Hacker News: SonOfLilit's comments

Interesting, I can't recall any specific expensive toy except that the RKR guy's wife liked expensive interior design, and my main takeaway from it was "accountants can make unimaginable amounts of money, both by creating value and destroying it, pay attention to the accounting perspective".

I'm halfway through Feld and Mendelson's Venture Deals and earlier this year worked through Ittelson's Financial Statements.

Having cofounded a startup that raised investor money before, I can state confidently that both are going to make me better at what I do next time I start something.

Of course, they're not books about "what to do", just "how people do the basics". Which is harder because there's less ambiguity to hide behind. Sometimes my eyes glaze and I need to put them down and wait for a time when I have more energy.


I can't


This is legal communication written by a lawyer and intended to be read by lawyers.

Consistently, the first thing every lawyer has said to me when preparing for any interaction with third parties that had a legal aspect was "never volunteer information you were not explicitly asked for". Of course lawyers would practice this among themselves. The law requires him to suspect something wrong to investigate, so he states "I hereby formally suspect something wrong". If the investigation leads to a court filing, the law would then require him to submit evidence, so he will strategically decide which evidence to submit and submit it. Why would he commit in advance to what evidence he believes relevant if not required by law?

But also, if reading the letter as if written in good faith - which I find hard to do - those are all true reasons to suspect something wrong (it is common knowledge and well established that Wikipedia is a very influential source of knowledge, and that there are attempts at foreign influence), and great questions to ask to investigate whether the Foundation is making a reasonable effort to fight it if you were a regulator or auditor or other investigator, all of which have great answers already written up that prove the foundation is doing a very good job at establishing and maintaining processes to ensure the neutrality of its articles. In my headcanon, Wikipedia's lawyer responds simply with a list of URLs.


Reproducing a paper is Hard, and also Expensive. I'd expect that they wouldn't pick papers to try and reproduce at random.


This comment deserves to be much higher, assuming this user speaks for Substack (no previous submissions or comments, but the comment implies it).


I don't speak for Substack, but I do work there and changed the WAF rule :)


I don't agree. WAFs usually add more attack surface than they remove.

https://www.macchaffee.com/blog/2023/wafs/

Of course, WordPress is basically undefendable, so I'd never ever host it on a machine that has anything else of value (including e.g. DB credentials that give access to much more than the public content on the WP installation).


You're being downvoted because WAFs work exactly like this, and it's intentional and their vendors think this is a good thing. A WAF vendor would say that a WAF parsing JSON makes it weaker.


They're being downvoted because they're saying the author is incorrect when the author is actually correct.


It's frightening that so many people are convinced the author is correct, when the author never proved they were correct.

The author just collected a bunch of correlations and then decided what the cause was. I've been doing this kind of work for many, many years. Just because it looks like it's caused by one thing, doesn't mean it is.

Correlation is not causation. That's not just a pithy quip, there's a reason why it's important to actually find causation.


Having had three opportunities in my life to diagnose this exact problem and then successfully resolve it by turning off the WAF rule (see my top level comment) - I don't know you or your work history, but trust me, the author is much closer to the truth here than you are.

edit: Also, someone commented here "it was an irrelevant cf WAF rule, we disabled it". Assuming honesty, seems to confirm that the author was indeed right.


It's more like I saw a big ball fall down and make a hole in the floor and concluded it must be heavy.


Your auditor wants your WAF to block those things. _You_, at least I, never ever want to have a WAF at all, as they cause much more harm than good and, as a product category, deserve to die.


After having been bitten once (was teaching a competitive programming team, half the class got a blank page when submitting solutions, after an hour of debugging I narrowed it down to a few C++ types and keywords that cause 403 if they appear in the code, all of which happen to have meaning in JavaScript), and again (working for a bank, we had an API that you're supposed to submit a Python file to, and most Python files would result in 403 but short ones wouldn't... a few hours of debugging and I narrowed it down to a keyword that sometimes appears in the code) and then again a few months later (same thing, new cloud environment, a few hours burned on debugging[1]), I had the solution to his problem in mind _immediately_ when I saw the words "network error".

[1] The second time it happened, a colleague added "if we got 403, print 'HAHAHA YOU'VE BEEN WAFFED'" to our deployment script, and for that I am forever thankful, because I saw that error more times than I expected.


Do you remember if that was Cloudflare or some other likely WAF?


First time something on-prem, maybe F5. Second time AWS.

Oh, I just remembered I had another encounter with the AWS WAF.

I had a Jenkins instance in our cloud account that I was trying to integrate with VSTS (imagine GitHub except developed by Microsoft, and still maintained, never mind that they own GitHub and it's undoubtedly a better product). Whenever I tried to trigger a build, it worked, but when VSTS did, it failed. Using a REST monitor service I was able to record the exact requests VSTS was making and prove that they work with curl from my machine... after a few nights of experimenting and diffing I noticed a difference between the request VSTS made to the REST monitor and my reproduction with curl: VSTS didn't send a "User-Agent" header, so curl supplied one by default unless I added (I think) -H "User-Agent:", and therefore did not trigger the first default rule in the AWS WAF, "if your request doesn't list a user agent you're a hacker".

HAHAHA I'VE BEEN WAFFED AGAIN.
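The three encounters above (C++ keywords that look like JavaScript, a Python keyword in an uploaded file, a missing User-Agent header) share one debugging pattern: the WAF returns a bare 403, so you first make that 403 loud in your tooling and then bisect the rejected request down to the token or header that trips a rule. The following is an added example, not code from the thread or from any vendor: the ruleset, headers and sample bodies are constructed stand-ins, and `toy_waf` simulates a WAF only so the diagnosis runs offline. `diagnose` uses nothing but the status code, which is all a real WAF gives you.

```python
"""Added example (not from the HN thread): a constructed toy WAF plus the
two debugging moves the comments describe, (1) make a 403 loud in tooling
and (2) bisect a rejected payload down to the token(s) that trip a rule.
The rules, headers and sample bodies are constructed for illustration
and are not any vendor's real ruleset."""
import re

# Constructed stand-in for a managed ruleset: a body matcher that keys on
# JavaScript-ish names (which also occur in ordinary C++), a SQL-ish one,
# and a header rule that rejects requests carrying no User-Agent at all.
BLOCK_PATTERNS = {
    "js-like-tokens": re.compile(r"\b(?:document|window|alert)\b"),
    "sql-like-tokens": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

def toy_waf(headers, body):
    """Simulated WAF: returns (status, rule_name). A real WAF only tells
    the client the status, so the diagnostics below use the status alone."""
    if not headers.get("User-Agent"):
        return 403, "missing-user-agent"
    for name, pattern in BLOCK_PATTERNS.items():
        if pattern.search(body):
            return 403, name
    return 200, None

def check_waffed(status):
    """The colleague's deployment-script trick: a WAF-produced 403 looks
    like any other 403, so label it loudly where humans will see it."""
    return "HAHAHA YOU'VE BEEN WAFFED" if status == 403 else None

def ddmin(test, items):
    """Zeller's delta debugging over a token list: returns a 1-minimal
    sub-list for which test() is still True. Requires test(items) == True."""
    n = 2
    while len(items) >= 2:
        chunks = [items[len(items) * i // n: len(items) * (i + 1) // n]
                  for i in range(n)]
        reduced = False
        for chunk in chunks:                      # does one chunk alone fail?
            if test(chunk):
                items, n, reduced = chunk, 2, True
                break
        if not reduced:
            for i in range(n):                    # does removing one chunk keep it failing?
                rest = [t for j, c in enumerate(chunks) if j != i for t in c]
                if test(rest):
                    items, n, reduced = rest, max(n - 1, 2), True
                    break
        if not reduced:
            if n >= len(items):
                break                             # already 1-minimal
            n = min(n * 2, len(items))            # refine the partition
    return items

def diagnose(send, headers, body):
    """send(headers, body) -> HTTP status. Decide whether a 403 comes from
    the headers or the body and, if the body, which tokens trigger it."""
    if send(headers, body) != 403:
        return {"waffed": False}
    if send(headers, "") == 403:                  # even an empty body is rejected
        return {"waffed": True, "culprit": "headers"}
    hits = ddmin(lambda toks: send(headers, " ".join(toks)) == 403, body.split())
    return {"waffed": True, "culprit": "body", "tokens": hits}

# Constructed sample requests: a harmless C++ solution, a harmless SQL
# report, and a request with no User-Agent (the VSTS case).
GOOD_HEADERS = {"User-Agent": "example-client/1.0"}
CPP_SOLUTION = """#include <iostream>
int main() { int window = 3; std::cout << window; }
"""
SQL_REPORT = "SELECT name FROM t UNION SELECT pw FROM u"

def send_status(headers, body):
    """Client-side view of the toy WAF: status code only."""
    return toy_waf(headers, body)[0]

if __name__ == "__main__":
    for hdrs, body in [(GOOD_HEADERS, CPP_SOLUTION), (GOOD_HEADERS, SQL_REPORT), ({}, "int x;")]:
        print(check_waffed(send_status(hdrs, body)), diagnose(send_status, hdrs, body))
```

Against a real deployment you would replace `send_status` with a function that performs the actual request and returns its status; the bisection then costs a logarithmic number of requests rather than the hours of manual diffing described above, and it also surfaces multi-token rules (the `UNION SELECT` case) that single-token probing would miss.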


+++ATH

