Posted by samzenpus
snydeq writes “InfoWorld’s Tom Yager takes a closer look at Apple’s iPhone SDK confidentiality agreement, which restricts developers from discussing the SDK or exchanging ideas with others, thereby leaving no room for forums, newsgroups, open source projects, tutorials, magazine articles, users’ groups, or books. But because anyone is free to obtain the iPhone SDK by signing up for it, Apple is essentially branding publicly available information as confidential. This ‘puzzling contradiction’ is the ‘antithesis of the developer-friendly Apple Developer Connection’ on which the iPhone SDK program is based, Yager contends. ‘You’ll see arguments from armchair legal analysts that the iPhone developer Agreements won’t stand up in court — but those analysts certainly won’t stand up in court on your behalf.’ Anyone planning to launch an iPhone forum or open source project should have ‘a lawyer draft your request for exemption, and make sure that the Apple staffer granting it personally commits to status as authorized to approve exceptions to the iPhone Registered Developer and iPhone SDK Agreements,’ Yager warns.”
Re:If this is the computing model of the future - by TheNucleon (Score: 5, Insightful)
It is, no doubt.
I mean, look at the programmable hardware platforms out there that “the powers that be” won’t let you program. Game consoles, smartphones, even APIs for stinking video cards. This is all hardware that WE BUY, yet, we can’t find out how to write our own stuff unless we are a big dev house and pay tons of $$. Ridiculous.
Developers, developers, developers, developers.
This will have to change… - by Karpe (Score: 5, Informative)
Stanford has announced that it will be offering an iPhone development course. I would also expect that many books on iPhone development are being edited to be published soon. For these to occur, iPhone development information cannot be under NDA. So it’s just a matter of time. Apple is not stupid.
I had assumed this would be lifted Real Soon Now. - by w3woody (Score: 5, Interesting)
After all, the iPhone SDK cannot remain a “beta” forever, and once it’s no longer a beta, I presume the SDK will show up side-by-side with the MacOS X Cocoa SDK from which it was derived.
Most of Apple’s beta stuff has the same confidentiality agreement, so I presumed this was just a bug.
So basically, no learning help? - by TellarHK (Score: 5, Insightful)
So with this NDA issue, I can’t buy a book, read a forum, get any assistance at all with writing my iPhone application… So what the hell good is an SDK you can’t talk about? Is this cellular fight club or something?
Apple, fix this shit. Really. Fix it now. There’s no excuse for not letting the NDA go, no way that it protects you. The phone’s been jailbroken, it _will_ be unlocked, so why stifle development?
No, it’ll end when… - by PC and Sony Fanboy (Score: 5, Interesting)
It won’t end until the piratebay.org steps in and provides a safe, secure, overseas forum to discuss apple products.
OH wait, this isn’t even piracy. It isn’t even ‘stealing’… it’s just talking to another human being who has the same program you have… like, idea sharing.
I guess they really mean it when they say “Think Different”. As in, don’t you DARE think what he’s thinking. Don’t even think about thinking about it…
Posted by samzenpus
Grablets writes “Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that rethinks the way network blacklists are formulated and distributed. The service, called Highly Predictive Blacklisting, exploits the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future. A free experimental version is currently available.”
Babies out with the bath water. - by LostCluster (Score: 5, Insightful)
This isn’t going to work in the real world. Too many users you want to hear from at an ISP won’t like it when the virus-victim spammers get their whole network preventatively banned.
Stop fixing the mail protocols we have today. It’s time to replace with some form of sender authentication.
Probably a bad idea. - by Jane Q. Public (Score: 4, Insightful)
The problem with ANY “predictive” statistics (like racial profiling, for one glaring example) is that even when they become accurate enough to produce useful information, they tend to produce too many false positives.
And often (again using racial profiling as a good example), even a few false positives are too many.
Not really that “predictive”. - by khasim (Score: 5, Informative)
They take X firewall logs…
Then they look for matches in attacking IP addresses between the logs…
And if any IP addresses appear in log A (which is very similar to log B)… then those IP addresses are “predicted” as being possible to attack the firewall from which log B was obtained.
Logical - yes. Predictive - no.
Re:Not really that “predictive”. - by LostCluster (Score: 4, Insightful)
That worked back in the day when you could say “Syracuse University’s gotten hit with the latest worm. So, don’t trust any mail that comes from 128.230.x.x.” but these days mail comes from one address per organization or household. Most corporations expose only one mail server IP address to the world, and some smaller companies have hundred-user systems and only one IP to show for it. So, who you’re next to doesn’t hold much water in predicting whether the message is spam.
Not really. - by khasim (Score: 5, Interesting)
So if this isn’t predictive, what is? Would you rather they develop an algorithm that identifies blacklist-worthy addresses before they make their first attack?
Ummmm, yes. If you can identify them BEFORE they make their first attack then that would qualify as “predictive”.
It captures the fact that “true” attackers mostly attack “true” (that is, weak or high profile) targets, whereas those targets are mostly attacked by “true” attackers.
Not in my experience. The attacks are usually automated scripts running on zombies that randomly scan addresses (or search their immediate networks) looking for known vulnerabilities.
Thus some isolated attack by a never-before-detected attacker on a never-before-attacked target has very little predictive potential in the eyes of the algorithm, whereas even just a few attacks by a never-before-seen attacker on several oft-attacked targets raises a huge red flag.
That is the opposite of how their system was described. They looked for matches amongst IP addresses and then “predicted” that if your example machine attacked one firewall it should be blacklisted for the other firewalls that closely matched that list.
Now a real predictive system would look at more factors.
#1. Who was attacking.
#2. How did the attacker(s) gain access to the machines used in the attack.
#3. What other machines are vulnerable to #2 that are available to #1.
Example - Spam zombies often appear in ranges of home addresses from the large ISPs. So machines in those ranges are given an increased score in SpamAssassin. Whether they have ever sent spam before or not. See #1 and #2 and #3.
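A toy version of the overlap-based ranking khasim sketches above (log A and log B compared for shared attacker IPs), together with the quoted “oft-attacked targets” red-flag weighting, added here as an illustration rather than code from SANS or SRI. The firewall logs are constructed sample data and the Jaccard similarity measure is an assumption.

```python
"""Toy version of the "Highly Predictive Blacklisting" ranking discussed above.

Added illustration, not code from SANS or SRI.  Each network contributes the
attacker IPs from its firewall log; networks whose logs overlap are treated
as similar, and a source seen by networks similar to yours is ranked higher
on your predicted list.  All logs here are constructed sample data.
"""
from collections import defaultdict

# Constructed sample logs: network id -> set of source IPs that attacked it.
SAMPLE_LOGS = {
    "netA": {"198.51.100.7", "203.0.113.9", "192.0.2.33"},
    "netB": {"198.51.100.7", "203.0.113.9", "192.0.2.50"},
    "netC": {"198.51.100.7", "192.0.2.33", "192.0.2.77"},
    "netD": {"192.0.2.99"},  # one isolated hit from a never-before-seen source
}


def similarity(a, b):
    """Jaccard overlap of two attacker sets (assumed measure); 0 if either is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def predict_blacklist(logs, target):
    """Rank sources for `target` by the summed similarity of the other networks
    that logged them.  Sources the target has already seen are left out: those
    belong on a plain reactive blacklist, not a predicted one."""
    own = logs[target]
    scores = defaultdict(float)
    for other, seen in logs.items():
        if other == target:
            continue
        weight = similarity(own, seen)
        if weight == 0.0:
            continue  # nothing in common, so this log says nothing about us
        for ip in seen - own:
            scores[ip] += weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def attacker_weight(logs):
    """Global red-flag score from the quoted description: a source that hits
    several heavily attacked networks outweighs a single hit on a quiet one.
    Each victim contributes the size of its own attacker list."""
    weight = defaultdict(int)
    for seen in logs.values():
        for ip in seen:
            weight[ip] += len(seen)
    return dict(weight)


if __name__ == "__main__":
    for net in SAMPLE_LOGS:
        print(net, predict_blacklist(SAMPLE_LOGS, net))
    print(sorted(attacker_weight(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]))
```

netD, whose only log entry overlaps with nobody, gets an empty prediction: exactly the isolated-attacker case khasim argues the scheme cannot say anything about.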
Posted by samzenpus
Iddo Genuth writes “Researchers at Purdue University are developing a miniature refrigeration system, small enough to fit inside laptop computers. According to the researchers, the implementation of miniature refrigeration systems in computers can dramatically increase the amount of heat removed from the microchips, therefore boosting performance while simultaneously shrinking the size of computers.”
Hype - by MojoRilla (Score: 5, Insightful)
The article says:
The researchers developed an analytical model for designing tiny compressors that pump refrigerants using penny-sized diaphragms. This model has been validated with experimental data.
Translation:
This is completely impractical hype so far. We are looking for grant and startup money.
Re:Condensation? - by Smidge204 (Score: 5, Informative)
Only because they cool below the dew point - which, in turn, is dependent on the humidity levels.
People who build active cooling into their computers (for overclocking) typically insulate the chip(s) and cooling block to keep air-exposed surfaces at or above ambient temperatures for just that reason.
Also, even if it does produce condensation I’d say there’s little reason to worry… just recycle the condensate to provide evaporative cooling on the (much hotter) heat sink side of the system. =Smidge=
How much juice? - by fyoder (Score: 5, Insightful)
And how much electricity will this consume? It may not be that appealing to laptop users if it eats significantly into their battery life. And for servers many colo companies are finding themselves less constrained by space than by available electricity.
Re:How much juice? - by megaditto (Score: 5, Interesting)
Could be pretty damn efficient if it’s a heat pump.
A good AC unit usually consumes less than 10 times the energy it moves (a 1 kW window unit rated for 40,000 BTUs for example), but that depends how much colder the inside needs to be compared to the outside air.
In case of CPU coolers (cooling things hotter than ambient air), one could even GENERATE electricity if the size and cost of the “cooler” is not a concern (A thick diamond heatpipe to conduct heat away to distant thermocouples is how I would do it).
Yeah, I don’t get this. The heat needs to leave the laptop somehow, and since the refrigerator will have to be within the laptop, the heat remains inside it.
The refrigerator’s exterior heat exchanging pipes don’t have to be inside the refrigerator itself. They didn’t give any technical specs, so what are you worried about? Surely if they are working on this project, they’ll have thought of or experienced this problem if they were putting all items in the same location.
Also, consider that, to a point, the ambient heat inside a laptop can be higher, as long as the PUs are kept cool. Of course if this were the only consideration, eventually the ambient heat would screw all the components except for the processors, but, as I said, they’ve considered this already. I’m sure of it.
Posted by samzenpus
get_Rootin writes “That didn’t take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky’s DNS cache poisoning vulnerability into the point-and-click Metasploit attack tool. From the article: ‘This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.’ Here’s our previous Slashdot coverage.”
See if you’re vulnerable - by neokushan (Score: 5, Informative)
There’s a tool on the site below that apparently checks if the DNS you’re currently using is vulnerable to such an attack. I checked my work DNS and my home DNS - both were fine. Apparently OpenDNS is secure as well, so there’s probably nothing to worry about.
Re:DNS Glue poisoning was already known… - by blueg3 (Score: 5, Informative)
It only works because the DNS server caches the result of the glue record, against the recommendation of the above writer.
The glue record is necessary if, say, you need to provide the address of a nameserver when you provide the name of the authoritative nameserver for a query. You should use that glue record for that query only.
What happens is that an attacker queries lbixds.google.com (or some other nonexistent domain) and then sends the server he issued that request to a response to that query that also has a glue record giving a false address for ns.google.com. If the DNS server only used that false address for resolving lbixds.google.com, cached lbixds.google.com, and left it at that, then lbixds.google.com would be the only entry the attacker could poison — basically useless. However, the DNS server caches the glue record giving the address for ns.google.com, too.
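The three cache-acceptance policies at issue in blueg3’s comment, modelled in Python as an added example (not code from any real resolver): caching every additional record, the classic bailiwick check, and using glue only for the lookup in hand. The response below is a constructed sample with the shape the summary quotes; the zone, names and addresses are assumptions.

```python
"""Resolver-side handling of glue ("additional") records, as discussed above.

Added model, not code from any real resolver.  A response is a dict; the
three policies show the naive behaviour blueg3 describes, the classic
bailiwick check, and the stricter scoping blueg3 recommends, where glue is
used to finish the pending lookup but never written to the shared cache.
Zone, names and addresses are constructed sample values.
"""


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies beneath it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


# Constructed response with the shape the summary quotes: an answer for a
# random hostname, an NS record, and an additional A record for that NS.
SAMPLE_RESPONSE = {
    "question": "lbixds.google.com",
    "answer": [("lbixds.google.com", "A", "192.0.2.10")],
    "authority": [("google.com", "NS", "ns.google.com")],
    "additional": [
        ("ns.google.com", "A", "192.0.2.66"),    # glue inside google.com
        ("ns.example.net", "A", "192.0.2.99"),   # glue outside the zone
    ],
}


def process_response(response, zone, policy):
    """Sort a response into records for the shared cache, records kept only
    for the lookup in hand, and records dropped.  `zone` is the zone the
    resolver believes it is talking to; `policy` is one of:
      'all'       cache everything (the behaviour blueg3 describes)
      'bailiwick' cache authority/additional records only if inside `zone`
      'scoped'    in-zone authority/additional records are used for this
                  lookup only and never enter the shared cache
    """
    # The answer section is accepted only if it actually answers the question.
    cache = [rr for rr in response["answer"] if rr[0] == response["question"]]
    extra = response["authority"] + response["additional"]
    transient, dropped = [], []
    if policy == "all":
        cache += extra
    elif policy in ("bailiwick", "scoped"):
        keep = cache if policy == "bailiwick" else transient
        for rr in extra:
            (keep if in_bailiwick(rr[0], zone) else dropped).append(rr)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return {"cache": cache, "transient": transient, "dropped": dropped}


def cached_names(response, zone, policy):
    """Names whose records would land in the shared cache under `policy`."""
    return sorted({rr[0] for rr in process_response(response, zone, policy)["cache"]})


if __name__ == "__main__":
    for policy in ("all", "bailiwick", "scoped"):
        print(policy, process_response(SAMPLE_RESPONSE, "google.com", policy))
```

Note that the bailiwick check alone still admits the ns.google.com glue, because it sits inside google.com; a resolver therefore also has to be sure a response genuinely came from the authority it asked, which this toy does not model.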
Re:DNS Glue poisoning was already known… - by Anonymous Coward (Score: 5, Insightful)
Congratulations, you confused the mods. Bailiwick checking was added to all DNS resolvers in response to glue poisoning and made cache poisoning through spoofed glue records very difficult. The current problem is that the typical filter rules are insufficient for stopping a glue poisoning attack which appears to come from the authoritative server: Kaminsky found a way around the glue poisoning countermeasure. This means that a very dangerous kind of attack which was thought to be defeated is now possible again.
I exploited this and let a huge cache of people visit my site (127.0.0.1) instead of the site they wanted to go to. It was kickass.
The Book Of Internets, Chapter Three, Verse Twelve - by Aussenseiter (Score: 5, Funny)
And lo, all unpatched websites were rendered unto Goatse.
Posted by kdawson
Brian Jordan and other readers sent in word that Google has taken the wraps off Knol, its expert-written challenger to Wikipedia. (We discussed Knol when it was announced last year.) Wired has an in-depth look. Knol’s distinctions from Wikipedia are that authors are identified by their real names (and verified), and that they can share in ad revenue if they choose to. The service initially features a lot of medical articles, which is interesting considering that Medipedia also launched today. This medical wiki is backed by Harvard’s and Stanford’s medical schools.
Knol on Wikipedia, Wikipedia on Knol - by Glasswire (Score: 5, Funny)
Scholarpedia? - by jnana (Score: 5, Informative)
On the topic of Wikipedia-like sites, I recently found Scholarpedia, which I imagine a lot of slashdotters might like. They don’t have that much content yet, and they are currently focusing on a few fields (science- and tech-related), but I have found some really high-quality articles by experts in the field, like:
Typing Equations? - by biased_estimator (Score: 5, Insightful)
I only looked at it briefly, but they don’t provide an easy way to type equations? I suppose that might be a lot to ask for…
I guess I’ll just have to LaTeXiT.
Wikipedia definitely suffers from the problem of having a lot of know-nothing jackasses writing articles, random defacements, and a lot of useless crap.
But Knol seems to be missing the best part of wikipedia - extensive internal links. Half the fun of wikipedia is looking up something, then wasting a couple hours wandering through topics till you get someplace you might not have gone otherwise.
Wikipedia ^ ~Wikipedia - by Metasquares (Score: 5, Insightful)
It’s like Wikipedia but without the open collaboration which made Wikipedia successful.
Posted by kdawson
ruphus13 writes “Ubuntu and Canonical have been very active at OSCON this year. They showcased a new distro, announced improvements to their code-hosting platform, and made Mark Shuttleworth available for a couple of talks and panel sessions. Quoting: ‘Ubuntu Netbook Remix, a complete distribution designed to run on Atom-based Netbook PCs. The main difference that sets it apart from its big brother Hardy Heron is the Ubuntu Mobile Edition (UME) Launcher, a user interface created specifically for use on the teensy screens and keyboards of today’s popular ultra-portable computers.’ Canonical also announced Version 2.0 of Launchpad, their code-hosting platform. Enhancements include ‘a planned API that’ll allow third-party applications to authenticate, query and modify data in the massive Launchpad database, without a user needing to manually access the system via a browser.’ Mark Shuttleworth went on to state that Linux’s market share will grow when it has better eye-candy than Apple’s.”
The difference between Mac and Linux “eye-candy” - by harlows_monkeys (Score: 5, Insightful)
When Apple introduces eye-candy, they use it sparingly themselves, and make a great API and developer tools so developers can also use it in their apps.
Linux eye-candy seems to hit a dead end, where all it gets used for is for the original project that developed it to see how many different flashy effects they can make.
The Linux projects need to realize that it is not about the flashy eye-candy itself—it’s about providing more capabilities to application developers.
it just needs the applications - by radarsat1 (Score: 5, Insightful)
Forget the UI, it’s usable and that’s what matters. What Ubuntu needs now is support from other players in the software market.
Honestly, I’m pretty well convinced at this point that Ubuntu is “ready”. I know tons of people that would switch to it if they could. The crux of the problem is that the major applications these people depend on (or at least, are used to using) don’t run on it. What Ubuntu needs more than anything is to make deals with the major players in various software markets (graphics, video, gaming, CAD, simulation, RAD languages, etc) to port their applications. I don’t know how this could happen, but I’m pretty sure it’s necessary for us to see major adoption.
While there obviously are some amazing and great tools that come with Ubuntu, it needs to be possible for someone to use those few applications they need. Companies need to start offering Ubuntu versions of their products. If that happens, it’s game, set, match. And I actually think this would be possible: considering how disheartened many people feel about Vista, convincing them to port to another platform in order to reduce their dependency on MS might not be so difficult anymore. People seem to be finally seeing the pattern that dependence on a moving target like Windows can come back to bite them.
I think a few deals in this direction might actually have the potential to push Ubuntu into the mass market.
What I like about Ubuntu - by HalAtWork (Score: 5, Interesting)
What I like about Ubuntu is that as a whole, the community takes the biggest problem with a given platform from an end user standpoint, and then provides an open solution that sticks to the common design rules of the software it complements. The software doesn’t stick out, is modular, sticks to standards (or provides a de facto method that tries to emulate already existing standards), and it seems like it could be drop-in software that would work in any distribution.
It’s kind of the antithesis of YaST, for example, which seems like you couldn’t separate one part from the other, and it also seems like if you use any other tool to mess with the files YaST has touched, then YaST will either have a problem or ignore it and pretend it never existed. (I’m not sure if this has changed, the last time I used SuSE was version 9)
As a user of Ubuntu, it gives me security by making me feel like if the distribution ever became anything users didn’t want, they could easily take these parts and fork. Also as a user, it makes me feel like they are trying to develop software that works for the end user primarily and not as an advantage that only this distribution can have to attract users and keep them. One reason why I use OSS is because I don’t feel like my data is tied to anything, and I can always use it. Ubuntu makes me feel that way about the software as well. It really is closely rooted to Debian in that way and really I feel it ties Debian together with some sealant in the cracks and some polish as well. Good job everyone and thanks!
Re:Installation over eye-candy - by McGiraf (Score: 5, Informative)
And I forgot because I do not use it, but in Ubuntu there is an “Install applications” somewhere in the menu which is another front end for apt. Way simpler than Synaptic and way simpler than anything else I saw on any OS for the non-technical people.
“eye candy” is misleading - by commodoresloat (Score: 5, Insightful)
Vista has better “eye candy” than XP, even arguably better than OSX, but many people aren’t switching because it’s not just about “candy.” It’s about user experience, in which animation and soothing visuals play only a part. Simplicity is more important than prettiness, and the ability of the user to know somewhat intuitively what a button will do goes a lot farther than 3D visual effects.
Posted by kdawson
ydrol writes “After building my new Core 2 Quad Q6600 PC, I was ready to unleash video conversion activity the likes of which I had not seen before. However, I was disappointed to discover that a lot of the conversion tools either don’t use SMP at all, or don’t balance the workload evenly across processors, or require ugly hacks to use SMP (e.g. invoking distributed encoding options). I get the impression that open source projects are a bit slow on the uptake here? Which open source video conversion apps take full native advantage of SMP? (And before you ask, no, I don’t want to pick up the code and add SMP support myself, thanks.)”
avidemux - by Unit3 (Score: 5, Informative)
I’ve noticed a lot of talk about commandline options, but not the nice guis that use them. Avidemux is open source, cross-platform, gives you a decent interface, and uses multithreaded libraries like ffmpeg and x264 on the backend to do the encoding, so it generally makes optimal use of your multicore system.
The problem with MPEG encoding and decoding is that the data itself is not well suited to multi-threaded analysis.
Multi-threading is most efficient when it is applied to discrete data sets that have little or no dependency on each other.
For example, suppose I have a table with four columns — three holding input values (A, B, and C) and one holding an output value (X). If the data in a given row of the table has nothing to do with the data in any other row, multi-threading works efficiently, because none of the threads are waiting for data from any of the other threads. If I want to process multiple rows at once, I simply spawn additional threads.
On the other hand, for data such as MPEG video, the composition of the next frame is equal to the composition of the current frame, plus some delta transformation - the changed pixels.
This introduces a dependency which precludes efficient multi-threaded processing, because each succeeding frame depends on the output of the calculations used to generate the prior frame. Even if more than one core is dedicated to processing the video stream, one core would wind up waiting on another, because the output from the first core would be used as the input to the second.
Actually, the MPEG stream resets itself every n frames or so (n is often a number like 8, but can vary depending on the video content). These are called keyframes (K) and the delta frames (called P and I frames) are generated against them. Because of this, it is really easy to apply parallel processing to video encoding.
Actually, the MPEG stream resets itself every n frames or so (n is often a number like 8, but can vary depending on the video content).
That is not true for MPEG-4 unless you have specifically constrained the I/IDR interval to an extremely short interval, and doing so severely impacts the efficiency of the encoder because I-frames are extremely expensive compared to other types.
Keyframes are usually inserted when temporal prediction fails for some percentage of blocks, or using some RD evaluation based on the cost of encoding the frame. Therefore unless the encoder has reached the maximum key interval the I frame position requires that motion estimation is performed, and thus you can’t know in advance where to start a new GOP.
In H.264 due to multiple references you would certainly have issues to contend with since long references might cross I-frame boundaries, which is why there is the distinction of “IDR” frames, and this would certainly not be possible threading at keyframe level.
Granted, for MPEG1&2 encoders threading at keyframes is a possibility, although still not one I’d personally favor.
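To make the IDR-versus-I-frame point in the reply above concrete, here is an added Python sketch (not code from avidemux, ffmpeg or x264) that chops a frame sequence into chunks for a thread pool and refuses any cut that a reference would cross. The frame list and the per-frame “farthest reference” model are constructed assumptions.

```python
"""Parallel encoding by splitting a stream at IDR frames, as argued above.

Added sketch, not code from avidemux, ffmpeg or x264.  Each frame is modelled
as (type, refs), where `refs` is how many frames back its farthest reference
reaches (0 for intra frames).  A chunk can only be encoded on its own thread
if no frame in it refers to a frame before the chunk starts; that holds by
definition at an IDR, but an open-GOP I-frame can have references spanning
it.  The stream below is constructed sample data.
"""
from concurrent.futures import ThreadPoolExecutor

SAMPLE_STREAM = [
    ("IDR", 0), ("P", 1), ("B", 2), ("P", 3),
    ("I", 0), ("P", 1), ("B", 3),      # this B reaches back past the I-frame
    ("IDR", 0), ("P", 1), ("P", 2),
]


def split_points(frames, cut_at=("IDR",)):
    """Indices at which a new chunk may begin (frame 0 always starts one)."""
    return [i for i, (ftype, _) in enumerate(frames) if i > 0 and ftype in cut_at]


def chunks(frames, cut_at=("IDR",)):
    """Slice the stream at every split point."""
    bounds = [0] + split_points(frames, cut_at) + [len(frames)]
    return [frames[a:b] for a, b in zip(bounds, bounds[1:])]


def references_cross_cut(chunk):
    """True if any frame in the chunk refers to a frame before the chunk."""
    return any(i - refs < 0 for i, (_, refs) in enumerate(chunk))


def safe_split(frames, cut_at=("IDR",)):
    """True if cutting at `cut_at` leaves every reference inside its chunk."""
    return not any(references_cross_cut(c) for c in chunks(frames, cut_at))


def safe_chunks(frames, cut_at=("IDR",)):
    """Chunks that threads can encode independently; refuse an unsafe cut."""
    if not safe_split(frames, cut_at):
        raise ValueError(f"a reference crosses a cut when splitting at {cut_at}")
    return chunks(frames, cut_at)


def encode_chunk(chunk):
    """Stand-in for real encoding: a cost model where intra frames are expensive."""
    cost = {"IDR": 10, "I": 10, "P": 3, "B": 2}
    return sum(cost[ftype] for ftype, _ in chunk)


def parallel_encode(frames, workers=4, cut_at=("IDR",)):
    """Encode each independently decodable chunk on its own worker thread."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(encode_chunk, safe_chunks(frames, cut_at)))


if __name__ == "__main__":
    print(parallel_encode(SAMPLE_STREAM))          # two chunks, split at the IDR
    print(safe_split(SAMPLE_STREAM, ("IDR", "I")))  # False: open-GOP cut rejected
```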
Load balancing: Why? - by DigitAl56K (Score: 5, Insightful)
don’t balance the workload evenly across processors
Why is balancing the load evenly important, as long as one thread is not bottlenecking the others? Loading a particular core or set of cores might even be beneficial depending on the cache implementation, especially when other applications are also contending for CPU time.
Sure, a nice even load distribution might be an indicator for good design, but it doesn’t have to apply in every case. I don’t think software should be designed so you can be pleased with the aesthetics of the charts in task manager.
Posted by kdawson
snydeq writes “InfoWorld’s Peter Wayner delves into the ill-defined realm of ’cloud computing,’ providing a deeper look at four shared services: Amazon EC2, Google App Engine, GoGrid, and AppNexus. Offering wildly divergent amounts of hand-holding at various layers in the stack, the services simplify your workload but force you into a set, ‘ball-and-chain-computing’ routine that you may not prefer. Sure, the services allow you to pull CPU cycles from thin air whenever you need to, but they can’t solve the deepest problems that make it hard for applications to scale gracefully, Wayner writes. He describes these ‘clouds’ as an evolving experiment, rife with potential but ‘far from clear winners over traditional shared Web hosting.’ The sobering look at the trend includes a QuickTime tour of each service — EC2, App Engine, GoGrid, AppNexus (those links all .MOV).”
Sound familiar? - by psmears (Score: 5, Funny)
From the article:
…any Web site filled with an endless stream of mostly forgettable comments trolling for reactions from the rival fans
I can’t think of any site to fit that description…
Amazon EC2 wins - by orionr (Score: 5, Informative)
I run a small startup in the Boston area and have been using Amazon EC2 (plus S3, SQS, and the rest of the AWS family) for the last year. It’s worked for us like a champ. A little downtime in the beginning plus some S3 outages, but with the right backup, failover, and restore procedures in place we’ve gotten reasonable uptime.
The big requirements for us were the following:
1. Ability to move our website (and code base) elsewhere if needed. Could be in-house, to another cloud provider, etc.
2. Minimize up-front cost and allow for massive scaling if needed
3. Cost competitive servers/computing over time
4. Cost competitive storage/disk over time
App Engine fails the first criterion, since (at least currently) you can’t build a BigTable application on anything but Google App Engine. “Cloud computing” in general beat out traditional hosting on the second, third, and fourth points. I hadn’t checked out GoGrid or AppNexus at the time, but other competitors (Sun, etc.) couldn’t match Amazon’s price-performance specs.
So, with all of those requirements, Amazon EC2 won out and I’m a happy customer.
Sure, the services allow you to pull CPU cycles from thin air whenever you need to, but they can’t solve the deepest problems that make it hard for applications to scale gracefully, Wayner writes.
AFAICT, they aren’t intended to. The deepest problems are software problems for which there is no general solution, only problem-specific solutions for each particular task; what they are intended to deal with is the hardware problem that having a scalable software solution is of limited value if you have a fixed pool of hardware and have to go through disruptive upgrades when you expand that pool of hardware (and deal with the associated capital costs.)
Cloud computing services are, largely, tools to help dynamically “right-size” hardware, changing it from a capital investment that requires predicting the future well to plan right to an operating cost that can be quickly adjusted based on changing needs. Complaining that they don’t solve the fundamental problems of software scalability seems to be missing the point.
Finally, a burst of common sense on the latest hype. Hosted servers have offered many of the benefits you get out of “cloud” computing for years, without locking you into a particular vendor or platform. With virtualization, you should be able to build your own images and farm them out to hosting companies, using your technology and platform of choice. Clustered ESX and SANs already give us the resource scalability we need for most systems, partitioning finishes the job. You can just pay a hosted server company to host your vmware image on their ESX cluster and scale up your storage as needed on their SAN. The key is that YOU build a scalable design.
I highly doubt a majority of businesses are going to lock themselves into one hosting provider’s specific development platform just to take advantage of hosted servers that push themselves into the next layer.
I prefer Google for Cloud Computing… - by PC and Sony Fanboy (Score: 5, Funny)
I’d choose Google App Engine. Since no one really knows what cloud computing is, and no one knows what google does, I think they make a good fit.
oh wait. I do know what google does - It makes the internet better… and it prints money (I guess…)
Posted by kdawson
Barence writes “Google’s Blogger service is responsible for 2% of the world’s malware hosted on the Web, according to a new report from security firm Sophos. The company claims hackers are setting up pages on the free blogging service to host malicious code, or simply posting links to infected websites in other bloggers’ comments. ‘Blogger accounts for around 2% of malware,’ according to Sophos’s senior technology consultant, Graham Cluley. ‘It’s head and shoulders above the rest [of the blogging services].’” Sophos believes that Blogger is favored because, being part of Google, it gets spidered early and often.
Market share - by Haxx (Score: 5, Interesting)
I’m curious as to what the 2% number means when market share and region figures are factored in. I’ll bet it doesn’t mean much.
Newsflash! 2% of the Internet is where 2% of the hackers are!
Way to go, PC Pro - by Cajun Hell (Score: 5, Insightful)
Sophos says:
“Blogger accounts for around 2% of malware,” according to Sophos’s senior technology consultant… Sophos says it doesn’t blame Google for the situation…
PC Pro’s crack writers say:
Google’s Blogger service is responsible for 2% of the world’s malware hosted on the web
(Emphasis mine.) Journalism at its finest!
Hypocrisy - by Eric Smith (Score: 5, Insightful)
On two occasions miscreants managed to inject links to malware into my site, and on each occasion Google nearly immediately started listing my site in search results as “this site may harm your computer”, and no direct (clickable) link.
If Blogger is so full of malware or links to malware, why don’t all the search results pointing to Blogger get the same warning and lack of link?
yahoo email? - by thermian (Score: 5, Interesting)
Most of the time the scam mail I get has a yahoo email attached. There are no innocents among free web service providers.
The best part . . . - by greenreaper (Score: 5, Informative)
If you’re subscribed to Google Alerts, and they post a malware-hosting blogger site with material you’re watching for, it comes straight into your inbox.
I’ve had this happen to me with spam copied from one of my own wikis.
They seriously need to clamp down on the ability to redirect people automatically from Blogger.
Posted by samzenpus (35% noise) ViewSkip Chromodromic writes “Apress’s newest Django offering, Practical Django Projects by James Bennett, weighs in lightly at 224 pages of actual tutorial content, but trust me, they’re dense pages. Filled with pragmatic examples which directly address the kinds of development issues you will encounter when first starting out with Django, this book makes an important addition to the aspiring Django developer’s reference shelf. In particular, the book’s emphasis on demonstrating best practices while building complete projects does an excellent job of accelerating an understanding of Django’s most powerful features — in a realistic, pragmatic setting — and which a developer will be able to leverage in very short order.” Read below for the rest of Greg’s review.
This book serves an important function by providing progressive, useful examples of Django’s role in the development of realistic projects. During the course of the tutorial you build three basic apps: A simple brochureware-oriented CMS, a complete blogging system (with Akismet spam protection and RSS feeds, among other features), and a social code-sharing site similar to that found at djangosnippets.org (with account signups, syntax highlighting via pygments, and bookmarking features — the whole enchilada). You may or may not find these projects immediately relevant to your work or goals, but the projects themselves are really just platforms for delving into Django’s nooks and general philosophy. It’s an important point to make about the book especially, because though Django itself provides potent facilities for creating reusable code while preserving a high degree of flexibility, “magic” is kept to a minimum compared to some other popular frameworks. It follows that maximizing your knowledge of Django’s inner workings through familiar paradigms is critical to making the framework perform to your best advantage. The book excels at accomplishing this goal.
Along these lines, a lot of territory is covered in a short span. You’re introduced to a couple of Django’s contrib apps — code which comes with a normal Django installation and which cleanly plugs into your own application while remaining extremely customizable. After being ushered through a straightforward installation and database configuration, your first exposure to development is through the contrib app most frequently lauded in the Djangoverse, Django’s deservedly well known admin system. But immediately, emphasis is shifted from the basic features of the system to the ways it can be customized. This approach of introducing a feature and then modifying or extending it is repeated immediately with Django’s Flatpages contrib app, a very basic CMS which, again, comes with Django and installs with a single line of code and one command.
By the time you’ve finished the third chapter, you’ve built the foundation of a typical brochureware site, complete with a working search system and a completely functional customized admin with which you may modify your content using a javascript-based HTML editor (TinyMCE). Pretty impressive for 41 fast-moving pages.
The strongest feature of the book, though, is not the speed or facility with which features are presented, but rather the way these features are always demonstrated with a mind to Django’s strongest argument: how easy it is to create reusable code, once you understand the framework’s approach. As you move through the next four chapters of building the blogging system, the establish-modify-extend technique of presentation does a good job of working you through various standard Django features — generic views (a very important concept which is illuminated nicely), code organization, ORM techniques, template inheritance, and so forth — and you’re smoothly shown the ways by which you will be able to incorporate much of the code you write into your future work. As you begin your last project, the code-sharing app, you’ve gotten an overview of both coding and workflow techniques which work best with Django. The final chapters reinforce everything you’ve learned while still introducing new material on library integration, form handling and the newforms library, and code distribution.
The overall approach is very effective, though I found I had to trust the tutorial a little at first in order to get the most out of it. The projects initially seemed somewhat vanilla, so it wasn’t until I really focused on the organization of the material that I discovered the book’s strengths. Now I wish I’d had this book years ago.
Issues? I had only one, really. The material presents itself as a tutorial suitable for those who are just starting out with Python. For example, near the beginning of the material the def keyword is pointed out as the way Python functions are declared, and similar kinds of notes and comments pepper the tutorial, somewhat unevenly, as well. While I appreciate the impulse to make the material as accessible as possible, I’m skeptical of the book’s role as truly introductory at that level, although I could see some experienced developers, especially those coming from other languages, benefiting from these quick notes. But my feeling in general would be that if you’re so new to Python that the def keyword is a revelation, you might be better off starting elsewhere before you dive into Django.
This is a minor point, though, and if you’re willing to give the material the time, you’ll appreciate what Django has to offer more and more with every page. The book maintains a brisk pace which I truly appreciated. And if you’ve struggled with Django in the past, or you’ve wanted to learn more about what to do beyond getting the admin running, “Practical Django Projects” is an excellent foundation for your Django education. I absolutely recommend this as the Django book I’ve found to be, by far, the most useful.
Re:Significantly better than Zend? - by Balinares (Score: 5, Informative) Thread
Firstly:
> I’m planning on using the Zend Framework
I understand the Zend Framework is not so much a framework as a tight collection of helper tools. If you want a framework, as in, framework, you’ll probably want to look into CakePHP. Symfony is more powerful, but also kind of more complicated. (And declaring my models in XML makes my skin crawl — but it’s just me.)
Secondly:
> Would it be worth my time to learn Python and then do the project in Django?
Short answer: If you know PHP really well and it works for you, it’ll be less work (and less risk) to just keep using PHP.
Long answer: If you’re a fast learner, and intend to keep using Django afterwards so the overhead of learning it is worth it, then I’d say, absolutely. If I were in your shoes, I believe I would probably create a small functional site in Django in my spare time — it doesn’t take very long at all to get a blog with comments up and running, for instance — and see how it flies with me. I understand learning Python and Django hand in hand works very well, although I can’t personally comment on that, having been into Python for many years.
If you go the Django road, you’ll probably find these resources handy:
The Django community aggregator is at http://www.djangoproject.com/community/ and has many good posts with great insight on how to get the best out of your new Django toy.
The Django Snippets site at http://www.djangosnippets.org/ is a great catalog of small, useful bits of code. I read it in my RSS aggregator, personally.
And of course, there’s the #django IRC channel, and the various mailing-lists.
Enjoy exploring Django! I’ve been following it for a few months already and still don’t hate it, and for an old bitter bastard like me, that’s the biggest praise.
Note that Django 1.0 is due this fall and it looks to be actually on track. I used Zope for personal and freelance projects for about 9 years and professionally for about 2. I migrated my site and the majority of the content over in about a week, and that included the process of learning django.
I will note that one of the things I liked about Zope was the admin interface, which was clunky and minimal but a far sight better than what most other app servers had at the time (late 90’s/early 00’s). Django’s is immensely better.
I’ve also Read The Fine Book reviewed here and concur with the reviewer. This book is a great introduction to a useful tool.
Re:The book may be out of date soon. - by ubernostrum (Score: 5, Informative) Thread
One issue, however, is that it is still changing rather quickly. Things in version .95 or .96 can be substantially different from the current development version.
Hi, I’m James and I wrote Practical Django Projects, and I have a confession to make: I cheated while writing the book. You see, I’m also Django’s release manager, which meant I had a good idea of what would land in trunk and what would change by the time we went to press. Except for activating/hacking on the admin interface (the admin refactor just landed over the weekend), everything in the book should be up-to-date and usable on the Django 1.0 alpha we released Monday.
I recently had a look at web application frameworks for some new development and ended up doing it with Django. I find it handy. It’s logically put together, the Python back end is fast, and, once you figure out a few basic concepts, you can put web apps together very quickly. The template system is particularly clever. I find that I like to set up my database tables first, then let Django create the model classes. Not the other way around. I also like to do table joins as views in the database, rather than gluing things together in Django. YMMV.
My last experience with web application development was with Tomcat. I still have nightmares. :-(
…laura
Currently on sale at Bookpool.com - by gorbachev (Score: 5, Informative) Thread
I just got a newsletter about a sale at Bookpool.com for APress books. APress books are 45% off until 8/31.
This particular book is $5 cheaper at Bookpool.com than Amazon right now.
Posted by kdawson KentuckyFC writes “Earlier this year, Paris-based Aldebaran-Robotics picked up $8 million in venture capital funding to help commercialize its NAO humanoid robot. The target market for this device is research labs working on the next generation of robotic hardware and software. Today, the company has posted a detailed spec of NAO on the arXiv saying that it expects the robot to cost about $15,000 each. That’s cheap compared to other humanoids. Fujitsu’s HOAP humanoids cost $50,000 each and various estimates price Honda’s Asimo at $1 million per bot, although they are not for sale. Aldebaran-Robotics says that NAO’s cost should come down to about $6,000 as production ramps up.”
Videos from RoboCup - by Falkkin (Score: 5, Informative) Thread
The RoboCup 2008 world competition just finished in Suzhou, China — new this year was a league where all the teams must use the Nao robots. The top two teams were from the University of Newcastle (Australia) and a combined Carnegie Mellon/Georgia Tech team. The final game was scoreless and decided by penalty kicks. Full results are here:
I wasn’t at the competition but it’s clear due to the scores that the league is still in its infancy, with scores being few and far between. As with any humanoid robot, falling over is a huge problem. I’m sure there will be some videos of the competition online once all the teams get home and have time to edit and upload them.
Here’s a video of the robot walking, from the 2008 RoboCup US Open (where there was no competition but a couple small demos for the public.)
Why can’t someone make a bipedal robot as impressive as bigdog?
Re:Boston Dynamics Big Dog is the best - by OzPeter (Score: 5, Funny) Thread
Although big dog is great (and I was amazed at its abilities), I pissed myself laughing at this one instead:
Another big dog robot
The technical specs (yes, it runs linux) - by gozu (Score: 5, Informative) Thread
NAO’s head is equipped with an x86 AMD GEODE 500 MHz CPU motherboard with 256 Mb SDRAM. An additional 1Gb Flash memory is available. Communication with the robot is possible through the WiFi 802.11g protocol and through an Ethernet port. The CPU manages audio, video, WiFi and other advanced modules. One ARM7 60MHz microcontroller located in the torso distributes information to all the actuator module microcontrollers (Microchip 16 bit dsPICs) through an RS485 bus (throughput of 460 Kbits/s). There are two RS485 buses, one that connects the ARM7 microcontroller to the dsPIC modules of the upper part of the body, and the other that connects the ARM7 to the dsPIC modules of the lower part of the body. This bus partition permits an increase in the data throughput.
The ARM7 microcontroller communicates with the CPU board through a USB 2 bus with a theoretical throughput of 11 Mbits/s. It can be used to control the robot’s stability using the inertial unit. The operating system is based on Linux, but the whole system can be modified.
Specialized robots are useless outside their function, and are thus just expensive deadweight when not in use. For example, a Roomba is great at vacuuming a floor, but when the floor is clean it can’t do anything else. It can’t carry boxes or wash dishes. You’d need additional robots for those specialized tasks, and they’re going to have the same “deadweight” problem as the Roomba too.
A humanoid robot would be able to do any physical job that a human could do. Such robots would be versatile enough to be useful all the time. A single humanoid robot vacuums the floor, then it carries boxes, and then washes dishes, and then etc etc etc. A humanoid robot would always be useful in some way, and thus more efficient in the long run.
Posted by timothy bigsmoke writes “So, all your servers run on RAID. You back up religiously. You’re even sure that your backups are recoverable. But do you also need a UPS? According to Halfgaar (on Slashdot before to promote better Linux backup practices), yes, usually you do. He argues that despite technological advancements such as file system journaling, power failures can still cause data loss in most setups.”
He forgot UPS-triggered shutdown - by SleptThroughClass (Score: 5, Insightful) Thread
The author did not mention having the system set up to have the UPS trigger an automatic shutdown.
If you’re not at the machine, or don’t know how to shutdown without a CRT, the disk can get messed up when the UPS runs out of power. Unless you only have a desktop machine with no network applications writing to disk (no BitTorrent); then you might be OK if you just walk away from your keyboard and let the system become quiescent before it loses power.
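The automatic shutdown the comment asks for is what NUT’s upsmon does for real; the following is an added example, not code from the thread or from the NUT project, that models the decision in Python so the policy is visible. It parses constructed lines in the shape of `upsc` output (the variable names `ups.status`, `battery.charge` and `battery.runtime` and the `OL`/`OB`/`LB` status tokens are NUT’s; the sample values and the thresholds are made up) and decides whether the host should keep running, prepare for shutdown, or shut down now.

```python
"""Toy UPS shutdown policy in the style of NUT's upsmon (added example;
not the NUT code). Input is constructed text resembling `upsc` output."""
import subprocess

# Constructed samples; the values are made up for the example.
SAMPLE_ON_LINE = "battery.charge: 100\nbattery.runtime: 2400\nups.status: OL\n"
SAMPLE_ON_BATTERY = "battery.charge: 60\nbattery.runtime: 900\nups.status: OB\n"
SAMPLE_LOW_BATTERY = "battery.charge: 12\nbattery.runtime: 90\nups.status: OB LB\n"
SAMPLE_COMMS_LOST = ""   # daemon unreachable: no variables at all


def parse_upsc(text):
    """Turn 'name: value' lines into a dict of strings; unparsable lines are skipped."""
    vars_ = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        vars_[name.strip()] = value.strip()
    return vars_


def decide(vars_, min_runtime_s=300):
    """Return one of 'ok', 'on_battery', 'shutdown', 'comms_lost'.

    Assumed policy (not NUT's exact rules): shut down when the UPS reports
    LB (low battery) while on battery, or when the remaining runtime falls
    below min_runtime_s; treat a silent daemon as a fault to be alerted on,
    because a host that waits for data it never gets is the case the comment
    warns about.
    """
    if "ups.status" not in vars_:
        return "comms_lost"
    status = set(vars_["ups.status"].split())
    on_battery = "OB" in status
    if not on_battery:
        return "ok"
    if "LB" in status:
        return "shutdown"
    try:
        runtime = int(vars_.get("battery.runtime", "0"))
    except ValueError:
        runtime = 0          # unknown runtime while on battery: be conservative
    if runtime < min_runtime_s:
        return "shutdown"
    return "on_battery"


def act(decision, dry_run=True):
    """Map the decision to an action; the real shutdown command only runs when dry_run=False."""
    if decision == "shutdown":
        cmd = ["shutdown", "-h", "+0"]      # what upsmon's SHUTDOWNCMD would typically run
        if not dry_run:
            subprocess.run(cmd, check=False)
        return "halt"
    if decision == "comms_lost":
        return "alert"
    return "none"


if __name__ == "__main__":
    for sample in (SAMPLE_ON_LINE, SAMPLE_ON_BATTERY, SAMPLE_LOW_BATTERY, SAMPLE_COMMS_LOST):
        d = decide(parse_upsc(sample))
        print(d, "->", act(d))
```

The `dry_run` default means the script never halts the machine when run as-is; wire `act(..., dry_run=False)` only into a poller that actually talks to the UPS daemon.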
Choose your UPS carefully, and TEST it the hard way - by jalet (Score: 4, Informative) Thread
This morning we had a planned shutdown of 100 servers for electricity works, all were on the same 40 kVA UPS. All went fine, we shut down all servers to be safe, and kept some stuff online for monitoring and the like, then main power was shut off. The UPS gladly took the load, with an estimated battery life of 75 minutes, more than what was needed for the electrical work. Once this was done, the electrician put the main power back on, and… the UPS shut down!
Since all servers were stopped already we didn’t lose anything, but we had to put the UPS in bypass mode for a while, then back on, and now we hope for the best waiting for the UPS to be repaired, crossing most of our fingers because of the holidays…
In summary: testing that the UPS can handle the power coming back is as important as testing for it to be able to handle the power shutting down.
Other reasons to run a UPS - by rwa2 (Score: 4, Interesting) Thread
UPS units are relatively cheap, it’s well worthwhile to invest in one, not just to protect from data loss:
* Hardware loss: I’ve seen a lot of hardware blown up from power interruptions. Do you trust your power company that much to provide clean power to you? Sure surge protectors help a bit, but a decent UPS costs maybe twice as much as a good surge protector.
* Time lost restoring your session after blackouts / brownouts: OK, maybe you’re used to restarting your computer every morning anyway. But I like to leave things open and return to my desktop just the way I left it arranged.
* Stats: Using NUT and Munin, you get to monitor and log your power, so you can see things like exactly when your electricity went out and for how long, what load your PC is drawing after that last upgrade, etc. e.g.: http://hairball.bumba.net/cgi-bin/nut/upsstats.cgi?host=apc@localhost
* Graceful shutdown: you have a chance to tell your buddies that your power just went out, and you’ll be coming back once it’s restored.
Frankly, I’m a little surprised a backup battery isn’t built into PC power supplies already, so they’d work a bit more like laptops. Same with networking gear.
A UPS is good to have. Even at home. - by Forge (Score: 4, Interesting) Thread
Last night we had a power outage. I shut down the desktop and was able to continue working for almost 2 hours on the laptop because with the Desktop down the UPS was only carrying the DSL router and the WiFi box.
At work. Power is a whole enterprise within the company I work for.
Dual gas powered Generators at each location, Rooms full of Batteries for the Telecoms gear (most is straight DC) and Inverters for the Servers. (DC PSUs are available for some of the servers we use but at so high a premium that the inverters are cheaper.)
We can handle a dozen Power cuts in a day with no service interruption or data loss (“Tested” 2 weeks ago) and we can stay up without external power for more than a week. After that we have to start trucking in additional diesel.
Yep. That’s right. With sufficient fuel we can be online indefinitely. Which we will have to do if we get hit by a major hurricane.
Which means the phone network is a lot more reliable than the Power grid where I live.
As for Data loss. I have over the years done a lot of recovery work. “Murphy” of “Murphy’s Law” fame isn’t a guy or a girl. He is a daemon from the darkest pits of hell sent to torment the souls of IT workers everywhere.
Imagine a server, where UPS #2 is down for repairs, UPS #1 fails during a power cut, and when everything comes back up we find 2 failed hard drives in the RAID 5 on the email server. Despite previous testing and confirmation that the backups work, the most recent tapes failed to read.
Eventually we sent the failed drives off to a Data recovery company in Florida because:
#1. The customer can afford it. #2. Simply “skipping” a few days of Email is not an option for a bank (hence the ability to afford data recovery).
So yeah. A UPS is essential. Just like RAID, Clustering and Backups but in the end it can all fail.
Best advice? Memorize all your important data. That way if you lose your mind, you are not responsible for the lost Data (or anything else).
And this is what ZFS looks out for - by E-Lad (Score: 4, Interesting) Thread
…by design. TFA doesn’t delve into too much detail, but a sudden power loss on such software RAID systems is a condition that ZFS accounts for. Its copy-on-write (COW) and write-length striping strategy prevents things such as the RAID5 write hole condition, a condition that has the biggest chance of occurring when a power loss event happens.
Posted by timothy chareverie writes “A law just passed in New York now requires labels for violent content in video games that are already rated, as well as having parent-controlled lockout features installed in consoles by 2010. The law has caused an uproar with civil rights groups who claim that such a law is unconstitutional. A legal challenge is already in the works by the New York Civil Liberties Union who cite that similar laws that have been brought to courts in California, Illinois, Minnesota, and Washington state have been deemed as unconstitutional. NYCLU legislative director Robert Perry also says that the ‘new law is a “back door” way of regulating video game content.’”
Not sure why this is bad. - by MrShaggy (Score: 3, Insightful) Thread
I was watching the documentary “Heavy: The History of Metal.” They were talking about how the PMRC made a big deal out of the fact there were explicit lyrics, and that the kids might actually hear this.
There were senate hearings. They interviewed Dee Snider (Twisted Sister), expecting him to be a blithering idiot. He wasn’t.
The PMRC was successful in the ‘WARNING; this album may contain…’. Tommy Lee of Motley Crue was ecstatic, they had the first label ever. When asked why, he said “this is the best advertising ever. How many kids are going to buy this knowing that they had these lyrics in them.” True enough! Many bands thanked the PMRC for the extra cash in their pocket.
Wouldn’t this be the same effect that the publishers would realise if this were to pass??
Not so much on the lockout stuff for the console, just the labeling.
Re:“Simpsons already did it” - by DragonTHC (Score: 3, Insightful) Thread
Yes, this is true. The ESRB has had content labels on their products since 1994. The problem is, retailers and retarded parents don’t read the labels.
I’m a parent and a gamer. My kid isn’t playing violent games any time soon. I read the labels.
Fine. - by kellyb9 (Score: 5, Insightful) Thread
Fine, then put the label on movies too. There’s no reason video games and cds should be differentiated from any other form of entertainment.
Because Violent Video Games are Hiding so Well - by hardburn (Score: 5, Insightful) Thread
So you take a game like “Grand Theft Auto”, which is named after a felony, and comes with subtitles like “Vice City”, and which has a back cover talking about guns and gangsters, and if that’s not enough for you, comes with an M rating with a clear label of “Blood and Gore Violence”. Apparently after seeing all that, some people’s first thought is that it’s a game about rainbow-colored horses galloping across fields where the trees blossom lollipops.
Parents should have more than enough information already about what games are violent or not. If they’re still buying them, then that’s their fault, not the gaming industry.
Re:What could this possibly do? - by Repossessed (Score: 3, Interesting) Thread
ESRB ratings don’t work because Grand Theft Auto IV is in the same damned category as Warcraft (The RTSes, I’m not familiar with the MMO game).
Somehow I doubt the government would do a better job at defining labels though.
Posted by timothy snydeq writes “Jailed IT admin Terry Childs relinquished his hold over San Francisco’s multimillion-dollar FiberWAN, handing his administrative passwords over to San Francisco Mayor Gavin Newsom, who was ‘the only person he felt he could trust.’ Childs is still being held on $5 million bail for his lockout of the city’s FiberWAN, a case that has been called into question since an insider came forward with details about both the network and Childs himself. The case hinges on No Service Password Recovery commands Childs allegedly configured onto several Cisco devices, as well as dial-up and DSL modems the SFPD has discovered that would allow unauthorized connections to the FiberWAN. Childs intends to ‘expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger,’ according to his motion. The Department of Telecom and IS has cut 200 of its 350 IT positions since 2000 — pressure that may have contributed to Childs’ actions, according to interviews with current and former DTIS staffers. Newsom secured the passwords without first telling the DTIS that he was meeting with Childs.”
I agree with many others that point out the gaps in the headlines. The so called “rest” of the story. This circumstance didn’t just develop in a week. This case is a classic story of I/T service immaturity - which could be caused by dastardly BOFH’s or equally by incompetent management failing to initiate/fund a proper plan. Or both.
Once you strip away the glorious certifications and acronyms that give you credibility, all that’s left is your integrity. Terry Childs has gone to jail to keep his intact. So he’s either really stupid or really right.
Within the linked article is a link to the original InfoWorld “scoop” that contains copy from a confidential source. That copy contains statements that back Childs as having proposed and promoted an I/T security policy, which would be a first step toward process maturity (having a process in the first place).
My guess is when the dust settles, the story will be as follows:
For years Childs unsuccessfully tries to bring I/T service maturity to the city
Childs continues keeping things running while exercising some CYA
Management finally gets interested or worried enough to hire a “security manager” who then
Crashes down on Childs to relinquish control unconditionally and without any explanation or bothering to include him in the process (typical PHB approach)
Terry bows up and says “you ain’t getting shit from me”
New security manager calls the police while preparing a wooden cross and some 20d nails for Childs’ hands and feet.
Just out of curiosity… what if he isn’t? - by Bomarc (Score: 5, Interesting) Thread
Reading a lot of comments about him being a nut job. My question is - what if he isn’t? Is it possible that as an administrator of a SAN/Network, he saw some significant security issues, and when he presented them to his supervisors was slammed for reporting the problem — including being fired? I know from experience the feeling: Management does not like to know that they’ve screwed up, and will fight kicking and screaming rather than admit that they’ve done something wrong. For me — most recently this includes bogus Business Requirements, and critical Business Requirements that are not being met. I’ve found significant security holes in the where I currently work. Presented the problems to management. The response - don’t call us, we’ll call you.
Posted by timothy the4thdimension writes “MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren’t familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google’s Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others.”
Reader gbjbaanb adds a link to the BBC’s coverage and points out that MySpace’s 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: “Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available.”
A Major Advantage You’re Missing - by floateyedumpi (Score: 4, Interesting) Thread
All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one’s passwords easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.
With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.
Re:One Password to Rob Them All - by Jellybob (Score: 5, Informative) Thread
Good security doesn’t even let the other party know your cleartext password, or access your account with them without it. But I don’t see how OpenID will do anything like that.
Maybe you should try reading the spec then, since that’s exactly what it’s designed to do.
The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirected to your provider’s site, where:
1) If you don’t already have a session open, you login, and then go to 2.
2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from “nothing at all” to “everything”, or a combination of them).
This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.
If you’re feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you’ll know as soon as they try to use it, and can disable or change them.
Is 1 ID really wise? Single point of failure? - by SpecialAgentXXX (Score: 4, Insightful) Thread
Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.
Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don’t have to memorize every ID and password.
Re:OpenID? - by phoenix.bam! (Score: 5, Informative) Thread
I don’t think you understand how openid works.
The only way to compromise all sites is for your openid provider to be compromised. You only provide 3rd party sites with a URL which points to your openid provider. You are forwarded to your openid provider (SSL cert verifies to you that the provider is legit.) You enter your credentials to the openid provider who then sends over a back channel that you are verified back to the 3rd party site.
At no time does the 3rd party site have any of your authentication credentials and therefore can not access anything on other sites which you use that openid account for.
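The redirect flow that Jellybob’s and phoenix.bam!’s posts describe, as an added example in Python (not code from either post, the OpenID project or any real provider): a provider that alone holds the password, a relying party that associates a shared secret with the provider and then only ever sees a signed assertion, and checks showing that a wrong password, a tampered assertion, a replayed assertion, and an assertion presented to a different relying party are all rejected. The `key:value\n` signing layout over the listed signed fields follows the OpenID 2.0 wire format; association setup (done here by a direct call standing in for a TLS request instead of Diffie-Hellman), the nonce format, the consent step and all hostnames and credentials are simplified or constructed.

```python
"""Toy model of the OpenID redirect flow (added example, not a spec-complete
implementation). Only the provider (OP) ever sees the password; the relying
party (RP) receives a signed assertion and checks it with a secret shared
during association. Names, URLs and credentials are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

PBKDF2_ROUNDS = 100_000


def sign(secret, fields):
    """HMAC over 'key:value\\n' lines of the fields named in openid.signed (OpenID kv-form)."""
    signed = fields["openid.signed"].split(",")
    payload = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


class OpenIDProvider:
    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest); never the cleartext
        self._assocs = {}   # assoc_handle -> (rp_realm, shared secret)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def associate(self, rp_realm):
        # Real OpenID derives this secret with Diffie-Hellman or fetches it over TLS;
        # here the RP calls the provider directly (assumed to stand in for TLS).
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._assocs[handle] = (rp_realm, secret)
        return handle, secret

    def checkid(self, username, password, assoc_handle, return_to, approve):
        """Step 1 (login at the provider) and step 2 (consent) from the thread."""
        if username not in self._users or assoc_handle not in self._assocs:
            return None
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, candidate) or not approve:
            return None
        realm, secret = self._assocs[assoc_handle]
        if not return_to.startswith(realm):
            return None   # the assertion may only be sent back to the RP that associated
        fields = {
            "openid.mode": "id_res",
            "openid.claimed_id": f"https://op.example/{username}",
            "openid.return_to": return_to,
            "openid.assoc_handle": assoc_handle,
            "openid.response_nonce": secrets.token_hex(8),
            "openid.signed": "mode,claimed_id,return_to,assoc_handle,response_nonce",
        }
        fields["openid.sig"] = sign(secret, fields)
        return return_to + "?" + urlencode(fields)   # the URL the browser is redirected to


class RelyingParty:
    def __init__(self, realm, provider):
        self.realm = realm
        self.assoc_handle, self.secret = provider.associate(realm)
        self.seen_nonces = set()

    def verify(self, redirected_url):
        """Check the assertion the user's browser brought back; return the claimed id or None."""
        if not redirected_url.startswith(self.realm + "/return?"):
            return None
        q = {k: v[0] for k, v in parse_qs(redirected_url.split("?", 1)[1]).items()}
        if q.get("openid.mode") != "id_res" or q.get("openid.assoc_handle") != self.assoc_handle:
            return None
        if not hmac.compare_digest(q.get("openid.sig", ""), sign(self.secret, q)):
            return None   # any edit to a signed field (e.g. claimed_id) fails here
        nonce = q["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None   # a captured assertion cannot be replayed
        self.seen_nonces.add(nonce)
        return q["openid.claimed_id"]


def demo():
    op = OpenIDProvider()
    op.register("alice", "correct horse battery staple")   # constructed credentials
    rp = RelyingParty("https://rp.example", op)
    ret = "https://rp.example/return"
    url = op.checkid("alice", "correct horse battery staple", rp.assoc_handle, ret, approve=True)
    tampered = rp.verify(url.replace("alice", "mallory"))   # signature no longer matches
    first = rp.verify(url)                                   # accepted once
    replay = rp.verify(url)                                  # nonce already used
    bad_pw = op.checkid("alice", "wrong", rp.assoc_handle, ret, approve=True)
    stolen = RelyingParty("https://other.example", op).verify(url)  # other realm/association
    return first, tampered, replay, bad_pw, stolen


if __name__ == "__main__":
    print(demo())
```

Note what the relying party holds after this exchange: an association secret, a claimed identifier and a used-nonce list, but no password and nothing it could present to a third site.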
> Who cares about a unified username/password “experience”.
Fair enough, but I think for many users it would be cool to have a unified identity across several sites. I.e., so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it’s for everyone, but there’s certainly some value there for some.