
Comment Re:Why the distros? (Score 1) 112

"well, distributions backport security fixes, so 5.3.3 is secure on distro XYZ".

Are you aware of any analysis as to the extent that is actually true, i.e. for distro X or Y which patches really have been backported and which are skipped?

I had a quick poke about the W3Tech site and couldn't really see much of their methodology, especially in terms of how they identify PHP usage and what version is being used. I'd have thought that if you looked at their PHP page there should be a not insignificant number where they can reasonably guess it's using PHP (due to file extensions in URLs perhaps) but not be able to identify the version being used.

I wonder how much your "% of installs that are secure" statistic could be inaccurate due to most (I'd hope) sites that care even slightly about security suppressing the Apache header PHP version information. Are they just missing from the W3Tech stats? It's possible that a significant number of the "secure" PHP installs could be invisible to your calculations because the sort of people who keep their software up to date are the same people who follow fairly basic server set up recommendations.

I suppose there are also questions as to what "insecure" means in practice. For bulk hosting sites running unknown third party code everything is critical, but for a lot of sites running their own code whether they are actually "insecure" depends not only on what PHP does but also what their code does. E.g. for the most recent PHP 5.4 release there is a fix for a fairly nasty-looking bug in unserialize(), but (as I understand it) a site admin with a defined codebase might quite legitimately determine that they never use unserialize() on user generated data and not be in any rush to update if they have other things to be doing. PHP version 5.4.35 might be "insecure" for the purposes of your stats but may not be in practice on someone's server if they know they don't use unserialize() in an exploitable fashion (or mcrypt).

None of the above should be interpreted as criticism of your analysis, just food for thought. I find what you have done very interesting and expect that even if there are 'hidden' secure servers, the number of insecure ones would still be alarmingly high.
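Added example, not part of the comment above and not W3Techs' or the poster's code: a small banner census that keeps the two blind spots raised in the comment visible (hosts that hide the PHP version via expose_php = Off or stripped Server tokens, and distro builds whose upstream-looking version number says nothing about backported fixes) instead of silently dropping them from the denominator. The per-branch "first fixed release" floors and the six sets of response headers are constructed for illustration and are not real advisory data.

```python
"""Added example (not the poster's or W3Techs' code): a tiny banner census that
keeps the two blind spots raised above visible instead of silently dropping
them. Version floors and sample headers are constructed for illustration."""
from collections import Counter
from fractions import Fraction
import re

# Hypothetical "first release with the fix" per branch. Illustrative only,
# not a list of real advisories; 5.3 is deliberately absent (treated as EOL).
FIXED_FLOOR = {(5, 4): (5, 4, 35), (5, 5): (5, 5, 19), (5, 6): (5, 6, 3)}

PHP_BANNER = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s,;]*)")


def classify(headers, floors=FIXED_FLOOR):
    """Bucket one host by what its Server / X-Powered-By headers reveal."""
    banner = " ".join(v for k, v in headers.items()
                      if k.lower() in ("server", "x-powered-by"))
    m = PHP_BANNER.search(banner)
    if m is None:
        # expose_php = Off (or ServerTokens Prod): a PHP host a banner census never sees
        return "unversioned" if "php" in banner.lower() else "hidden"
    major, minor, patch, suffix = int(m[1]), int(m[2]), int(m[3]), m[4]
    if suffix:
        # e.g. "5.4.4-14+deb7u14": a packaged build; the upstream number alone
        # cannot say which fixes were backported
        return "distro"
    floor = floors.get((major, minor))
    if floor is None:
        return "outdated"            # branch not in the table: no fixed release to reach
    return "fixed" if (major, minor, patch) >= floor else "outdated"


def census(header_sets, floors=FIXED_FLOOR):
    return Counter(classify(h, floors) for h in header_sets)


def insecure_share(counts):
    """Three readings of one census. 'naive' drops every host the banner cannot
    settle; the two bounds keep them, assuming all-secure or all-insecure."""
    outdated, fixed = counts["outdated"], counts["fixed"]
    uncertain = counts["hidden"] + counts["unversioned"] + counts["distro"]
    total = outdated + fixed + uncertain
    naive = Fraction(outdated, outdated + fixed) if outdated + fixed else None
    return {
        "naive": naive,
        "optimistic": Fraction(outdated, total),
        "pessimistic": Fraction(outdated + uncertain, total),
    }


# Constructed response headers standing in for six scanned hosts.
SAMPLE_HEADERS = [
    {"Server": "Apache/2.2.22 (Debian)", "X-Powered-By": "PHP/5.4.4-14+deb7u14"},
    {"Server": "Apache", "X-Powered-By": "PHP/5.4.35"},
    {"Server": "nginx/1.6.2"},
    {"X-Powered-By": "PHP/5.3.3"},
    {"Server": "Apache/2.4.10 (Unix) PHP/5.6.2"},
    {"X-Powered-By": "PHP/5.2.17"},
]


def run_sample():
    counts = census(SAMPLE_HEADERS)
    return dict(counts), insecure_share(counts)


if __name__ == "__main__":
    counts, shares = run_sample()
    print(counts)
    for name, share in shares.items():
        print(f"{name:12s} {float(share):.0%}")
```

On the six constructed hosts the naive figure (only hosts with a bare upstream version counted) is 75% insecure, while the honest interval once hidden and distro-packaged hosts are kept is 50% to 83%; the width of that interval is the point of the comment, and any real census should report it rather than the single number.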

Comment Re:Sexual Harassment shouldn't cost us knowledge (Score 1) 416

Deleting all of Cosby's TV shows and movies would still be wrong as they are a part of our cultural history.

No one is doing that though, there is a difference between no longer promoting something and erasing it from history.

To stretch the Cosby link further, you might (quite reasonably) think things Cosby did in the past are funny and even have value beyond pure humour, as social commentary etc. If that were the case and you know someone who had been abused by Cosby, would you choose to put a Cosby video on for them and expect them to find it an enjoyable experience?

That is the situation MIT is in. They aren't just dealing with 'theoretical' students who might somehow be deprived of some value that only those videos can impart. They are dealing with real students actually affected by the situation at hand.

If you wouldn't knowingly ask someone you care about to be entertained by someone who had abused them, why would you expect MIT to ask someone to be educated by someone who harassed them?

Comment Re:Just wondering... (Score 1) 416

If you can't separate presenter from content, that's your serious character flaw, leave the rest of us out of it.

If you were someone taking the course who had been harassed by him would you consider it a "serious character flaw" not to be able to "separate presenter from the content"?

I imagine a lot of people might find that difficult and wouldn't need to have a "serious character flaw" to struggle with it. I think it's entirely reasonable for MIT to ditch (and replace) the content if it means the affected people can continue on with their education without having the chap popping up in their courseware.

I don't think it makes sense to worry about the (theoretical) "students (...) punished by removing good lectures" and not consider the (evidently real) students actually affected by what has happened.

Comment Re:Just wondering... (Score 1) 416

Probably not much for the average person.

However I think that if there are people he harassed taking the courses (or who might like to take further courses in future) then it isn't a bad idea to cut him out of them rather than ask those people to interact with him further, even relatively passively on video.

Even if the lectures are high quality, they probably aren't irreplaceable.

Comment Re:Well... no. (Score 2) 126

True, but how is that any different to the normal situation where the maximum amount is £20?

Arguably it could make the attack more worthwhile. The effort and hit rate involved might not make it worthwhile at low ticket amount (might as well have a real job) but could be worthwhile as the money starts going up.

Realistically though it sounds like the attacker needs a merchant account to benefit (and presumably enough legitimate volume to hide the fraudulent transactions in without raising suspicions). From the sounds of it the biggest problem would occur if you were actually overseas and you were using your card in cafes and the like. Then perhaps an unscrupulous vendor might be able to get close enough to charge your card without you noticing and you might not notice it as fraudulent when you got your statement.

Comment Re:That kinda sucks (Score 4, Insightful) 172

That fell apart because Sony didn't anticipate what direction things would take, letting Apple overtake them along with just about everyone else.

I don't think that's quite right. Sony did anticipate the direction things were going to take, they just tried to control it too tightly and had an overinflated idea of their own power to steer things. I think the Sony Network Walkman predates the iPod. I had an NW-MS9 and I think in many ways it (and the earlier versions) were ahead of their time. Tiny, digital, sleek, even the name "Network" hints at some anticipation of a future of medialess distribution.

However they utterly ballsed up the execution. Partly on the software side (the associated software was an absolute dog which seemed to go out of its way to make things painful) but mostly because they were trying to own the future with their MagicGate DRM (which they even seemed to be trying to sell as something exciting for the consumer, though it was responsible for much of the pain in using the software) and codec restrictions.

Sony saw the future, they just wanted to own it and in trying to do so produced something that served them more than it served the buyer.

Comment Re:Lesson from this story...don't be a glass hole! (Score 1) 1034

I don't think it's unbelievable that the FBI (or whoever) were called. If a crime is suspected then I don't think it's unreasonable to report that suspicion. (Similarly in this recently reported case, I don't think it's unreasonable for authorities to be informed, it would possibly be more outrageous if there was a possible breach that authorities weren't informed about).

However the 'authorities' in question should be capable of responding to those reports in a sensible fashion.

Comment Analysis too shallow (Score 3, Funny) 635

Picture this scenario. Ten guys and ten girls live together. All ten of the guys have slept with five of the girls in the house within the first ten days. That makes them promiscuous. However, five of the girls engaged in no sexual activity whatsoever. That gives us a 100% male promiscuity rate, and a 50% female promiscuity rate.

If we're going to discuss this properly then I think we need more info on any possible threesomes.

Comment Re:Privacy (Score 1) 113

I think you are misunderstanding what I meant. In my example "Y" was the stationary AP, you as "A" can't see any packets from it directly because you are out of range, but you can see data being sent by "X" to "Y" (as "X" is in range of both you and "Y"). As I understand it by looking at the packets being sent to "Y" from "X" you can know enough about "Y" to add it to your geolocation data even if you haven't observed any data from it directly.

Comment Re:Privacy (Score 2) 113

There's no need to ever actually connect to any network to map them, just slurp up SSID broadcasts, maybe channel and signal strength.

You don't need to 'connect' to them but IIRC there is some benefit to looking at the traffic beyond mere broadcasts. I.e. if you can see device X sending traffic to Y you can begin to imply the position of Y even if you can't see that device yourself because it's too far away from you.

A <------ X <-------> Y

Moz might not be doing that and perhaps it isn't a "need" but if the goal is to get the best data it's not correct to say that deeper analysis than mere SSID broadcast doesn't have benefits. Of course if you are looking deeper then you should be paying attention to any possible privacy implications and avoiding recording anything that could be considered 'content'.
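Added example, not part of the comments above and not Mozilla's or the poster's code: a passive 802.11 header parser that records an AP's BSSID from a station's frames to it, i.e. the A <- X <-> Y case drawn above, where A never hears Y directly. It works from the standard To-DS/From-DS address table (station-to-AP data frames carry the BSSID in address 1), decodes only MAC-header fields plus the SSID element of beacons, and never stores a frame body, which is the privacy line the comment draws. All frames, MAC addresses and the SSID are constructed for the example.

```python
"""Added example (not Mozilla's or the poster's code): passive 802.11 header
parsing that records an AP's BSSID from a station's frames to it, i.e. the
A <- X <-> Y case above, where A never hears Y directly. Only MAC-header
fields are decoded; frame bodies are never stored. All frames are constructed."""
import struct

BCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def beacon_ssid(body):
    """Beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability, then
    information elements; element id 0 is the SSID."""
    pos = 12
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ie_len]
        if ie_id == 0:
            return value.decode("utf-8", "replace") if value else "<hidden>"
        pos += 2 + ie_len
    return None


def parse_header(frame):
    """Decode frame control and the three address fields; derive the BSSID from
    the To-DS / From-DS flags per the 802.11 address table."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    if ftype == 1:                      # control frames (ACK, RTS, ...) carry no BSSID
        return {"type": 1, "subtype": subtype, "ta": None, "bssid": None, "ssid": None}
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0:                      # management: addr3 is always the BSSID
        bssid = a3
    elif to_ds and from_ds:             # 4-address WDS frame: BSSID not in header
        bssid = None
    elif to_ds:                         # station -> AP: the receiver (addr1) is the AP
        bssid = a1
    elif from_ds:                       # AP -> station: the transmitter (addr2) is the AP
        bssid = a2
    else:                               # IBSS / ad hoc
        bssid = a3
    hdr = {"type": ftype, "subtype": subtype, "ta": a2, "bssid": bssid, "ssid": None}
    if ftype == 0 and subtype == 8:     # beacon: the only body we look into, for the SSID
        hdr["ssid"] = beacon_ssid(frame[24:])
    return hdr


def observe(frames):
    """Build a BSSID table from a passive capture. 'direct' means the AP itself
    was heard; otherwise the BSSID was inferred from some other transmitter."""
    aps = {}
    for frame in frames:
        h = parse_header(frame)
        if h["bssid"] is None or h["bssid"] == BCAST:
            continue
        rec = aps.setdefault(mac_str(h["bssid"]), {"ssid": None, "direct": False, "via": set()})
        if h["ta"] == h["bssid"]:
            rec["direct"] = True
        else:
            rec["via"].add(mac_str(h["ta"]))
        if h["ssid"] is not None:
            rec["ssid"] = h["ssid"]
    return aps


# --- constructed capture: A hears X and Z directly, never Y ------------------
AP_Y = bytes.fromhex("aabbccddeeff")    # out of A's range
STA_X = bytes.fromhex("001122334455")   # in range of both A and Y
AP_Z = bytes.fromhex("0a0b0c0d0e0f")    # in range, beaconing
DA = bytes.fromhex("00000000abcd")      # some destination behind Y


def data_frame(to_ds, from_ds, a1, a2, a3, body=b"opaque payload, never inspected"):
    fc1 = to_ds | (from_ds << 1)
    return bytes([0x08, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body


def beacon_frame(bssid, ssid):
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
    return bytes([0x80, 0x00, 0, 0]) + BCAST + bssid + bssid + b"\x00\x00" + body


SAMPLE_CAPTURE = [
    beacon_frame(AP_Z, "CafeNet"),
    data_frame(1, 0, AP_Y, STA_X, DA),   # X -> Y: addr1 is Y's BSSID
    bytes([0xD4, 0x00, 0, 0]) + STA_X,   # ACK to X: control frame, ignored
    data_frame(1, 0, AP_Y, STA_X, DA),
]


def run_sample():
    return observe(SAMPLE_CAPTURE)
```

In the constructed capture Y's BSSID ends up in the table with direct = False and via = {X}, so a real mapper would know Y exists and that it is within X's range of wherever A was standing, without ever having received a frame from Y; Z, whose beacon was heard, is recorded directly with its SSID. Turning that into a position estimate would mean attaching the observer's own coordinates and signal strength to each record, which this example deliberately leaves out.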
