
Comment: Re:Also ban cars (Score 3, Insightful) 171

Yes, the rhetoric for this week's episode of "Theresa May had an idea" has been particularly silly.

The statistics trotted out over the past week or so make for interesting, if depressing, reading.

For example, the Commissioner of the Metropolitan Police, a very senior officer with counter-terrorism responsibilities, says they've been preventing on average one terrorist attack per year but so far this year it's been 4-5 already. (It's not clear whether this was in the specific context of "lone wolf" attacks, though.)

Just hours apart from that, we have Theresa May herself saying that almost 40 major terrorist attacks have been foiled since the 7/7 bombings, giving an average of about four per year. This means, she says, that the UK is facing the biggest terrorism threat in its history, which might be surprising to anyone who was around during the worst of the troubles with the IRA not so long ago. There are plenty of scary messages played over the PA system when you go through any major London railway station these days, but not frequent closures due to actual bomb threats and the like.

Also on Monday, there was a statement from Met Police Assistant Commissioner Mark Rowley citing 271 arrests resulting from counter-terrorism investigations so far this year. Their Commissioner seemed to be implying in the above statement that all of these had led to charges, too. What they don't seem to have mentioned anywhere in this week's PR campaign is how many such arrests ultimately lead to convictions, nor how many of those convictions (or the arrests or charges themselves) are actually for terrorism offences.

The combined budget for our security services reportedly remains somewhere around the £2B mark, not counting additional funding for counter-terrorism units within other organisations such as the police.

In other news, in 2013 (the last full year for which stats are available) there were 1,713 people killed on our roads, and a further 21,657 seriously injured, not to mention damage to the economy estimated in the £15-30B range as a result of the disruption due to incidents on the road. Would anyone like to guess what's been happening to the annual road safety publicity budget in recent years?

Comment: Re:Ads (Score 1) 301

by Anonymous Brave Guy (#48457701) Attached to: Google Launches Service To Replace Web Ads With Subscriptions

OK, so maybe I spend a lot of time reading Slashdot and want money for it. That doesn't mean you actually owe me anything for reading this post, which I have nevertheless taken the time to write, nor that it is unethical for you not to pay me. I simply don't have any reasonable expectation that by contributing a post and allowing Slashdot to publish it and you to read it, I will then be financially compensated.

Comment: Re:Already making waves (Score 1) 106

It would appear that these professionals with jobs had better learn to deal with moving targets.

Why? There is no commercial advantage in repeatedly expending resources updating your software or intranet sites just to keep pace with the whims of some browser maker.

Whatever certain browser makers would like to happen, as the likes of Windows XP, IE6, and later IE8 demonstrated very clearly, staying with software that works for an extended period is a viable and sometimes very attractive option, even if it comes with significant disadvantages in other respects. Large organisations often work with multi-year roll-out plans for new technologies that will affect many staff or critical business functions, and they aren't going to be the slightest bit impressed by a browser vendor shouting, "But we push new features every six weeks!"

Stability and compatibility no longer exist in the old fashioned way.

Sure they do. They just don't exist if you give your business to organisations like Google, and the kind of web developer that relies on bleeding edge frameworks and joining the dots has no idea how to provide them.

Of course, this is good for those of us who make a lot of money offering businesses better solutions to their real problems using tried and tested technologies. It's not as glamorous, but it sure pays well if you can help your clients get stuff done without technology issues they simply don't care about getting in the way all the time.

TL;DR: Google, Mozilla and their fans wish that professional organisations would see these new developments and choose to adopt Chrome or Firefox as a result. What really happens in many cases is that those organisations see these new developments and say "OK, we'll just stick with IE, which version do we pin at to keep everything working?" and then throw lots of money at organisations like Microsoft that understand the real world needs and provide long term support accordingly.

Comment: Re:Already making waves (Score 1) 106

Cisco has more than enough software devs to remedy this in a year's time.

