Parent makes a good point. We need infrastructure upgrades either way -- wind or nuclear. The thing is, conventional nuclear is here today, and mini nuclear is just about ready to go. Either has substantially better near-term carbon-reduction potential than anything else. Beyond the initial carbon savings that come directly from power manufacturing, given some grid investment and a surge in nuclear output, fully electric cars would actually be practical much sooner than is the case now.
If catastrophic, carbon-fueled global warming is seriously an imminent reality, I don't get why "...Environmentalists are not happy with the President's new trend" on mini-nuclear reactors (as this article asserts, anyway). If environmentalists were clamoring for nuclear power, I would probably believe that they believed catastrophic, carbon-fueled man-made global warming was real. As it stands, I can only think that those who actively oppose nuclear power don't really think so.
Space, via railgun.
The Journal of Aerospace Engineering has a recent abstract for a space rail gun.
[...]The estimations and computations show the possibility of making this project a reality in a short period of time (for payloads which can tolerate high g-forces). The launch will be very cheap at a projected cost of $3 - $5 per pound.
If we could send it into the sun, that might quiet the critics who would otherwise say, "but you're polluting space!"
I've finally come to the opinion that locking is unnecessarily expensive, and doesn't tend to enhance collision handling capabilities beyond a simple concurrency timestamp check.
The poster really only needs to answer one question: What should happen when a user attempts to save a record that another user has modified? There are only so many options: (1) Reject the change and warn, or accept the change silently, or accept the change with a warning, then (2) refresh the data silently, or warn about losing changes and optionally refresh the data, or refresh to a shadow copy and offer merge possibilities.
The pattern I use in my own ORM tools is to simply reject and warn when a user attempts to save a stale object (as determined by the concurrency timestamp which is part of every object's state). Then it's up to the implementer to warn about losing changes, optionally refresh the data, and finally offer merge possibilities when the amount of potentially lost work is significant. It's easy, it scales, and it doesn't leave orphan locks.
The unspoken question is, why not design a user workflow that avoids synchronization issues instead of contriving Rube Goldbergesque concurrency schemes to handle them?
I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.
Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/.
This is probably the most important (and most likely to be overlooked) point in the whole issue. Artists cannot opt-out. Even artists who have never heard of SoundExchange and have never received a check *from* them are generating revenue *for* them.
This might just be a good issue around which to construct a test case for the judicial system. With good legal counsel close at hand, create a station which exclusively plays content that is offered under a suitably free license (http://openmusic.linuxtag.org/, http://www.danosongs.com/, insert your better suggestion ___ here), or where your station has a separate agreement with the artist, or where the artist is not receiving royalties from SoundExchange (and perhaps thinks he/she should be on the basis that SE has collected them from broadcasters).
Publicize, grow, attract attention belligerently.
SoundExchange *seems* to claim to represent all of these scenarios under the "no opting out" doctrine. There is no music "outside of their catalog" as they have no catalog, just an "all your music are belong to us" clause.
In the first two cases, open licenses and individual agreements *should* trump SE's doctrine. If so, then it's time to set about creating a clearinghouse method for mass producing "individual" agreements.
In the third case, SE is ripping off artists in a sense, and shouldn't be able to get away with it. Many small indie artists haven't a clue about SE or how to get royalties from them. Yet SE *keeps* royalties for artists who don't know how to claim them. Existing under a "no opt out" charter is reason enough that the onus should be on SE to notify artists & rightsholders of royalties they have coming.
[...] Still a pretty good savings, until everyone has one of these and the cost of electricity doubles. Too bad the greens don't want us building any more power plants.
Some Cap-and-Trade type legislation will probably double the cost of electricity long before everyone has one of these; at present, you can't really make any reliable long-term ROI calculations having energy costs as a large variable.
Too bad, too... this is one delicious car, and the first non-conventional powertrain I'd actually consider buying. Great job by Tesla; they hit just about every note I personally want in a full-size sedan (an unfortunately neglected market segment for green-power/clean-power vehicles).
To commit to a vehicle like this though, I'd need a world with long-term, ubiquitous, relatively cheap electricity (clean would be nice too), and with all the political incentives right now favoring scarce, dirty electricity (politicians and bureaucrats can print currency around and profit better from that commodity), I'm a little too risk-averse to make such a gamble.
