posts brought to you by the category
“security”
Das eez kaput! Sometime around 2002 I spaced the
entire database table that mapped individual entries to
categories. Such is life. What follows is a random
sampling of entries that were associated with the
category. Over time, the entries will be updated and then
it will be even more confusing. Wander around, though,
it's still a fun way to find stuff.
Movable Thoughts #21 : Removed -T from mt.cfg and
mt-send-entry.cgi
You can enable taint mode explicitly with the -T command-line switch. You should do this for daemons, servers, and any programs that run on behalf of someone else, such as CGI scripts. Programs that can be run remotely or anonymously by anyone on the Net are executing in the most hostile of environments. You should not be afraid to say No! occasionally. Contrary to popular belief, you can exercise a great deal of prudence without dehydrating into a wrinkled prude.
On the more security-conscious sites, running all CGI scripts under the -T flag isn't just a good idea: it's the law. We're not claiming that running in taint mode is sufficient to make your script secure. It's not, and it would take a whole book just to mention everything that would. But if you aren't executing your CGI scripts under taint mode, you've needlessly abandoned the strongest protection Perl can give you.
The Camel Book, 3.0
Marc Fonvieille : Encrypted File System on a USB
Thumbdrive
Lori Alden : The Cook's Thesaurus
The New York Times ties its panties in a knot over
wireless back-channelling.
Andy Lester : "...I added a utility called
'mech-forms'."
Meanwhile, William Gibson cites
John Carleton : "I was almost done with my ramen"
The first two points on this author's wishlist will
never happen
Laura Holder : Illinois Flatland #5
Me : sql-abstract-_recurse_where-order-by.2.diff
James Spahr : "I made a Movable Type BBEdit
glossary"
From the "I don't mean to disabuse you of your Google
swooning" department:
Angela Lewis : Hoax E-mails and Bonsai Kittens: Are You
E-literate in the Docuverse?
Our social mantra is very much 'is Internet, is good',
and our logic is often placed around a misguided belief
that if the information was found on the 'Net, then it
must be good'.
This paper discusses the importance of not only having
the skills of computer literacy, that is defined as being
able to use computers and software to navigate the
Internet, but also the importance of information
literacy, defined as the skill of being critically
literate.
The random pseudodictionary.com word of the day is :
world serious
A collection of baseball games, generally
played in October, often viewed by aficionados in a light
similar to religious ritual. Term first coined in the
1950s by the inimitable Walt Kelly, cartoonist, humorist,
and linguist extraordinaire. ("We have met the enemy and
he is us.")
ex. 2001 was the first year the World Serious
lasted into November.
The random pseudodictionary.com word of the day is :
skrilla
"Money, Loot, Chedda."
ex. "whut up ninjaz,I gots the skrilla fo'
rilla, I'll take care of the chizeck"
The random pseudodictionary.com word of the day is :
narkit/fair narkit
Scottish slang. Narkit = angry. Fair narkit =
pretty darn angry.
ex. Your wee laddie made me fair
narkit.
Kip Hampton : Introducing XML::SAX::Machines, Part
Two
The random pseudodictionary.com word of the day is :
fundage
Money.
ex. We're gonna have to go soon. I'm running
low on fundage.
W3C : IsaViz
IsaViz is a visual environment for browsing and
authoring RDF models represented as graphs.
Bob DuCharme : Reading Multiple Input Documents [in
XSLT]
The dictified dictionary.com word of the day is :
frisson
frisson n : an almost pleasurable sensation of
fright; "a frisson of surprise shot through him" [syn:
{shiver}, {chill}, {quiver}, {shudder}, {thrill}, {tingle}]
wn
The dictified dictionary.com word of the day is :
tyro
Tyro, KS (city, FIPS 71925) Location: 37.03670
N, 95.82142 W Population (1990): 243 (98 housing units)
Area: 1.4 sq km (land), 0.0 sq km (water)
gazetteer
Tyro \Ty"ro\, n.; pl. {Tyros}. [L. tiro a
newlylevied soldier, a beginner.] A beginner in learning;
one who is in the rudiments of any branch of study; a
person imperfectly acquainted with a subject; a novice.
[Written also {tiro}.] The management of tyros of eighteen
Is difficult. --Cowper.
web1913
tyro n : someone new to a field or activity
[syn: {novice}, {beginner}, {tiro}, {initiate}]
wn
Nicholas C. Zakas : Creating a Cross-Browser (DOM)
Expandable Tree
The dictified dictionary.com word of the day is :
potable
Potable \Po"ta*ble\, a. [F., fr. L. potabilis,
fr. potare to drink; akin to Gr. po`tos a drinking, po`sis
a drink, Skr. p[=a] to drink, OIr. ibim I drink. Cf.