This is a huge problem with this whole debate. People who work on certain browsers want the rest of the world to just dump 20 years of software history, significant amounts of which is still in use and doing its job just fine today, and spend what would collectively be a vast amount of time and money rewriting everything just to run on this week's trendy platform instead.

Newsflash: Professionals with jobs to do value stability and backward compatibility. They probably value their tried and tested software a lot more than a flashy port to your "living standard" platform. They certainly value tried and tested software a lot more than your latest technique for animating SVGs in demos that still doesn't scale up enough to use it in real applications without becoming unusably slow anyway.

See also: Why IE is still so dominant in business browsing, even versions from several years ago, and why neither Firefox nor Chrome got much traction in business at all until they started playing nicely with grown-up sysadmin tools.

Comment: Re:Which 6? (Score 1) 106

This is all too true, unfortunately. Java plug-ins have become increasingly obnoxious about security in recent releases, to the point that software that used to work just fine is now very awkward to use, and both Google and Oracle keep saying things that boil down to "we'll stop it completely, sometime, maybe".

What everyone seems to forget is how many serious/critical vulnerabilities quietly get patched in the major browsers each update. Go ahead and check the change logs. Thinking browsers themselves won't simply take over as the target as they incorporate some of these new features directly is like thinking you're immune to malware because you run Linux.

Comment: Re:Ads (Score 1) 301

by Anonymous Brave Guy (#48456635) Attached to: Google Launches Service To Replace Web Ads With Subscriptions

It is not illegal to be a freeloader; it just means that you take without giving back.

Nonsense. I also run web sites. None of them is ad-funded. Some of them don't generate any "revenue" at all beyond good will and sometimes entertaining or useful discussions with others who share my interests.

In short, I "give back" in exactly the way I "take".

Comment: Re:Dropping NPAPI broke VMware consoles on Linux (Score 1) 106

by cbhacking (#48456351) Attached to: Google Chrome Will Block All NPAPI Plugins By Default In January

Stupid and kludgey hack, but is it possible to solve this, at least to a degree, with Wine? Running either the Windows version of Flashplayer (in something like nspluginwrapper; I think I remember hearing about a way to do this though I never tried it) in a Linux browser, or running a full Windows browser (can Wine do that these days?) seems like it solves the problem. It introduces at least one problem, too, of course... but at least you *can* install updates instead of pinning to a version that will only get more outdated...

Comment: Re:cost/price per kW hour comparison is nonsense (Score 1) 516

by cbhacking (#48456193) Attached to: Rooftop Solar Could Reach Price Parity In the US By 2016

it's a near impossibility to site a solar panel on a sailboat that is entirely shade free for the entire length of the day

That's probably true of a reasonably-sized monohull, but Ocelot is a cat. Setup is 4x 120W Kyocera panels out over the dinghy davits (we have a lot of room back there and it doubles as a shade for the rear of the cockpit). You can read a bit more about them here (photos are outdated in general but we haven't modified the array since they were taken):

Having the panels so far aft and so high provided some protection from salt spray (enough that they don't need cleaning after any but the roughest passages, the kind where the whole boat needs a good rain rinse) and also kept them out of the line of most of our shadows. If the sun sets or rises directly in line with the panels and mast, then yes, we'll lose that panel, but this can often be remedied by running the boom out to one side (tied down with the jibe preventer) and letting the (relatively huge) sail protector swing the boat a few degrees away from pointing dead into the wind. By anywhere close to the hours when the sun is at full power, even our slightly-raked mast just isn't far enough back to shade the panels. (As a side note, it occurs to me that this may explain why the ramp up to full power took longer in the morning than evening; if the easterly winds meant the panels were occasionally shaded in the early morning, we'd only have 3/4 the nominal power production for that much insolation.)

