Catch up on stories from the past week (and beyond) at the Slashdot story archive


Facebook speeding boast leads to conviction (www.cbc.ca)

Meshach writes: In Canada a nineteen-year-old man has lost his driving license for six months and is facing one year of probation after the police arrested him for dangerous driving as a result of a post on Facebook. The tip apparently came from an uninvolved American who saw the post bragging about how fast he went and called the Canadian authorities.
Bug

Scaling Algorithm Bug In Gimp, Photoshop, Others

Wescotte writes "There is an important error in most photography scaling algorithms. All software tested has the problem: The Gimp, Adobe Photoshop, CinePaint, Nip2, ImageMagick, GQview, Eye of Gnome, Paint, and Krita. The problem exists across three different operating systems: Linux, Mac OS X, and Windows. (These exceptions have subsequently been reported — this software does not suffer from the problem: the Netpbm toolkit for graphic manipulations, the developing GEGL toolkit, 32-bit encoded images in Photoshop CS3, the latest version of Image Analyzer, the image exporters in Aperture 1.5.6, the latest version of Rendera, Adobe Lightroom 1.4.1, Pixelmator for Mac OS X, Paint Shop Pro X2, and the Preview app in Mac OS X starting from version 10.6.) Photographs scaled with the affected software are degraded, because of incorrect algorithmic accounting for monitor gamma. The degradation is often faint, but probably most pictures contain at least an area where the degradation is clearly visible. I believe this has happened since the first versions of these programs, maybe 20 years ago."
Games

Man Tracked Down and Arrested Via WoW

kabome writes with this excerpt from a story about an alleged drug dealer who was located by law enforcement thanks to World of Warcraft: "Roberson’s subpoena was nothing more than a politely worded request, considering the limits of his law enforcement jurisdiction and the ambiguity of the online world. 'They don’t have to respond to us, and I was under the assumption that they wouldn’t,' said Roberson. ... Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name and preferred server. From there it was a simple matter to zero in on the suspect's location."
PHP

Securing PHP Web Applications

Michael J. Ross writes: "The owners and the developers of typical Web sites face a quandary, one often unrecognized and unstated: They generally want their sites' contents and functionality to be accessible to everyone on the Internet, yet the more they open those sites, the more vulnerable they can become to attackers of all sorts. In their latest book, Securing PHP Web Applications, Tricia and William Ballad argue that PHP is an inherently insecure language, and they attempt to arm PHP programmers with the knowledge and techniques for making the sites they develop as secure as possible, short of disconnecting them from the Internet.

The book was published by Addison-Wesley on 26 December 2008, under the ISBN 978-0321534347. The publisher maintains a Web page for the book, where visitors will find a detailed description, the table of contents, and a sample chapter ("Cross-Site Scripting," Chapter 10) only three pages in length — undoubtedly a record. That is essentially all one will find on that Web page. Most technical publishers offer far more information on the Web pages for each one of their books — such as the preface and index online, updates to the book's content (including reported errata, confirmed and otherwise), descriptions of the chapters, information about and pictures of the author(s), feedback from readers and the media, and, perhaps most valuable of all, the sample code used in the given book. (However, that is less of a factor with this particular book, since it does not contain much sample code.) Many such publisher pages even have links to book- or technology-specific forums, where readers can post questions to the authors, and read other people's questions and the replies. Addison-Wesley, like all of the Pearson Education imprints, has through the years proven quite sparing with the supplementary online content, thereby no doubt reducing the number of prospective readers and other traffic to their sites.

Despite its fairly modest length (336 pages) in comparison to the average programming book being published these days, Securing PHP Web Applications tries to cover a sizable number of topics, in five parts, which encompass 17 chapters: general security issues; error handling; system calls; buffer overflows and sanitizing variables; input validation; file access; user authentication; encryption and passwords; sessions and attacks against them; cross-site scripting; securing Apache and MySQL; securing IIS and SQL Server; securing PHP; automated testing; exploit testing; designing a secure application; and hardening an existing application. The book concludes with an epilogue on professional habits to improve the security of one's applications, an appendix describing additional resources, a glossary, and an index. Throughout the book, the authors illustrate key ideas with the use of a sample application — in this case, a Web-based guest book.

The first chapter, which is the only one in the first part of the book, is rather brief, but does prime the reader for all the material that follows, because it explains the inherent security problems of Web applications, and explains the dangers of some of the inadequate measures that naive programmers can take, such as security through obscurity, and the common belief that hackers only go after major Web sites.

Chapter 2 focuses on error handling, but begins with an example of SQL injection, and how effective it can be against the first iteration of the guest book application code. The most potentially confusing part of the discussion is when the authors show an SQL injection attack that perverts an INSERT statement by injecting it with an SQL command to drop a table, and the two commands are separated by a semicolon. But then instead of discussing how multiple SQL statements can be separated by semicolons (well, depending upon one's server settings), they instead discuss separating PHP commands with semicolons, but not SQL commands. Nonetheless, readers will find some good advice on handling unexpected input and using a centralized error-handling mechanism, even if quite simple. Also, the question of whether or not to accept HTML in user input is briefly addressed. However, the material would be more useful if the authors were to explain specifically when htmlspecialchars() should be used instead of htmlentities(). Also, the option of using standard bulletin board codes (such as [b]bold[/b]) should have been mentioned, if only briefly with references to outside resources. At the bottom of page 22, the bare regex following a !"~" is not valid PHP (or even Perl, which it much more resembles). Lastly, one should not follow the recommendation of providing absolutely no feedback to the user as to what characters were invalid in the text they entered. Hackers gain nothing from being told the obvious, that HTML tags are not allowed; but legitimate users will be incensed when told only that the system didn't understand their input, with no indication as to how to make it acceptable.

In the third chapter, the authors explain the obvious danger of using unsanitized user input within a call to the operating system, such as exec() or system(). The discussion here assumes that you are on a *nix server, not Windows. Two PHP commands are suggested for sanitizing user input, as well as the option and advantages of building a custom API that is limited to only the system calls that should ever be executed within your Web application. On page 33, their test code appears to assume that register_globals has been enabled (so the GET variables in the malicious URL are automatically instantiated and set to the values in the URL), which is disappointing for a book on PHP security, since the dangers inherent in register_globals are so severe that it is now disabled by default, is deprecated in PHP version 5.3.0, and will be completely removed in version 6.

In Chapter 4, readers get an overview of program and data storage on a computer, including buffers, stacks, and heaps, as groundwork for learning what buffer overflows are and how hackers can try to exploit them to execute database and operating system statements, including using your server as a staging point for remote exploits and denial-of-service attacks. The fifth chapter dovetails nicely with the previous one, because it discusses input validation, which is a key component of avoiding boundary condition attacks. The authors explain the importance of validating tainted data, using character length and regular expressions. One simple countermeasure to such attacks that the authors fail to mention is simply setting a maximum input length ("maxlength") on HTML "input" tag fields. After all, most entry fields on forms are input tags — not textarea tags, for which the maxlength attribute only specifies wrapping. Using maxlength does not prevent manipulation of POST values, but does prevent the less knowledgeable attacker from overflowing input tag fields.

Chapter 6 explains the risks in working with local and remote files, and why it is critical to not allow mischievous users to do such tricks as inserting a pathname in a filename, when your code is expecting only a simple filename. Unfortunately, some of the code and claims in this chapter are suspect: On page 70, the value of $path_to_uploaded_files is missing a needed trailing forward slash. The suggested method of processing malicious file paths could be made much more simple and secure with the use of basename(). The file_get_contents() attack shown on page 71 again seems to assume that register_globals is enabled; even if it were enabled, the exploit wouldn't work because $file is always set to a value in the script code. The authors seemingly believe that GET variables can override anything in a script. Nonetheless, their advice about handling user-uploaded files is spot on.

Part 4 of the book focuses on user security. The first of its chapters covers user authentication and authorization — combining the two for their sample application — and starting with usernames and passwords. Access denial due to invalid username or password is supposedly illustrated by Figure 7.2, but all that it illustrates is that a concept that needs no visual depiction is not made more clear by trying to represent it with a confusing image. The authors provide a thorough discussion of authentication purposes and methods, as well as password encryption and strength. Yet they provide no rationale for setting the default values for usernames, passwords, and e-mail addresses to " " simply because the columns are non-nullable. After all, a record would only be added to the table if those values were known. Also, in their validateUsernamePassword() function, they've mistakenly commented out the first "return FALSE;" and they create unused variables $username and $password.

Chapter 8 provides an overview of various types of encryption, particularly for passwords, and some recommendations for PHP-supported algorithms. One blemish in this discussion is the claim that the longer the key for decryption, the longer it will take for your application to load the data (presumably the encrypted text) — which doesn't make sense. Also, their password() and login() functions reference class member names of an object not yet defined or explained. Code out of context like this can be confusing to the reader.

Sessions are a key component of maintaining and securing the identity of an authenticated user as she goes from one page to another in your PHP application. In Chapter 9, the authors describe the three major categories of session attacks: fixation, hijacking, and injection. The next chapter addresses cross-site scripting (XSS), but runs only three pages, and provides no examples of an XSS attack, which would have been helpful for the reader to understand how such an attack could try to compromise his PHP code, and what sort of malicious code to look for in his site. However, references to four open source XSS filtering projects are provided, in case the reader would like to learn more about them.

The fifth part of the book is devoted to securing whichever server environment you choose to host your application on — Apache and MySQL, or IIS and Microsoft SQL Server, as well as PHP. In the chapter on PHP, the authors present the Zend Core release of PHP, which can save developers time in installing components of the LAMP stack, and also save them from reinventing the wheel, by using the Zend Framework. Other techniques for hardening PHP are discussed. Chapters 14 and 15 explain how to use automated testing and exploit testing, to increase your application's security, using powerful exploit testing tools — free and proprietary.

The sixth and final part of the book contains two chapters, which purportedly discuss the advantages of designing security into a new application right from the start, and how to improve security in an application that has already been built. In the former chapter, the authors stress the importance of balancing no design ("Skip reading Slashdot for one day...") and too much design (i.e., stalling). But the material mostly consists of the basics of designing a Web application, with no new information on security, and concludes with a brief reiteration of security principles detailed in earlier chapters. The latter chapter offers some good advice on having separate development and test environments, in addition to the production environment. The principles expounded in each of the two chapters do not overlap at all, and yet together they apply equally to new applications under development just as much as they do to finished applications; splitting the principles up does not make sense.

Sadly, the book does not live up to its potential. In general, much of the sample code is sloppy, as exemplified by the instances noted above. The authors and the technical reviewers should have tested the attacks, and thereby found which ones don't work. Even the HTML should not be used by any new Web developer as an example of quality code that adheres to leading standards. In the HTML that they have their sample PHP code generate, the tag attribute values are in single quotes, and not double, which means all of that code would need to be changed to make it compliant with XHTML 1.0. Moreover, by choosing to use single quotes for both the attribute values and the PHP strings, the authors end up having to escape every single attribute value quote mark, which wastes space and looks ridiculous. They repeat this at the end of Chapter 6, but this time with all double quotes. Also, some of the technical decisions are rather odd, such as their setting those default values to spaces in the user table, noted earlier. A few terms are used strangely, as well, such as their statement that IIS's footprint is the number of entry points to it; actually, a Web server software's footprint generally refers to how much memory it consumes. Every chapter ends with a summary, titled "Wrapping It Up," none of which add any value to the book. There are at least three technical errata in the book that should have been caught: spaces in "u + rwx, go + rx" (page 76), and the invalid addresses "www.blog/modsecurity.org" (page 215) and "www.ballad-nonfiction/SecuringPHP/" (page 288; adding ".com" does not fix it).

On the other hand, the book's marketing copy claims that "Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals..." and that is certainly a fair claim. Most of the explanations are straightforward and informative. As a side note, kudos to Addison-Wesley for printing this book on recycled paper; one can only hope that all publishers adopt that policy.

The primary value of Securing PHP Web Applications is that it touches upon security topics that are often glossed over or completely neglected in other PHP security books and articles. This is important, because online miscreants will be searching out every possible chink in your Web site's armor. You should do the same, before they strike — and this book shows how.

Michael J. Ross is a freelance Web developer and writer."
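The two code points raised in the review above (the missing trailing slash and the suggested use of basename() in Chapter 6, and when htmlspecialchars() rather than htmlentities() is the right call in Chapter 2) are illustrated by the following PHP, which is an added example here and not code from the book or from the reviewer; the upload directory name and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the book or the review): building a safe path for
// a user-supplied filename, and escaping guest-book text for HTML output.
declare(strict_types=1);

/**
 * Return the path of $userFilename inside $uploadDir, or null if the name is
 * unusable. basename() discards any directory component the client supplied
 * ("../../etc/passwd" becomes "passwd"), rtrim() makes the join independent of
 * whether the caller remembered the trailing slash, and the realpath() check
 * confirms an existing target still lies under the upload directory even after
 * symlink resolution.
 */
function safe_upload_path(string $uploadDir, string $userFilename): ?string
{
    $base = realpath(rtrim($uploadDir, '/'));
    if ($base === false) {
        return null;                            // upload directory is missing
    }

    $name = basename($userFilename);
    // Reject empty names, dot entries and anything outside a conservative
    // whitelist; tighten the extension rules to what the application accepts.
    if ($name === '' || $name === '.' || $name === '..'
        || preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name) !== 1) {
        return null;
    }

    $candidate = $base . '/' . $name;
    $resolved  = realpath($candidate);          // false when the file is new
    if ($resolved !== false
        && strncmp($resolved, $base . '/', strlen($base) + 1) !== 0) {
        return null;                            // resolved outside $base
    }
    return $candidate;
}

/**
 * Escape untrusted text before inserting it into an HTML document.
 * htmlspecialchars() is sufficient when the page is served as UTF-8: it
 * neutralises the characters that carry markup meaning (& < > " ') and leaves
 * "é" untouched. htmlentities() additionally rewrites every character that has
 * a named entity (é becomes &eacute;), which only matters when the output
 * encoding cannot represent such characters directly.
 */
function guestbook_escape(string $text, bool $asciiOnlyOutput = false): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return $asciiOnlyOutput
        ? htmlentities($text, $flags, 'UTF-8')
        : htmlspecialchars($text, $flags, 'UTF-8');
}

// Constructed demo: a throw-away upload directory and a few sample inputs.
$dir = sys_get_temp_dir() . '/guestbook_uploads';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
foreach (['photo.jpg', '../../etc/passwd', '..', 'a b.txt'] as $input) {
    printf("%-20s => %s\n", $input, var_export(safe_upload_path($dir . '/', $input), true));
}
foreach (['<b>hi</b> & "bye"', 'café \'quote\''] as $input) {
    printf("%s\n  utf8:  %s\n  ascii: %s\n", $input,
        guestbook_escape($input), guestbook_escape($input, true));
}
```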
Security

Open-Source DRM Ready To Take On Big Guns

Barence writes "An open-source digital rights management (DRM) scheme says it's ready to supplant Apple and Microsoft as the world's leading copy protection solution. Marlin, which is backed by companies such as Sony and Samsung, has just announced a new partner program that aims to drive the DRM system into more consumer devices. 'It works in a way that doesn't hold consumers hostage,' Talal Shamoon told PC Pro. 'It allows you to protect and share content in the home, in a way that people own the content, not the devices.' When asked about the biggest problem of DRM — that customers hate it — he argued that 'the biggest problem with DRM is people have implemented it badly. Make DRM invisible and people will use it.'"
Government

US's First Internet Votes To Be Cast This Friday

longacre writes "If you thought online voting in America was a distant pipe dream (nightmare?), think again: the nation's first Internet-based voting system goes online this Friday, just days after the release of the Damning Report On Sequoia E-Voting Machine Security we discussed yesterday. In the first real world run of the Okaloosa Distance Ballot Piloting (ODBP) test program, election officials from Okaloosa County, Florida have set up kiosks in Germany, the UK and Japan where 600-700 absentee voters — mostly military personnel — are expected to cast ballots. Security experts still have many questions, of course, particularly on the potential for interception of voting data while it travels across oceans (via 'secure VPN'), the security of the kiosks ('hardened laptops' with no hard drives and other sensitive components disabled) and the security of the three data centers (one of which is itself housed overseas, in Barcelona, Spain), not to mention the fact that Florida doesn't exactly have a stellar record when it comes to vote counting. Florida's Dept. of State also has a fairly detailed outline of ODBP's components and processes [PDF]."
Privacy

Scientists To Post Individuals' DNA Sequences To Web

isBandGeek() writes "With shocking disregard for their personal privacy, at least 10 people volunteered to release their entire medical records and DNA sequences in order to get their DNA decoded and analyzed. 'They include Steven Pinker, the prominent Harvard University psychologist and author, Esther Dyson, a trainee astronaut and Misha Angrist, an assistant professor at Duke University. They have each donated a piece of skin to the project at Harvard University and agreed to have the results posted on the internet. The three are among the first 10 volunteers in the Personal Genome Project, a study at Harvard University Medical School aimed at challenging the conventional wisdom that the secrets of our genes are best kept to ourselves. The goal of the project is to speed medical research by dispensing with the elaborate precautions traditionally taken to protect the privacy of human subjects."
Image

Researchers Discover The Most Creative Time of Day

Creativity is least likely to strike in the afternoon, according to a survey that suggests office workers have little chance of solving problems after lunch. A poll of 1,426 people showed that a quarter of us stay up late when seeking inspiration. Taking a shower or just sitting in the bathroom proved to be a popular way of getting the creative juices flowing. The survey found that 10:04pm was the most creative time, while 4:33pm was the least. I'll think of something funny to write here later.
Yahoo!

Yahoo Changes User Profiles, To Massive Outrage

Wiseleo writes "Yahoo decided to massively screw up their entire userbase by changing all user profiles to blank. No warning, no automated way to get data back, and other unwanted changes. The blog has such choice quotes as 'We know this has been a rough transition for some of you and, and are committed to helping you use, understand, and (hopefully) enjoy your new profile,' and, 'We also know lots of you worked hard on your old profiles and want your data. If you feel like you're missing data, we've saved a copy of your old profile (and alias) and our Customer Care team can retrieve this information. You won't, however, be able to revert back to your old profile format, but you will be able to get any data that you think is missing. To do this, please go here to contact Customer Care.' There were 850 comments posted, all negative, on the first day. There are hundreds more today. There is even more outrage on the Yahoo Messenger blog."
The Courts

Hacker Admits To Scientology DDoS Attack

lbwbl writes with news that a New Jersey man will plead guilty to one felony count of 'unauthorized impairment of a protected computer' for his distributed denial of service attacks on Scientology websites as part of 'Anonymous' earlier this year. From Wired: "He faces a likely sentence of 12 to 18 months in prison based on stipulations in his plea agreement, which also obliges him to pay $37,500 in restitution. ... Friday's case, in US District Court in Los Angeles, marks the first prosecution of an Anonymous member for a series of attacks against the Church of Scientology that began in mid-January. The secretive religious group strayed into Anonymous' sights after trying to suppress the publication of a creepy Tom Cruise video produced for Scientology members."
The Internet

Opera Develops Search Engine For Web Developers

nk497 writes "The Metadata Analysis and Mining Application (MAMA) doesn't index content like a standard search engine, but looks at markup, style, scripting and the technology behind pages. Based on those existing MAMA-ed pages, 80.4 per cent of sites use cascading style sheets (CSS), while the average web page has 47 markup errors and 16,400 characters. Should you want to know which country is using the AJAX component XMLHttpRequest the most, MAMA can tell you that it's Norway, with 10.2 per cent of the data set." Additional coverage is available at Computerworld, and a deeper explanation is up at Opera's Dev site.
Your Rights Online

Playstation Network Gets Revised, More Restrictive ToS

LordDax writes "Sony just rolled out their new Terms of Service for the Playstation Network. The new ToS features additions about the Master & Subaccount relationship, specifically that you can only 'legally' create a sub account for your own child. No friends allowed. Where it really gets interesting is when you get to the additions to section 3.0 Community Code of Conduct. You now can't tell anyone your real name, where you live or basically anything besides your PSN ID. The new ToS also brings to light that SCEA is going to be monitoring every piece of communication and activity, and reserves the right to remove any content or communication they find objectionable without having to tell you in the interests of SCEA, its users, or licensors. Another addition is: 'Some content may be provided automatically without notice when you sign into PSN. Such content may include automatic updates or upgrades which may change your current operating system, cause a loss of data or content or cause a loss of functionalities or utilities.'"
