Comment Aeeeeeigghhhh! My eyes oh god my eyes my eyes... (Score 0) 172

It never ceases to amaze me that web designers will take a page that contains utilitarian information (like sports scores) that needs to be presented in legible, dense, organized fashion and insist on bloating it with useless junk until it's unusable crap that takes forever to load, eats resources, doesn't work in a lot of browsers, and inflicts their idea of "style", no matter how hideous, on users.

This is one of those cases. Yahoo Sports has apparently failed to notice that the ideal design model for a sports page can be found in any decent newspaper: scores up front, box scores inside, stories to follow. Simple. Easy. Fast-loading. Quick to code. Works in any browser including the text-only ones. Easy to generate from scripts. Easy to parse. Fast to update. Dirt-simple and thus hard to break.

In other words, the antithesis of this crap, which looks like something an art-school sophomore just in from an all-night binge would cook up...and is, unfortunately, increasingly typical of sites that aren't content to just use designs that work, but feel the need to change things...because change.

Comment Re:They just don't seem to get the message (Score 2) 212

You know, we had a "free" Internet long before the advertising filth showed up and began polluting it. They are expendable, although they would certainly like you to believe that they're not. "Oh noooes the free sites could go away with advertising!!"

Yes, they could. So what?

Newcomers (anyone who didn't have an address ending in .ARPA is new) are directed to study the history of the 'net. Those of adequate perception will quickly realize that it was flourishing WITHOUT the hordes of imbeciles, WITHOUT the masses of illiterates, WITHOUT the tracking and ads and spam. Our mistake was not crushing these out of existence with ruthless ferocity as soon as they appeared: every ignorant newbie should have been flamed to oblivion, every spammer's business destroyed. We were far too nice and far too tolerant, and thus...look at what we have now. But it didn't have to turn out that way. And it still doesn't. The situation is fixable.

Ads don't reach me because I have those sites firewalled or null-routed. I don't care to look at them or have my extremely valuable time and resources wasted by them. Nor do I wish to be exposed to the malware and other attacks carried by an increasing number of them. I recommend this same approach to others: block them at your network perimeter: ALL of them. Yes, this will have consequences -- good consequences. It passes the "what if everyone did it?" test because if that happened it would starve the ad networks of revenue and deprive them of the resources they require to engage in ever-more-intrusive tracking and data collection on Internet users. Everyone won't do that, of course: but those who do will reap at least some of the benefits. Perhaps that will be enough. I certainly hope so.

Comment The stupid, it burns (Score 1) 45

Let's put aside for a moment that Twitter is one of the very stupidest things to come along in quite some time: a service for illiterate chimpanzees with attention-deficit disorder, as nobody of worth or value would bother reading or writing 140 characters at a time. Let's just pretend, for the sake of argument, that it's a useful service worth defending.

First, putting money into the pockets of its adversaries is idiotic.

Second, pretending that content/context filtering based on examination of their CURRENT methods will work TOMORROW is equally idiotic. (This is a recurring mistake among many wanna-be anti-spammers: they blithely presume that spammers will sit on their hands while countermeasures are developed and deployed, even though the multi-decade history of spammers demonstrates conclusively that they will not.)

Third, pretending that countermeasures which may be temporarily successful against a subset of spammers will enjoy long-term success against a significantly larger set of spammers is wishful thinking. (This is another recurring mistake among the wanna-be's: they don't realize that they've targeted the least-competent spammers. They're too busy patting themselves on the back to realize that all they've really accomplished is to clear the playing field for the professionals.)

Fourth, these researchers have failed -- completely -- to account for the presence of spammer allies inside Twitter. It is of course short-sighted, naive and very stupid to neglect this, since it's obvious on inspection that a nonzero number of Twitter staff are complicit in spamming activities. (And why not? The chances they'll be caught are tiny. The extra income is tax-free. And they can take multiple payoffs from multiple people for doing the same thing. Unless one wishes to make the patently absurd argument that 100.000% of Twitter employees are incorruptible, which of course is laughable and instantly disqualifies the speaker from serious conversation.)

