
From what I've been reading the attacks were not sophisticated, mainly using SQL injection. Many here on HN understand that kind of threat but it seems lots of companies and important services don't. Is it possible that the attention shone on these simple/trivial hacks will cause those less security conscious admins to get rid of that low hanging fruit?

If so, it should help reduce the impact of a broad, simultaneous attack across many sites from much more dangerous foes. I am not saying it is right, but it may be more effective than the legislation our congress comes up with to protect us, with fewer nasty side effects.


They all look alike to me, tart cherry juice and colchicine must work just the same! This struck a chord with me, it is like saying MySQL and Ruby are both used to make websites, why not replace one with the other?

The few times I have had to take colchicine, I had to titrate my dose up, taking two 0.6mg pills to start and then 1 every hour, at least until the diarrhea and abdominal pain sets in. My gut has continued to hurt for months after the fact. The risk of organ damage, especially the kidneys, is serious. So it is important to watch exactly how much you're taking so that you take the absolute minimum needed, usually around 3mg total for me. I don't think controlled upping of dosages is even possible with the herbal supplement version.

The relief it brings within 24 hours, after being 2 weeks into a devastating gout attack, is unbelievable. It is the difference between laying frozen in severe pain, unable to so much as twitch for fear of pain that is not unlike being stabbed. Try not moving the "stabbed" appendage under penalty of being stabbed harder additional times the moment you do. Severe, quivering pain is the result of this feedback loop, as you struggle to stay calm and limit movement. It is torture and rates very high on the official pain scale.

I have also drunk lots of tart cherry juice, which may work as a prophylactic but doesn't seem to bring attacks under control. It has anti-inflammatory properties similar to ibuprofen (it is a COX inhibitor), and may help alkalize the body a bit, but this is not the mechanism colchicine works by, and the effect is not the same. This is common knowledge for anyone having to deal with gout. I don't drink cherry juice anymore, but I do make fresh lemonade to help alkalize my blood and take regular inexpensive COX inhibitors to control inflammation when needed.

I'm not saying cherry juice is bad, just expensive and not comparable to colchicine. I would not buy from cheribundi and just get 100% tart cherry concentrate in syrup form. The concentrate does not have added sugar, which has a significant acid forming effect that can scuttle the benefit.

The bottom line is Colchicine, which is now sold exclusively under the name Colcrys, has been written about since 1500BC. Ben Franklin brought it over here from France to deal with his own ailments. There is a long history behind the stuff and the studies required to monopolize the drug haven't changed the way it is used or made it any safer. Suggesting alternative treatments is a red herring, nothing else works quite like it.

This reminds me of Wikipedia of all things. I recently read somewhere about how Wikipedia had put all the door to door encyclopedia salesmen out of business. Families would often buy just a couple volumes because they were hard to afford, but now we have Wikipedia which is more expansive and comprehensive than what was offered then. Sure fewer $ are being made and that is a hit to the economy, but this shows that using $ earned as the only measure of value is sketchy, particularly when competition is diminished through regulatory or other means.

The inverse has happened here with colchicine, introducing scarcity so $ can be generated. All the while providing diminished value due to the drug being financially out of reach for many, without any additional benefit to those able to afford it.


There was a lot of buzz about location based/aware services for years before this, see HP Cooltown, which dates back to 2001.

http://www.w3.org/Mobile/posdep/HPw3cwapref.html

Developers interested in creating location based services had to wait until carriers allowed the requisite devices and started offering reasonable data plans. It was only in the second half of 2008 that Apple's app store launched. As a Palm developer around 2002 I talked with fellow enthusiasts about leaving digital "graffiti" at various locations using GPS, for only friends or subsets thereof. I looked into developing for Verizon with J2ME and BREW, but there was no clear path to getting an app published, no public API to get location, and data plans were out of reach for most of the public.

Apple managed to pry its way in with the 2007 release of iPhone, allowing users to see what is possible when carriers relax their restrictions. Other competitors are still effectively locked out though, due to device "subsidies". Your monthly bill on AT&T remains the same whether you buy a $200-$300 subsidized smart phone or spend $300 more for an unsubsidized model not sold by the carrier. Most people don't seem to understand this and simply see unsubsidized phones as a rip off. There is a big penalty for choosing a phone outside the carrier's selections, and in the case of Verizon, outside choices aren't possible. This leaves little incentive for new players to enter the smart phone market, because after all the R&D, you are likely to be locked out.

It was only by around 2007 that there were indications that the carriers may offer a path to developing location based services, with check ins and tracking friends being one of the most basic applications. Just about the time this patent was filed for. By that point though, a lot of location based service ideas had been floated around by enthusiasts for a couple years already.


The article on Arstechnica noted similarities between the infringement and the functionality of HyperCard, which shipped on all Macs in 1987. HyperCard used stacks of cards that shared some aspects with a group, but individual cards could also have unique elements. These included text fields, GUI elements and background images. I haven't looked at the patent, but owning the ability to - display records/documents in a virtual pile, possibly in chronological order, with the ability to scroll through them - sounds absurd to me.

http://arstechnica.com/apple/news/2010/10/apple-loses-patent...


I spent a couple years hanging out/mostly lurking on a speaker design mailing list, learning the basics of designing a decent speaker. Early on, I had wanted a Bose system after hearing them at a department store. The sound just had a pop to it that I liked, compared to some of the larger speaker/receiver systems that were often cheaper. So I thought to myself, "You're paying because they pack all that sound into those tiny speakers." But I was wrong, well sort of.

The Bose cube speaker/bass module combo is designed to play well into a large open space. For this it has to be loud, especially the bass, because it is more omnidirectional. On the other hand the treble has to overcome the background noise at a large store, where the detailed highest frequencies are likely to be obscured anyway. This is two strikes against spending manufacturing dollars towards reproducing higher frequencies. Unlike bass, treble above 10kHz falls off sharply when you get 30 degrees or so outside the field, which takes away from the "room filling" aspect. By doubling the volume (+10dB) of the mid-high frequencies around 7kHz, you'll start sounding like you have a lot more punch and fill than the neighboring system designed for a normal quiet room.

Creating loud bass in an open space without upping the costs requires a similar compromise, but for different reasons. Playing a 30Hz signal at X decibels requires a far heavier and more expensive amp than one that just needs to play down to 80Hz. 30Hz also requires a much larger diameter speaker and/or a motor with a bulky magnet to play sufficiently loud. This, by Bose standards, would be a kludge - not the small, sleek, and sexy it markets. Woofers naturally have a peak resonance, typically from 25-80Hz, and manufacturers usually try to dampen this with expensive stuff. Things like stiff cone materials instead of low quality paper, surrounds that effectively spring the cone back to center, and a heavy frame/basket. The Acoustimass bass module embraces a low cost design that produces lots of resonance around 80Hz so it can play loud at the expense of accuracy and frequency range. It sounds punchy but it can't recover from reverberating from one moment to articulate the next, so everything just sounds like it is booming close to 80Hz.

After building a couple speaker sets and trying various brands over the last 10+ years, I've found that it is always possible to buy a much better system than Bose for half the cost, sometimes less. I'd be willing to bet most people would reject the Bose in a test between it and carefully selected components costing the same, and set up in a normal room. If you're considering spending Bose kind of money look into subwoofers from HSU Research. It is not strange to spend half as much on the subwoofer as the remaining speakers combined, or even more. A cheap sub sticks out like a sore thumb, it should fill in and add depth to all the other speakers' output, not just boom. Piano and deep voices benefit greatly without sounding muddled, definitely not things you think of normally as going boom.

For the surround speakers, if you want something smaller, the Klipsch Cinema-6 are a good bet. Paradigm speakers are expensive but sound light years ahead of anything Bose has ever made, and most people will never feel the urge to upgrade again with these. To amplify and tie everything together, a $400 or $500 Denon receiver provides some of the best bang for the buck in terms of clean amplification and a slightly better DSP chip than the competition, check out Model # AVR-1611 OR AVR-1911. The DSP setup uses a microphone to auto-calibrate the system to your room, and it works pretty darn well. If you want to get everything in a box for around a $1000, look into the Onkyo S9300-THX, which handily beat a $2000+ Bose system.

Finally, about this latest Bose system that uses an array of speakers with nanosecond timing to beam sound. Other companies like Yamaha have had similar products with many speakers attached to a single bar, that goes above or below the TV, for about $1000. Use the remaining $4000 to buy a far better TV instead of paying Bose a fat margin for an inferior product. I'd be willing to bet the Yamaha product is better. They both use some clever signal processing to direct sound and simulate sound coming from behind your ears with slight frequency dependent delays. The Denon receiver I mentioned uses similar tech to suppress echoes and standing waves that are characteristic of the room and measured with a mic. Many manufacturers license this tech from Audyssey, and you see it in car audio as well. These sorts of features have been a big differentiator from the old receiver tech for a few years now, but Bose portrays it as a revolution that they are bringing upon us. If you look at the proprietary waveguide technology used in their clock radios and this new TV, it is also existing technology called a transmission line design, mentioned in the Loudspeaker Design Cookbook going back to the 60's. Bose just adds some minimally useful twist and applies for a patent to make it sound innovative.

If you want to learn more check out -

BOSE Acoustimass - Better Profits Through Marketing http://www.intellexual.net/bose.html


On the Apple devices each app lives sandboxed in its own directory, but apps can still access photos taken with the camera or saved from other apps. They don't ask for permission, but go through a standard image picker user interface provided by the system. I don't think apps can grab photos unless the user picks them through this widget. This way you know exactly what you are handing over. Direct access to the SD card is dicey at best.

It looks like compiled apps on Palm can also read the whole media directory. The neat thing with Palm though is any app can bring in scenes (a screen) from other apps, preserving the state of the application underneath, while passing back data. This way any app can selectively share with another app. On iPhone OS the only system wide widgets available are provided by Apple. I'm betting/hoping Palm will come back and give Apple a run for its money, if the carriers don't cripple it somehow first.


> I don't think apps can grab photos (on iPhone) unless the user picks them through this widget.

iPhone apps have been able to access camera roll images by direct file access. I think they are still able to, though I didn't verify that.

It wasn't even difficult at all, a path to the photo directory can be easily figured out either from the simulator's file system or by jailbreaking the phone. (Or nowadays by Googling)

Secure sandboxing is a pretty difficult thing to do properly.

If the image picker UI widget has access to your photos and it is running inside your application's process, then your process has access to those files. It doesn't matter if the actual path is hidden, a clever hacker could still figure out how to get access to those files.

To make sandboxing secure, the UI widget has to run in a different process and only communicate the data of the selected image back to your app. This is non-trivial to implement well, given that UI transitions are expected to be smooth and even support animations.

Due to the API design of UIImagePickerController, I think Apple has known this from the beginning and maybe planned to do it securely. But I assume they just haven't got time to implement it yet.
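An out-of-process picker of the kind the comment above describes, written here as an added example that is not code from the thread, from iOS or from Android. The broker process, the pipe protocol, the constructed photo folder and the file names are all assumptions; the point shown is that the app side holds a pipe and opaque indices, never a path, so a path-shaped request is refused by the broker rather than resolved.

```python
import multiprocessing as mp
import os
import tempfile

def _broker(photo_dir, conn):
    # Runs in its own process; every open() on photo_dir happens here.
    names = sorted(os.listdir(photo_dir))
    while True:
        kind, arg = conn.recv()
        if kind == "quit":
            break
        if kind == "list":
            conn.send(list(range(len(names))))  # opaque indices, never paths
        elif kind == "pick" and type(arg) is int and 0 <= arg < len(names):
            with open(os.path.join(photo_dir, names[arg]), "rb") as f:
                conn.send(f.read())  # only the chosen image's bytes cross
        else:
            conn.send(None)  # a path string or out-of-range index is refused

class BrokeredPicker:
    # App-side handle: holds one end of a pipe, not the directory.
    def __init__(self, photo_dir):
        self._conn, child = mp.Pipe()
        self._proc = mp.Process(target=_broker, args=(photo_dir, child))
        self._proc.start()

    def choices(self):
        self._conn.send(("list", None))
        return self._conn.recv()

    def pick(self, selection):
        self._conn.send(("pick", selection))
        return self._conn.recv()

    def close(self):
        self._conn.send(("quit", None))
        self._proc.join()

def demo():
    # Constructed photo folder with three fake image files (assumed layout).
    photo_dir = tempfile.mkdtemp()
    for i in range(3):
        with open(os.path.join(photo_dir, "img%d.jpg" % i), "wb") as f:
            f.write(b"JPEG-%d" % i)
    picker = BrokeredPicker(photo_dir)
    try:
        # indices listed, image 1 returned, path-style request refused
        return picker.choices(), picker.pick(1), picker.pick("../secret.txt")
    finally:
        picker.close()
```

The smooth animated transitions the comment mentions are exactly what this split leaves out: the broker returns bytes over a pipe, so any rendering of the picker UI itself would also have to live in the broker process.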


> To make sandboxing secure, UI widget has to run in a different process and only communicate data of selected image back to your app.

Android already does this using separate processes for distinct Activities and by using Intents for message-passing between those activities. Granted, Android doesn't prevent access to the SD card data, but assuming it did secure that access somehow, the existing Activity/Intents framework would make it trivial to keep that functionality separate. Except for the fact that all the system applications and activities are built on top of the same basic Android SDK/API as 3rd party applications, so anything they can do, your apps can do too if it requests the right permissions.


After doing some reading it looks like you can get a path to the image by poking around undocumented methods in the UIImagePicker class, but Apple does not allow those private API method calls past its approval process. Just like you said, it is possible, but Apple curates it out.

I am surprised the images aren't accessed through another process that has directory access but enforces limits. Couldn't that process just allocate a buffer or take a pre-allocated buffer for a UIImage and pass back a pointer to the requesting app? Is there some sort of technical limitation that forces it to send the image back via a slower method like IPC? Sending a message to the managing process to get the image and receiving a pointer back shouldn't have too much overhead should it?

I read on Ars that hardware virtualization support is coming to mobile at some point. The ability to trap the right instructions so an app can't break out should hopefully help secure these kinds of data stores without having a curated app library, and without too much of a performance hit.

I thought we were already there, so this is disappointing. For some reason I am less comfortable with my phone apps having that sort of file system access than with my desktop apps. Restricting internet access for apps in order to control data from leaking out is too far reaching, lots of apps need internet for things besides stealing data.



As the docs say, that's a property of internal phone storage (which is very limited). External storage doesn't have permissions. How could it? It's all FAT32!


Apps without permission to access it could be run in a chroot, for example.


Simple Carbs like refined white flour, pastas – instead I opted for only whole grains, nothing milled or crushed.

Is he chewing on whole grains? Boiling them as porridge? I figure you have to mill or crush at some point to make most things. Whole grain flours, unbleached and with the germ/bran unfiltered, seem fine to me. When dealing with wheat, some people may want to watch the gluten content as well, depending on their sensitivity.