Granting all your arguments for the sake of argument, what would be the limiting factor against this annexing power? In my experience, the further the power center gets away from the individual, the less responsive it is to individual needs. It may be that this is a good thing in your view... that the individual should subordinate his or her individual needs to the needs of society at large. In the current state of affairs, the limiting factor is the inconvenience of moving; if a city's fiscal penalties to its residents (compared to surrounding jurisdictions) aren't sufficiently harmful to overcome the costs of uprooting & moving, then the residents will endure them. If they are, then the city will have to take notice and take corresponding steps to lure residents back. These same factors apply at a lesser scale to the act of making a purchase, e.g. gas, cigarettes, automobiles and such.
I tend to think that cities often create the conditions that lead to crappy schools, higher unemployment, and higher unit taxes despite a higher population density (and thus presumably better economy of scale). I guess I'm wondering why you think it is that a large city as a system unto itself couldn't blow the doors off a nearby suburb (also as a system unto itself). As a city grows, if it's governed as you envision, shouldn't people want to move into it rather than away from it?
Perhaps North Carolina is upset because local business are closing due to the tax disparity?
Chicago infamously addressed an automobile tax disparity by forcing suburban car dealerships to collect City taxes. City dwellers could no longer escape the inordinate tax by buying in the suburbs; Chicago argued that place of residence, not place of purchase, determined the sales tax. Except, that is, for suburban dwellers who might have bought a car in the city. For them, it was the other way around. Now they're trying the same thing with *all* car rentals in the entire 6-county suburban area. (They *might* be driven into the city at some point, don'tcha know.)
Mightn't NC address the tax disparity by competing with the surrounding tax environment, or by using residence-based sources like real-estate taxes to shore up their shortfalls? People often feel it's their right to seek relief from (what they feel are) unfair or inordinate taxes by not purchasing in that jurisdiction. Without such competitive pressure, there is insufficient drive for any kind of fiscal responsibility by governments (though if you know of a better way to incent governments to efficiency, please share; I personally trust neither corporate leaders nor government leaders to innately have my financial best interests at heart). At any rate, if jurisdictions can start taxing beyond their boundaries left and right, we might as well just turn governing over to Bernie Madoff or Enron or Halliburton. At least then we'll know there's going to be a-screwin' coming our way.
Unfortunately, Amazon probably needed to demonstrate how serious they were, or NC might well have called their "bluff," leaving the affiliates out in the cold for much longer, if not permanently. Once some government erects a new law / regulation / tax / bureaucracy / program, it's harder to get rid of than mildew.
In fact, these things really are quite like an aggressive mildew. Do nothing, and they grow, advance, and encroach on your clean space. Work really really diligently and consistently, and you can sometimes beat them back to manageable levels. But get a little lazy once or twice, and boom... they're ba-ack, worse than ever.
If Amazon had merely warned their affiliates, there would be a big "yeah, right" factor on the affiliates' parts, and a big "yeah, right" factor on the legislators' parts. The tax might well pass, and Amazon's negotiating position would become that much weaker. Amazon *needs* big numbers of pissed off people -- really pissed off right this minute people -- to beat this thing. People who are merely imagining being pissed off in some potential future just don't act. Legislators need to see a thunderstorm, not a possible drizzle advisory; a storm of phone calls, not a flurry of tweets and a new Facebook group called "stop the tax."
With private economies shrinking but public spending expanding most everywhere, we are going to see more egregious tax grab strategies popping up more and more often over the coming months and years. The ones who don't get their pockets picked clean will be the ones who get brutal, or have someone get brutal on their behalf as Amazon did in this case.
She did, but the computers appeared as children & the police appeared as clowns in her dream, so she sent Scanlon on a wild goose chase through the carnival next to the day-care center.
Cable contracts aside, you'd think there'd have to be a revenue disparity for the network between ads aired on TV and those shown on Hulu or similar sites. Slashdotters might be ready to dump cable for online video options, but it's going to be a few years yet before the average Joe even has a PC hooked up to his TV.
On network TV, 30-second prime time ad slots can run $100K, $300K, $700K if you have a juggernaut show. From what I can gather, the CPMs run in the $12 - $25 range. I hear a 30-second slot on Hulu might yield $25 - $35 per thousand views. If my quick search results are remotely accurate, the question becomes one of revenue share.
How much of Hulu's CPMs do the keep, and how much do they pass on to the networks? I'd really be interested in the per-viewer economics of the different distribution channels from the networks' perspective.