The bottom line is that Twitter made a fundamental error before they even launched: they failed to perform an adversarial analysis, to ask themselves "how can our service be abused?" and then modify the design to deal with as many answers to that as possible. (This is hardly unique: many others have made the exact same mistake. Some are making it today.) Their failure to perform this analysis BEFORE finalizing design and deployment means that they're now left trying to backfill it. That has never worked. It's not working now. It's not going to work. So this little endeavor represents merely some feeble half-hearted attempt to deal with a tiny piece of an enormous problem...and even that attempt is doomed to fail as soon as spammers find it to be an inconvenience.

Comment Re:Notify Xerox First (Score 5, Insightful) 163

You are making the mistake of imagining that the person who discovered this flaw owes Xerox something.

He does not.

He discovered the information, and he is free to (a) remain silent (b) tell Xerox (c) tell the press (d) tell everyone (e-z) anything else he likes. He might CHOOSE (b) but he is certainly under no obligation to do so, and it is of course incorrect for anyone to fault him if he does not choose (b).

We see this same mistake being made by the inferior minds who advocate the farcical concept of "responsible disclosure" when it comes to security issues. There is no such thing. There never has been. It's simply a fabrication by the mouthpieces of corporations who fret about bad publicity or negative impact on their stock price. Those who say they practice it are conceited and arrogant: they are making the foolish mistake of presuming that they, and they alone, possess this information, even though that's almost certainly not true. (What one can discover, another can discover.)

In all these cases, what we find are people who are afraid of the truth. They are afraid to speak it, afraid to hear it, afraid to have it propagated, afraid that others may have it: afraid, afraid, afraid. This is antithetical to the scientific method, to free speech, to forward progress: we must have the truth, no matter how inconvenient or unpleasant, if we're going to get anywhere.

I'm sure that some of the people at Xerox are furious about this. That's just too damn bad. If they want to find the root cause of their anger, they should look in a mirror, as it is their incompetence, sloppiness, laziness and negligence that has made all this happen.

Comment Re:The death-knell of US cloud providers... (Score 1) 771

Cloud providers always had (at least) one glaring security problem: their own employees. Those people always have some kind of access to customer instances -- logical, physical, network, something. Yes, those accesses can be restricted, logged, audited and so on...but anyone who has observed US business practices knows that costly measures like that are the first to be jettisoned when the race to the bottom begins. Managers will make the calculation that it's cheaper to risk an incident than to continuously pay the costs to avoid one, and they'll rely on lawyers to make it go away if/when it happens.

Now there's quite clearly a second threat: demands from federal agencies that are intrusive, exhaustive, secret, all-encompassing, (nearly) unchallengeable.

And that brings with it a third threat: this past week's disclosures have shown that numerous federal (and state) (and local) agencies are aware that the NSA and the DEA and others are clandestinely gathering data...and they alllllll want a piece of it. Eventually they're going to get it. (How do I know? Because it's never turned out any other way.) And some of them have absolutely horrible security track records of their own, which means they're going to leak it, lose it, and surrender it to the first bored hacker who comes along.

If you can't compute securely, you can't compute PERIOD. And we now find ourselves with multiple existence proofs showing that cloud computing is most certainly not secure. I really don't think it's much of a leap to suggest that it's going to get more insecure every day.

Comment Re:Thanks a fucking bunch Lavabit. (Score 5, Insightful) 771

I think it would be wise to consider that perhaps the reason you had no warning was that Lavabit's operators also had no warning. (That is, no warning of the specific event which caused them to make the decision to shut down. Obviously they knew something was afoot, as we can see by the posted message from them.)

The operators of Lavabit have gone waaaaaay out on a limb for you today. They're risking ten years of work, their livelihood, their finances, and their freedom. I think -- even though this obviously inconveniences you and others -- you might want to give them a little slack. I think it's obvious on inspection that they're doing this on principle, and THAT is worthy of respect -- doubly so when many of their peers have chosen otherwise, as is now becoming more clear every day.

