Best action story Iâ(TM)ve ever read and one the most flowing books.

The Courier: 10/10. Excellent performances, production, set, costume, lighting, and sound design. True to the spirit and history of the time. Did I mention performances? A masterâ(TM)s class in facial acting.

Absolutely! I drink a LOT of coffee (black, strong, no sugar), and I also love IPAs, the higher the IBU the better. In fact, I don't really notice the bitterness anymore, I notice the flavour of both coffee and beer. It's sort of like how one notices the flavour of spicy food after adjusting to the heat of the spice (which I have done and love).

For years, CRA, the Canadian equivalent to the IRS, has been including Web Authentication Codes (WACs) with the annual notice of assessment, that is, their summary of your personal income tax submission, snail mailed to your address of record some weeks after you submit your personal tax return.

Your WAC changes every year. Without it, you cannot access your account in CRA's online systems.

And it isn't enough: You also need your SIN and the amount recorded on a particular line of your return (or notice, I cannot remember which).

Now here is where my memory gets hazy: Once you register for online access, I think they might send a one-time code to your address, which is required to activate your account.

The only way to subvert this system is to tamper with postal delivery, which means fraudsters must take specific, intentional action and break multiple federal laws (postal acts, the income tax act, etc.). There ain't no easy to guess stuff in the Canadian system. The bar is sufficiently high, the risks to fraudsters very high, i.e., hard time.

There is an implication that Dijkstra was wrong about the goto - the implication being based on how conservatively it is used.

Perhaps it is wiser to conclude that the goto is used so conservatively because Dijkstra was right and that programmers have, in general, taken his wisdom to heart and avoided the goto except for those instances where, properly documented, it is the best tool for the job.

(By prophylactic prediction I mean the sort of warning or planning that completely forestalls the danger predicted, through awareness, preparation, etc. Kind of like the Y2K non-event.)

Really? You've been sending him checks for your share of this mass education, have you? While a professor and occasional host of science programs, his job is no more to explain things to the masses than mine, or yours.

Hey, I'm not saying the practices that make people vulnerable are wise - just that they exist and that unless positive steps are taken to test and, where necessary, fix, systems will be vulnerable. After all, we are seeing reports of the vulnerability being exploited in the wild, so we know there are affected systems out there. If we've done our jobs right, they won't be ours - but we cannot just hope that we've done our jobs right - and we do need to advise management that a) we're aware of the issue, b) we did our jobs right, and c) we're double checking, just to be safe.

Folks, for what it's worth, here is a management briefing I wrote this morning. Please feel free to re-use, but please do give proper attribution. Please do comment and correct as appropriate.

Summary: Briefing for management on activities to minimize impacts of the "shellshock" computer vulnerability.

Status: Testing underway. Our initial scans and appraisals are that our public-facing systems are likely not subject to shellshock. NOTE: The situation is fluid, due to the nature of the vulnerability. Personnel are also reaching out to hosting providers to assess the status of intervening systems.

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability "shellshock" since it affects computer command interpreters known as shells.

How does it work? Command interpreters, or "shells", are the computer components that allow users to type and execute computer commands. Anytime a user works in a terminal window, they are using a command interpreter - think of the DOS command prompt. Some GUI applications, especially administrative applications, are in fact just graphical interfaces to command interpreters. The most common command interpreter on Linux and UNIX is known as the "bash shell". Within the last several days, security researchers discovered that a serious vulnerability has been present in the vast majority of instances of bash for the last twenty years. This vulnerability allows an attacker with access to a bash shell to execute arbitrary commands. Because many web servers use system command interpreters to fulfill user requests, attackers need not have physical access to a system: The ability to issue web requests, using their browser or commonly-available command line tools, may be enough.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linus and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a "web server" in the sense of a server providing content of interest to the casual or "normal" user, many do provide web-based interfaces for diagnotics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

What is the primary risk? There are two, data loss and system modification. By allowing an attacker to execute arbitrary commands, the shellshock vulnerability may allow the attacker to both obtain data from a system and to make changes to system configuration. There is also a third risk, that of using affected systems to launch attacks against other systems, so-called "reflector" attacks: The arbitrary command specified by the attacker could be to direct a network utility against a third machine.

How easy is it to detect the vulnerability? Surprising easily: A single command executed using ubiquitous system tools will reveal whether any particular web device or web server is vulnerable.

What are we doing? Technical personnel are using these commands to test all web servers and other devices we manage and are working with hosting providers to ensure that all devices upon which we depend have been tested. When devices are determined to be vulnerable, a determination is made whether they should be left alone (e.g., if they are not public facing and patches are either not yet available or would be disruptive at this time, or if there are other mitigations or safeguards in place), patched (e.g., if patches are available and are low impact), or turned off (e.g., if patches are not available, risk is high, and the service is not mandate critical).

Updates to this briefing will provided as the situation develops.

I've known for 30 years that I was colour confused, it was diagnosed during my pre-hire medical at IBM. I've always described it symptomatically, as in "certain pinks and purples appear grey, my favourite brown shirt is green, but occasionally, I'll see a hint of green". And I've long thought that my CC was partly influenced by diet (the shirt would be greener after meals in certain restaurants, but I could never pin down the magic ingredient combo).

I have it on good authority that Mars is red, but I see it as a faint light of undetermined colour.

I had my eyes checked last week. I said all of the above to the examiner. He said something along the lines of "Huh, I've never heard of that before".

Then I described how I have a hard time scooping the yard: I have to work really hard to see the shit for the grass, but when I do, it becomes more obvious. There isn't enough contrast for me to pick it out without cognitive effort, but with said effort it becomes clear.

"Huh", he said, "It sounds like you have a very mild form of red-green colour blindness".

Interesting. I've never had a problem with traffic lights, red is one of my favourite colours, and I love the infinite variety of greens of spring. But picking a cardinal out in a dark green tree is tough - do-able, but tough. It's much easier in a light green tree.

So two weeks ago I would have answered "different form" but today I chose "mild R-G".

As my daughter would say, "That was a great old man story, thanks for sharing".

This was on HN a few days ago; my comment there was the same: In the case of LastPass, the headline is misleading and a little fearmongery.

There were two issues with LastPass and NEITHER affected its storage of persistent passwords, that is, neither affected the feature the vast majority of us use passwords managers for!

One concerned a targeted attack against one-time passwords (OTP), the other concerned bookmarklets, which are used by less than 1% of the user base, according to LastPass. Personally I didn't know either feature existed until I read the LastPass blog entry about these two vulnerabilities.

A truer headline would have been Vulnerabilities found in less-frequently used features of LastPass; persistent site password storage unaffected".

Yeah, /. needs both an edit function and a +1.

Just a little nit: Her title is Madam Justice Fenlon, so your expression of gratitude needs a tweak. :->

If you are being spied upon by CSEC or GCHQ, you are being spied by the NSA - and the Aussies and the Kiwis - and vice versa.

Reading about ECHELON left as an exercise for the reader.

We have a c.2003 52" Viera and love it.

The brightness is not an issue: it's on the North wall of the living room, facing a large window, and if it is "too sunny", I close the drapes. Done.

The viewing angle is amazing. Sunday night suppers are often prepared standing at the counter "just this side" of the family room, watching football.

I've stayed away from L[CE]D TVs because plasma just seemed like a better solution.

And now they will go the way of Betamax.

Silly consumers, believing hype and myth, buying poorer tech, and not saving a whole lot doing it....

Oops, posted on wrong thread. Mea culpa.

Off topic indeed.