
Comment: Re:So Sad (Score 1) 171

Santa Cruz was one of the earlier cities on the internet, thanks to UCSC. Today, access is ass. And they have one of the highest costs of living in the nation. It's often been one of the most-connected cities in the USA, for example it was part of Cricket territory. But today it's ass.

Too bad they couldn't give a rat's ass while I still lived there. The local ISPs are mostly awful. Even the ones that don't suck are slow, slow, slow.

What do you have against ass?

Comment: Re:It's not that hard to do it right (Score 1) 53

by amicusNYCL (#48173173) Attached to: Drupal Fixes Highly Critical SQL Injection Flaw

Sure but in Java you have things like Spring Framework, Hibernate, Java EE standards that have been around for a decade and they are rock-solid foundations to build upon.

To be fair, the mysqli extension in PHP which supports prepared statements has also been around for over a decade. But you can still go and find any number of tutorials teaching people how to write vulnerable queries by concatenating strings and using the deprecated mysql extension, and you can go to any PHP forum and find people posting questions about code which uses the same. And when you try to teach those people how to do it the correct way, roughly 95% of the time their response is along the lines of "I just need to make it work, then I'll learn about prepared statements." It's a failure of the programmers and tutorials far more than it is a failure of the language. It would be fantastic if PHP outright removed the mysql extension and the mysqli_query function, but that would break a ton of existing applications. And, even so, even when you point people to tutorials about prepared statements they gloss over everything and come back with code like:

$mysqli->prepare('SELECT * FROM table WHERE id=' . $_GET['id']);

Look, I used a prepared statement!

Like I said, it's a failure of the programmers who want the quick and easy way instead of the correct way.

Comment: Re:Heh (Score 5, Informative) 53

by amicusNYCL (#48155095) Attached to: Drupal Fixes Highly Critical SQL Injection Flaw

It looks like a feature where you could supply one placeholder in a prepared statement, but give it an array of values, and it would expand the placeholders to fit the array. So if the query was like this:

SELECT * FROM table WHERE id IN (:idlist)

and you passed an array with 3 values for idlist, it would replace the query like this:

SELECT * FROM table WHERE id IN (:idlist_1, :idlist_2, :idlist_3)

... then use the values in the array as the three values for those placeholders. It looks like the old code was using the keys from the data array, so instead of appending something like "_1", it would append the actual key. So an attacker could put SQL code into the array keys and it would stick those (unchanged) into the query.

Here is the old code (without comments):

foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
}

And the new code:

foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
}

array_values will return an array with numeric indexes, which is what removes the vulnerability.
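As an added example (not Drupal's own code, and only a model of the expansion step quoted above), the same loop written once with a switch between the old index source and the fixed one, run on a normal list and on a constructed array whose key is a text label instead of an integer; the helper name expandArrayArgs is assumed.

```php
<?php
// Added example (not Drupal's code): a small model of the placeholder-expansion
// loop quoted above, switchable between the old and the fixed index source.
// expandArrayArgs is an assumed name for this model.

// $fixed = false iterates $data directly (old code: array keys reach the query text);
// $fixed = true iterates array_values($data) (new code: keys are always 0..n-1).
function expandArrayArgs(string $query, array $args, bool $fixed): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        $items = $fixed ? array_values($data) : $data;
        foreach ($items as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        // Only the placeholder *names* are spliced into the SQL string here;
        // the values in $new_keys are meant to be bound separately and never enter the text.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        // Model of the argument rewrite: drop the array entry, add the expanded ones.
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

$sql = 'SELECT * FROM users WHERE id IN (:idlist)';

// Normal use: a plain list has keys 0, 1, 2, so both versions produce the same query.
[$q, $bound] = expandArrayArgs($sql, [':idlist' => [7, 8, 9]], false);
echo $q, "\n";       // ... WHERE id IN (:idlist_0, :idlist_1, :idlist_2)

// Constructed input: the caller controls the array *key*, not just the value.
$hostile = [':idlist' => ['INJECTED TEXT' => 7]];   // constructed, illustrative key
[$qOld, $bOld] = expandArrayArgs($sql, $hostile, false);
[$qNew, $bNew] = expandArrayArgs($sql, $hostile, true);
echo $qOld, "\n";    // ... WHERE id IN (:idlist_INJECTED TEXT)   key copied verbatim into SQL
echo $qNew, "\n";    // ... WHERE id IN (:idlist_0)               key discarded, value still bound
```

The third line of output is the whole fix: after array_values, the text of the key can no longer influence the SQL, and the caller-supplied value only ever travels through the bound-parameter array.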

Comment: Re:It must be running out of fuel (Score 1) 81

by amicusNYCL (#48134505) Attached to: Secretive X-37B Military Space Plane Could Land On Tuesday

I don't see any claim that they "need" to bring it back, just that they "are" bringing it back. Considering that its stated mission is to test various technologies, maybe they want to change the payload out. Maybe the mission ended. Apparently the other two missions did not end because of a lack of fuel.

Comment: Re:when the president does it (Score 2, Insightful) 208

by amicusNYCL (#48098195) Attached to: Ross Ulbricht's Lawyer Says FBI's Hack of Silk Road Was "Criminal"

Today on Slashdot I learned that the only purpose of the constitution is to allow sex slaves in South Carolina and make it possible to steal Ohio from the Indians.

Thanks for that valuable analysis. No, no, don't bother with any citations, they aren't even remotely necessary. I'll just assume that Article V is all about sex slaves in South Carolina. Or the Ohio thing, whatever. I'm sure it's one of the two, anyway. I'll teach this to any child I can find. Now, if you'll excuse me, I need to go educate Facebook.

Comment: Re:Mod parent up. (Score 1) 191

by amicusNYCL (#48087013) Attached to: Belkin Router Owners Suffering Massive Outages

I don't know how much traffic Microsoft really sees (I assume it's quite a bit), or BofA would put out (probably a fair bit as well), but if I was running a network and saw a range of IPs pinging me all day every day I would be pretty hard pressed to not block them. I mean, why is Microsoft paying for BofA's internet connectivity testing?

Comment: Re:Systemd (Score 3, Interesting) 993

I'm missing part (ok, the vast majority) of this story, but if his software is such shit, then why are so many distros, who presumably enjoy when their operating systems run correctly, using his software? Is there actually a consensus on his software being shit, and if so, why do people use it? If not, why do people act like it's a foregone conclusion that his software is shit? To an outside observer this kind of looks like a shouting match amongst a huge group of egotistical assholes.

Comment: Re:that's racist! (Score 1) 242

by amicusNYCL (#48057707) Attached to: Senators Threaten To Rescind NFL Antitrust Exemption

There are over 1000 teams named after natives, in the hs - college- majors.

The vast majority of those names are descriptive though, not offensive. For example, Seminoles - (anglicized) name of a tribe; Blackhawks - name of a chief; Indians, Braves, Chiefs - just describing an entire group or class (although "Indian" is a pretty stupid way to refer to them). A lot of high school or college teams use the names of tribes from the area (Chippewas, Choctaws, Apaches, Cherokees, Mohawks, etc). I don't think any of those are offensive. "Redskins" is completely different. If you think that term is not offensive, walk into a meeting of the National Congress of Native Americans and say "hey, how are all you redskins doing today?" See how they react. It doesn't really matter if *you* find the name offensive or not. I wouldn't be offended if someone called me a redskin either, I would just sort of look at them kind of funny. It's clearly offensive to a large group of people, and they should change the name. Most colleges and high schools I think are fine using tribal names for their schools.

Although, maybe the Agawam High School Brownies might consider a name change. And the Aniak High School Halfbreeds might think about it also.
