Comment Re:Thank the gods (Score 1) 151

Yup, they sure do. Not only is HTML5 video in ads happening a lot more these days, some sites insert the ads in-line with the article making it difficult for adblock software to distinguish them from graphs and other things that are part of the article.

I've got adblock installed in chrome, but not firefox yet. For some reason some sites think I'm on a chromebook when I use chrome, instead of DragonFly, which I find hilarious. Adblock in firefox is next.

No flash for ages. Last thing I would ever do. HTML5 or nothing, baby! I complain to sites like Pandora that still have flash requirements for certain browsers, but not for others.

-Matt

Comment Thank the gods (Score 3) 151

We finally get video and sound working properly and it's just been driving me BATTY when I have 30 firefox tabs open and can't figure out which one is making all the noise.

My absolute favorite is actually when a video site has video ads on the side bars that play over the video in the article. Sometimes more than one at once.

On the bright side, it finally caused me to get off my duff and map the mute and volume keys into X.

-Matt

Comment YHBT. YHL. HAND. (Score 0) 434

Yet another malicious, deliberately inaccurate "leak" from Trey Gowdy's "investigation" into BENGHAZI!!!!1! (at least the seventh such investigation so far).

Here's what we know about this most recent "story" so far: http://www.dailykos.com/story/...

Oh, and explain to me again why this is on /. ? I thought this site was about tech and tech-related news. Could it be there's rank partisanship among the editorial staff? I mean, I can't recall seeing any front-page stories here about the comprehensive corruption of, say, Wisconsin Governor Scott Walker who, among other things, installed a secret WiFi router in his office so he could exchange email out of sight of mandatory records keeping laws. I mean, that's tech-related, right? Right??

Comment Re:Words + Attitude = Wins (Score 1) 113

It's not just his uncanny command of the dictionary (or dictionaries!) that makes Nigel a champion. He has an incredibly calm demeanor across the board. He is unflappable, regardless of tile draws or opponent's plays. The ability to focus on the next play and the strategic situation, without distraction, is critical to winning in a long tournament.

Actually, I think in a scrabble competition, they don't rely on luck of the draw - the video basically showed all the competitors with a set of tiles pre-arranged on a rack (presumably in a fixed order), a scrabble board, and a scoring pad. Each competitor takes tiles from the rack, in order, then places them on the board and scores himself.

There's no competitor, and no random drawing - this is to eliminate "luck" from the actual competition so it's down to skill. Not sure if they can peek at upcoming tiles for strategy.

But it's a pure skill based competition - everyone presumably gets the same tiles in the same order, and they play the tiles as how they wish per the rules. There's no luck element, so you can't blame bad tiles for your loss. It's down to you, your current rack of tiles, and your ability to plan ahead to score the letter/word bonuses. And your ability to form words. There may be a time limit as well.

Apparently, Words with Friends changes the scoring of some letters to make it more exciting, so WwF is not a pure Scrabble clone. And because the bonuses are different and scoring is different, a good scrabble player is not necessarily a good WwF player because the strategies involving bonuses and word positions and value are different.

Comment Re:In other news (Score 1) 430

If only there were some type of a device that could provide unlimited communication wirelessly over a large area with only a small initial investment...

The investment is not small, actually.

First, you can make use of FRS and other systems that are license-free, but limited in range and well, public and subject to interference from other users.

If you want your own system (e.g., private frequencies to avoid interference, or use encryption, etc), you'll have to apply for a commercial band allocation, pay the license fee for the frequencies, then buy a whole set of radios and have them tuned to your allocation. Oh yeah, you have to have your allocation renewed.

But doing so lets you set up repeater networks so you can get better coverage of your campus.

Doing this is not a small investment (commercial radios aren't cheap, frequencies aren't cheap, repeaters and installation aren't cheap). So depending on the need, you might not want to make the investment. It may be cheaper to actually use a cellphone and pay for service, which also saves the hassle of battery chargers for the radios, battery banks for charging them en masse, etc, especially if it's only a few people. Plus, the person needing to reach the mobile user just has to use a regular phone; he doesn't have to find a radio (which is surprisingly hard if someone is out and about, and the other guy is in a regular office).

Comment Re:Few Hackers Smart Enough to Take Advantage of i (Score 1) 157

I never did post anything back to an ISP. I assumed the result would be what you saw in practice. Also, if it were "state sponsored", they would ignore it. If it were somebody trying to find a portal that would circumvent the "Great Firewall of China" [which I'd be in favor of], posting back might just "out" them [to the government].

I just got sshd patched/reinstalled. I just reverified that it disallows login/pw from public IP but allows login from local LAN on accounts that have no pubkey. So, I opened the firewall for sshd [it had been firewalled for two days]. It took exactly five hours for the first script kiddie to show up.

No, you're not crazy. If you are, then I am, too. People that say that are usually uninformed/unaware of what truly constitutes good security. IMO, security is relative to what you're trying to protect. Good security should be minimally intrusive to authorized users. People who bandy about the "crazy card" are most likely to implement systems that regular users try to circumvent (e.g. mandating a 30 character password with funky chars will just cause users to put the password on post-it notes). Note that for website logins, I use a different login for each site, and different funky password. Most of the time, the browser password manager takes care of the pain.

I [being a systems/kernel programmer] have worked on some "security" projects, and some of the people I worked with were "crazy". By that I mean, they locked down the development environment to the point where it was almost unusable and productivity suffered. In addition to genuine security, they also subscribed to the "security through obscurity" doctrine. This seems to be typical, based on my experience, and what I've read about what Linus [Torvalds] has to say about them.

OTOH, I worked on a realtime broadcast-quality H.264 encoder. While everybody had a personal login, the lab encoders' root password was "password". We made this decision from day one that the test encoders were "test equipment", just like an oscilloscope. This was fine, because the entire lab subnet was triple firewalled and even if somebody had logged into root on the encoder, it would let them roach it, but not get access to anything that mattered like the CVS server, etc.

Here's a different type of "crazy" ...

Ironically, the only place where we had to use high security was in product shipments to our principal customer. Updates had both software changes and firmware changes [to custom hardware], which were QA'ed as a unit. But, this customer felt that software updates were okay, but that firmware updates were too "risky" [and that they knew better than we did]. So, they would apply the software changes but not the firmware ones, and then complain to customer support that "things were broken".

We were providing "enterprise grade" customer support [including onsite visits] and even after telling the customer to update the firmware they wouldn't do it. To solve this, we [engineering] made it [had to make it] impossible to do a piecemeal upgrade [with a nearly impossible to remember root password and disabling any override to the boot process].

Also, we had a rev numbering scheme that was X.Y.Z where Z was for simple/minor bug fixes. That same customer balked, thinking any change to Z was "a major change" [based on number of "dots"]. We solved this by shipping them the revs as 1.X.Y.Z and they were happy once again [blissfully unaware].

I'm probably going to be labelled crazy for what I say below. It's a rant about selinux in "targeted" mode, so you can skip it if you want.

selinux was designed [by the NSA] to provide security for gov't systems that have multiple levels and classifications. Confidential, secret, top secret, most secret, etc. And, need to know classifications like "noforn" [no foreign], "five eyes" [US, Canada, England, Australia, ???], etc. This is useful. An example would be applying this to the FBI. Not every FBI agent has need-to-know about every ongoing investigation.

But, nobody would use that stuff outside a government. So, selinux has the targeted mode. It is supposed to prevent access to things that can't be codified in ordinary file rwx permissions [owner, group, other] or ACLs. It is proffered as "you get better protection", but the real reason is to justify its inclusion in the mainline kernel.

But, selinux in targeted mode is: dumb, annoying, useless. For example, it has a specific rule to deny /home to apache [on the assumption that a web server should not have access to user home directories]. But, on my system, /home is the mount point for a separate large disk. Some of the subdirectories are just to hold large data (e.g. /home/database). I tried doing this with /bigdisk as the mount point, with /home as a loop mount [or symlink] to /bigdisk/home, but this created even more problems. I actually put the apache directories under /home/apache and selinux complained. I had to write a script to change selinux permissions to allow this. It was arcane/insane what needed to be done.

During my recent fedora upgrade [done via "fedup"], after reboot into the "install mode", selinux was there, but it was run in "permissive" mode. It was complaining at various points, but still allowed the action. To me, this is a scathing indictment if something like fedup feels the need to tell selinux to [effectively] STFU.

Honestly, I've never [personally] seen a single targeted mode selinux denial that wasn't a false positive [and couldn't be covered just as well with standard POSIX permissions or ACLs].

How about you?
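The poster above describes an sshd that refuses password logins from public addresses but still accepts them from the local LAN (he implements this through PAM's access.conf, as he explains in a later comment on this page). The example below is added here and is not code from the comments or from OpenSSH; it models the equivalent sshd-native mechanism, a Match Address block, with a small evaluator for the keywords involved. The two sshd_config texts, the LAN prefix 192.168.1.0/24 and the client addresses are constructed for the example. The "weak" config shows the keyboard-interactive trap another comment on this page mentions: PasswordAuthentication no by itself does not stop passwords when ChallengeResponseAuthentication is left at its default of yes, because PAM can still prompt for one. The parser handles only the Match Address criterion and first-match-wins semantics; negated addresses and other Match criteria are not modelled.

```python
"""Evaluate which sshd authentication keywords apply to a given client.

Added example, not code from the comments or from OpenSSH. Only the
keywords and the 'Match Address' criterion needed here are modelled.
"""
import ipaddress

# sshd's built-in values when a keyword is never mentioned (assumed
# from the sshd_config(5) defaults for these three keywords).
BUILTIN_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed config: looks locked down but is not, because
# ChallengeResponseAuthentication is still the default "yes".
WEAK_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed config: passwords only from the (assumed) LAN prefix,
# keyboard-interactive off everywhere, pubkey everywhere.
HARDENED_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

Match Address 192.168.1.0/24,127.0.0.0/8
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
"""


def parse_sshd_config(text):
    """Return (globals, match_blocks).

    globals maps a lowercased keyword to its value, first instance wins
    (sshd behaviour).  match_blocks is a list of (networks, settings) in
    file order; sshd applies, per keyword, the first matching block that
    mentions it.
    """
    globals_ = {}
    blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit, _, arg = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            nets = [ipaddress.ip_network(a.strip()) for a in arg.split(",")]
            current = (nets, {})
            blocks.append(current)
        elif current is None:
            globals_.setdefault(keyword, value)
        else:
            current[1].setdefault(keyword, value)
    return globals_, blocks


def effective_setting(config_text, client_ip, keyword):
    """Value of `keyword` sshd would use for a connection from client_ip."""
    keyword = keyword.lower()
    globals_, blocks = parse_sshd_config(config_text)
    addr = ipaddress.ip_address(client_ip)
    for nets, settings in blocks:
        # mixed IPv4/IPv6 membership tests simply return False
        if keyword in settings and any(addr in n for n in nets):
            return settings[keyword]
    return globals_.get(keyword, BUILTIN_DEFAULTS.get(keyword))


def password_login_possible(config_text, client_ip):
    """True if sshd could accept a password from this client, either via the
    'password' method or via PAM-backed keyboard-interactive, which is what
    ChallengeResponseAuthentication controls."""
    pw = effective_setting(config_text, client_ip, "PasswordAuthentication")
    kbd = effective_setting(config_text, client_ip, "ChallengeResponseAuthentication")
    return pw == "yes" or kbd == "yes"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ip in ("203.0.113.5", "192.168.1.20"):
            print(f"{name:8s} {ip:15s} password possible: "
                  f"{password_login_possible(cfg, ip)}")
```

Run it and the weak config reports that a public client can still be offered a password prompt; the hardened one reports passwords only for the LAN client. On a live box the authoritative check is `sshd -T -C addr=203.0.113.5,user=someuser`, which prints the effective keywords for that connection.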

Comment Re:Not acupuncture (Score 1) 159

The Chinese did not have electricity nor does anyone claiming to be an acupuncturist use electricity.

The "science" of acupuncture is not sticking needles in the body, it's sticking needles in the body and stimulating them. Traditionally, it was done by sticking the needles in your body and then using a candle to heat the needle.

More modern acupuncture uses needles with a bit of flammable material opposite the pointy end - the needle Is inserted into the body, and the material lit, which channels the heat to the point.

Electro-acupuncture stimulates using electricity, using probes connected to the needles.

Acupuncture is about the stimulation, not just the jabbing of needles.

Plus another problem is that this is one "acupuncture pressure point". IIRC, there are scores, if not hundreds of the bastard things on a human body.

This study proves acupuncture is valid about as much as the fact that pork can transfer inimical biotic agents from pigs to humans causing the latter to become sick or even die is proof that the Old Testament is valid knowledge.

Actually, there's plenty of scientific studies done to show acupuncture does work. The real question is no one knows why. Western medicine thought it was the placebo effect (which is a valid explanation).

And the science of acupuncture isn't jabbing needles randomly into the body - but jabbing the needle and stimulating them at the right locations. Traditionally, this was called intersections of chi, but that's just like explaining it as the aether. These intersections did not come about instantly - it's happened over many thousands of years of jabbing people until things started happening and it got studied. (The scientific method is old, acupuncture is just as old.). Now, everyone's explained it as "chi" and the balance of life, but that doesn't mean there's no valid scientific reason for it.

Again, we do not know why. You have to remember that acupuncture, also called Traditional Chinese Medicine (TCM) is actually regarded by western medicine as a potentially valid form of treatment.

Comment Re:Few Hackers Smart Enough to Take Advantage of i (Score 1) 157

Once again, we seem to be in complete agreement. I did the enhanced logging for amusement [That's why the logger never did a fail2ban equivalent]. Sometimes, I do "tail -f logfile" to watch the fun in realtime.

For a while, I've been considering paring down and packaging up my scripting environment for this and publishing it on github. The sshd patch and setup/modification of the config files [including changing the selinux attributes :-(] is all done by a perl script (as is the logger).

The only wrinkle is that all users have to have set things up to use pubkey via ssh-keygen. For example, the public keys for my laptop and smartphone are entered into my .ssh/authorized_keys file on my desktop [and vice-versa]. Easy for me, since I'm the only user. Harder, if you've got an installed user base that may not have done this.

My desktop system uses two dictionary words for the password to my personal account and root account. I've grepped the log, and the kiddies never even came close. However, because I am using these words, that's why I added pubkey only for ssh access--just to be safe.

I had to firewall ssh because I just went from fedora 20 to 21 and would have been running an unpatched sshd. I just completed a reposync, so now I have the correct openssh sources and can rebuild/reactivate.

Interestingly, although the kiddie attacks can come from anywhere in the world, they are predominantly from China. The whois info for non-Chinese IPs is somewhat spotty, but the ones in China have full/accurate information. Seems like the Chinese government wants to track everything back to a name.

I was considering adding automatic whois lookup, with abuse@blah.com scraping, and then send the applicable part of the logs automatically [with a copy to the FBI :-) :-) :-)]

Comment Re:Few Hackers Smart Enough to Take Advantage of i (Score 1) 157

Your data correlates with mine and I've been logging for years [I have 450,000 log entries at present and I have a non-published IP address, not tied to any DNS, so my traffic will be lower--just so I can login to my desktop from Starbuck's using my laptop]. More on this logger and my security config below.

Apparently, the keyboard interactive problem has been known [by Redhat] since at least July 2013, see https://access.redhat.com/solu... and it sets ChallengeResponseAuthentication to "no" to specifically disable keyboard interactive.

I added a line to /etc/pam.d/xsshd with pam_exec.so so I could invoke a custom logger I wrote. I also have CRA set to "no" [I can't remember where I found this originally]. The logger also adds a random delay, to slow down the script kiddies. Although not required, I've patched sshd to post the real bad password to the logger. The default action is to use a standard junk one if the username is invalid [to prevent timing attacks]. Since I add a random delay, the pw obliteration isn't required.

I also use /etc/security/access.conf [used by PAM] to allow password logins from the local console or virtual terminal, X11, and local LAN. All else is denied.

Thus, ssh can only use pubkey authentication, so even if a valid login/pw combo is presented, it will fail.

From what I've seen in the logs, it isn't just common/simple passwords that get tried. It becomes obvious that some systems have been hacked, the /etc/passwd and /etc/shadow files have been taken, and the passwords cracked offline [e.g. via rainbow tables, etc.]. They are now being replayed from a database of known/valid combos. I've seen certain user/pw combos from years ago that show up again recently. Not just a single combo, but an entire sequence of them in the same exact order.

This actually provides a signature of the attacker that can be tracked. It appears there is some black market for these databases as they're too specific to be just "let's come up with a list of most probable common passwords". They're hoping that person A (using password B) created a login on system C and the person reused the login/pw on other systems (e.g. D)

The [Chinese] script kiddies are getting dumber [or smarter]. My logger used to do random delay of up to 40 seconds. This slowed them down and because they can only attack so many systems in parallel, this helped the victim community at large. It also prevented them from trying thousands of passwords/second on my system [which they did by having hundreds of separate ssh sessions].

Eventually, the "replay" list gets exhausted and the attacker moves on [possibly showing up years later, sometimes from a different IP address]. But, lately, if the delay is over a certain amount, the request gets timed out by the attacker and they will repeat the same login/pw in an infinite loop. This prevents them from progressing through their list, but it also means they will never stop hammering my system [because the list never gets exhausted]. So, now, I've set the delay to a smaller value, that still delays, but doesn't trigger the infinite loop.
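The comment above makes two observations that are easy to turn into detection logic: the same usernames arriving in the same order from unrelated addresses, months or years apart, which marks a replayed credential list rather than a generic wordlist; and bursts of hundreds of parallel sessions from one source. The example below is added here and is not the poster's logger or any part of his setup. It works on the stock `Failed password for ... from ... port ...` lines that an unpatched sshd writes to the auth log, so the signature is the username order only; the poster's patched sshd also logs the password tried, which would make the signature stricter, but that field is not available in standard logs. The log lines, host name, IP addresses and timestamps are constructed for the example.

```python
"""Spot replayed credential lists and parallel-session bursts in sshd logs.

Added example, not the poster's logger. Works on stock sshd auth-log lines;
the sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: source A in January, source B two months later
# trying the same names in the same order, and source C hammering root
# from several sessions at once.  One unrelated line shows the parser
# skipping what it does not understand.
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:06 host sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 10 03:14:11 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Jan 10 03:14:16 host sshd[2104]: Failed password for postgres from 203.0.113.7 port 51263 ssh2
Jan 10 03:14:21 host sshd[2105]: Failed password for invalid user ubuntu from 203.0.113.7 port 51270 ssh2
Jan 10 03:14:26 host sshd[2106]: Failed password for invalid user guest from 203.0.113.7 port 51288 ssh2
Mar 02 22:40:00 host sshd[5570]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar 02 22:40:03 host sshd[5571]: Failed password for invalid user admin from 198.51.100.23 port 40019 ssh2
Mar 02 22:40:06 host sshd[5572]: Failed password for invalid user test from 198.51.100.23 port 40025 ssh2
Mar 02 22:40:09 host sshd[5573]: Failed password for invalid user oracle from 198.51.100.23 port 40031 ssh2
Mar 02 22:40:12 host sshd[5574]: Failed password for postgres from 198.51.100.23 port 40042 ssh2
Mar 02 22:40:15 host sshd[5575]: Failed password for invalid user ubuntu from 198.51.100.23 port 40050 ssh2
Mar 03 12:00:00 host sshd[6001]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar 03 12:00:00 host sshd[6002]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar 03 12:00:01 host sshd[6003]: Failed password for root from 192.0.2.44 port 33003 ssh2
Mar 03 12:00:01 host sshd[6004]: Failed password for root from 192.0.2.44 port 33004 ssh2
Mar 03 12:00:02 host sshd[6005]: Failed password for root from 192.0.2.44 port 33005 ssh2
Mar 03 12:00:02 host sshd[6006]: Failed password for root from 192.0.2.44 port 33006 ssh2
Mar 03 12:05:00 host sshd[6010]: Failed password for root from 192.0.2.44 port 33010 ssh2
Mar 03 12:30:00 host sshd[6100]: Accepted publickey for matt from 10.0.0.5 port 40000 ssh2
""".splitlines()


def parse_failures(lines, year=2015):
    """Return time-sorted (timestamp, source_ip, username) tuples.

    syslog timestamps carry no year, so one is assumed; logs that wrap
    a year boundary need the caller to split them first.
    """
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    events.sort()
    return events


def replay_signatures(events, window=4):
    """Map each run of `window` consecutive usernames, in the order a source
    tried them, to the sources that produced it; keep only runs seen from
    more than one source.  Identical ordered runs from unrelated addresses
    are the replayed-list fingerprint described in the comment above."""
    per_ip = defaultdict(list)
    for _, ip, user in events:
        per_ip[ip].append(user)
    seen = defaultdict(set)
    for ip, users in per_ip.items():
        for i in range(len(users) - window + 1):
            seen[tuple(users[i:i + window])].add(ip)
    return {sig: sorted(ips) for sig, ips in seen.items() if len(ips) > 1}


def peak_rate(events, ip, seconds=60):
    """Largest number of failures from `ip` inside any `seconds`-wide span;
    many parallel sessions show up as a high value here."""
    times = [ts for ts, src, _ in events if src == ip]
    best = j = 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() >= seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for sig, ips in replay_signatures(ev).items():
        print("replayed order", " > ".join(sig), "from", ", ".join(ips))
    for ip in ("203.0.113.7", "198.51.100.23", "192.0.2.44"):
        print(ip, "peak failures per minute:", peak_rate(ev, ip))
```

A window of four usernames is short enough to survive an attacker skipping a few entries and long enough that common wordlist prefixes (root, admin, test) do not collide on their own; tune it against your own log volume. Running the same functions over the poster's 450,000 lines would be a one-liner once the lines are read from the file instead of the embedded sample.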

Comment Re:Investigating if laws were broken (Score 1) 312

That holds true for most people, but sometimes you are dragged into something you don't want to be. For example, if you are minding your own business running a convenience store and some guys come in with guns demanding money, and out of fear for your life, you shoot first and kill one of them. Now you have to spend the rest of your life in jail for something that you never premeditated or wanted to have happen.

That has happened before. And even weirder cases where the family of the criminal has sued homeowners that shot for killing their family member.

Heck, firing at someone in your house may or may not be legal - it's legal if they present to you a threat to you or your family, but not if they're unarmed, retreating, etc. So shooting a guy going after your family is legal, but if he's running away with his back to you, it's not.

And even worse, given it's a really busy few seconds, no one is really sure.

Comment Re:GPL is good but flawed (Score 1) 250

Two, 20 years ago MS actively encouraged copying Windows and users sharing those copies for free. Bill Gates actually said something along the lines of "it's better for people to use pirated copies of Windows than to buy the competition's software"

What a change from 20 years previous to that where the infamous Bill Gates' Open Letter to Hobbyists was released where he decried the open sharing and "piracy" of his software.

Comment Re:Morse Code (Score 1) 620

Yes, I know about the NAVAIDs, but they identify at 5 WPM and the airman's charts print the dots and dashes next to the waypoint. And there might still be runway aids that say a few letters, also at 5 WPM, but it's always the same letters for left and right and the outer, middle, and inner marker. Pilots learn the sounds for each.

Until you try to read them in the dark. I printed out a cheat sheet of nearby navaids with the dots and dashes enlarged, because a red lamp has the ability to fade them out.

In fact, pilots are not expected to know Morse code - they are expected to use the dots and dashes. So much so you can actually get in trouble with a CFI if you DO happen to know Morse. Then you have to explain, slowly, to them that yes, you did identify the station - you didn't look at the chart because you know what it was supposed to be. But yeah, it's a good way to fail a checkride.

And I expect Morse to be continually used as it's more user-friendly - if you're tuning up a navaid, the beeps will go into the background if you're interrupted by ATC. If they used voice then it's highly annoying trying to separate the two without hitting buttons on your comm panel.

Comment Re:I hate it already! (Score 2) 118

It's rumored that a big part of the reason Apple has stuck with one-button mice is that, if you're not relying on context menus, multiple buttons are largely unnecessary for normal productivity uses, and not having multiple buttons deters developers from putting important functions in context menus.

That's actually a big part of it.

By having a single button, UI designers are forced to expose features somewhere somehow, which allows for exploration. You can have a context menu, but everything in it must be accessible elsewhere.

Because on Windows, some poor UI designs are such that you get a blank window, and that's it. If you want to do anything, it's right-click this, right-click that.

Heck, Microsoft even has shift-right-click and alt-right-click exposing new options. (Shift-Right-Click, "Open Command Window Here" is so useful...). Now just how is a user supposed to realize that modifier-clicking does stuff too?!