{Poison}, {Bib}, {Imbibe}.] Fit to be drunk; drinkable.
``Water fresh and potable.'' --Bacon. -- n. A potable
liquid; a beverage. ``Useful in potables.'' --J. Philips.
web1913
potable adj : of alcoholic beverages that are
suitable for drinking; "it's an impudent young wine but I
think you will find it quite potable" n : any liquid
suitable for drinking: "may I take your beverage order?"
[syn: {beverage}, {drink}, {drinkable}]
wn
POTABLE, n. Suitable for drinking. Water is
said to be potable; indeed, some declare it our natural
beverage, although even they find it palatable only when
suffering from the recurrent disorder known as thirst, for
which it is a medicine. Upon nothing has so great and
diligent ingenuity been brought to bear in all ages and in
all countries, except the most uncivilized, as upon the
invention of substitutes for water. To hold that this
general aversion to that liquid has no basis in the
preservative instinct of the race is to be unscientific --
and without science we are as the snakes and toads.
devils
chromatic : Slash's Wiki Plugin
"In theory, any Web application could
be reimplemented as a Slash plugin. In practice, it's not
terribly difficult to write something useful."
N.Y. Times : " The court began by observing that a
hyperlink is not merely a high-tech footnote
or reference card that conveys
information to a reader concerning the location of additional
content. Rather, the court said, a hyperlink contains a
speech component and an additional "nonspeech" component --
some computer code -- that has the functional capacity to
bring the content of the linked Web page to the user's
computer screen at the click of a mouse. It is this
instantaneous, functional nature of the hyperlink that
distinguishes it from its non-electronic print cousin, said
the court, because a hyperlink to digital material can result
in "instantaneous worldwide distribution [of prohibited
material] before any preventative measures can be taken."
Because the D.M.C.A.'s anti-trafficking provision is targeted
at the functional, instantaneous aspect of Corley's
hyperlinks, continued the court, the regulation is "content
neutral" and thus is subject to a relaxed level of judicial
scrutiny."
The dict-ified dictionary.com word of the day is
enunciate
| source : web1913 | Enunciate
\E*nun"ci*ate\, v. t. [imp. & p. p. {Enunciated}; p. pr.
& vb. n. {Enunciating}.] [L. enuntiatus, -ciatus, p. p.
of enuntiare, -ciare. See {Enounce}.] 1. To make a formal
statement of; to announce; to proclaim; to declare, as a
truth. The terms in which he enunciates the great doctrines
of the gospel. --Coleridge. 2. To make distinctly audible; to
utter articulately; to pronounce; as, to enunciate a word
distinctly. | source : web1913 | Enunciate \E*nun"ci*ate\, v.
i. To utter words or syllables articulately. | source : wn |
enunciate v 1: speak, pronounce, or utter in a certain way;
"She pronounces French words in a funny way"; "I cannot say
`zip wire'" [syn: {pronounce}, {articulate}, {enounce},
{say}] 2: express or state clearly [syn: {articulate},
{vocalize}]
Does anyone know if any standardized vocabularies
Me : Apache::XML::TreeView.pm
Danny Goodman : Supporting Three Event Models at
Once
Canada DMCA Opponents
Daniel Lundin : xmlrpc.el
"is an XML-RPC client implementation
in emacs lisp, capable of both synchronous and asynchronous
method calls (using the url package's async retrieval
functionality)."
I wonder how difficult it would be to write an
interactive weblog client
The Meerkat Product
"gives access to the Meerkat's
XML-RPC API and allows the placement of news items in any
Zope document."
Politics of Culture : E-Books: On Paper or in the
Hand?
The thing I don't understand is
What's the only thing better than a dead tree?
Hour : It's not the internet, stupid
"Here's a look at the net-savvy parts of each platform, focussing on the Red Book of futureman Jean Chrétien's Liberals."
CBC : Do penguins fall over backwards watching
planes?
Peter Y. Sussman : How stupid can an e-mail program
be?
"Words become offensive by the nature
of the attention that is paid to them. When a corporation
tacks a chili onto this or that word in an e-mail message or
builds a software barrier around a word on a Web site, it
invites writers and readers to consider the word
one-dimensionally, with only the meaning and intent that the
corporation has interpreted as offensive."
Jonathan Kay : Caste of characters
"But it is not so much Homer's choice
of words as his manner of speaking them that is instructive.