True, but it'll take a really slow news year before anything DRM-related has people lining up in sufficient numbers to make politicians notice. I can't get a family member who *lost* all their DRMd music to care enough to change buying habits.
I wish some issues were as important in society as they are on/., but alas, such is not the case.
I'm honestly wondering whether it's you or reality that is so hilarious here. If the latter, I would hope that coffee a-plenty was spat upon the nearest conference table when that finding was delivered.
(If the former, then congrats on one of the best-crafted one-sentence tales I've seen in a long time...)
True 'nuff; the approach would simply cut the probability of a bot/botnet passing through the CAPTCHA at a usable rate. No sophistimacated algae-rhythm that I know of yet will effectively distinguish between malicious and benign humans.
That's a good start, but I'm not convinced that simple automation is dead here. This doesn't seem that difficult to me. I've put up live forms that have invalidated 100% of bot submissions, even without CAPTCHA. Granted, impressions are only in the tens of thousands, but still, *combined* with CAPTCHA, a few simple principles ought to suffice, even against concerted, distributed attacks:
0) Obviously, limit submission attempts per session to a humanly achievable rate. Sticky session IDs can be packed into hidden form fields, query strings, cookies, etc.
1) Anything that's worth guarding with a CAPTCHA should require a modern browser (CSS, cookies, javascript, DHTML). In my experience, over half of attempts can be weeded out by using a segregated approach with cookies: user submits -> set some server-encrypted cookie value -> modify value in client-side js -> repost in client-side js -> inspect during next http post.
2) You can still provide accessibility accommodations; just make sure *all* form submissions have frequency limitations that increase in severity with every failed attempt in a single session. What you can't do in cookies or js can still be done in hidden form fields and query string params. For a surprising majority of submissions (i.e. modern browsers or bots trying to imitate them), the simple requirement of a compliant js VM to modify form/cookie/querystring variables before submitting rules out bots right away.
3) For the modern browser version of the form, add numerous honeypot fields; use modern browser techniques to hide them by overlaying them. Making the overlaying element distant from the real one in the DOM tree, and/or add the real element (or all of them, or half of them, or a random assortment) using DHTML.
4) Randomize the IDs & DOM location of both real and honeypot inputs (store a distinguishing hash code or the like in a hidden form field, cookie, or on the query string).
5) Include hidden honeypot CAPTCHA images as well. Observe step 4 here. Also, use large images containing multiple CAPTCHA phrases, and use CSS to crop the image.
6) Vary the obfuscation techniques used in CAPTCHAs, e.g., sometimes fuzzy match on "name the object in the picture" (duck, DUCK, Duck, goose, swan, bird ok, everything else fails), or sometimes use animated gifs and display the challenge progressively instead of in a single frame, or sometimes ask the question in the image and put the answer right there with it! (Cheesy, but that one alone takes most current bots out of the running.)
7) Values in hidden honeypot fields are almost certainly from bots. Ditto for correctly decoded honeypot CAPTCHAs. Log this fact, and record it in a required cookie or hidden form field.
Yes, this is security by obscurity, and it's technically far from foolproof. Still, I would venture that a combination of techniques like this would bring the vast majority of bots' success rates well below the usability threshold. It's not hard to add complexity to a system like this, either. Nor is it hard to accumulate increasingly useful clues as to whether a submission is likely to be human or not.
I need to shut up now; this simple rant is more than enough for a software patent nowadays. Speaking of which, if anyone wants to codify this "method and system of Turing challenge obfuscation," I hereby release the above description under the licensee's choice of either the BSD license, or the "do what the fuck you want" license. Cheers.
That is a very, very good point. Before turning over the data, Google should open up a mechanism for every individual user who so chooses to file an appeal to the dissemination of their personal data.
Whatever Viacom needs to do, they can do sitting at a secure workstation under Google's control, with a network security officer standing over their shoulder at all times, and with logs of every query they run. Whatever data is relevant to their lawsuit they can print out in aggregate form.
Google could run a simple select * or equivalent, changing each name to a guid of some kind. This would allow analysis of all users, per user, if necessary (which is doubtful anyway), without revealing any identifying info.
That's a good point. To take it a step further, does the court order define the scope and format of the data Google must cough up? Do they have to make it easy to use? They could simply export a 2-column file with a pair of GUIDs identifying User:Video-View hits, then appeal ad-infinitum every additional bit of data that Viacom asks for.
"There, we gave you all of our users, along with their video watching data. Have a nice day."
