Comment: Training wheels without the bike (Score 5, Informative) 240

I think this short snippet from Rasmus is priceless:

The point of the question here is if anybody remembers why we decided not
to parse command line args for the cgi version? I could easily see it
being useful to be able to write a cgi script like:

    #!/usr/local/bin/php-cgi -d include_path=/path

and have it work both from the command line and from a web context.

As far as I can tell this wouldn't conflict with anything, but somebody at
some point must have had a reason for disallowing this.

Yeah, passing arguments with full shell expansion to the bloody binary from the insecure web sounds like a brilliant idea! Who would want to disallow that?!

It was pretty funny so far, but then I saw this:

13-01: Vulnerability discovered, used to pwn Nullcon Hackim 2012 scoreboard
13-01: We discuss the issue with Nullcon admins, find out it is a php 0day
17-01: We contact security@php.net with a full report and a suggested patch
01-02: We ask PHP to confirm receipt, state our intent to hand off the vulnerability to CERT if progress is not made
01-02: PHP forwards vulnerability report to PHP CGI maintainer
23-02: CERT acknowledges receipt of vulnerability and attempts to contact PHP.
05-04: We ask CERT for a status update
05-04: CERT responds saying that PHP is still working on a fix
20-04: We ask CERT to proceed with disclosure unless a patch is imminent
26-04: CERT prepares draft advisory.
02-05: CERT notifies us that PHP is testing a patch and would like more time. We agree.
03-05: Someone posts a mirror of the internal PHP bug to reddit /r/netsec /r/opensource and /r/technology. It was apparently accidentally marked public.

The PHP security people sat on this 0day remote code exploit for four months, ignoring multiple attempts to get them to fix this serious vulnerability. That makes me feel angry; sometimes incompetence is just not funny anymore.
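A detection check for the behaviour the comment above complains about, written as an added example (not code from the post, from Rasmus or from PHP): it applies the CGI/1.1 command-line rule of RFC 3875 section 4.4, under which a query string containing no unencoded `=` is split on `+` and handed to the script as argv, to constructed access-log lines and flags requests whose would-be argv contains option words such as the `-d include_path=/path` from the quoted snippet. The log lines and the `LOG_RE` pattern are assumptions.

```python
"""Flag web requests whose query string a CGI-compliant server would pass
to the interpreter as command-line arguments (the PHP-CGI issue above).

Added example, not from the original post. The log lines are constructed;
the argv rule follows RFC 3875 section 4.4 (Script Command Line): a query
string with no unencoded '=' is split on '+' and each word URL-decoded."""
import re
from urllib.parse import unquote

# Request line of a common-log-format entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def cgi_argv(query: str) -> list[str]:
    """Return the argv a CGI/1.1 server derives from the query string,
    or [] when it carries an unencoded '=' (an ordinary form query)."""
    if query == "" or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]

def has_option(argv: list[str]) -> bool:
    """True if any would-be argument looks like an interpreter option."""
    return any(arg.startswith("-") for arg in argv)

def is_option_injection(target: str) -> bool:
    """True if the request target would pass options on the command line."""
    return has_option(cgi_argv(target.partition("?")[2]))

def scan_log(lines):
    """Yield (request_target, argv) for each suspicious request line."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        argv = cgi_argv(target.partition("?")[2])
        if has_option(argv):
            yield target, argv

# Constructed sample: two benign requests, two that would reach argv as options
# (the second one with the dash percent-encoded, which a naive check misses).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/May/2012:10:00:02 +0000] "GET /index.php?foo+bar HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?-d+include_path%3d/path HTTP/1.1" 200 33',
    '198.51.100.7 - - [03/May/2012:10:00:04 +0000] "GET /index.php?%2dd+foo HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for target, argv in scan_log(SAMPLE_LOG):
        print("would-be argv", argv, "from", target)
```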

Comment: Re:Obligatory Dijkstra (Score 2) 467

by A beautiful mind (#39322193) Attached to: A Better Way To Program
I giggled like a schoolchild when I read the next paragraph from that lecture:

And now we have the multimedia/communication hype: the best bits are those that just arrived from far away, and if you are not "on line", "on the Net", you just don't count, you are not of this world (which is virtual anyhow...). Apart from a change in vocabulary, it is the same hype, the same snake oil over and over again, and you can do me a favour by not getting excited by all the time you are supposed to save by switching to "home banking".

Sometimes very smart people can be mostly insightful, but very spectacularly wrong on some points.

Comment: Re:No, you gave it away (Score 1) 222

by A beautiful mind (#39243765) Attached to: Have We Lost Our Privacy To the Internet?
I would love to subscribe to Google, if they would promise not to track me or mandate UI constraints for me in return.

Google makes a fairly low amount of revenue per user; almost everyone on the internet would have no trouble paying it if the micropayment and subscriber infrastructure were in place for that to happen.

Comment: We need to stop being the product (Score 1) 222

by A beautiful mind (#39243749) Attached to: Have We Lost Our Privacy To the Internet?
It's not only a problem from the privacy standpoint, but also in terms of what kind of behaviour it encourages, from online services to journalism.

The paywalled model is utterly ridiculous for the internet and the ad/privacy supported model is utterly destructive. What we need is an honors system like paying for deadtree newspapers (except with user-selectable amounts). It does not eliminate ads, but it generates enough revenue to act as a counterweight, which makes it easier for the business owner to care about the readers / users of its product.

The honors system needs to consist of fine-grained enough micropayments so that different aspects of a service / product can be rewarded. I want to click a button on the page of a Guardian / Economist article if I thought it was any good, to create an incentive to write further good articles.

There are some micropayment providers that accomplish something similar already, but not nearly in a wide enough scope yet. One that I'm using (and won't name apart from this link) allows micropayments to almost any URL, GitHub projects, Twitter users, individual tweets and other stuff; that is a good first step. It is still in its infancy, but I'm using it because I want to vote with my wallet.

"If you're not paying for something, you're the product" is the mantra, but the often forgotten corollary to this statement is that whoever pays has the influence. I want to actively push the worldview of an open, honors system based internet so that we can have good content and freedom at the same time.

Comment: The real problem (Score 2) 130

by A beautiful mind (#39172741) Attached to: Facebook Denies Accessing Users' Text Messages
The real problem is that common applications request almost all of the permissions from the phone when the user installs them, to provide full functionality (importing contacts, etc.). The user's choice is between not installing the app and giving it those permissions.

What should be happening instead is: make the permissions user-selectable, so I can install the Facebook app but prevent it from accessing anything I don't want. The app store / market rules should mandate that applications cope with the degradation of privileges gracefully. The OS/app should display a popup when the user tries to do something that requires privileges the app doesn't have, along the lines of "do you want to grant permission x to this application? [just this once] / [yes] / [no] / [don't ask again]".

Comment: Re:Another politician with half a brain? (Score 1) 253

by A beautiful mind (#38840273) Attached to: EU ACTA Chief Resigns
Not true. Appointment to the EP uses a system of degressive proportionality, under which seats are roughly proportional to the number of voters, but less so the smaller the country is. However, even in the extreme case of Luxembourg, the weight of the voter compared to the European average is 10.86x (last election), not over a thousand votes as you state. This is due to the fact that there is a minimum of 6 seats per country, which is probably a good idea for fairly representing the political differences in parties of a specific country.