Though Homer is dumb in any language, France's dub community
decided the star of the show shouldn't speak in anything less
than standard French. "There is a levelling effect," says
Éric Plourde, a French-Canadian linguist who wrote his
master's thesis on the translation of The Simpsons. "The
French brought the pronunciation of almost all the characters
to more or less the same plane." The uniform quality of the
language, he argues, "reflects a belief in the uniqueness and
irreducible character of the French identity" - in other
words, the French are secure enough to insist that even a
dolt can, and should, speak proper French. This approach,
Plourde says, betrays an "imperialist" attitude towards
language animated by the nation's colony-holding past."
Here's me,
looking for god in all these fucking
details...
The Big Move 2.0
has begun. Regular programming will
resume sometime next week. In the meantime, I'll leave you
with these three words :
nineteen
foot Cadillac
.
Jorn Barger : Scare the motherfuckers shitless
All basements are not created equal.
I found these photos while preparing
for The Big Move 2.0. With six and half foot high stucco
ceilings and (dark) fake wood panelling, this is the place
that I have measured all the others against. Just West of
Little Italy, we lived three to the basement with another
three "apartments" in the house. Above the kitchen lived a
woman our age, affectionately dubbed The Screamer. Somewhere
above my make-shift room, lived the single mother whose son
was taken away from her by the police on an April morning;
not soon enough to prevent her from beating the shit out of
him too many times. We never saw the people on the second
floor but they got more mail than the rest of us combined.
This is where I quit smoking, rediscovered computers and
made these paintings
.
Kudos to A List Apart
for
raising
a little
hell
this week, even if it is mostly just ill-conceived, childish
drivel : "The lone coder, hunched over his keyboard at 3
A.M., echoes the monks of the Middle Ages who painstakingly
translated and copied the Bible by hand. The zeal of the
early online pioneers recalls the disciples spreading the
word. And the corporate jackals are the Pharisees and false
prophets, intruding and crowing that the Web is theirs,
stomping over anyone who dares to oppose their "authority" -
the very authority we were trying to escape from." I think
that you need to get a little more sleep, Buddy. see also :
Zeldman
, "Next week I will publish a useful article on designing
with the DOM. If any of you are still ALA readers, you will
learn some cool and useful design programming techniques."
The road to Hell is paved with telephone companies
It's the dial-tone stupid. The modem
I bought for my Visor doesn't grok the Italian dial tone. I
will rant at length about the morons who run high tech
companies when I get back. Until then I will write for the
web periodically; I didn't come to Italy to sit in front of a
web browser. The rest will have to wait. Sorry, I'm not very
happy about it either.
[U.S.] Chief Justice William H. Rehnquist
"Physically invasive inspection is
simply more intrusive than purely visual inspection. [A
passenger in Mr. Bond's position] does not expect that other
passengers or bus employees will, as a matter of course, feel
the bag in an exploratory manner."
It is gorgeous here today.
The kind of weather that smothers the
idea of getting any work done. Meanwhile, on the wayback from
the kitchen, I considered buying two or three boxes of
tangerines and decorating my apartment with them.
It's as if you have to wait for the dough to rise
Dr. Stickgold said. And we all know
what happens to bread dough once it's risen...
Magnus Lie Hetland : Instant Python
Ars Technica
"Actually using DP2 is akin to
logging into a demented Xterm running a poorly designed
window manager theme meant to look something like Mac OS.
Launch a Cocoa application and you feel like you've been
warped into NEXTSTEP, again running that funny window
manager. Run a classic application and it's like being in a slightly odd version of Mac OS 9, with that alternate NeXT
universe still visible in the background. Pull up the command
line and you start to think that all of this is one big
facade running on top of good old Unix."
Mark-Jason Dominus : The Sins of Perl Revisited
Floyd proved to be
decidedly underwhelming here on the
Vineyard
- a good thing. The worst of it, for me, was the humidity
which made me want to clean my ears every five minutes and
waking up feeling hung over even though I had nothing to
drink last night.
Clive Thompson : The Attack of the Incredible Grading
Machine
"The theory behind the method is
this: For any given essay, good content is a function of
using certain words in the vicinity of certain other words,
and that accomplishment can be expressed numerically."
Fascinating. The claim is that it is optimized for
short-essay answers, but how long will that last? What
happens, then, when you feed it a paper by someone who
decides to challenge accepted notions, expand the area of
discussion or just outright aims to prove an idea to be wrong
wrong wrong? Galileo, anyone?
Fun mail
from
postcardgirl
! "...reminds me of that old joke: 'I'm sure there's a pony
in here *somewhere*!'" -
anita
What's the Plural of Virus?