Why do the elderly often resist new ideas today? I figure it's either due to physical changes in the brain, or it's a rational decision that the time invested in learning new stuff wouldn't be worth it since they don't expect to be around much longer.
Well put. I'm in a technical profession, and each passing year my reduces my perception that the "new hotness" is either new or hot. When you get good with a hammer, everything starts to look like a nail, maybe?
Ideally they could obey the robots.txt at the time of archiving, and simultaneously grab a snapshot of the whois record. In the future, new robots.txts would by default only take away previously archived content if the domain hadn't changed hands. This would keep squatters from killing the archive, and the original copyright owner could always actively request removal of content if s/he matched the old whois record (though this would take manpower at archive.org, which is a problem).
Yeah, how exactly do pages go AWOL from archive.org? I've encountered that, plus pages suddenly acquiring META refresh tags (maybe through an external script or iframe?) that redirect to some domain squatter's site now. Extremely annoying. I'm going to have to mess around with wget to see what's in the markup, unless someone can suggest an easier way to get at such content.
Combining a bookmarking / chaching service would be really handy. Furl fits that bill, doesn't it?
With a foreign war going on, energy prices spiraling out of control, a credit crisis in housing, a slumbering real-estate market... why on earth should we tolerate our congress squandering its time and committing scarce government resources to stuff like this? Creating a free stop-loss department for the entertainment industry is *not* a government priority... or at least it shouldn't be. How about we fund NASA, or Fermi, or try to defuse the Social Security time bomb?
People's senators and reps need to know that their votes on this and similar initiatives will inform us about what their priorities are; a vote for this is a vote against [the children|education|science|social security solvency|etc.]
Yes, of course the initiative is just plain wrong, and the reasons why are important too. Congress-critters, though, seem to think in terms more like the above. The governing class most always seems to see expanding government and creating agencies like this as a Good Thing(tm), so philosophical arguments for or against this stuff may not be as digestible to them as simply saying "hey, in political commercials next time around, a Yea vote on this will make you look like you prefer this not-so-popular thing to popular things that are short on funding."
Slashdot Mirror
Parent makes a good point. We need infrastructure upgrades either way -- wind or nuclear. The thing is, conventional nuclear is here today, and mini nuclear is just about ready to go. Either has substantially better near-term carbon-reduction potential than anything else. Beyond the initial carbon savings that come directly from power manufacturing, given some grid investment and a surge in nuclear output, fully electric cars would actually be practical much sooner than is the case now.
If catastrophic, carbon-fueled global warming is seriously an imminent reality, I don't get why "...Environmentalists are not happy with the President's new trend" on mini-nuclear reactors (as this article asserts, anyway). If environmentalists were clamoring for nuclear power, I would probably believe that they believed catastrophic, carbon-fueled man-made global warming was real. As it stands, I can only think that those who actively oppose nuclear power don't really think so.
[...]The estimations and computations show the possibility of making this project a reality in a short period of time (for payloads which can tolerate high g-forces). The launch will be very cheap at a projected cost of $3 - $5 per pound.
If we could send it into the sun, that might quiet the critics who would otherwise say, "but you're polluting space!"
Good points.
I've finally come to the opinion that locking is unnecessarily expensive, and doesn't tend to enhance collision handling capabilities beyond a simple concurrency timestamp check.
The poster really only needs to answer one question: What should happen when a user attempts to save a record that another user has modified? There are only so many options: (1) Reject the change and warn, or accept the change silently, or accept the change with a warning, then (2) refresh the data silently, or warn about losing changes and optionally refresh the data, or refresh to a shadow copy and offer merge possibilities.
The pattern I use in my own ORM tools is to simply reject and warn when a user attempts to save a stale object (as determined by the concurrency timestamp which is part of every object's state). Then it's up to the implementer to warn about losing changes, optionally refresh the data, and finally offer merge possibilities when the amount of potentially lost work is significant. It's easy, it scales, and it doesn't leave orphan locks.
The unspoken question is, why not design a user workflow that avoids synchronization issues instead of contriving Rube Goldbergesque concurrency schemes to handle them?
+1.
I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.
Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/.
This is probably the most important (and most likely to be overlooked) point in the whole issue. Artists cannot opt-out. Even artists who have never heard of SoundExchange and have never received a check *from* them are generating revenue *for* them.