As for angle, that definitely cost us some power - our panels are very much immobile, aside from changing the orientation of the entire boat - but I'm not actually sure how much. Even at 60 degrees off apex, which is pretty late in the day (assuming you're right under the sun's path, within +/- 60 degrees is 1/3 of the day, or 8 hours), you still get 50% of the insolation you would get at apex, atmospheric losses aside. Those are certainly significant losses, and it drops off sharply after that, but the middle hours of the day are not severely affected.

By the way, nice site! I'll have to ask my folks if they ever ran into Animation coming up the Aus coast. Alternatively, do you know S/V Vamp? Good friends of ours. I'm sorry you posted as AC but I may ping you by email.

Comment: Class projects vs. professional projects (Score 4, Informative) 175

The pay cheque isn't the important thing. Experience working in a professional environment is. The difference between how you work on a class project and how you work in a professional environment is vast.

For example, class projects are typically:

- very small

- implemented by a single person or at most a very small team that does not change over the lifetime of the project

- finished within a short period of time

- built with unchanging requirements determined by a single authority and entirely known from the start

- implemented with little need or regard for ongoing maintenance.

Exactly none of those things will be true of a typical industrial software development project. The need to take these kinds of factors into consideration completely changes how you design your software, what tools you use, what processes you follow...

Comment: Re:Regular expressions (Score 4, Interesting) 40

by cbhacking (#48439427) Attached to: Critical XSS Flaws Patched In WordPress and Popular Plug-In

<img src="xss" onerror="alert('Nope!')" />
<iframe src="javascript:alert('That won't work.')"></iframe>
<object data=""></object>
<scri<scriptpt>alert("In fact, that kind of blacklisting is trivial to bypass.");</script>
<form action="javascript:alert('I once spent a month breaking a client's blacklist every time they updated it to block my last POC exploit, telling them all the while they had to use output encoding.');"><input type="submit" value="SPOILER" /></form>
<h1 onmouseover="alert('They eventually did, but oh man did they waste a lot of time trying variants on your suggestion first!')">REALLY BIG TEXT THAT YOUR MOUSE WILL GO OVER</h1>

People thinking like you do frequently leads to exactly this sort of problem, where something *supposedly* has XSS protection but in fact totally doesn't. With the possible exception of the nested script tags (if you're smart enough to run the filter repeatedly until no further hits occur, that'll be caught), every single one of these lines will execute arbitrary attacker-controlled JavaScript through the filter that you propose. I strongly recommend that you go read OWASP, especially the top 10, and in the meantime I hope you haven't written any in-production web applications...

Comment: Re: Regular expressions (Score 1) 40

by cbhacking (#48439359) Attached to: Critical XSS Flaws Patched In WordPress and Popular Plug-In

Content Security Policy (as you link) is indeed a "better" solution, in the technical sense; it's fine-grained, supports reporting, doesn't require servers to generate the random "hard_to_guess_string" needed to unlock the block, and (possibly most important) doesn't introduce a new un-XML-like construct into HTML. On the other hand, it tends to be more complicated to use it in real-world web applications, and it's so broad that a lot of browsers have either no support for it or have serious bugs in their support (did you know SVG can contain scripts, and sometimes CSP rules aren't applied properly there?).

Sandboxed iframes are simpler and basically do what you're asking for, except that the content is loaded from an external source or by writing it into the framed document (if same-origin); no need to worry about an attacker terminating the sandbox with a </iframe> tag because the sandboxed content isn't inline with the iframe itself. On the other hand, given how few people actually use them (despite pretty good browser support), the problem may be more a matter of web devs being bad at security than of web devs not having good security tools. Of course, we knew that already...

With all that said, I feel compelled to point out that *just* blocking XSS isn't enough anyhow. Without using a single scripted behavior (just HTML and some simple CSS) I can do things like create a lightbox that contains an HTML form saying "Your login session has expired. To ensure the security of your account, please log in again." with a username/password box, all themed accordingly with the site I'm attacking. Of course, the form POSTs to a web server that I (the attacker) control, but you don't know that. There's many other types of things you can do with the same restrictions. It's not enough to block scripts and plugins, you also have to prevent the attacker from simply taking over the page with their own content by layering it on top of the Z-order.