Comment This is pure security theater (Score 3, Insightful) 380

This is as beautiful an example of idiotic, worthless, counterproductive security theater as we've seen.

For starters, the implementation is something I'd expect from a drunk college sophomore who's been pulling C grades in CS courses. It's miserable. The most significant effects it's had have been to alarm, confuse, annoy and distract people -- some of whom were driving. Great idea, that last one: cause their cell phone to make a noise they've heard before so that it increases the probability they'll pick it up and look at it.

Second, the lack of detail is outrageously stupid. A recipient of this message who just happened to see such a vehicle might approach it because there's nothing in it warning them not to.

Third, sending it 24 hours later is idiotic. Any competent murderer would be in a different vehicle by then. (Once again, police assume that everyone is as stupid as they are. Most people aren't.)

Fourth, sending it multiple times ensures that many people will disable it. Way to go, alleged public safety officials.

Finally, the entire concept behind this is insane. Untrained civilians are poor observers (as anyone who's studied trial witness dynamics for even an hour knows). How many blue cars got reported because they might be Nissan Versas? (I have no idea what one of those looks like; hell, I didn't even know there was such a model.) How much manpower got diverted to deal with all those false reports instead of being used to pursue leads based on hard evidence?

This is just another case of lazy, sloppy, incompetent police work -- like we saw in Boston when they closed down the entire city and rolled armored vehicles through the streets to catch one frightened teenager and STILL couldn't manage to pull it off. It seems that the pigs in California only know how to drink coffee and shoot helpless unarmed civilians in the back -- something challenging, like tracking down a murderer, is far beyond their pitifully feeble minds.

Comment The recommendations are good, but the timing's off (Score 1) 341

Certainly nobody who's serious about security should use ANY closed-source OS; and Windows, having spent its entire lifetime proving repeatedly that it's incredibly brittle and incapable of withstanding even rudimentary attacks without numerous add-ons, should be the first to go.

But, that said: nothing that's happened this week has altered the situation. That is, this was all true last month and last year and last decade. NOBODY should have been using Windows then; nobody should be using it now.

Of course that's not how it's played out. Too many people are too unwilling to learn, to change, to grow, to use something different. They're not even willing to make trivial changes like (say) IE to Firefox. They want what they want, and even if using their Windows system set them on fire once a month, they'd still want it.

There's no hope for those people. We need to stop trying. They're a lost cause. They will inevitably be hacked and phished, spammed and compromised. There's nothing we can do about it except stay clear of the damage. Our efforts need to be focused on the superior people with open minds, the people who can actually (gasp!) LEARN and THINK, the people who will adapt to change -- and not just today's changes, which might be "switch to Linux" but tomorrow's changes, which will be...well, we don't know what they'll be yet since it hasn't arrived.

The sad part of all this is that the movie's not new. It's the same-old same-old. It always ends the same way, yet the stubborn keep doggedly replaying it hoping for some other outcome.

Comment Re:Are you retarded? And how are we gonna stop spa (Score 1) 558

No, not a troll, just very aggravated that this conversation is apparently necessary. The lack of cognitive and research skills among defenders of captchas is appalling; how can ANYONE be so amazingly ignorant as to not recognize that the only captchas that haven't been thoroughly defeated are those that aren't worth defeating -- because what they "defend" is so pitiful that not even spammers care about it?

As to your incorrect speculation on my background: I go back to ARPAnet days, kid. So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.

But you know what? If you want to blindly persist with your pathetic captchas and your laughable belief that they have any value at all: go right ahead. Just keep holding up tissue paper in front of a tank and hoping it'll work. I'm sure that'll work out just great for you.

Comment Re:Are you retarded? And how are we gonna stop spa (Score 1) 558

There's a missing comment upthread which included half a dozen or so links (including one back to Slashdot) about projects that have quite, quite effectively demonstrated that captchas are worthless.

Of course anyone of even modest intelligence would be capable of doing their own homework and searching the web for things like "captchas defeated", then reading what they find. It's old news (years-old, in fact) by now, so there's plenty to read about. But then again, nobody of modest intelligence would even consider using captchas: that's the province of the lazy, the stupid, the ignorant, the worthless.