This might just be a good issue around which to construct a test case for the judicial system. With good legal counsel close at hand, create a station which exclusively plays content that is offered under a suitably free license (http://openmusic.linuxtag.org/, http://www.danosongs.com/, insert your better suggestion ___ here), or where your station has a separate agreement with the artist, or where the artist is not receiving royalties from SoundExchange (and perhaps thinks he/she should be on the basis that SE has collected them from broadcasters).
Publicize, grow, attract attention belligerently.
SoundExchange *seems* to claim to represent all of these scenarios under the "no opting out" doctrine. There is no music "outside of their catalog" as they have no catalog, just an "all your music are belong to us" clause.
In the first two cases, open licenses and individual agreements *should* trump SE's doctrine. If so, then it's time to set about creating a clearinghouse method for mass producing "individual" agreements.
In the third case, SE is ripping off artists in a sense, and shouldn't be able to get away with it. Many small indie artists haven't a clue about SE or how to get royalties from them. Yet SE *keeps* royalties for artists who don't know how to claim them. Existing under a "no opt out" charter is reason enough that the onus should be on SE to notify artists & rightsholders of royalties they have coming.
[...] Still a pretty good savings, until everyone has one of these and the cost of electricity doubles. Too bad the greens don't want us building any more power plants.
Some Cap-and-Trade type legislation will probably double the cost of electricity long before everyone has one of these; at present, you can't really make any reliable long-term ROI calculations having energy costs as a large variable. Too bad, too... this is one delicious car, and the first non-conventional powertrain I'd actually consider buying. Great job by Tesla; they hit just about every note I personally want in a full-size sedan (an unfortunately neglected market segment for green-power/clean-power vehicles). To commit to a vehicle like this though, I'd need a world with long-term, ubiquitous, relatively cheap electricity (clean would be nice too), and with all the political incentives right now favoring scarce, dirty electricity (politicians and bureaucrats can print currency around and profit better from that commodity), I'm a little too risk-averse to make such a gamble.
Granting all your arguments for the sake of argument, what would be the limiting factor against this annexing power? In my experience, the further the power center gets away from the individual, the less responsive it is to individual needs. It may be that this is a good thing in your view... that the individual should subordinate his or her individual needs to the needs of society at large. In the current state of affairs, the limiting factor is the inconvenience of moving; if a city's fiscal penalties to its residents (compared to surrounding jurisdictions) aren't sufficiently harmful to overcome the costs of uprooting & moving, then the residents will endure them. If they are, then the city will have to take notice and take corresponding steps to lure residents back. These same factors apply at a lesser scale to the act of making a purchase, e.g. gas, cigarettes, automobiles and such.
I tend to think that cities often create the conditions that lead to crappy schools, higher unemployment, and higher unit taxes despite a higher population density (and thus presumably better economy of scale). I guess I'm wondering why you think it is that a large city as a system unto itself couldn't blow the doors off a nearby suburb (also as a system unto itself). As a city grows, if it's governed as you envision, shouldn't people want to move into it rather than away from it?
Perhaps North Carolina is upset because local business are closing due to the tax disparity?
Chicago infamously addressed an automobile tax disparity by forcing suburban car dealerships to collect City taxes. City dwellers could no longer escape the inordinate tax by buying in the suburbs; Chicago argued that place of residence, not place of purchase, determined the sales tax. Except, that is, for suburban dwellers who might have bought a car in the city. For them, it was the other way around. Now they're trying the same thing with *all* car rentals in the entire 6-county suburban area. (They *might* be driven into the city at some point, don'tcha know.)
Mightn't NC address the tax disparity by competing with the surrounding tax environment, or by using residence-based sources like real-estate taxes to shore up their shortfalls? People often feel it's their right to seek relief from (what they feel are) unfair or inordinate taxes by not purchasing in that jurisdiction. Without such competitive pressure, there is insufficient drive for any kind of fiscal responsibility by governments (though if you know of a better way to incent governments to efficiency, please share; I personally trust neither corporate leaders nor government leaders to innately have my financial best interests at heart). At any rate, if jurisdictions can start taxing beyond their boundaries left and right, we might as well just turn governing over to Bernie Madoff or Enron or Halliburton. At least then we'll know there's going to be a-screwin' coming our way.
Unfortunately, Amazon probably needed to demonstrate how serious they were, or NC might well have called their "bluff," leaving the affiliates out in the cold for much longer, if not permanently. Once some government erects a new law / regulation / tax / bureaucracy / program, it's harder to get rid of than mildew.
