. Now rewards skip you.
Wanna protect yourself next time? Take a bigger risk and demand a bigger stake. No paycheck -- get the chunk of the business you feel your work constitutes.
1. Out of the box, decent browser support for non-square shapes without work-arounds. In the case of IE, any support at all would do. In the case of Firefox, cleaner support (particularly anti-aliasing), plus a wider range of shapes (nothing against rounded corners).
2. Proper support from IE for PNG transparency, or an equivalent format that everyone can accept. No workarounds. The ability to do 24-bit color layers with alpha would be a huge leap forward in design. In fact, it looks damned good when done in Firefox.
These are the two things that make me shake my head. PNG support, because it's just MS being stubborn and dumb. The non-square thing because I'm not sure how long designers have to develop workarounds before the industry just makes the workarounds out-of-the-box features.
More seriously, I just think that 3-D is overkill from a presentation standpoint.
Very few ideas ever really make good use of 3-D to convey new forms of meaning that 2-D cannot convey.
But, I'm still smarting about the flying cars -- promises were made, dagnabbit. Nearly a century of promises. Sure, they were promises made by old silent films, and cartoon characters, and really bored "futurists", and the flying car lobby... But... dammit. Promises were made, I tell ya.
"Scrubbing user data is important, but is what the whole thing hinges on?"
I overemphasized that aspect, because that is the origin of a great deal of FUD.
In fairness, a well-scrubbed, poorly performing PHP program can be salvaged with brute force (better servers). A poorly scrubbed, well performing PHP program cannot because it is open to hacking.
Admittedly, in the first scenario, you still eventually have to confront cost. But, a lot of organizations will gladly pay that cost in order to avoid a discussion of programming your way out of the problem.
At the end of the day, good PHP code hinges on writing a good script to scrub all your GETs and POSTs.
Hell, I worked with a kid who had math and CS degrees (I hold two degrees, but neither degree is math or CS) and he littered his code with magic quotes.
The problem is that PHP is left in the wilderness. It's easy to learn, but too powerful to wield. But the C++ers talk it down, so there aren't enough people teaching the right way to use it.
PHP can be brilliant. It can also be a portal into hell.
But, ultimately, empowering new entries into the industry requires that we educate, not intimidate, them.
Had the government finished SkyNet on time. Dammit.
I'm not averse to this notion any more than accepting that SF, CA needs to be rebuilt when bad things happen there, too.
When those unaborted kids get old enough to commit crimes, the Governor in 20 years can blame the crimes on video games.
At what point do the people of Louisiana stop and ask, "What are these jokers wasting our time and our dollars doing?"
Also ... does Apple have an underground robotics program? Because odds are that's where MS found the idea.
Some day Steve Jobs is going to be pissed. "Their Portable Artificial Assistant Machine looks suspiciously like our iRobot!"
One electrical short and your MS Bender does nothing but lounge around and drink beer all day.
We're screwed either way, because the telecoms are hellbent on dragging their feet.
No regulation is going to make them stop.
I'm all for neutrality, but if the service providers choose to be assholes, there isn't a good means to stop them.
The government needs the telecoms (to spy on us) more than they need any of us or our votes (thanks to Diebold).
It would serve no practical purpose, but it would be funny to do.
Is that the NYT now cares about any "open" anything. In 20 more years, they might even vaguely get the concept.
This is what the guy likes. Give him a break.
They had to be one of the 15 republics that broke off from the former Soviet Union.
Or perhaps that's the Commonwealth of Independent States.
Oh, hell! No one cares when some geezer drives a non-flying car through a market. It's no big deal. Society will adjust.
It's time that we draw a line in the sand: no further development on the 3D browser until a commercially viable flying car hits the market.
Some people pay twice as much and get half the speed because they're too far out.
It's stupid, and Verizon does very little to fix it.
There is no reason to believe they will do a better job with handling bandwidth across their entire system.
Goddammit. It's just a bunch of geeks.