Here, I'll get you started: https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/

That's one of MANY. You should be able to find some of the rest in a few moments without further assistance from me.

Comment Re:Are you retarded? And how are we gonna stop spa (Score 0) 558

Vastly superior methods for stopping spam have existed since well before captchas were invented. They still exist today. I've written about them at great length (elsewhere), as have others.

The problem is not that these methods don't exist, or aren't effective, or aren't well-understood; the problem is that people refuse to invest the effort to learn them. Captchas are a cheap, easy way out for those same people, and they take it because they're too lazy to bother actually (gasp!) LEARNING.

But you know what? Let's forget that I have more experience in this area than you could possibly guess. Don't take my word for it. Don't read the references I provided. Instead, why don't you consult the people who make it their business to defeat captchas: the spammers, the phishers, the malware distributors, the bad guys. Go read their mailing lists, their web sites, their message boards. I don't mean just one or two postings: I mean several thousand over several years, so that you can actually begin to get a sense of where they're at. You will find, if you actually do this modest bit of informal research, that they're way past all this. Captchas are merely a dot in their rear-view mirror, fading away into the distance.

Comment Captchas were completely defeated YEARS ago (Score 0) 558

They have precisely zero security value. Please see, for a brief introduction:

http://phys.org/news/2011-11-stanford-outsmart-captcha-codes.html
http://cintruder.sourceforge.net/
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
http://arstechnica.com/security/2008/04/gone-in-60-seconds-spambot-cracks-livehotmail-captcha/
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

among others.

Nobody who actually understands the nature of the threat would even CONSIDER using captchas at this point.

Now...every now and then some poor naive fool stands up and says "But but but...they're working for us." No. They are not. You are simply not worthy of attack...yet. If you ever become a target, because someone has a grudge against you, or because you have an important resource, or merely because someone is bored, then if they are at least minimally competent attackers, they will go right through your alleged "captcha" defenses without the slightest problem.

Comment As a customer of Sun since the beginning... (Score 1) 154

...I'm done. It's a pity, really; for all their missteps, Sun did some interesting, useful, innovative things. And during those parts of my career when I was working in education, they were generous with hardware, software, and time -- even when it wasn't clear that it would have a short-term benefit for Sun. They knew that down the road, we'd remember, and we'd spec their gear in proposals -- and we did.

But now? I've spent the last year excising Oracle products. I've decommissioned and sold off hardware, I've deinstalled software, I've cancelled support contract after support contract, I've done everything possible to remove all traces of Oracle from the operation. One might think that Oracle would care that a 30-year customer is leaving...but they don't. One might think Oracle would care that a multi-million dollar account is leaving...but they don't. One might think Oracle would care that they are poisoning the well (since I'm teaching everyone who works for me to avoid them, and why)...but they don't.

Oracle is well on its way to destroying, in a few short years, the work of decades.

They don't care.

Comment The sign on Evi's desk (Score 5, Informative) 156

The last time I was in her office (which was many years ago) I noticed the sign on her desk:

Don't postpone joy.

She didn't. From the gusto with which she threw herself into her work to the whimsy that led her to recycle a jet fighter's cockpit canopy as a window in her improvised mountain home, she never hesitated to find a smile or a laugh.

So if we've lost her -- and I hope we haven't -- then we've not only lost someone who's been the mentor to an entire generation of system admins, we've lost a unique, wonderful, fascinating person.

p.s. I'm well aware that there are co-authors of those books. I'm equally well aware that Evi did the heavy lifting.

Comment Re:I guess it was worth it then... (Score 1) 136

You're correct that it should have been a criminal case, but I must take issue with your choice of punishment. Clearly, mere prison is inadequate; I recommend execution -- because it's the only way to guarantee they'll never do this again. Otherwise, while they're busy appealing this slap-on-the-wrist fine, they'll be setting up their next company, laundering the assets of their current one, and getting ready to shift operations so that they can pick up where they've left off.