Comment: Re:Ads (Score 2) 301

It seems you forgot to quote the later part of that post, where I did acknowledge the problem of content that comes malware-laden... Personally, I don't buy AAA games any more (nor do I pirate them instead). I got bored of the generally poor quality and accompanying malware breaking things a few years ago. Given the comments I see every time gamers' enjoyment of a big new title is spoiled because someone's DRM screwed up again, I suspect my life is still better that way. However, I do miss and would gladly pay for the kind of experience I used to enjoy from the top end games of yesteryear, before everything went downhill when the Internet became an excuse for shipping software that wasn't finished yet (we'll just patch it later, or not) and using ever more obnoxious DRM schemes (of course we can expect gamers to be online with a perfect connection any time they're playing our game).

Comment: Re:So it was a documentary (Score 1) 235

by cbhacking (#48436153) Attached to: Russia May Be Planning National Space Station To Replace ISS

Source? Given the extreme cost of any wasted launch mass, I can't imagine they would operate every launch armed. That they have experimented with arming the capsules would be no surprise - I'd be shocked if they hadn't experimented with arming *some* of their spacecraft, even if only unmanned satellites - and they might even have launched armed craft, but I sincerely doubt they've done so on *every* launch.

Comment: Re: Forget the Space Station (Score 1) 235

by cbhacking (#48436127) Attached to: Russia May Be Planning National Space Station To Replace ISS

Not sure if serious, so I'll respond as if you are: nuclear waste does not "explode". The reason it's "waste" is because it no longer is even capable of maintaining a barely critical chain reaction in a moderated reactor core (neutron moderation - slowing them down to the point that they can be captured by other nuclei - is an important part of reactor operation). By itself, it's hot (decay heat) and radioactive (most of the half-lives are really long, so it doesn't actually release a ton of radiation per unit time but it will keep doing it for a long time), but that's about it. Now, it could be reprocessed to remove the low-grade stuff and refine out the actually really useful material. Only about 3% of the potential energy gets extracted from fuel in modern reactors before it drops to the point of being unable to maintain criticality, but with enough work you can purify it and make it usable again. You could, in fact, purify it even more to the point where it will go supercritical *without* a reactor core's moderation - this is one way to make bomb-grade material - but that's difficult, expensive, and never going to happen naturally.

Comment: Re:What's it good for? (Score 1) 235

by cbhacking (#48436003) Attached to: Russia May Be Planning National Space Station To Replace ISS

Oh, that's hardly true. As a random example, SpaceX's Merlin rockets (currently on their 4th revision, not counting the difference between atmospheric and vacuum variants) have the highest thrust-to-weight ratio of any production rocket engine, and they are a very recent design. The Space Shuttle Main Engines have a significantly higher specific impulse (thrust*time per mass of fuel) but the fuel (hydrogen) is so low-density that you need a ton of it to get anywhere, and volume has its own costs (especially in atmosphere). The SSMEs also went through a number of revisions that increased their power and efficiency.

On the other hand, just because SpaceX is busy pushing the bounds of chemical rockets does not, by any means, mean we shouldn't be researching alternate thrust systems... and we are! Not as enthusiastically as I'd like to see, but it's happening. There's research into high-efficiency space drives, alternate launch systems, and even some research into drives which have the capability to make interstellar flight potentially feasible. None of these are close to production, and some of them (especially the ones involving nuclear-powered drives) have been mothballed for years or decades, but even if the test apparatus (for those projects which got so far) no longer exists, the designs and theories and mathematics do, and rocket scientists can and do continue building on those. I'd really like to see practical research start up again on these, such as this project (which was building and testing actual hardware!) from the 70s:
