If the attacker already has control of the email address, they can reset the account without going to such lengths--just visit the site and request a password reset.
This is normal behavior. The .net root server gives you the authoritative name servers for cloudfront.net, and cloudfront.net's name server gives you the name servers for your CloudFront subdomain. Most users will do lookups through their ISPs' recursive resolvers, so they'll get a cached response in a single round trip from there instead of doing the full 3-level resolution starting from the root.
In theory, Amazon could serve the A-records out of the cloudfront.net zone. Practically though, there are other factors like the dynamic nature of CDNs, the massive size of a zone containing records for all of the CloudFront subdomains, and the aforementioned ISP caching resolvers that preclude such an approach.
Interesting. Did not think about ISP caching resolvers having to deal with massive zones. But a TTL of just 1831 in the second delegation sounds too low.
I graduated this spring from the University of Minnesota. Currently helping complete some special projects from my old job, but looking for long-term employment within the next month. I'm comfortable doing software engineering, system administration, or a mixture of both. I find problems involving networks and big data particularly engaging.
I did survey of Android side of things during winter break right after Ice Cream Sandwich came out[0]. As I recall most of the severe fragmentation cases were low-end handsets which were typically behind a version or more already when released.
The point is presumably that there's no equivalent in the Apple ecosystem at all. If you want an iPhone for even close to the price of a low-end Android phone, your only option is a second-hand 3GS which is also one major version behind and no longer getting updates (or the equivalent at whatever time that survey was done). Except that, because Android can update many of the bundled apps seperately and iOS cannot, you're actually worse off.
That approach makes sense for technologies outside of the scope of the HTML5 spec, but for a core element like <math> it seems rather silly to propose external implementation using custom elements (and therefore requiring Javascript availability, which shouldn't be taken for granted).
The engine obviously does support javascript, so an alternative is ensure extensions can "plug in" these custom elements and implement them in JS in a separate sandbox regardless of whether JS is enabled or disabled for the page itself.
Less code with direct OS access sounds good to me.
But you'd still have to download and install the extension in order to use it (or, as was somewhat glibly proposed in a comment on the bug, Google would need to ship a version of MathJax with Chrome). Anyone without the extension and with JS disabled would still be out of luck.
So far as direct OS access, I'm having trouble envisioning a situation in which the layout code for MathML would be any more vulnerable than SVG (or the rest of the layout engine for that matter).