"Another theory holds that virus,
being a 2nd declension neuter--which we are 100% certain of
because its nominative singular is -us and its genitive
singular is -i--must go to *vira in the plural as do its -um
neuter brethren in the 2nd declension. However, that assumes
that it works like a -um form, not as a -us form does. And it
really seems to do neither. If it were a -us form (again, as
a 2nd declension nominative), then its vocative would have to
be *vire; but it's really only virus. You also expect an
accusative form *viros, but that too is missing; it's still
just virus in the accusative. And if it were a -um form, then
its vocative would have to be *virum. But it's not--here
again, it's only virus. (Vocative examples of virus are not
particularly common. Apparently the Romans seldom addressed
their slime in a personal fashion. :-)" It all starts to
sound like
new math
to me.
Wired : Big Blue Reinvents Internships
"If the most popular kids at summer
camp are those who can do the fanciest dives into the lake,
at Extreme Blue the attendees who garner the most respect are
those who work the longest hours." I saw a similar attitude
in the hardcore scene. The focus was drugs but the goal was
still to be "hardcore-er than thou." The idea was to get as
*fucked* up as possible, and I often saw people I knew on
acid and mescaline at the same time, sometimes with a liberal
dose of cocaine thrown in for kicks. That didn't include the
obligatory quarter-ounce of pot, and a couple of 24's. Most
of those people are junkies now, which led another friend to
muse that they are just hanging on (doing smack) until the
first person OD's. That way, they can quit and say they
were more hardcore than heroin.
It's August 1
which probably doesn't mean anything
to most people, but on the Vineyard it's the turnover day for
summer rentals. To mark the occasion, I'd like to direct your
attention to
a local zine called Martha's Minions
(don't get me started on the url.) Written by and about the
people who work here year-round, each issue tackles one
sector of the Island economy, offering a tiny voice to those
who labour to make this place "so special". So far, there's
only a dead-tree version (with no ordering info), but I bet
if you asked, you could find out how to get a copy : Martha's
Minions / POB 1044 / Oak Bluffs MA 02557 / maria @
vineyard.net
Talk Back on nicknames
real audio (starts 10:56)
wtf?
-
dude, where's my car
This document uses
CSS
kung-fu and a small amount of JavaScript for rendering
its contents. Efforts have been made to separate the
form from the content so if you are viewing this in a
text-based browser it shouldn't be an issue.
On the other hand it may look funny if you are
viewing it in a browser with incomplete
CSS
and/or JavaScript implementations. Internet Explorer 6
comes to mind.
It's not that I don't love you. However, my time is
limited and I no longer feel very good about spending
it working around any one browser's inconsistencies
with little, or no, confidence that they will ever be
fixed or otherwise made more inconsistent at some later
date.
On the other hand, if something is down-right
unreadable
please let me know and I will endeavour to fix it.
-
yes, we have no bananas
This page may not validate. It's not that I don't
care, it's just that I'm not aware of it yet. Part of
the reason that I rewrote the entire back-end for
managing this site is that the old stuff made it too
easy for these kinds of mistakes to slip through the
cracks.
See also :
W3C::LogValidator.pm
-
it's the software, stupid
Use the source, Luke.
Prompted by all the talk about using Movable Type as an open relay for spammers, I decided to poke at the actual code and see what was going on.
There really isn't anywhere that Movable Type should be disabling taint mode but if I had to list things in order of importance, the mt-send-entry.cgi script would be near the top.
The script is potentially handing off to the sendmail program, whose entire existence has been marked by security exploits. There is nothing to suggest that more won't be found in the future. Relying on sendmail to test for Potential Badness being passed by a ne'er-do-well via the Internet is wishful thinking, at best, and just plain crazy, at worst.
In fairness, the Movable Type mail widget tries to load Mail::Sendmail, which does some basic sanity checking and, drumroll, untainting on the stuff you pass it. On the other hand it is not part of the core libraries shipped with Perl, nor is it in Movable Type's extlib directory, which is a mystery since two thirds of its dependencies are part of the core and the other third has no non-standard requirements itself.
Untainting email addresses can be brain-crushingly difficult and inaccurate, and the last thing you want to do when you're selling a computer widget for non-technical people is start spewing errors where there are none. But not only did the Movable Type kids disable the -T flag on the mt-send-entry.cgi script, they don't appear to have ever done any kind of untainting on the 'to' and 'from' parameters. Hello? Is anyone home? I find this especially discouraging because one of the first things I did when Movable Type was released was send Ben code to at least try and untaint email addresses.