
Comment You can automate it (Score 4, Informative) 297

While it does involve having thousands of addresses, this kind of thing is pretty easy to automate, given what your goals are. For example, I use this tool to determine which country my visitors are in and display the relevant contact information (show the French address to people in France, the Belgian one to people in Belgium, etc). I have a cron job set up to update the database once a week; it is fully automatic and very reliable.

If you need to be more specific, this guy has a php class that can supposedly give you information as specific as city, or you can write your own using the db you can download here, although I can't personally vouch for either. You could also parse the hostnames in your server and only allow service providers in your area.

Also, google code has a really good tutorial for a client side application if your server is limited in its capabilities.

Either way, it sounds from the summary like you have access to a database of ip address ranges you want to allow. Just set up a cron job to download it and parse it.
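One way the "download it and parse it" step could look once the cron job has saved the file, as an added example that is not part of the original comment. It assumes the list has one IPv4 CIDR range per line with `#` comments, and 64-bit PHP; the function names and sample ranges are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Parse "a.b.c.d/len" lines into [start, end] integer pairs; skip anything else. */
function load_ranges(string $text): array
{
    $ranges = [];
    foreach (preg_split('/\R/', $text) ?: [] as $line) {
        $line = trim((string) preg_replace('/#.*/', '', $line));
        if (!preg_match('#^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$#', $line, $m)) {
            continue; // blank, comment or malformed line
        }
        $base = ip2long($m[1]);
        $len  = (int) $m[2];
        if ($base === false || $len > 32) {
            continue;
        }
        $mask  = (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
        $start = $base & $mask;
        $ranges[] = [$start, $start | (~$mask & 0xFFFFFFFF)];
    }
    return $ranges;
}

/** True only if $ip is valid IPv4 and falls inside one of the ranges. */
function ip_allowed(string $ip, array $ranges): bool
{
    $n = ip2long($ip);
    if ($n === false) {
        return false; // unparseable or non-IPv4 address: fail closed
    }
    foreach ($ranges as [$start, $end]) {
        if ($n >= $start && $n <= $end) {
            return true;
        }
    }
    return false;
}

// Constructed sample list (documentation address space).
$list = "# allowed providers\n192.0.2.0/24\n198.51.100.0/25\nnot-a-range\n";
$ranges = load_ranges($list);
var_dump(ip_allowed('192.0.2.77', $ranges));
var_dump(ip_allowed('198.51.100.200', $ranges));
```

In a real request handler the address to check should come from `$_SERVER['REMOTE_ADDR']`, not from a client-supplied header, and an empty or failed download should leave the previous list in place.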

Comment Not piracy (Score 5, Insightful) 576

Now yes, from a strict legal point of view, I've no doubt that still counts as piracy.

IANAL, but I believe that unless it happens on the high seas and involves forcefully robbing or commandeering a vessel, from a strict legal point of view it is not piracy.

Comment Forget the charger... (Score 5, Insightful) 184

As a former infantryman, I can tell you that you are really overthinking this. Rugged means more than just hard to break. It also means that it is a single piece (so he can't lose part of it) and that those pieces are easily replaceable.

Forget the charger, and get him something nice that runs on AAs. Lots of military equipment, such as the AN/PRC-14 night vision goggles or the little radios that squads carry around, run on AAs and so he is sure never to have a shortage. You literally have boxes of these things just floating around wherever you go. They aren't that heavy, they are virtually unbreakable, and he will have to carry some anyway. When I was in, guys bought electric shavers that ran on AAs expressly for this reason.

Besides, his unit will appreciate him not flipping a mirror out for all to see whenever he wants to listen to music.
Input Devices

Solar Power Pre-Deployment To Afghanistan? 184

dAzED1 writes "My little brother is heading for training at 29 Palms as a Navy Corpsman with FMF. He gets a [Sailor|Soldier|Marine]'s pay, so while he can't afford gadgets, I can; since he'll be in a LAR unit, I was thinking of getting him a small video camera, an iPod, and some sort of solar recharger. Whatever he takes, he'll have to be able to carry in his pack, which is already going to be heavy with his medic gear. Other than the weight issue, I am having problems finding a solar recharger that doesn't get wildly differing reviews as to basic quality. He'll have plenty of sun and few clouds, but it needs to be lightweight, effective, and robust. With price not being much of a concern, what would you suggest for accomplishing this? Advice on a small robust video camera would be appreciated as well."
The Courts

RIAA, Stop Suing Tech Investors! 114

The RIAA isn't just suing tens of thousands of music consumers; they've also begun filing lawsuits naming the directors of and investors in tech companies that they believe contribute to copyright infringement. NewYorkCountryLawyer writes: "ZDNet urges the big recording industries to stop suing tech investors, and cites the draft legislation that I posted, which would immunize from secondary copyright infringement liability any work done by a director in 'his or her capacity as a member of the board of directors or committee thereof,' and any conduct by an investor based solely upon his or her having 'invested in any such corporation, including any oversight, monitoring, or due diligence activities in connection therewith.'"

Comment Don't do that (Score 2, Informative) 209

Be careful with this, though, because a lot of places you wouldn't expect don't support the + sign. For example, when I had to renew my SSL cert after the debian ssl debacle, I had a problem: the email I used was me+thawte@gmail.com. Thawte has no problem sending junk email to this address, and they accepted it just fine when I initially accepted the cert, but when I went to renew it, their system was silently dropping the plus and throwing an error when I tried to confirm the reissue.

Their technical support was no help either. After talking with some douche called "Jeremy E", he simply informed me that the best he could do was change the address to me.thawte@gmail.com, which of course is equivalent to methawte@gmail.com and not my address. He then did this without waiting for my approval and sent the reissue information to some total stranger (I tried to register it, it was taken). I never did get them to change the address, nor to reissue the cert.

You would think that a business like SSL certs that charges extortionate (hundreds of dollars) prices for something that an automated system does would have a working email system, but no. I ended up having to buy a new cert from another company.

By the way, THAWTE AND VERISIGN SUCK

Comment Which is why they have other ways to measure you. (Score 3, Interesting) 383

Lots of tracking software has ways to account for people like you. Xiti, for example, loads both a script and a small image. They err on the side of caution and assume that people who load the image but not the script have fairly restrictive settings. So, Xiti tells me that after filtering out bots 2% of my users have js dis-activated, although I believe that the actual percentage is lower. If I assume that all of those users have flash disabled and combine that with the fact that Javascript-based Google analytics tells me that 3% of my users either don't have Flash or that it doesn't recognize their flash version, at most 5% of my visitors don't have Flash and the actual number is probably a small fraction of that.

In general, I do not advocate the use of Flash in web design, but you cannot deny that it is nearly ubiquitous.

Comment Google will let you know for free (Score 2, Insightful) 383

At least for your own site, google analytics will not only tell you what proportion of users have flash installed but also which version.

For example, on my sites (4 medium/smallish commercial sites with around 1000 visits per day each) 45% of users have Flash 10.0 r12, 53% have some version of Flash 9, and 3% have "not set," which is probably split between users with no Flash and users with something that blocks GA's data collection (things such as no script could do this, but I think this is unlikely as noscript has google whitelisted by default).

So, for my sites, the number of users without Flash installed is probably between 0 and 3%. I think it is closer to 3% than 0, but anybody else's guess is as good as mine.

The point is, the overwhelming majority of users have flash.

That tidbit aside, I must say that IMHO using Flash for anything but movies and games is incredibly bad form. There is no reason whatsoever to have flash menus, navigation or anything else that can be handled in html, css or javascript. Flash destroys accessibility, distracts from your message and is just annoying for visitors.
Operating Systems

DragonFly BSD 2.2 Released 44

An anonymous reader writes "DragonFly BSD 2.2 is now available. The second release to feature the HAMMER (versioning, among other things) filesystem — now considered production-ready — it includes 'major stability improvements across the board, new drivers, much better pkgsrc support and integration.' Apart from the CD ISO, this release has a DVD ISO with 'a fully operational X environment,' as well as a bootable USB disk-key image."

Comment Re:Not a surprise. (Score 3, Interesting) 723

Of course they did. They are, after all, on the right side of Swedish law. All that remains to be seen is whether we can say the same about the Swedish courts.

I dare say that very few of us here are qualified to make that statement, probably including you, my good sir. In fact, I believe that this trial is happening because a large number of lawmakers, lawyers, and judges in Sweden can't even answer that question yet. We will soon see if they are breaking the law in Sweden or not, though.

Comment Re:A Strawman for the Symptom (Score 3, Insightful) 723

The Pirate Bay is about theft, plain and simple.

Dude, are you trolling? Why can we not discuss this issue without some idiot like you hijacking the thread? Look, copyright infringement is not theft. You can argue the im/morality of copyright infringement all you want, and I and many others might agree with you if you argue that it is wrong and can support the statement.

However, copyright infringement and theft are not the same fucking thing already. Jesus.

Comment exactly (Score 4, Informative) 195

exactly right.

Honestly, if the OP is in the situation where he is trying to find and patch holes, it would probably be a better idea to do a little homework and start the project over again and use good security techniques when writing.

It is not that hard, really. You just have to remember never to trust user input. That means that you filter all of it, you don't rely on cookies for access control, and you don't trust the variables that the browser sent you (such as $_SESSION['http_referer']).

As far as filtering is concerned, remember that php has a lot of filters at your disposal (just remember to strip new lines out of email addresses yourself, the filter misses that one). Another word of warning: if you are echoing user input out onto a page, it is much easier to use bb syntax than allow html tags through strip tags: the danger is that an attacker can get javascript attributes past the filter, and it is better just to avoid it.
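The two pieces of advice in the comment above (check email addresses for line breaks yourself, and prefer BB syntax over an allow-list of HTML tags), sketched as an added example that is not part of the original comment. The helper names and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; clean_email() and render_comment() are hypothetical names.

/** Return the address if it is well-formed and free of line breaks, else null. */
function clean_email(string $raw): ?string
{
    // CR, LF or NUL in a value that later reaches mail() headers lets a
    // submitter append headers of their own, so reject instead of repairing.
    if (preg_match('/[\r\n\0]/', $raw) === 1) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Escape everything, then re-enable a tiny BBCode whitelist. */
function render_comment(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // The generated tags carry no attributes, so no event handler can ride along.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $safe) ?? $safe;
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $safe) ?? $safe;
    return nl2br($safe);
}

// Constructed sample input.
$post = '<b onmouseover="alert(1)">hello</b> and [b]bold[/b]';

// strip_tags() with an allow-list keeps the <b> tag together with its attributes.
echo strip_tags($post, '<b>'), "\n";
// The BBCode path emits the HTML tag as inert text and only [b] becomes markup.
echo render_comment($post), "\n";

var_dump(clean_email("visitor@example.com"));
var_dump(clean_email("visitor@example.com\r\nBcc: third-party@example.net"));
```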

Comment Re:Highlights one of the problems.. (Score 1) 195

I have 50 accounts for 20 or so users spread across 4 domains that use google apps for domains. Although google apps is not perfect, I have never once heard of the kind of issues you are describing. I would posit that the issue is your client.

However, I agree that google apps is not appropriate for a large organization such as a school. It works for us because we are small enough that simply relying on individual email users to back up their gmail accounts once a week in case google should go bankrupt is more cost effective than anything else. The uptime that we have had from google apps is better than anything we can do in house for a similar price.
