NSA Discovers OWASP. Movie at 11.
Top scientists and the NSA have come together and realized that regular application code monkeys can be as dumb as web skiddies.
http://www.owasp.org/
-dZ.
938 publicly visible posts • joined 23 Apr 2007
@James,
Wow, I'd hate to work on the same projects you have if this sort of thing is so commonplace. In my experience, as stated, this is just bad design and poor understanding of the system in which the developer was working.
The possibility that a developer left the company and now everybody else is stuck with a mess of abstruse code does not excuse it; and in fact it says much about the development and documentation practices of the organization: again, bad design and incompetence.
This may be very common in some places, but trust me when I say that it is definitely not an inherent aspect of software development, and it does not occur everywhere as a rule.
-dZ.
Call it what they will, it is still bad practice, and the fault of the developer (out of ignorance, as Tim Brown suggests) not checking the environment properly. Giving it a spiffy sounding name and acronym only legitimizes the practice as a common issue within the environment, when in fact it's just incompetence.
It's like giving a fancy name to, say, forgetting to remove one from the full count of items in an array, when iterating from zero:
for (int i = 0; i <= myArray.Size(); i++)
myArray[i]->foo(); // will point to hell when i = Size
It is not an issue inherent in the platform, language, or framework; it is not something that we must "warn against", as if it were some abstract creeping evil lurking in the shadows of the machine. A competent developer understands the boundaries of the arrays with which he is working, and sets his control variables accordingly.
But just for the hell of it, let's give it a cutesy name: Final-Out-Of-Band-Array-Register. Remember kids, watch out for those nasty FOOBARs, they just sneak up on you like the dickens!
-dZ.
Whether they are doing it because they decided it is time to set things right, or because the threat of legal action from the European Union is too great to ignore, I think this marks a great day in the development of the World Wide Web. (Possibly, it further evidences the downfall of the once great giant.)
I understand the disruption that this may cause in the short term, but I believe that this is the best way to ensure common compatibility among all web sites and browsers in the long term, working towards the ultimate goal of complete platform and brand independence.
Most web sites which are not compatible are so because of bad code and lazy developers: the fact that they are a limited number is evidence that there are ways to implement sites which are viewable on most commonly used browsers--including older IE--without resorting to browser-specific hacks. This has been known by many developers for years. The days of absolute incompatibility between browsers which required implementing a site twice, once for each of the two popular browsers of the time, have long gone with the death of Netscape 4.0.
-dZ.
All that bitching has had some effect on them. Why is it that every self-righteous freak gets a say on every part of someone else's life?
Just now, they renamed the minifig to a more generic "White Bandit" (of course, it couldn't be any other color of bandit, lest they offend someone else), and changed the image to an "exploded view", showing off all the accessories. They also hid the fully assembled "Taliban" action shot from their list of available merchandise.
http://www.minifigforlife.com/theprostore/main.php?P=product&pid=C000057
The site seems to be dedicated to collectors, not to kiddies. Their specialty is custom-made weapons for Lego minifigs, presumably for grownups.
-dZ.
@Andrew Ness:
Simple: The JavaScript code runs on the client side and is granted, by the client's security model, the same privileges as a same-domain script. This means that it now has access to the global memory space reserved for the entire application (on the client side, of course), which in turn includes being able to perform requests to the server as if it was part of the original application served by it.
The article gives the example of the script having access to the session cookies set by the server; this alone is a big threat, as it may give the third party who controls the external script access to session information, or in a worst-case scenario, the same privileges to execute requests on the server as the logged-in user.
You seem to misunderstand the threat. It is not that evil JavaScript is going to hack into the server; the threat is that an external party--one over which your organization has absolutely no control--may have access to the same functions, privileges, and features of the application at the server side available to a local user trusted by the server.
-dZ.
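The comment above explains that any script a page includes runs with the page's own privileges, so a third-party script can read the same cookies and issue the same requests as the application's own code. The following is an added example, not code from the original comment or from The Register: it audits a constructed sample page for third-party script includes that are not pinned with Subresource Integrity, derives the `script-src` directive that would restrict which origins may run script at all, and checks whether a session cookie is readable by script (i.e. lacks `HttpOnly`). The page origin, the sample HTML, the host names and the cookie values are all assumptions made for the example.

```javascript
// Added example (not from the original comment): audit which scripts on a
// page run with the page's own privileges, and whether the usual mitigations
// (Subresource Integrity, a script-src CSP, HttpOnly session cookies) are present.

const PAGE_ORIGIN = "https://app.example.com"; // assumed origin of the page under review

// Constructed sample page: one same-origin script, one third-party script
// pinned with SRI, one third-party script included with no integrity check,
// and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="https://widgets.example.org/tracker.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

// Parse name="value" pairs out of a script tag's attribute text.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Classify every external script. All of them execute with the page's
// privileges; what differs is who controls the bytes and whether they are pinned.
function auditScripts(html, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline scripts are first-party by construction
    const src = new URL(attrs.src, origin);
    const thirdParty = src.origin !== origin;
    const sri = Boolean(attrs.integrity);
    let risk;
    if (!thirdParty) risk = "same-origin";
    else if (sri) risk = "third-party, pinned by SRI";
    else risk = "third-party, unpinned: whoever controls that host controls this page";
    findings.push({ src: src.href, thirdParty, sri, risk });
  }
  return findings;
}

// Build the script-src directive that allows only the origins observed above.
// Inline script is deliberately not allowed; a real deployment would add nonces or hashes.
function buildScriptSrc(findings) {
  const hosts = new Set(["'self'"]);
  for (const f of findings) {
    if (f.thirdParty) hosts.add(new URL(f.src).origin);
  }
  return `script-src ${[...hosts].join(" ")}`;
}

// A session cookie without HttpOnly is exposed through document.cookie to every
// script on the page, including the third-party ones found above.
function auditSetCookie(setCookieHeader) {
  const parts = setCookieHeader.split(";").map((p) => p.trim());
  const name = parts[0].split("=")[0];
  const flags = new Set(parts.slice(1).map((p) => p.toLowerCase()));
  return {
    name,
    httpOnly: flags.has("httponly"),
    secure: flags.has("secure"),
    scriptReadable: !flags.has("httponly"),
  };
}

// Stand-alone run over the constructed sample.
const report = auditScripts(SAMPLE_HTML, PAGE_ORIGIN);
console.log(JSON.stringify(report, null, 2));
console.log("Suggested CSP:", buildScriptSrc(report));
console.log(auditSetCookie("SESSIONID=constructed123; Path=/; Secure"));
console.log(auditSetCookie("SESSIONID=constructed123; Path=/; Secure; HttpOnly"));
```

Run it with `node audit.js`. The unpinned third-party include is the finding that matters: SRI turns "trust that host forever" into "trust these exact bytes", the `script-src` directive limits which hosts may run script at all, and `HttpOnly` keeps the session cookie out of `document.cookie` for every script, first- or third-party.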
Is it pronounced "Truh-too-un"?
While we're at it, I don't think I like "Tron Too-Point-Oh" either, as it reminds me of crappy and slow web sites with shiny colors and rounded corners.
And, why call it "Tron" at all? The character Tron actually had a supporting role in the film, and it seems that it's not even going to be present in the sequel. Perhaps it should be called "Flynn" or even "Clu", which was the name of Jeff Bridges' alter ego in the computer world (though, admittedly, that sounds rather silly).
I'll go see it, along with the upcoming "Logan's Run" and "Wargames" remakes, though I know they're going to be crap.
-dZ.
Once again even the "gurus" fail to recognize the nuances of the argument, and once again they propose solutions to the wrong problem. The traditional view is that RDBMSs embrace and embody the Relational Model, and since they may not be able to scale to modern needs, this is therefore an indictment of the Relational Model. At the root of the problem is that this argument is faulty because its assumptions are wrong.
The Relational Model is a mathematical model, designed to impart coherence, structure, and integrity to the amorphous data it contains. At its heart is a strong separation between the logical model (how users interact with it and organize the data logically) and its physical layer (how it's actually stored and retrieved in practice). The Model defines everything about the former, and says nothing (except perhaps makes some accidental suggestions) on the latter.
It has been understood for decades that modern DBMS systems tend to commingle both layers in an effort to simplify design and improve performance. This is not dictated by the Relational Model, and in fact deviates from it. Also, SQL is decidedly not relational, but a declarative language with many faults and limitations. The fact that modern DBMS systems and SQL are not able to cope with the necessities of the modern business world says nothing about the Relational Model itself; so looking to "solve" or "fix" or even replace it is not necessarily warranted.
-dZ.
I read a lot of your books, and enjoyed them immensely. From "A Case of Need", "The Andromeda Strain", and "Eaters of the Dead"; to "Rising Sun", "Jurassic Park", and "Airframe". I also enjoyed and admired your handiwork in such great, thought-provoking, and yes, entertaining films such as "Coma", "Westworld", and "Looker", which provide not only a thrilling experience, but social commentary on the human condition.
My warmest regards go to your family and friends; may you rest in peace. You will surely be missed.
-dZ.
>> "With atypical American family" does not mean the same thing as "with a typical American family."
You committed the same typo as the writer of the article: you typed "atypical" instead of "a typical"--they are not the same thing.
What's that? You actually meant to write "atypical"? Oh. You mean there are legitimate uses of the word? Could irony be one of those?
-dZ.
Sounds like a terrific idea! But I would think that carrying a gun on board would automatically put you into one of those "lists", which means that your security checks (and perhaps even your on-board presence) will demand closer scrutiny from everyone, which may undermine the conveniences you mentioned.
-dZ.
>> "In case Google's work with mobile phones, word processing, web browsers, disease prevention, encyclopedias, email, watercraft, cartography, and humanitarian aide hasn't driven home Google's aspirations to have its hand in absolutely everything, try a new $4.4 trillion energy plan on for size."
It'll finally sink in when I see Google-branded chips at the corner store. (Er, that's "crisps" for you Brits.)
-dZ.
I think the implication of those comments was that the law would contain provisions to exclude visitors from other countries.
>> "The US supreme court has ruled the foreigners do have civil rights"
Yes, and the Constitution of the USA defines some rights for its citizens also, which obviously did not affect the policies of the current administration (hum, the 4th Amendment comes to mind).
-dZ.
I like the new look, but I just noticed that on RegHardware pages, the "subtitle" does not show up. For example, on this page, the subtitle below the headline on the front page is "Online war of words went too far?", but it doesn't appear on article page itself.
Is this on purpose?
-dZ.
Bravo! I couldn't have said it better myself. I also can't comprehend how this is such an alien concept to others: The limitations of technological solutions are intrinsic to the solution itself, and therefore known beforehand.
When a publisher chooses an advertising delivery system which is mostly autonomous, he is consciously surrendering control of the advert selection to such a system. As Chris C. said, they could decline such a system and have a human make the advert selection, or they could build their own system that would prevent such misalignments as discussed in the article. The fact that these alternatives are more expensive or difficult is not an excuse to choose a system that violates laws or policies.
The publisher must understand that he still has liability for all the content he publishes--regardless of who is making the decisions, be it his editor, account manager, or yes, even a machine.
-dZ.
But it is *not* running an Open Source OS. Google claims it will, eventually, but it hasn't released the source yet.
Plus there is really no suggestion that the platform where the OS is running (i.e. the hardware) will be open. It may just turn out to be like a TiVo: soft and chewy open source middle with a hard, closed shell.
-dZ.
Ok, I'll bite.
I refuse to be subjected to advertising, out of principle, and avoid it to the extent that I can. I, personally, would have no problem with no web-content to read that "isn't subscription based or Government funded". Why does everything have to be ad-supported? So that you feel you're getting something for free while being subjected to subconscious brand persuasion? Talk about freetards.
If it is worth the ticket price, I'd gladly pay it--and I have repeatedly said that I would happily subscribe to The Register if there were a subscription-based, ad-free, navigation surveillance-free version. (If there is, I apologise for missing it, and would appreciate if you could point me to it.)
Nobody has the right to push advertising on anybody else, and contrary to common belief, there is no unspoken social contract between the publisher and reader. Just as I am free to read a book--even freely distributed pamphlets--in any order that I like, skipping which parts I want, so too can I skip any parts of a web page I do not want or like.
Next you'll tell me that I cannot walk out of the room or change the channel when a commercial break occurs while watching a television show. I have no obligation to watch the ads. And to that end, I tend to avoid commercial television, and subscribe to commercial-free channels that I do enjoy. Most of the time I just watch DVD videos (which I have legally purchased, since you ask).
The Register publishes their web site, and they chose advertisement as their source of income. With this comes the risk that some people will not enjoy the ads, will not be swayed or influenced by them, or will skip or even block them. I did not participate in this decision. If they decide to refuse me entry to the site because I do not want to view the ads--which is their prerogative--or if they frankly tell me flat out that I, as an ad-blocker, am not welcome, I'll oblige them and leave for good.
It'll be a pity, though, as I do enjoy it much; I read it every day and tend to pass links to my friends and colleagues (some of which do not block ads).
If it makes everybody feel better, in lieu of a subscription option, I can certainly, voluntarily, send a yearly cheque to the editors, of a reasonable amount that would cover any revenue that my page views would have generated had I accepted the ads. Really. I think the Register is worth some money. El Reg editors, just say the amount.
I am not a "freetard", I just do not like advertising as a matter of principle.
-dZ.
I guess I spoke too soon before; I do have a suggestion: The "Top Stories" block does not particularly stand out to me. Basically, I did not even notice it there until I read your article justifying the changes. I guess it could use a different color for the hyperlinks. As they stand, they are indistinguishable from regular text (i.e. they're black, although bolder), and do not really attract my attention in any obvious way--that is, as compared to the regular stories, which have larger, blue letters in their headline along with a sub-text line.
-dZ.
I think the redesign is nice and serves its intended purpose. I find the stories easier to follow throughout the day, in a logical manner (I still don't get the old sorting order, where stories seemed to jump around randomly). Regarding the fixed width, I do tend to disagree with its usage, given that it wastes space on large screens. That said, I am not particularly annoyed with its implementation on El Reg; I find it rather comforting, in the way it forces the site's organization and cohesion.
I still don't see any ads (must be my AdBlock and NoScript at work--attaboy!). Perhaps that in itself enhances--artificially--my perception of the layout. As I said before, I reject and oppose all ads in principle: I refuse to be subjected to them in any medium, to the extent that I can prevent it. But, as I also have said before, I will be more than willing to pay a reasonable subscription fee to gain access to the site, provided it does not bring with it additional navigation surveillance, or such common intrusions. I generally enjoy The Register and understand and respect the staff's need to eat (and occasionally drink beer). And I am most definitely not a "freetard".
As for the comment icons: Bleh. I never used them, and tend to ignore them when others do. I find it too Web 2.0-ish and social-networky for my taste. Thus, I don't care for them either way. But, of course, that won't stop me from criticising them: The old ones were too crude and cheesy; the new ones are too cute and cartoony.
Overall, I like the new look and hope the content continues the old tone and spirit of "biting the hand that feeds IT."
Cheers!
-dZ.
>> And much of the hubbub that grew up around the orgone idea was eventually debunked as a load of old cobblers. Which will hopefully be the ultimate fate of a lot of this cloud computing nonsense,
Congratulations! You appear to finally "get" the reference in the tag line. On behalf of everyone here, I would like to welcome you to The Register. Enjoy your stay, and try not to strain yourself too much trying to figure out the witty quips from the writers in the future.
-dZ.
From the Gears FAQ:
"For example, webmasters can use Gears on their websites to let users access information offline or provide you with content based on your geographical location."
How does it let users "access information offline"? This is just what the world needs: some new magical link that allows your browser to phone home to Google when disconnected from the network.
-dZ.
@Keith T:
Nobody is stating that criminals should be allowed to do harm, nor that freedom of speech should give license for criminal activity. However, the basis to determine that an actual crime has been committed is usually a legally nuanced one, and should not be arbitrarily made by the service provider. As Julian Field mentioned, a Domain Name Registrar should not be allowed to cancel service indiscriminately--which can result in financial losses--by the mere fact that someone complained, or that your name appears in some arbitrary list presumed to be official, but compiled by (possibly anonymous) volunteers.
@Franklyn:
The analogy stands when you consider the fact that the telephone company will not discontinue service on the basis of a single complaint of one of those charges you mentioned. If considered serious, the telephone company would indeed investigate, and if a crime is suspected, the appropriate law enforcement agencies will be involved.
By contrast, as noted in the article, sometimes all it takes is a complaint or inclusion on a third-party list for a domain registrar to cancel service unconditionally. As Julian Field mentioned, it is indeed scary that their lists assert such influence.
-dZ.
Oh no, are you proposing the "enwikification" of the World Wide Web? Isn't that what we have now with the Web 2.0, blogging, tagging, and of course, Wikipaedia? And isn't that what is taken to be the problem?
There have been numerous studies done that show collective mass opinion can be significantly more accurate than small numbers of experts--sure, for a very liberal definition of accurate. Just because every uninformed idiot agrees it is true does not make it so.
-dZ.
We're talking about Spam, i.e. unsolicited e-mail. Not murder, nor armed-robbery, nor kidnapping; it's e-mail that is not solicited.
Nobody, not even the judge in this case, is saying that what he did was fine, nor that he should be let go without punishment. They are just saying that the particular law the state threw at him is unconstitutional for various reasons. That just means two things: first, go back and make a better case that relies on existing laws of subverting proprietary systems and electronic trespassing and such (of which there are many); and second fix the damn anti-spam law to be more narrow in prohibiting unsolicited commercial advertising without preventing freedom of speech.
This is what happens when lazy legislators make knee-jerk reactionary laws to please the populace without proper research into the legal implications of the statute.
-dZ.
I'm one of those who thought it was weird how stories moved their way around on the page and never got it. I like this new look, and it does indeed appear to solve the problems you attempted to address.
I hope it works out for you, though I still won't accept the ads; I use AdBlock. I'd be willing to pay a subscription to El Reg, like with any other rag of interest, but I just don't like ads.
Cheers!
-dZ.
>> "We've updated the Community Guidelines to address some of the most common questions users ask us about inappropriate content."
From: j****@alqaeda.online.org
To: support@youtube.com
Subject: Help with content
Attachments: recrutmen1.mov; recrutmen2.mov
Deer sirz:
were planing to show one of our videoss in yur site to recrutment of yoofs into our troopz. plez you can chek the attach videoss and letus now if is ok. we can has permishoon to post?
kthnxbyek.
So first they claimed that it must have been an expert because of the specific knowledge required to make the spores into a weapon (see, I'm American, but I can avoid 'izing' every other word). Then, when the counter-argument came that the alleged single expert with access to the stuff had not the knowledge or skill for such activity (not to mention that the other alleged single expert who actually had the knowledge in bio-weapons had to be cleared of all charges with a big apology cheque), then it turns out that it really wasn't all that hard to create weapons (look ma', no 'ize') from the bacteria, and any old Joe could have done it.
And all the proof ever needed to point the finger indisputably at our guy comes from a brand new branch of biology and test protocols which were invented precisely for this occasion.
Rather convenient, isn't it.
-dZ.