
Comment Using from work (Score 1) 180

I see lots of people logging on to check FB from work, which is tolerated in my office as long as it's not excessive. Video ads would kill that. It's the same as email - gmail presents a nice discreet screen, the ads are unobtrusive and it looks enough like work. I'm happy using that, but say Yahoo email? No. Loads of flashing animated ads lighting up the page? Ridiculous, and not subtle.

Comment The concept is OK (Score 1) 403

I think the concept is OK, it's just the pricing that's wrong.

The old boxed software model forced companies like Adobe and Microsoft to bring out upgrades every year to 18 months. That meant coming up with enough new features to convince people to upgrade, leading to bloat. The subscription model could work, if it meant vendors could concentrate instead on patching, bug fixes, quality support and adding relevant features rather than unnecessary bells and whistles.

OK, it probably won't work like that in practice, but the potential is there.

It's the pricing that seems a bit off. I think it does need to come down, and be more flexible in terms of mixing and matching products. I did sign up when it was discounted in the UK, and it's led me to play with InDesign and Illustrator, but I can't see me using them much. They could break it down into categories:

  • Photographers - Lightroom and Photoshop
  • Designers - InDesign, Illustrator, Acrobat
  • Videographers - Premiere and the other video tools.
  • Developers - Dreamweaver, Flash Builder

Allow users to pick any package for, say £10/month, any 2 for £20 or all of them for £25. I've deliberately picked a top price point about half the current level as well - it should be a price point that is no more than the old total cost (initial licence + upgrades) over a minimum of four years.

Comment Re:No technical solutions for social problems (Score 3, Informative) 390

And nobody in his right mind would surf from a public hotspot without a VPN or at least an SSL/TLS encrypted session.

Yeah, when I'm reading the BBC news website in Starbucks it's vital that it's over a VPN or SSL. Not.

Public wi-fi should be fine to use. Most email now uses encrypted connections, and beyond that just teach people the rule of thumb that if you don't know what you're doing (i.e. can't confirm it's secure), it's best to avoid using sites that you log on to when using public wi-fi.

And no, you can't stop it, but that's because it's impossible to identify. Do you block google image search? Only have whitelisted sites? Other than that, it's impossible to block, but can be made hard enough that most people won't bother.

Comment Re:Hm. (Score 2) 400

Coming late to this, but drinks are one thing. Food at the desk is messy, and potentially smelly. I don't want to sit next to someone having a microwave curry, or some fish abomination, and stinking the office out. Not allowing you to eat at your desk isn't micromanaging you - it's putting a rule in place to stop inconsiderate bastards pissing off their colleagues (and sometimes nauseating them). Rather than say "no smelly food" and leave it open to argument and accusations, it's easier and fairer to just provide a separate area to eat.

Comment Photo magazines (Score 1) 363

I still buy physical copies of photographic magazines. The better ones, such as Black and White Photography here in the UK, have concentrated on pretty decent quality reproductions, and I'd rather have a print magazine to flip through over breakfast before I inflict a day in front of a computer screen on my eyes.

Comment Re:Yes (Score 1) 216

Yes the comparison is silly.

However, I do have to take issue with Reader being a simple viewer. Yes, if you only ever used it on one machine. For many users, though, the value is in syncing across multiple devices so you can access feeds on your phone/tablet/multiple PCs. That requires a central server.

Reader is to RSS what web based mail is to email. Yes, there are alternatives, but so far I know I'm yet to find one that does as good a job of just keeping out of the way.

Comment Re:Feels right (Score 1) 126

I agree, long walks and cycling are where I do most of my creative thinking. The activity requires little mental effort and gives me time to let my mind wander. Running is different - I only took it up recently, and I'm still at the point where all of my mental effort has to go into breathing and keeping going (and 5K is my current limit). Even that is great, though, as it's the only time I'm completely switched off from other thoughts other than when I'm asleep, so I think it helps to clear my mind.

Comment Re:How would an attack happen? (Score 1) 100

I know it's not always easy, but most data input into web forms is quite straightforward. The application should not be checking whether the data is invalid - it should be checking that it's valid. That's a subtle distinction, and I'm probably going to fail to explain it! The critical thing is to allow only that data that is valid for the question being asked. Most of the time restricting the input to a certain length and only allowing specific characters should be enough, and wherever possible limit input to predefined selections (dropdowns, checkboxes). Apart from avoiding vulnerabilities, validation is critical to ensuring the data is useful and minimises the need for data cleansing later on.

Where extended free format data is required, it should still be as simple as controlling the length of the data, the character set in use and making sure it's correctly quoted.
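
The "check that it's valid" approach from the comment above, as an added example that is not part of the original post: each field is accepted only if it matches an allowlist rule, and quoting is left to bound query parameters. The form fields, rules and table name are assumptions made for illustration.

```python
import re
import sqlite3

TITLES = {"Mr", "Mrs", "Ms", "Dr"}                   # predefined selection (dropdown)
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")   # 1-40 chars from a fixed set
COMMENT_MAX = 500                                    # length cap for free-format text

def validate(form):
    """Return (clean, errors); a value is kept only if it matches its rule."""
    clean, errors = {}, {}
    title = form.get("title", "")
    if title in TITLES:
        clean["title"] = title
    else:
        errors["title"] = "not one of the offered choices"
    name = form.get("name", "")
    if NAME_RE.fullmatch(name):
        clean["name"] = name
    else:
        errors["name"] = "1-40 letters, spaces, apostrophes or hyphens"
    comment = form.get("comment", "")
    # Free format: control length and character set only; quoting happens in store().
    if len(comment) <= COMMENT_MAX and all(c.isprintable() or c == "\n" for c in comment):
        clean["comment"] = comment
    else:
        errors["comment"] = "too long or contains control characters"
    return clean, errors

def store(db, clean):
    """Insert with bound parameters so the driver does the quoting."""
    db.execute("INSERT INTO feedback (title, name, comment) VALUES (?, ?, ?)",
               (clean["title"], clean["name"], clean["comment"]))
    return db.execute("SELECT title, name, comment FROM feedback").fetchall()

def demo():
    """Run two constructed submissions through validation and storage."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feedback (title TEXT, name TEXT, comment TEXT)")
    good = {"title": "Dr", "name": "Niamh O'Brien", "comment": "It's fine; thanks."}
    bad = {"title": "Lord", "name": "x'); DROP TABLE feedback;--", "comment": "a\x00b"}
    results = []
    for form in (good, bad):
        clean, errors = validate(form)
        rows = store(db, clean) if not errors else None
        results.append((sorted(errors), rows))
    return results

if __name__ == "__main__":
    print(demo())
```

The apostrophes in the accepted submission are legitimate data and reach the table intact because they are bound, not concatenated; the rejected submission never reaches the database at all.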

Comment Re:How would an attack happen? (Score 1) 100

I agree it needs fixing, and even said that it's important to have security at every layer; my point was really that a number of other security measures will already have failed before the database is vulnerable. And yes, in many cases the web server will be the application server, but I'd hope that's a design that's limited to less than critical systems...

In a truly paranoid environment the only internal access to the database will be via bastion hosts, not direct from individual desktops...

Comment How would an attack happen? (Score 3, Informative) 100

I see lots of comments about needing to know the vulnerability right now, and even panic about taking servers down until it's fixed. I can't help feeling that if that's your reaction you're doing it wrong.

In any internet facing production environment, the front end web servers will be the only place that can be attacked. They should be in a DMZ and only be accessing application servers via a firewall, which in turn access the database. Access to the database would only be allowed from the application servers, and the application servers shouldn't be able to run any random SQL. All inputs should be verified before passing to the database. It's kind of hard to see how, in a well designed system, the database is at risk. Nothing uncontrolled should be reaching it.

Of course it's important to have security at every layer, but if an attack can get as far as exploiting a code vulnerability in the database I'd say there's a bigger problem somewhere further up the chain.

Internal attacks are another matter, but again, access controls should be ensuring that only those who really need access to the database have access to the database. Those people will be able to do enough damage without needing exploits, so again, code vulnerability at that level should be something of a non-issue.