In fact, these things really are quite like an aggressive mildew. Do nothing, and they grow, advance, and encroach on your clean space. Work really really diligently and consistently, and you can sometimes beat them back to manageable levels. But get a little lazy once or twice, and boom... they're ba-ack, worse than ever.
If Amazon had merely warned their affiliates, there would be a big "yeah, right" factor on the affiliates' parts, and a big "yeah, right" factor on the legislators' parts. The tax might well pass, and Amazon's negotiating position would become that much weaker. Amazon *needs* big numbers of pissed off people -- really pissed off right this minute people -- to beat this thing. People who are merely imagining being pissed off in some potential future just don't act. Legislators need to see a thunderstorm, not a possible drizzle advisory; a storm of phone calls, not a flurry of tweets and a new Facebook group called "stop the tax."
With private economies shrinking but public spending expanding most everywhere, we are going to see more egregious tax grab strategies popping up more and more often over the coming months and years. The ones who don't get their pockets picked clean will be the ones who get brutal, or have someone get brutal on their behalf as Amazon did in this case.
She did, but the computers appeared as children & the police appeared as clowns in her dream, so she sent Scanlon on a wild goose chase through the carnival next to the day-care center.
Cable contracts aside, you'd think there'd have to be a revenue disparity for the network between ads aired on TV and those shown on Hulu or similar sites. Slashdotters might be ready to dump cable for online video options, but it's going to be a few years yet before the average Joe even has a PC hooked up to his TV.
On network TV, 30-second prime time ad slots can run $100K, $300K, $700K if you have a juggernaut show. From what I can gather, the CPMs run in the $12 - $25 range. I hear a 30-second slot on Hulu might yield $25 - $35 per thousand views. If my quick search results are remotely accurate, the question becomes one of revenue share.
How much of Hulu's CPMs do the keep, and how much do they pass on to the networks? I'd really be interested in the per-viewer economics of the different distribution channels from the networks' perspective.
[...] I would think it was an overreach, but 20 years from now?
"I would think it was an overreach, but 2 years from now?"
There, fixed that for ya.
True, but it'll take a really slow news year before anything DRM-related has people lining up in sufficient numbers to make politicians notice. I can't get a family member who *lost* all their DRMd music to care enough to change buying habits.
I wish some issues were as important in society as they are on /., but alas, such is not the case.
I'm honestly wondering whether it's you or reality that is so hilarious here. If the latter, I would hope that coffee a-plenty was spat upon the nearest conference table when that finding was delivered.
(If the former, then congrats on one of the best-crafted one-sentence tales I've seen in a long time...)
True 'nuff; the approach would simply cut the probability of a bot/botnet passing through the CAPTCHA at a usable rate. No sophistimacated algae-rhythm that I know of yet will effectively distinguish between malicious and benign humans.
Oh, and nice sig by the way.
That's a good start, but I'm not convinced that simple automation is dead here. This doesn't seem that difficult to me. I've put up live forms that have invalidated 100% of bot submissions, even without CAPTCHA. Granted, impressions are only in the tens of thousands, but still, *combined* with CAPTCHA, a few simple principles ought to suffice, even against concerted, distributed attacks:
0) Obviously, limit submission attempts per session to a humanly achievable rate. Sticky session IDs can be packed into hidden form fields, query strings, cookies, etc.
1) Anything that's worth guarding with a CAPTCHA should require a modern browser (CSS, cookies, javascript, DHTML). In my experience, over half of attempts can be weeded out by using a segregated approach with cookies: user submits -> set some server-encrypted cookie value -> modify value in client-side js -> repost in client-side js -> inspect during next http post.
2) You can still provide accessibility accommodations; just make sure *all* form submissions have frequency limitations that increase in severity with every failed attempt in a single session. What you can't do in cookies or js can still be done in hidden form fields and query string params. For a surprising majority of submissions (i.e. modern browsers or bots trying to imitate them), the simple requirement of a compliant js VM to modify form/cookie/querystring variables before submitting rules out bots right away.
3) For the modern browser version of the form, add numerous honeypot fields; use modern browser techniques to hide them by overlaying them. Making the overlaying element distant from the real one in the DOM tree, and/or add the real element (or all of them, or half of them, or a random assortment) using DHTML.
4) Randomize the IDs & DOM location of both real and honeypot inputs (store a distinguishing hash code or the like in a hidden form field, cookie, or on the query string).
