
Comment They're used to getting it both ways (Score 1) 488

The electric companies (other utilities as well, but electric in particular) have been getting it both ways for some time. They have a lock on providing most - if not all - of their services for their market, and government is generally unwilling to investigate their actions when they use their power to abuse customers. I recall in a previous home of mine, one winter the temperature wasn't as cold as predicted, which led to less need for heating energy. The power companies hence made less money, which they made up for by forcing a subsidy on the customers. Customers who tried to contest the subsidy (which raised their monthly bill) were threatened with disconnect and collections.

Now that solar is becoming a viable option - even if just to reduce the electric bill - the power companies are seeking ways to prevent it from hitting them. Eventually they will follow the same path that the insurance industry took with "health care reform" and dictate to the government a giant handout for themselves.

Comment Re: Wisdom from these guys? (Score 1) 267

Yet you were the person so sure that the stock would tank that you shorted it and got millions? No, didn't think so.

The stock market has been, for quite some time now, a casino for the wealthy. I was one of many who knew that it was drastically overvalued but had no way to make money on that knowledge. Even to short sell, based on the insane IPO price, required vastly more expendable money than I or most others had.

Comment Wisdom from these guys? (Score 1) 267

This sounds like the same kind of wisdom we saw from people tripping over each other to buy facebook stock on opening day, paying obscene sums for stock that subsequently tanked on the market. It seems like he's just trying to play the opposite argument now in hopes that he might be able to look less stupid.

Too bad he's just as wrong as his type was before.

Comment Re:Call it what you will (Score 1) 329

The wrong mechanism (a semi-persistent environment) is being used to transfer what should have transient data. That is a vulnerability in the spec.

Hm. Okay, I'll buy that argument.

In practice, if the CGI developer follows best security practices it shouldn't be a more significant problem than any other "untrusted input" path, and whatever invokes the CGI does have the option of cleaning up the environment instead of accepting the default, but it's fair to say there's a flaw in the spec.

Comment Evaluation of a charged topic (Score 1) 460

I know that RTFA is passé here, but if we even take a look at the abstract (which should be publicly available to all) we see a key point here:

Turning to a case study of scientific communication, another online sample of adults described public attitudes toward climate scientists specifically.

We already know that a large portion of our country is repeatedly fed biased misinformation on this topic and told to distrust anyone who represents an opposing viewpoint. If we tried this on something that is less of a political football, we would likely see very different results. I would doubt that anywhere near as many people would doubt scientists telling them about research on gravity or the spheroid shape of our planet.

Comment Re:Call it what you will (Score 3, Insightful) 329

The fact is that bash allows external entities to poison environment variables ahead of invocation, causing unintended behavior in bash when it is launched as a child process.

Well, it's not that it allows external entities to poison the environment, it's that it gives the finger to that basic secure programming practice where you should just assume that externally provided input is tainted data.

(you could say that there is a design vulnerability in CGI - and I would agree about that).

Debatable.

There's nothing in the CGI specification that requires or suggests that there needs to be any kind of intermediary in handling the requests aside from the web server. The environment is a perfectly legitimate way of passing data, and if the web server calls the CGI safely (i.e. pipe()/fork()/exec()) there's no reason for a transient interpreter like bash to get involved. And, aside from security, the performance hit of invoking a shell just to launch another program makes it a bit silly to do it any other way.

And I'd point out that it's possible to explicitly control the environment of a subprocess (i.e. execle()), so anything calling a CGI program can at least sanitize things to minimize any damage. Not that the CGI should depend on the caller to sanitize things, of course.

On the other hand, the environment is a perfectly stupid way to pass code around.
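Added example, not part of the comment above and not code from any web server: one way a caller can hand a CGI program an explicitly built environment through fork()/execle(), as the comment describes, with no shell in between. The allowlist contents, the function names `build_cgi_env` and `run_cgi`, the sample request data and the use of `/usr/bin/env` as a stand-in CGI are assumptions; capturing the child's output over a pipe() is left out to keep the focus on the environment.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Request meta-variables the child may receive (names from RFC 3875). */
static const char *const ALLOWED[] = { "GATEWAY_INTERFACE", "REQUEST_METHOD",
    "QUERY_STRING", "CONTENT_LENGTH", "CONTENT_TYPE", "SCRIPT_NAME", "PATH_INFO",
    "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", "REMOTE_ADDR", NULL };

/* Accept NAME=value only if NAME is allowlisted or an HTTP_* header and the value
   does not begin with "()", the prefix bash treats as an exported function. */
static int entry_ok(const char *kv) {
    const char *eq = strchr(kv, '=');
    if (!eq || eq == kv || strncmp(eq + 1, "()", 2) == 0) return 0;
    size_t n = (size_t)(eq - kv);
    if (n > 5 && strncmp(kv, "HTTP_", 5) == 0) return 1;
    for (int i = 0; ALLOWED[i]; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(kv, ALLOWED[i], n) == 0) return 1;
    return 0;
}

/* Copy accepted entries of src into out (NULL-terminated); returns the count. */
size_t build_cgi_env(const char *const src[], const char *out[], size_t cap) {
    size_t k = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; src[i] && k + 1 < cap; i++)
        if (entry_ok(src[i])) out[k++] = src[i];
    out[k] = NULL;
    return k;
}

/* fork()/execle(), no shell in between: the child sees only envp.
   Returns the child's exit status, 127 if the exec failed, -1 on error. */
int run_cgi(const char *path, const char *const envp[]) {
    int st = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execle(path, path, (char *)NULL, (char *const *)envp); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {   /* constructed request data; /usr/bin/env stands in for the CGI */
    const char *const raw[] = { "REQUEST_METHOD=GET", "HTTP_ACCEPT=text/html",
        "HTTP_USER_AGENT=() placeholder", "LD_PRELOAD=/tmp/x.so", NULL };
    const char *clean[8];
    build_cgi_env(raw, clean, 8);
    return run_cgi("/usr/bin/env", clean) == 0 ? 0 : 1;
}
```

The HTTP_* values that pass the filter are still request data, so the CGI program has to treat them as untrusted input regardless of what the caller removed.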

Comment Re:Is that the only beatable one? (Score 1) 5

I ran it under dosbox. Worked fine except for the occasional need to restart because the audio would get munged up, and I like having the audio.

I haven't bothered with the sound. I tried it a few times in dosbox and generally - at least on my thinkpad - the sound would work for about 30 seconds and then never a sound again after that. I didn't personally see it worth additional effort.

There were a lot of Win3x and Win95 games that were just wrappers around a dos extender.

It could be that my memories of SC2K are clouded by rose-tinted glasses. However I am pretty sure that the Win9x version I had was able to run in a window at any of a choice of resolutions. I can't get dosbox to give me that freedom; I start it from dosbox and it insists on going full screen (I probably need to RTFM to solve this one but haven't done so yet) with a rather poor resolution. I know some people love to see pixelated buildings the size of aircraft carriers; I'm the opposite and want to see as many buildings as possible while still being able to resolve individual ones.

Comment Is that the only beatable one? (Score 1) 5

My understanding was that the other SimCity titles had no "victory" scenarios. I recall there were some versions (the Super NES version of SimCity comes to mind) that did have various (often amusing) failure scenarios where the game would not allow you to continue. I bought copies of SimCity 2000 and SimCity 4 through gog.com recently and started up SC2K recently in emulation and it works quite well. For some odd reason their release of SC2K installs through windows but runs through DOS.

I think I may have managed to find a copy of "Streets of Sim City" somewhere as well; I don't know if you remember that one but it lets you drive (or fly!) your city. I thought it was a clever idea but I haven't seen how good it is in execution.

And I really wish I could get RoboSport working, as well; that was a favorite of mine from the same group.

Comment Re:Gonna miss Snidely Whiplash (Score 1) 31

but calling atheism a religion is like calling abstinence a sex position

That depends. I have gotten into this discussion many times here on slashdot before. It is important to distinguish literal (or "classical") atheism from what represents atheism today. The literal definition of atheism is "without faith" or "without beliefs". However many people who call themselves atheists today explicitly demonstrate a belief in the absence of a deity.

A good way to model this is as a set of vectors. If a person rooted in their faith has a vector of magnitude 1 and a given direction, a modern atheist essentially has the same vector magnitude but the opposite direction. A classical atheist, by comparison, would have a vector of magnitude zero.

The importance of this is that many of the soviets were actually modern atheists, concerned with removing religion from their country. A classical atheist would not care about other peoples' faith(s).

Similarly your notion of atheism as

a set of beliefs

Distinguishes modern from classical. A modern atheist is often driven by their desire to remove others from their faith because they believe their faith in the absence of a god to be superior. A classical atheist would not waste time on it. An excellent example of the classical atheist in the modern society is Dr. Neil deGrasse Tyson; he simply doesn't care about other peoples' faith - yet he does not call himself an atheist either because he is aware of how loaded that term is in the current situation.

Comment Re:Why not self host? (Score 1) 6

That is an excellent idea, there. One change I would make to that suggestion though is to just do an install that doesn't include an x server (ie, either a "server" linux install [ubuntu server is OK though not great for this] or FreeBSD). Then you don't have to waste time and storage space installing a service that you're not going to run.

Another possible change on it would be to use a compact flash card in a CF->IDE (or CF->SATA, depending on the age of the laptop) adapter. I like to keep things internal as much as possible to reduce the likelihood of the storage getting knocked out physically by accident.

Comment Re:Why not self host? (Score 1) 6

I probably don't have a fixed IP address

That part is easy to address with dyndns or various other services.

I'd have to keep on top of security far more closely than with a PC

That depends on what you need. If all you need is to host a static website, the security concerns are actually pretty minimal. If you want php and a lot of goodies plus remote login and what-have-you then your concerns grow quickly.

I'd have to have at least two computers running 24/7/365 in case one went down, and I usually only have one or two running when I'm awake

Perhaps I underestimated the traffic volume for your web site, then. I know if my site is down occasionally (my personal server at home pulls five nines without much effort but there are sporadic things beyond my control like power / internet losses) it isn't a big deal.

The electricity alone would cost more than hosting.

I wouldn't be so sure of that. Again, if it is just a static page you could set up a really basic box (think mini-ITX) with as few moving parts as possible and your power consumption will be less than if you go to work and forget to turn off your coffee maker on the way out the door. I can tell you that the power consumption of my web server at home (an old P4 desktop I got for free some time ago) makes no notable difference on our monthly power bill.

You may have seen some of my JEs over the years where I have mocked the various attempts to compromise my home system via ssh. If I bothered to either change my ssh port or disable ssh entirely I would have basically zero attempts - I leave it where it is primarily out of laziness and my occasional needs to check in to my system remotely for various work-related functions.

Comment Re:Not to praise Apple, but... (Score 1) 208

Default Linux install (assuming dhcpd is the default). Boom. Owned.

You neglected your second - and more profound - assumption.

You have to have bash installed as well in order to be vulnerable. Not every linux install installs bash by default.

In other words, you are comparing an OS that has a vulnerable shell by default (OS X) with an OS that has a vulnerable dhcp by default (Linux) and making an assumption that the Linux install has the vulnerable shell as well.

Comment Re:Gonna miss Snidely Whiplash (Score 1) 31

Some day you will learn the concept of peaceful coexistence...

I mean, I live in a low crime neighborhood. Thanks for pointing out the crime of having offered up "southern conservative". Indeed, I live south of the Potomac, and embrace the traditional "conservative" values of individual liberty, equality before the law and private property that are currently under such systematic attack by godless Commie sodomites. Guilty.