5) Include hidden honeypot CAPTCHA images as well. Observe step 4 here. Also, use large images containing multiple CAPTCHA phrases, and use CSS to crop the image.
6) Vary the obfuscation techniques used in CAPTCHAs, e.g., sometimes fuzzy match on "name the object in the picture" (duck, DUCK, Duck, goose, swan, bird ok, everything else fails), or sometimes use animated gifs and display the challenge progressively instead of in a single frame, or sometimes ask the question in the image and put the answer right there with it! (Cheesy, but that one alone takes most current bots out of the running.)
7) Values in hidden honeypot fields are almost certainly from bots. Ditto for correctly decoded honeypot CAPTCHAs. Log this fact, and record it in a required cookie or hidden form field.
Yes, this is security by obscurity, and it's technically far from foolproof. Still, I would venture that a combination of techniques like this would bring the vast majority of bots' success rates well below the usability threshold. It's not hard to add complexity to a system like this, either. Nor is it hard to accumulate increasingly useful clues as to whether a submission is likely to be human or not.
I need to shut up now; this simple rant is more than enough for a software patent nowadays. Speaking of which, if anyone wants to codify this "method and system of Turing challenge obfuscation," I hereby release the above description under the licensee's choice of either the BSD license, or the "do what the fuck you want" license. Cheers.
That is a very, very good point. Before turning over the data, Google should open up a mechanism for every individual user who so chooses to file an appeal to the dissemination of their personal data.
Whatever Viacom needs to do, they can do sitting at a secure workstation under Google's control, with a network security officer standing over their shoulder at all times, and with logs of every query they run. Whatever data is relevant to their lawsuit they can print out in aggregate form.
Google could run a simple select * or equivalent, changing each name to a guid of some kind. This would allow analysis of all users, per user, if necessary (which is doubtful anyway), without revealing any identifying info.
That's a good point. To take it a step further, does the court order define the scope and format of the data Google must cough up? Do they have to make it easy to use? They could simply export a 2-column file with a pair of GUIDs identifying User:Video-View hits, then appeal ad-infinitum every additional bit of data that Viacom asks for.
"There, we gave you all of our users, along with their video watching data. Have a nice day."
The trick is to keep sifting the crap, so you don't miss that rare nugget of gold.
That's a good point, and a nice succinct way to sum it up.
Why do the elderly often resist new ideas today? I figure it's either due to physical changes in the brain, or it's a rational decision that the time invested in learning new stuff wouldn't be worth it since they don't expect to be around much longer.
Well put. I'm in a technical profession, and each passing year my reduces my perception that the "new hotness" is either new or hot. When you get good with a hammer, everything starts to look like a nail, maybe?
Or will those who hold to the ideology that age and maturity will see ideology as nonsense eventually abandon even that ideology as nonsense?
(sorry, had to...)
Ideally they could obey the robots.txt at the time of archiving, and simultaneously grab a snapshot of the whois record. In the future, new robots.txts would by default only take away previously archived content if the domain hadn't changed hands. This would keep squatters from killing the archive, and the original copyright owner could always actively request removal of content if s/he matched the old whois record (though this would take manpower at archive.org, which is a problem).
Very very good post.
With a foreign war going on, energy prices spiraling out of control, a credit crisis in housing, a slumbering real-estate market... why on earth should we tolerate our congress squandering its time and committing scarce government resources to stuff like this? Creating a free stop-loss department for the entertainment industry is *not* a government priority... or at least it shouldn't be. How about we fund NASA, or Fermi, or try to defuse the Social Security time bomb?
People's senators and reps need to know that their votes on this and similar initiatives will inform us about what their priorities are; a vote for this is a vote against [the children|education|science|social security solvency|etc.]
Yes, of course the initiative is just plain wrong, and the reasons why are important too. Congress-critters, though, seem to think in terms more like the above. The governing class most always seems to see expanding government and creating agencies like this as a Good Thing(tm), so philosophical arguments for or against this stuff may not be as digestible to them as simply saying "hey, in political commercials next time around, a Yea vote on this will make you look like you prefer this not-so-popular thing to popular things that are short on funding."
Or license a Windows Terminal Server with just as many concurrent CALs as they need for this one temporarily-incompatible app?
Price that out vs. converting all 720 physical computers to nonfree software from the OS up, and that for one app that will be compatible in a year.