Cross-Platform Java Sandbox Exploit
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
... Or worse since it runs on more than just Windows.
www.timcoleman.com is a total waste of your time. Never go there.
Correct. Except ActiveX cannot infect Linux. So I suppose the answer is actually no. Cheers.
Since the architecture is so different, could a virus really spread between the two of them? I mean, Linux is more secure at the user level, so I think that may be overrated.
If I wrote something witty, you would say I stole it from somewhere.
...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article, that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.
This is where the serious fun begins.
I think this tries to highlight another reason why allowing a third party to review your code is a good thing.
Generally, the most cost-effective way can be an open source model (there are others!).
[ Monday is a terrible way to spend one seventh of your life. ]
java != mozilla
Wow, I've learnt something already at uni! I'd better leave!
- http://www.milkme.co.uk
It's the browser-based sandbox that's the culprit here, not Java. Saying it's a problem with Java is like saying an IE exploit is a problem with HTML.
Come on, don't just make those statements without having anything constructive to say... now you're just flamebaiting.
- Leon Mergen
http://www.solatis.com
That's the way Microsoft typically tried to do it before everyone started bitching about them doing it that way. Of course Sun does it that way and they're the darling hero. Slashdot is Fox News for people who should know better.
It happens all the time with Windows. The difference is that when the /. crowd finds out that Microsoft knew about an exploit a month before they released the patch, it turns into another bashing session.
This bug affected IE and Firefox, but not the Opera Browser.
Opera Watch - An Opera browser blog.
And it's a Java plugin vulnerability, so a website running Java on the server side is not affected.
while (!asleep()) sheep++
You are mistaking a Sun plugin exploit for Java exploits in general. This limits this exploit to people who actually have a JDK installed. This limits the population of susceptible systems to people who develop with Java or to people who use Java-based software which uses a recent Java spec. Once again a fairly small group (I am talking general population, not Slashdot readers).
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
From the Sun website:
"...through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet."
A unix-like OS like Linux is somewhat safer than Windows, as one user account compromised doesn't trash the stuff that user doesn't have read/write permissions on (such as root or other users). So it's possible to contain on Linux, but on Windows... people usually run as Administrator.
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
Write once, exploit everywhere!
:)
rewriting history since 2109
You clearly did not 'see the attachment for details'.
Actually, this is my personal experience/observation, not flamebait at all.
Just because your browser can run a certain plugin/extension does not mean it has to - unless you need it. You avoid potential issues by limiting yourself to the bare necessities.
This is the only cross-platform security issue known, and it's a theoretical one; no exploits are known.
One failure in a secure sandbox environment is still not as bad as an environment where any code is executed and the security consists of the developer saying:
"I don't think I built in something harmful and sign that belief with this digital signature"
The "patch before admitting the problem" thing DOES happen on Windows.
But when it happens on windows it is microsoft "covering up their vulnerabilities".
Apparently, for you, when someone else does it they are doing something good...
Security by obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use unpatched Java installs in blissful ignorance of the risk.
There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform. However, this is a single bug. With ActiveX, you are in trouble if there is a bug in *any* ActiveX component that is safe for scripting. So the target is way smaller with Java. Obviously that also makes it possible to vigorously (no spell check available - dang) test that part, so no excuse for Sun for not doing that.
Note that there are very few security notifications with Java. I can remember a few buffer exploits in the VM (not in the Java applications themselves; that's impossible, unlike ActiveX). Java makes it much easier to write secure code. So the chance of serious bugs occurring is smaller (bugs tend to be in the design, not so much in the implementation). But it is definitely not a holy grail; mistakes can be made, as you can see.
So is it a serious bug? Answer: YES. Does that make Java (/.NET managed code) a bad idea? NO. Do you need to upgrade? Certainly. Is Java as bad as ActiveX in the browser? Definitely not.
java.sun.com is STILL dishing out J2re-1.4.2_05.
Be sure to get the right one from java.sun.com/j2se
If you go to java.sun.com and click on Java VM under "popular downloads" you also end up getting the vulnerable _05 version.
I'm sorry if I haven't offended anyone
" There are differences. This is a bug in the security implementation of Sun. That's bad, since it goes for every platform."
What you should have really noted was that this is a bug in the security implementation of java. Which is bad.
ActiveX, on the other hand, doesn't HAVE a security implementation in which to get such a bug, which is terminally bad.
A virus writer's dream!
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
> > hasn't to date been a single Java virus.
> ...that we know about...

True, and it's worth noting that the quote I offered above came from Jonathan Schwartz, who - just possibly - might be biased. I'm still inclined to trust a platform with no visible viruses over platforms with very obvious viruses. Put another way, I'm in no hurry to locate a browser that supports ActiveX.
Is the Java that comes on Macs exploitable by this too? (Maybe not, since Apple might have changed something, but I don't know)
Also, what about BSD?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
The nice thing is that if you are using Linux, Java is most likely running as root, and therefore less likely to mess around with your OS, or files which that user does not have access to. Therefore, it's probably hard to get something into a startup script, and to create a virus that would be around after you rebooted the computer.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
From the horse's mouth right here. The issue is actually with the plug-in, not Java itself. In brief, you can load a Java class in an applet via JavaScript using getClass().forName() and use that reference to make calls outside the confines of the sandbox.
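The Sun quote earlier in the thread (JavaScript calling into Java code and reading or writing files with the privileges of the user running the applet) and the getClass().forName() description in the post above both come down to one boundary: unsigned applet code runs in a ProtectionDomain with no permissions, and every file open has to pass AccessController.checkPermission, which only happens when a SecurityManager is installed. The program below is an added example, not Sun's plugin code and not taken from the advisory, and it does not reproduce the plugin bug itself. It performs the same file read from a permission-less context with and without a SecurityManager, so you can see what the sandbox refuses and what the read does once the check is not applied. It assumes a JRE that still supports SecurityManager (Java 8 runs it as written; Java 17 prints a deprecation warning; Java 18 and later need -Djava.security.manager=allow) and a readable file at /etc/hosts or a path given on the command line.

```java
import java.io.File;
import java.io.FileReader;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

/**
 * Added example (not Sun's code): the boundary the applet sandbox enforces.
 * Unsigned applet code runs in a ProtectionDomain with an empty permission
 * set; a file read from that domain must pass AccessController.checkPermission,
 * which the SecurityManager drives. Assumes a JRE that still supports
 * SecurityManager (Java 8 as-is; Java 18+ needs -Djava.security.manager=allow).
 */
public class SandboxBoundary {

    /** A context carrying the permissions an unsigned applet gets: none at all. */
    static AccessControlContext untrustedApplet() {
        ProtectionDomain noPerms = new ProtectionDomain(null, new Permissions());
        return new AccessControlContext(new ProtectionDomain[] { noPerms });
    }

    /**
     * Open and read one byte of the target on behalf of the given context.
     * Returns true if the read went through, false if it was refused or failed.
     */
    static boolean tryRead(File target, AccessControlContext ctx) {
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                try (FileReader r = new FileReader(target)) {
                    r.read();
                }
                return null;
            }, ctx);
            return true;
        } catch (AccessControlException denied) {
            // A policy decision: the permission check walked the stack and found
            // the empty-permission domain supplied in ctx.
            System.out.println("sandbox refused: " + denied.getPermission());
            return false;
        } catch (PrivilegedActionException io) {
            // Ordinary I/O failure (file missing, not readable), not a sandbox decision.
            System.out.println("I/O failure: " + io.getException());
            return false;
        }
    }

    public static void main(String[] args) {
        File target = new File(args.length > 0 ? args[0] : "/etc/hosts");

        // 1. No SecurityManager installed: nothing evaluates permissions, so the
        //    read succeeds with the full privileges of the user running the JVM.
        //    That is the effect the advisory describes once the check is bypassed.
        System.out.println("without SecurityManager: " + tryRead(target, untrustedApplet()));

        // 2. SecurityManager installed with the default policy: the same read from
        //    the permission-less context is stopped at FilePermission "read".
        System.setSecurityManager(new SecurityManager());
        System.out.println("with SecurityManager:    " + tryRead(target, untrustedApplet()));
    }
}
```

Run it as `java SandboxBoundary` (or `java SandboxBoundary C:\Windows\win.ini` on Windows): the first line reports true, the second reports false after printing the refused `java.io.FilePermission`. The point to take from it is the one the thread keeps circling: the protection is the permission check in the runtime, not the browser, and once code can reach a class that performs the read without that check on its stack, the user's own file permissions are the only thing left.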
The "sandbox" that cordons off Java applets from the rest of the system has typically worked well.
When Java first came out, people found lots of security problems with its sandbox; there were both fundamental flaws in Java's type system and problems in Sun's implementation. That aspect of Java was subject to intense scrutiny back then because Sun had positioned Java as a new way of delivering client applications, which depended critically on sandboxing. The vision was that Java would replace heavy desktop apps.
These days, it doesn't matter much anymore: Java has failed to achieve its goals on the client; you can browse perfectly fine with applets disabled and never even notice. And for Java's current server side uses, sandboxing isn't really that important. So, people stopped finding flaws in Java's sandbox because they stopped looking--it just doesn't matter to anyone anymore.
I think Java's original vision of a thin client platform for high-quality applications delivered through the Internet is still relevant, but Java won't be able to fulfill it anymore: it has become too bloated and too complex. More likely, that niche will be filled by an updated version of Flash (yuck), XUL, or, perhaps, something entirely new.
Write once, infect everywhere!
www.java.com is only offering j2re-1.4.2_05, a vulnerable version.
Version 1.5.0 is available from java.sun.com.
WAKE UP SUN!
There is no patch, there is only the next release of the JRE, why is that? Wouldn't it make more sense to also release an executable patch rather than forcing a 14MB download (not that I care, I download it at 400KB/s?)
You can't handle the truth.
http://java.sun.com/j2se/1.5.0/download.jsp
Open source, although a wonderful thing which should be given away at school bake sales, church meetings, and NASCAR rallies, is not a silver bullet. Case in point: the Firefox browser (which I use and love) has already had several security flaws (e.g. the same JPG flaw as IE) for which exploits have been released. The major reason we don't see more is *not* because it's so much more robust; it's because it still doesn't have the visibility and market share of IE, not to mention the raw hatred of ubergeeks around the world. I know, I know, the market share is going up, and as a faithful user I'm honestly torn. I'd love for it to be successful, and for Microsoft to have some kind of competition, but for now, Firefox is pretty safe. Give it the market share, and watch all those 2600-loving eyes start reappraising their goals.
daniel
Browsers aren't responsible for sandboxing plugins--in fact, they couldn't do it if they wanted to. Sandboxing is exclusively a function of the language and its runtime, in this case Java. If Sun's Java plugin allows the execution of dangerous code by untrusted code, it is Sun's fault. Note also that this is not the first time that this has happened.
Fortunately, the solution is simple: just turn off Java applets in your browser. These days, you won't be missing anything important on the web by doing so.
Let's make a deal: it is a bug in the security implementation of Java by Sun. Sheesh. That's what I said, didn't I?
:)
As for the ActiveX part: ActiveX does have a security implementation. You need to sign your ActiveX component to make it safe for scripting. There can be security leaks in that. For instance, the ASN.1 decoder may have a buffer overrun exploit, to name a completely random example. Or you might release a few libraries with the same signing certificate, needing to update *all* the libraries instead of one (another completely random example).
Obviously, it does not have a sandbox implementation, so you're right with the "terminally bad" part
It was nice that a patch was released before the exploit was widely known, but this is the first I have heard of the exploit. From TFA, the exploit was patched last month by Sun, but now we hear details. Now is when I first found out about this.
I am sure this would have clouded over the launch of Solaris 10, but I would have appreciated knowing about this last month when the exploit was patched.
The cancel button is your friend. Do not hesitate to use it.
The linked notice sez the bug is patched in 1.4.2_06, but the web site and java auto-update both say the 1.4.2_05 I have now is the latest.
Does anyone out there have _06 yet or is this another case of premature press-releasination?
"Lawyers are for sucks."
- Doug McKenzie
I agree with you, browsers aren't responsible for the sandboxing, and it is Sun's fault for having a buggy plugin. But sandboxing is not a function of the language; it is solely a function of the runtime. I could use a different runtime with the same compiled Java code and not have the problem. Therefore it's not a problem with the language.
Okay, I'm a doofus.
To fix this vulnerability, you have to go to
http://java.sun.com/j2se/1.5.0/download.jsp
and download the J2SE 5.0 JRE, right?
(Yeah, yeah, I know, and then install it.)
Get j2re from here.
follow the links to the JRE download.
www.java.com is STILL dishing out the wrong version (1.4.2_05). Grrrr. Naughty Sun!
Actually, it's another good reason that I don't load any plugins.
I only enable them when I'm staring at a blank page and for some morbid curiosity I want to see what is on the site.
The new JDK/JRE is "safe"... I've heard they're faster, too, with some JRE improvements. I just downloaded the whole 1.5 set, and I'm pretty excited, looking forward to it... I install it on my Slackware instance tonight!
If I had a girlfriend, I'd invite her to hang out and share the joy; this'd be way better than a movie as a date... Um... Maybe I should get out more, now that I think about it...
Farewell! It's been a fine buncha years!
Not so long ago (for someone my age; for some on /. it may be half a lifetime ago) Java web applets were everywhere. Has this now been replaced with Flash, or have web designers decided they didn't need what Java can do, or am I visiting the wrong pages?
No, I am not talking about web applications here, but Java applets that do things like menus, scrolling news banners, etc. etc.
I did a quick check of both real-life and online friends and only a few had Java enabled. Hardly a scientific measurement, and neither is asking here, but is your web browser Java enabled?
This is not an anti-Java post. I like Azureus, which would never be available to a Linux user if it had not been done in Java.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
" Lets make a deal: it is a bug in the security implementation of Java by Sun. Sheesh. That's what I said, didn't I?"
I think you read an implied slur into me simply having chosen to use the word "java" instead of "sun" when paraphrasing instead of actually quoting you. None was intended.
On to the point; as I recall the 2 main problems with ActiveX security are:
1; the browser (IE being _the_ ActiveX browser IIRC) pushes "security" options such as "allow signed scripts to run". Johnny Hacker is quite capable of signing his code, thus getting it run without question on most installs.
2; it is quite plausible to spoof your signature. Then even if you are requiring manual authentication of each signature before you let it run, it may well look to the casual user like a macromedia or Microsoft signature, and therefore it gets run.
Contrast with the (intention of the) Java security model, where it is not supposed to be possible to GET the kind of access that allows destruction / subversion in the first place.
It's the (piss-weak) "security" attitude that "if company X wants access that would let it format your drives, but only after scanning all the files on them, then it's OK, because it's company X, isn't it?" that is the problem with ActiveX.
No "program" run through your browser has a legitimate need for that level of access to your local machine.
My personal opinion is that there are 2 fundamental flaws in how some companies view "browsers":
1 - they think that the web browser and the file manager should become one.
2 - they think that goal justifies tying the browser tightly to the file system on the local machine, and justifies including low-level local access mechanisms into the browser and the things it can browse.
Personally I disagree; I think that having any "web format" of data/program able to escalate its rights to that kind of level is suicidal in terms of security, and therefore the risks of the required infrastructure make having your web browser serve to handle your local file system vastly outweigh the minimal benefit of dropping one program from the machine.
I also think that may have been the longest sentence I've ever written; so I'll preserve it for posterity!
Actually, I'm running 1.4.2_06, and it still lists me as running an older version. Because I am, there's 1.5 (5.0) available now.
The cesspool just got a check and balance.
Aaah, piffle.
Just fetch a newer JVM, they're faster anyway.
I completely agree with parent. And Microsoft supporters at least admit mistakes sometimes.
You go to www.java.com, upgrade from 1.4.2_03 to 1.4.2_05 and think you're safe, until one day, BOOM!
WAKE UP SUN!
On my development workstation I am reporting back JRE 1.4.2_02 but my MSIE plug-in reports it's running the Microsoft JVM 1.1.4. My corporate workstations can be upgraded to JRE 1.4.2_06 without a hitch. But then again I would really rather patch the Microsoft JVM since most of the standard workstations don't have (or need) the entire Sun JRE installed on them.
:-)
I know that Microsoft won't release a patch for their JVM. That means I will have to deploy the entire Sun JRE on all workstations and then deploy some MSIE registry hack that will disable Microsoft's JVM in favor of the new Sun JRE instance. Fun, fun, fun.
By default I have disabled all active scripting unless users manually add websites to their Trusted Sites list. I would think then that the Javascript initiation of the exploit wouldn't work unless there was some site-spoofing going on. Perhaps this might be a band-aid just continuing this policy.
No matter what I think the only permanent solution for most Windows security is probably pulling the plug on the Internet connection. I don't think I could get away with that here at work though
And of course more importantly disable JavaScript. And after that get into a very long series of discussions with your users as to why so many web sites don't seem to work "properly".
Sun's Installer will happily leave your old copy on, so uninstall first. If you're using the Java 3D addon, you'll need to uninstall that and the old Java first. Then install jre 1.5.0 and Java 3D. Then all works happily.
Who the hell moderates stuff like this as "insightful". I don't have any exact numbers in front of me (nor will I spend the time to find them), but I can safely tell you that over their respective lifetimes, ActiveX has suffered many orders of magnitude more exploits than Java ever will. The only meaningful caveat I can think of to this statement is the "default" Java runtime environment (that used to be) packaged with Internet Explorer that is written by Microsoft. Of course, you can hardly attribute any problems with that to Java because Microsoft built it on top of ActiveX and took very little interest in security when doing so.
Also, I should point out that any of these theoretical exploits will do more damage on Windows than on other platforms because Windows is insecure. It seems that any code running on a Windows box has, one way or another, unbridled access to resources that should be above the user's privileges, but that's an entirely different situation altogether...
Why bother.
> But sandboxing is not a function of the language - it is solely a function of the runtime.
Pedant alert. In this case, ignorant pedant alert. The runtime is the Sun(R) Java(tm) Runtime Environment(tm), and Sun has lawyers who will do bad things to you if you claim the Java moniker does not apply to the JRE (which includes plugins for several popular browsers). Cue "Java is a platform" blather from Sun execs.
In this case, they are simply being hoisted on their own petard. It is a bug in Java. The Platform (or, if you prefer, the thingamajig they sell/give away). Period.
Go somewhere random
Linux?
No, no, it can't be? Linux is invulnerable to virii!
Time to give 1.5 a go I think!
Sadly, the "Update Now" button in my J2SE 1.4.2_05 RE Plug-in Control Panel still informs me that I already have the latest version installed. You'll probably have to update manually, for now.
Another thing: the auto-update timer in that same Control Panel is set to go off once a month by default. You might want to turn that up a notch for fixes like these.
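Several posts in this thread hit the same problem: java.com and the auto-update control panel still report 1.4.2_05 as current, the linked notice says the fix is in 1.4.2_06, and 1.5.0 is available from a different page. The program below is an added example, not Sun's code and not something the notice provides; it classifies JRE version strings against the 1.4.2_06 cutoff the notice names (1.5.0 sorts after it and so counts as fixed). The sample version strings are constructed for the demonstration. Treating everything below 1.4.2_06 as "not fixed" is deliberately conservative: the thread says nothing about whether the 1.3.1 line received a fix, so the check does not pretend to know.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Sun's code. Classifies JRE version strings against the
 * fix version named in the notice, 1.4.2_06. Period version strings look like
 * "1.4.2_05", "1.4.2" (no update number) or "1.5.0"; later JVMs report
 * "11.0.2" or "17", which the parser also accepts.
 */
public class JreVersionCheck {

    /** 1.4.2_06: the first release the linked notice says contains the fix. */
    static final int[] FIXED = { 1, 4, 2, 6 };

    /**
     * Parse "major[.minor[.micro]][_update]" into {major, minor, micro, update}.
     * Missing fields are 0; a trailing build tag ("-b03", "+12") is ignored.
     */
    static int[] parse(String version) {
        String v = version.trim();
        int cut = indexOfAny(v, "-+");
        if (cut >= 0) v = v.substring(0, cut);
        String[] numberAndUpdate = v.split("_", 2);
        String[] parts = numberAndUpdate[0].split("\\.");
        if (parts.length == 0 || parts.length > 3) {
            throw new IllegalArgumentException("unrecognised version: " + version);
        }
        int[] out = new int[4];
        for (int i = 0; i < parts.length; i++) out[i] = Integer.parseInt(parts[i]);
        if (numberAndUpdate.length == 2) out[3] = Integer.parseInt(numberAndUpdate[1]);
        return out;
    }

    private static int indexOfAny(String s, String chars) {
        for (int i = 0; i < s.length(); i++) {
            if (chars.indexOf(s.charAt(i)) >= 0) return i;
        }
        return -1;
    }

    /** Lexicographic compare on the four numeric fields, update number last. */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 4; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /** True when the version is 1.4.2_06 or later, which includes every 1.5.0 build. */
    static boolean isFixed(String version) {
        return compare(parse(version), FIXED) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the versions this thread mentions plus edge cases.
        Map<String, Boolean> expected = new LinkedHashMap<>();
        expected.put("1.4.2_05", false);    // what java.com was still serving
        expected.put("1.4.2_06", true);     // the release the notice names
        expected.put("1.4.2", false);       // no update number at all
        expected.put("1.4.2_06-b03", true); // build tag must not break the parse
        expected.put("1.5.0", true);        // J2SE 5.0
        expected.put("1.3.1_05", false);    // older line; flagged conservatively

        for (Map.Entry<String, Boolean> e : expected.entrySet()) {
            boolean fixed = isFixed(e.getKey());
            System.out.printf("%-12s fixed=%-5b %s%n", e.getKey(), fixed,
                    fixed == e.getValue() ? "ok" : "MISMATCH");
        }

        // Finally, the JVM actually running this code.
        String running = System.getProperty("java.version");
        System.out.println("this JVM: " + running + " -> "
                + (isFixed(running) ? "at or past 1.4.2_06" : "BELOW 1.4.2_06"));
    }
}
```

The useful part for the people upgrading in this thread is the last line: run it under each JRE you have installed (the one in your PATH, the one the browser plugin points at, and any leftover copy the installer did not remove) rather than trusting the update button, since the post above shows that button reporting 1.4.2_05 as current.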
But sandboxing is not a function of the language - it is solely a function of the runtime.
Java isn't a language, it's a platform: it's the language, the entire set of official APIs, and the runtime. Sun says so (in fact, they insist on it), that's what they require compliance for, and they own the trademark.
(Note that, disturbingly, this bug in Sun's implementation shows that, not only is their implementation buggy, but their extensive certification process didn't catch the bug either.)
Disable Java in your browser unless you absolutely need it (rare). Period.
Why is this flamebait?
My browser has _no_ plugins running by default. Also, my browser (Safari) has a separate Java and plugin preference checkbox, and I rarely load Java. The last time I did was to look at some buggy applet that someone wrote at work.
Over the years I have come to despise Java. It would be different if it worked, but for me, Java has caused many problems, and I have seen 0 benefits from it.
So I won't get modded as flamebait as well, I'll elaborate.
Oracle's "Universal Installer" is written in Java so that it could be cross-platform, etc. etc., to make it easier and universal for people to install Oracle. How convenient that it took me _hours_ to install it on an NT machine because a bug in Java made the installer fail if the display was using more than some arbitrary number of colors (256, 16k, dunno, don't care). Thanks.
There are many "web installers" or whatever written in Java for Solaris machines. I've had these fail about 40% of the time.
I've had Netscape crash at least on the order of hundreds of times because of Java.
Java in a browser applet is very slow loading.
My brand new Apple Xserve RAID came with a GUI admin program written in Java. It worked for about a week, now it doesn't, and I have to call Apple and bitch when I get the time.
Java applets _never_ looked near the same on different OSes or even on the same OS with different browsers. Besides the silly thing a coworker wrote, I don't remember the last time I had to load the Java plugin for a website.
I have installed Websphere once, I won't go into details from here.
One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".
I've been familiar with Java for years. This is not some blind "this sucks" thing. I've coded in Java to write applications and applets that run native on a normal OS, and in browsers, and on embedded devices like smartcards and iButtons.
I don't particularly care for Python either, but at least most of the Python applications that I have used work, so I have no real objections to it besides I just don't like the language or the quirky way Python and Python programmers do things. For example, the damn #!/usr/bin/env python thing kills me. Try explaining to (l)users over and over again that there are 2 versions of python on the system. One in /usr/bin, one in /usr/local/bin. If the (l)user has sufficiently screwed up their PATH statement, or uses a broken shell (like bash, which cannot decide which dotfiles to load under which invocation; don't get me started with (t)csh), then the wrong instance of python gets loaded, and I have to go through my speech again about how #!/usr/bin/env python is wrong. But since it works most of the time, I don't rant about it like Java.
I'm just talking from my experiences here, and I have not had a pleasant experience with Java.
That could be like comparing two prisons. In prison A, there have been no escapes, while in prison B there have been several.
The other variable: prison A is housing no prisoners, while prison B holds 200 prisoners.
Which is a better prison? It's really impossible to tell from the number of escapes.
Java definitely has some inherent benefits. Is it better than ActiveX? Most likely, but we need to make sure we don't rely on simple empirical measurements that may not present an accurate picture.
At this point in time it would probably be more beneficial to compare Java and .Net, since Microsoft has pretty much deprecated the ActiveX technology anyway.
I have always found the idea of viruses on Unix amusing. I mean, any user can cause damage to his/her files, either manually or by running a script or binary. But this is not an "infection" as the system is left completely untouched. What worries me though is the way the news sites report "Linux viruses". Someone unfamiliar with Linux/Unix might think: "Oh! So Unix also has viruses, just like Windows." This I think is giving a completely wrong impression about Unix to such people.
-- anux
"One of Java's cool "features" is that it does not have pointers."
No, Java does not allow a programmer to directly manipulate pointers.
Java definitely has some inherent benefits. Is it better than ActiveX? Most likely, but we need to make sure we don't rely on simple empirical measurements that may not present an accurate picture.
That's a fair point, and one I was largely overlooking. I'm not sure I agree with your point about .Net, however, as .Net isn't a browser-level technology like Java applets or ActiveX (and, as far as I know, this problem only affects Java applets).
I suppose the one conclusion we can definitely draw from this is that browser-based technologies are potentially dangerous ;)
Browsers should allow you to configure java and javascript on a per site basis. Much like you can allow pop-ups from certain sites.
I prefer to have javascript off all the time.
Being able to selectively enable them for certain sites would be nice and would improve security.
.. and how is anyone supposed to find that out from the sun website?
1.5 is a devel release until it's officially released on the sun website. I'll wait until the proper www.sun.com download is available - there's probably nothing written that runs under it yet anyway.
Security by obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use unpatched Java installs in blissful ignorance of the risk.
You're saying that vulnerability details should be announced before patches are completed? I'm afraid I disagree. There's a fair bit of evidence (see stories here and here) that black hats are using vulnerability announcements and patches to find exploits rather than finding them themselves. If that's the case, keeping vulnerabilities quiet until the software company's had a chance to patch them is a good idea, even if security through obscurity is in general a bad idea.
For the average user, the most important stuff is their own documents, images and programs. These would be in danger as well on a Linux box.
I dont disagree, I will just point out that people are trying to get everything to work. Look at the kaffe gump stats to see how it is faring. There are problems bootstrapping ant; more diags are being added to things to track them down. Once Ant is booting, more stuff will follow.
It IS on java.sun.com, so it is released. JRE 1.5.0 runs fine here. Firefox users will find fewer Java-related crashes with that release too.
Actually Java *is* open source.
Maybe not the "Open Source" that most OS fanatics have come to preach, which has to be "Free Beer, fork and redistribute at will"
But the sources are freely available from Sun. There are restrictions, which in short are that you can't run a modified JVM in a production environment. But for any kind of research purpose (finding bugs, security flaws, experimenting with new techniques), the Sun JVM is no different than the Linux kernel!!!
Get a mac. Not only is it not affected by this bug, it also has a spell checker for every textbox in the OS.
I'm not sure I agree with your point about .Net, however, as .Net isn't a browser-level technology like Jave applets or ActiveX (and, as far as I know, this problem only affects Java applets).
It's not yet, but I expect Microsoft to allow ASP.Net to capitalize on its existence on the client, if they haven't already. Allowing people to do some interesting things if .Net resides on the client. One of the interesting things they could do is to use .Net's language-agnostic attribute to provide the browser with more varied scripting language support. More than their current stable of VBScript, JScript, etc. Imagine using Python to script web pages. But I'm going off on a tangent now.
Wow, you can bash Fox News. Maybe we are at a point in life where you just don't get it.
The people saying Sun is the hero aren't the same people that are saying Microsoft is the root of all evil for the same reasons. Yes, it may be a shock to you, but different people with different opinions frequently visit this site. Also, like the Fox News comment, you don't seem to have the ability to read something with a grain of salt. You take one statement and assume it is the belief of the entire community.
Why don't you sub your Fox News comment with a CBS comment? After all, they are the ones making the news up instead of reporting it in a way you don't like.
BTW, what has Fox News ever reported that was wrong or misleading? Outside calling Florida in the 2000 elections I am not aware of anything.
Holy shit, you knew about EVERY security fix released on 11/2 ahead of the fact? And on 10/5? And on 9/9? And on 8/10? 7/6? This is STANDARD, you TROLL.
Listen up -- when someone finds a problem with a product they generally go to the manufacturer and say "Component foo has problem bar which can yield baz result. Note the following sample code." The company then isolates the cause, finds a fix, tests it, and releases the patch. They don't send out an irresponsible security bulletin saying "OMG!!! WTF?!? U K4/\/ 0\/\/NZ0R O|_|R SH1+ L1K3 TH15! \/\/3 W1|_|_ F1
But... occasionally... something does go terribly wrong. The person who finds the bug may not be responsible enough to contact the vendor directly and might instead go public right away. At which point the vendor posts a bulletin about an exploit "in the wild" -- and describes mitigation procedures to keep you from being f'd.
I want a new world. I think this one is broken.
"Security through obscurity" refers to a cryptographic algorithm that relies on security by keeping its algorithm secret. It does not mean that keeping any kind of secrets is not a valid form of security. After all, even with modern cryptographic algorithms, you still need to keep your private key secret don't you?
What a fool believes, he sees, no wise man has the power to reason away.
Wow, that's worse than I've seen.
The worst problem I've had was writing a commercial app that had a Java frontend. Because Sun kept making seemingly random changes to the API and not fixing bugs (or worse, breaking the bugs that they fixed on the last version) we were stuck with 1.3.1-05 almost right until the Java code was abandoned (went to C#; we only supported Windows servers anyway).
One customer wanted a 1.4.0 release, which we duly did (required a special fork and about a month of developer time), then rejected it because it wouldn't work through MS Proxy Server (a Java bug which has never been fixed to this day... it first appeared in 1.3.1-02, was fixed in 1.3.1-05, broke again in 1.3.1-06 and has never been fixed since).
You sir are reacting like an idiot. You list applications that do not work and then blame the language. Blame the application writers, not the language. This is like saying "C++ sucks, look how buggy and insecure Windows is, C++ must be to blame, not the developers." Think, then post.
Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article [silicon.com], that there hasn't to date been a single Java virus.
There was an attempt to write a Java virus, but after the coder wasted a bunch of time fooling with deployment descriptors, ANT builds, and CLASSPATH problems, he just threw up his hands and said "f--k it, I'll write it in C".
The reason it's different here is that the patch was submitted swiftly. They clearly were dealing with the problem as quickly as possible. Some other organizations have sat on information for over a year without issuing a patch, which is an unacceptable turn-around.
Most people believe in giving companies a head-start on fixing problems, because they often can fix them swiftly. In this case, that head-start worked out.
other organizations have sat on information for over a year without issuing a patch, which is an unacceptable turn-around.
Sort of like how Mozilla "classified" bugs that sat around for YEARS before getting fixed? Case in point, the "shell:" exploit of a few months ago. Turns out the Mozilla team knew of a potential problem for years, but "classified" the problem and didn't do anything about it until an actual exploit surfaced. Of course, here on Slashdot, there were no harsh words for Mozilla, because after all, it was "Microsoft's problem".
It is not worse. News mentions "Highly Critical" bug, while the one that affects Opera is "Not Critical": http://secunia.com/advisories/13257/ It is fixed already, in beta version though. http://snapshot.opera.com
There was one, it was used to spread other malware about 6 months ago. However, it only affected the MS JVM (a bug in the exception handling of the system classloader), and MS had released a fix for it about 3 months before the virus appeared, so the people it affected probably wouldn't notice it under the swarm of other viruses an unpatched Windows machine is going to pick up.
http://64.233.167.104/search?q=cache:B7hYQ0Ipn1sJ:www.philly.com/mld/philly/news/special_packages/iraq/6918170.htm+fox+news+wmd+weapons+of+mass+destruction+study&hl=en&client=firefox-a/
Weapons of Mass Destruction. That was the first thing that came to mind...I'm sure that with more time and want...I could find more...but there's a start for you.
Asmodeus
Your mind is like a parachute. It works best when it's been opened.
I agree with your main point, but not what you say about Fox news.
Why don't you sub your Fox News comment with a CBS comment? After all, they are the ones making the news up instead of reporting it in a way you don't like.
They did not make up the story about Bush's service records, they were tricked into believing it. Whether they should have detected the fraud or not is a matter of opinion. Much like Bush's similar misstep.
BTW, what has Fox News ever reported that was wrong or misleading?
Read this
It's also invulnerable to wormii and trojanii. You know why? Because there's no such thing. On the other hand, viruses for Linux are quite possible.
Why is anything anything?
4 months is quick? Boy, I'm sure glad there's such a large anti-full disclosure mentality going around lately. Now, vendors don't have to secure their vulnerabilities in a timely manner!
....
1. Get notified about a serious security flaw
2.
3. Release a patch a quarter of a year later
4. Profit!
I'm glad someone can get java running cross-platform even if it does only run on the Sun JVM.
To get people to upgrade, you just have to find "critical" security bugs in your old software. Of course Microsoft has known this for many years.
So you have plugins including Java applets turned off but then say you haven't seen any useful applets. So let me get this straight: you hide them and then complain that you can't see any good ones. Self-fulfilling prophecy? By that metric, do you drop all usage of OS X if you come across a badly written program on the Mac? Starting the plugin the first time is slow, granted. But I've been running Safari on a 500MHz iBook and Java applets haven't been a problem for me. The best written ones have been the ones where I almost didn't notice they were applets. Well-written ones are like this. A lot of folks who denigrate Java out of hand have come across good applets but not recognized them as Java.
Have you used Java since the old Netscape days? The plugins in IE, Mozilla, Firefox and Safari have not caused me any problems in years. I find it hard to believe that I've just been the only person in the world and/or am extremely lucky.
Well... except for that one applet that was a site logo rippling like it was underwater. Pure eye candy that sucked up 60% CPU time sustained on a 3GHz processor. Once again, good technology, bad applet writer.
That said, I prefer DHTML and related technologies to visual Java applets these days. In a better world, I would have the UI handled by the browser's renderer and the logic handled by Java. Javascript is nice and all, but sometimes you want to do some heavier lifting. And I sure as hell am not going to use ActiveX for that even if it was supported on non-IE and non-Windows environments.
And I too am talking from experience as I have developed on Java on Windows since Win95, OS/2 Warp, Novell NetWare, Solaris, OS X and Linux. Applets, servlets, EJBs and standalone apps. Aside from filesystem path differences, I have had maybe two problems in the last seven years moving my code from one platform to the next. And yes, I can code in C (K&R and ANSI) and C++ (including ISO98) too. Learned them before Java, so it's not because I haven't seen any other platforms.
By the way, your mention of NullPointerException is funny to me. Take a C app and access a null pointer. Boom! Hope you have core files enabled so you load the image in a handy debugger. Take a Java app and access a null reference (pointer). Not only can the exception be caught so that it doesn't completely take down the app, but you get an easy to read (relative to C and C++) stacktrace telling you exactly where it occurred so that you can fix it.
It's not the only language in the world and definitely isn't the only language you should have in your toolbelt, but it doesn't deserve the maligning you just gave it.
- I don't need to go outside, my CRT tan'll do me just fine.
You were comparing references (memory addresses) instead of actual values. I think you should have used:
Java.equals(JavaSandbox)
instead. It's a common mistake, don't sweat it.
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Does anyone know if this only affects SUN-branded java? IIRC, the version of java (and plugin) that ship with RedHat Enterprise is IBM-branded.
Just curious...
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
Can you point to some source to corroborate your story that early viruses infected Unix machines? Early viruses predate Unix on x86, and I don't think most Unix installations used boot floppies.
Yes there are vulnerabilities everywhere, but the difference between *nix vulns and Windows vulns is enough to justify smugness.
I think this tries to highlight another reason why allowing a third party review your code is a good thing
How?
Haven't exploits been found in third party reviewed code?
You point to two articles that describe the same virus. Yes the proof of concept happened in 2001. No such viruses have been found spreading in the wild. Windows apologists who claim that most people run as root on Linux are obviously wrong.
I tested my PC, which the sample code worked on, but it didn't seem to work on my mac which runs OSX 10.3.6 in safari or firefox. Safari comes back with a "Class undefined" and firefox just seems to ignore the javascript alert at the end.
Anyone else try this on the mac and have similar results?
Prompting to create a non-root account works. If lots of people were running as root, there would have been a Linux virus spreading in the wild by now.
Certainly some people get overly smug about free software being more secure. More users means more people finding normal bugs. Security holes, however, aren't usually found by casual users trying to use the software as intended. Security is achieved not by exposing the source to many eyeballs, but to the right eyeballs.
The source for Java is downloadable, feel free to review it...
When was the last time you reviewed any OSS projects code?
I don't remember the last time I had to load the Java plugin for a website.
I actually have several websites with banking etc that use applets. The JVM load time is annoying though, I agree with that.
One of Java's cool "features" is that it does not have pointers. I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".
Yes, that is an unfortunate wording in the JVM. It should say "null reference exception". Everything except primitives is a pointer in Java, but unlike C/C++, Java does not allow pointer arithmetic, so they call them references instead.
If you see "null pointer exceptions" often, you must be unfortunate enough to have to be running some pretty amateurish programs though (no offence). Null pointers are not hard to avoid in normal code, and in situations where they might fail from an external source (for instance loaded from file), the programmer should of course wrap that in checks to see that the instance is properly initialized before proceeding.
I have not had a pleasant experience with Java.
So I see.... sorry to hear that. My experiences have been much better. Eclipse and Azureus kick ass. I couldn't do without Java on my mobile phones these days.
Being bitter is drinking poison and hoping someone else will die
I think this tries to highlight another reason why allowing a third party review your code is a good thing
How many bugs like this have been found in the plug in? How many have been found in Apache and Sendmail?
Yes, you're right: Virus Definition
Well, my usage improved today.
When I installed openoffice.org I pointed it to my 1.4.2 install of jre. Will updating to 1.5.0 affect openoffice.org? Has anyone had any problems? I've spent too long customising openoffice.org to want to reinstall it.
Smug and humble are not opposites. The opposite of smugness is self-effacement. The opposite of humility is conceit. If you want to keep yourself humble, there are better ways to do it than exposing yourself to needless security holes.
Could browsers such as Mozilla, when running on Linux, sandbox plug ins? Could User Mode Linux be used for this? Within the sandbox, the plug in would run, could make kernel calls, etc., but would be limited by what the "kernel" (i.e. the User Mode Linux) would let it do. The plug in would see a network interface, but could only communicate with the server that had the original web page. (Or the end user could have policy control over this.) The plug in could truly be restricted in what files it could create and/or modify.
Maybe inside the UML kernel you could see some folder within its filesystem tree that maps to an actual folder within the user's home directory? Maybe each individual plug in could be given its own sub folder within a folder such as
$HOME/mozilla/plug-ins/Flash/Temp
$HOME/mozilla/plug-ins/Flash/Permanent
That way, a plug in can create and store preferences and permanent config settings, as well as temp files that the browser is free to delete. The plug in could be restricted in its ability to draw to the display, or open windows, or in almost any possible way.
Maybe an easier design would be a new plug in API that is designed to run inside of a UML type sandbox? Just some pseudorandom thoughts. ("plug ins" and "Glade" are a trademark of Johnson Wax.)
I'll see your senator, and I'll raise you two judges.
"Bingo."
Why bother.
"found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday."
But according to the Bugtraq posting Sun Microsystems was informed on April 29, 2004.
Don't waste those cycles! Put them to use! http://www.distributed.net/
Sun produced a patch before the issue was released to the public.
You say that like it was a good thing. I don't think it is. I'd rather have had Sun issue a security bulletin outlining the problem and how to avoid it as soon as they knew about the problem. Concealing a product defect until after it is fixed and it is most convenient for the company (and has the least impact on share price) is not trustworthy behaviour. Microsoft does that too often too and I hate it.
Just because a defect hasn't been offically disclosed does not mean people with malicious intent do not know about it. I want to know about a problem as soon as it is discovered so I can work around it until it is fixed. The longer vendors of closed software (or leaders of open source projects) drag their feet in informing the public, the more opportunity there is for the defect to be exploited by intelligent but malicious individuals with advance knowledge.
My employer sells mission critical equipment where failure can result in extensive property damage, injury or death. If a defect is discovered it MUST be reported IMMEDIATELY. We cannot wait for a firmware update because someone could stumble upon the defect and be killed. Any time there is a potential problem reported it includes a recommended workaround. If there is no acceptable workaround the product is recalled (this is rare--it has not happened while I have worked here).
Why is it that this practice is considered "due diligence" and the responsible thing to do in other industries, but in the IT/software world it is considered reckless by some to inform the public of all issues in a timely fashion?
The parent is right, client-side Java is dead.
Web developers make sure not to have the functionality of their website depend on applets, as Windows only comes with a mutant of Java 1.2 - if any - installed, and of the clients on the interweb, the overwhelming majority will be Windows PCs with Internet Explorer. You just can't count on visitors being willing to download a 14 megabyte installer to use your site.
Also the performance of client side Java is still very poor compared to the alternatives, and in the early years, when Java was still heralded as the future of computing, it was so unreliable that its image has been tainted forever.
Only on slashdot would a comment that this exploit is "Not that critical" receive a "Score:4, Insightful" rating.
Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's weird," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a Java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.
Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.
Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention" but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symantec's bat/mumu-a removal tool reports the machine is clean).
Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.
I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.
"Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).
There goes my day...
-Don
It is just like the glib library under linux.
I notice that debian, for example, has glib 1.2 and glib 2.0.1.
If you have apps that depend on glib 1.2, you cannot remove it from your system and only have glib 2.
The same is true of the JRE. You may run some Java apps that were written against 1.3 and other Java apps that were written against 1.4.
Even if apps that run using older APIs are open source, someone still has to do the work of updating the software to use the new version of the APIs.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
If you see "null pointer exceptions" often, you must be unfortunate enough to have to be running some pretty amateurish programs though (no offence).
Um, yes, like the Oracle Financials client. Very amateurish. </sarcasm>
Actually, I take back the sarcasm. It just plain sucks.
open source does not prevent security bugs. why don't you go google for mozilla or firefox security problems. they existed. they were quickly patched, as was the issue you're ragging on sun about. for a platform that is as widely used as java, there have been amazingly few security issues. huh? i guess that proves that open source is not the way to go right?
slashdot reminds me of right-wing radio more and more. it's a place where people come to have their beliefs re-affirmed and not for real discourse and facts.
now, this thread, like many others, is just a bait to get
the last thread i read about sun had some guy stating that sun was crap because they didn't include enough tools, and he cited the lack of gzip. solaris has bundled gzip for many, many years. you know what also? when i installed linux back in 1994 on my 80386, 66Mhz PC, linux didn't include gzip either. huh! linux sucks!
There were plenty of harsh words for Mozilla here. Perhaps we read a different article, where yours had completely different comments?
Huh. How about them apples.
I make these: http://beatseqr.com
My browser has _no_ plugins running by default.
Ever notice how when people say stuff like that, it almost always means, "More people should be like me."?
I can't tell you how many times I've run a Java program and gotten a traceback which mentions a "null pointer exception".
Those tracebacks are a Godsend compared to C/C++'s completely unhelpful "Segmentation fault." It makes it much easier to find the bug. But why are you blaming the language for poorly-written programs? Should I mention how many times I've seen an "Illegal Instruction" exception on Windows, and tell you how much C++ must therefore suck?
Like woodworking? Build your own picture frames.
No. That's incorrect. It's neither a function of the browser (by definition, a plug-in is an extension that's not part of the browser core), NOR a function of the language or its runtime. It's because of Sun's Java plug-in. So don't go thrashing the language or VM, even if they come from the same company as the plug-in in question.
There's nothing wrong with Java the language or its runtime that fundamentally causes problems like this.
Ever notice how when people say stuff like that, it almost always means, "More people should be like me."?
In this case it does mean that.
It's foolish for a web developer to depend on a 3rd party plugin to view their site. If you want some platform specific application, then just write a platform specific application. For me, I currently use 3 OSes -- Solaris, Linux, and OS X on 5 different architectures. It's annoying to have to abandon looking at a website because there is no plugin for my specific architecture and OS. The web is supposed to be portable. KISS. Text and images can do a whole lot. Hell, text by itself can do a whole lot.
I couldn't do without Java on my mobile phones these days.
What??? I've had a mobile phone for years. Never once considered having a JVM on the thing.
Just out of sick and morbid curiosity, what does Java give you on your phone that you cannot live without?
Wow! That's the first time I've got a response like that to a language-nazi post. Kinda makes me feel bad for being so snarky about it. Well you've just ensured I keep up the pedantic fight. Well done!
Why is anything anything?
Go for it bud. Some people mind. In some places, I might mind. However, I'm one of those guys who tries to improve his vocabulary by listening to CDs. I have Verbal Advantage: Complete Edition, Word Smart, Word Smart II, Word Smart: Genius Edition and Grammar Smart.
On business trips and on my daily commute I listen. I used to be pretty religious about it, but I need to fix my car's CD player, so, less so now (playing with an older model FM broadcaster every morning gets old, especially in my area, where ALL of the channels on mine are taken).
There is no reason whatsoever why using the same UI for a web browser and a file browser should cause any new security problems.
File managers do not have any higher access to the filesystem than the web browser already does.
Advanced users are users too!
I'll try showing things from my point of view. I have been co-hosting a weekly science and technology radio talk show for the last four years. Right now we put the show archives on the web so people can listen at their leisure. But MP3s aren't so hot for dialog. To get voices to sound good, you have to up the bitrate which in turn ups the bandwidth usage.
So I researched around and found Ogg Speex. Even at low bitrates, speech sounds great. So at a smaller file size than MP3, I can get better quality for my listeners. Everybody wins, right?
Well, the codec has a problem. There isn't a uniformly good decoder for Windows, OS 9, OS X and various Unixes where I can just point someone to a URL and have them hear anything interesting -- unlike MP3. So what about a Java applet? There's a Speex decoder for the JavaMedia API. (An Ogg Theora as well, but I digress.) With even an older JVM on the system, codecs can be downloaded as needed. And after the user has left my website, no trace remains. Nothing to install and nothing to uninstall.
But...
There are quite a few people out there who refuse Java "on principle". My website is for a radio program. Audio is an intrinsic part of the overall equation. So what are the alternatives?
It's not that I think Java is perfect. It's that for many tasks, it's the best tool for the job.
As far as ActiveX goes, my hatred of it is a different animal than your hatred of Java. I cannot and will never trust ActiveX precisely because it's native code. You cannot build a code sandbox around a technology that allows direct pointer manipulation. Period. The use of ActiveX in all but the most rare intranets is absolutely unforgivable in my opinion from a network security perspective. Then of course we get into the fact that ActiveX only works on one browser on one operating system on one type of hardware -- quite the anathema to the original spirit of the internet. None of these items is true of Java. The worst indictment of Java is that it has been slow and people have used it for ad banners.
You hate Java for how it's been used. I hate ActiveX for what it is, its underlying design. There's a fundamental difference there.
Regarding NullPointerExceptions -- any unchecked exception for that matter -- and the end-user/developer divide, I couldn't disagree more. Developers get their bug reports from end-users. Stacktraces, being text, fall into log files easily. These log files get emailed to developers in "incident reports". Core files don't fall into log files quite so easily. Printable stacktraces with line number references was one of the best things to happen to the client-debug-patch loop in the software arena. Released binaries with debug symbols stripped out (as is common in shipped software) can be an absolute nightmare when trying to replicate in-house.
If it helps the developer fix bugs, it by definition helps the end-user and is therefore just as relevant to the end-user.
As far as ad banners go, the same technology used against Flash and Gif/Jpg ads could be applied to Java applets as well. The Ad Blocker extension to Firefox comes to mind. By default, all plugin or suspected ad banner activity is blocked from view unless you specifically enable it on a per-site basis. As far as if a complete site is based upon Flash or Java (a horrible design decision 99.9% of the time in my opinion), the simple answer is to avoid the site in the future.
I guess what I'm getting at is that there are technological solutions to these problems, but just turning it all off is akin to throwing the baby out with the bathwater.
- I don't need to go outside, my CRT tan'll do me just fine.
Actually there is a virus that attacks M$ JVM through a security hole. Take a look at Symantec's note regarding this. This is the only issue I've ever had with Java.
It figures that it would be M$ that would once again introduce security problems into software that has proven to be quite secure.
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
Bad Sun. Bad. Fedora is not the only rpm based distrib.
$ java
/usr/java/jdk1.3.1_13/bin/i386/native_threads/java: error while loading shared libraries: libstdc++-libc6.1-1.so.2: cannot open shared object file: No such file or directory
$ ls /usr/lib/libstdc++*
/usr/lib/libstdc++.so.5@
/usr/lib/libstdc++.so.6@
/usr/lib/libstdc++.so.5.0.6*
/usr/lib/libstdc++.so.6.0.1*
Shite.
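The loader message above names the exact soname the JDK binary asks for, and the ls listing shows that only the .so.5 and .so.6 names exist, so the problem is a missing soname rather than a missing directory. On a real machine `ldd /path/to/java` answers this directly by printing "not found" next to unresolved entries. The shell script below is an added example, not the poster's commands or anything shipped by Sun: it reproduces that check on constructed inputs (a throwaway library directory mirroring the listing, and a fabricated NEEDED list), and the helper name find_missing_libs is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a list of needed sonames against
# one or more library directories and report the ones the loader could not find.
# Inputs are constructed so the script runs anywhere without a JDK.

# find_missing_libs NEEDED_FILE LIBDIR...
# NEEDED_FILE holds one soname per line (what `ldd` or `readelf -d` would list).
# Prints each soname that exists in none of the directories; an empty result
# means every dependency resolves.
find_missing_libs() {
    needed="$1"; shift
    while IFS= read -r so; do
        [ -n "$so" ] || continue
        found=0
        for d in "$@"; do
            if [ -e "$d/$so" ]; then   # -e follows symlinks like libstdc++.so.5@
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$so"
    done < "$needed"
}

# demo_missing: build a temp directory with the same sonames as the post's
# `ls /usr/lib/libstdc++*` output (constructed, not a real /usr/lib), then ask
# for the old soname from the error message plus one that does exist.
demo_missing() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib"
    touch "$tmp/lib/libstdc++.so.5.0.6" "$tmp/lib/libstdc++.so.6.0.1"
    ln -s libstdc++.so.5.0.6 "$tmp/lib/libstdc++.so.5"
    ln -s libstdc++.so.6.0.1 "$tmp/lib/libstdc++.so.6"
    # Constructed NEEDED list: the soname from the error, and a resolvable one.
    printf '%s\n' 'libstdc++-libc6.1-1.so.2' 'libstdc++.so.5' > "$tmp/needed"
    find_missing_libs "$tmp/needed" "$tmp/lib"
    rm -rf "$tmp"
}

demo_missing   # prints: libstdc++-libc6.1-1.so.2
```

Only the older soname comes back as missing; libstdc++.so.5 resolves through its symlink exactly as the real loader would resolve it. Running the same check against the directories in your loader path (or simply `ldd` on the binary) tells you whether installing a compatibility library, rather than reinstalling the JDK, is the fix.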
It does encourage stupid design flaws like shell:// though.
English is easier said than done.
not really....I wouldn't expect shell:// to exist in a filemanager either.
hmmm...does such a thing exist in IE / Explorer, or is that a KDE thing? and what does it actually do?
Advanced users are users too!
wormii and trojanii [...] there's no such thing
Look, Mr. Spelling Fascist, we computer geeks invent new vocabulary all the time. Bogosity/bogons/quantum bogodynamics (check the Jargon file). Blog (web log). Mob (mobile). Vaxen (plural of DEC VAX, by association with oxen, because they are reliable but slow). Boxen (plural of box, by association with vaxen). Thunk (crazy piece of assembly for transferring code between different ABIs). Foo/bar/baz/wombat (uncertain origin). So if words that aren't in the OED scare you, you better stop reading Slashdot right now.
Now, as for "virii". Ancient Romans never used the word "virus" in the plural. Furthermore, they didn't write down the rules for how such a plural should be constructed. So it's not like "virii" is replacing a good old Latin plural - there was no plural before, we were forced to construct one.
I have seen the study it is referring to. The conclusions drawn from it or the article you referenced weren't that Fox News makes things up, rather that people that rely on television news as a primary source of information often are not as informed as the people that use radio and print media as their primary source of news. Once you examine the numbers you also find strange facts like 60% of ABC's viewers also held at least one of the major misconceptions about the war despite ABC strongly questioning the motives and reporting the grounds for the war as "shaky".
This leads one to believe that people "watching their news" tend to not be as intelligent or capable of comprehending it as much as those that read about it or use some source that relies on their imagination/mind to occupy the relativeness of the news reports. Assuming this is actually the case, the fact Fox News had a higher percent of misinformed viewers was because their audience is greater.
Also the page you cited has a disclaimer stating that
meaning the authors of the study don't claim Fox News is misleading the public. In reality it is more likely what I described above in the level of comprehension of the viewers compared to the amount of viewers. Another article here, with its original here, sheds a little more light, or at least makes it a little clearer, on the numbers from other news sources.
I think to continue to claim Fox News lies or purposely misleads in their news reporting (not necessarily you saying it, but the general impression from others too) is not only intellectually dishonest but intellectually lazy too. On the surface it is easy to come to the conclusion you did. It is the minute disclaimers that surfaced afterwards and looking into the source of the story a little that makes it clear.
In essence, you can say that you held misconceptions about "Fox News' integrity" based on the same situation. Now there was actually a site found with about 20 barrels of a chemical (I forget the name right now) that was thought to be a WMD and could have definitely caused damage as a WMD would, but it turned out later to be an insecticide used in agricultural applications. This was reported by many news sources other than but including Fox News. This redacted story is probably the main reason for the misconceptions about the WMDs in Iraq. The print news had to wait until publication and distribution before releasing the news and by that time the chemical's purpose was already clarified.
I'm not a Fox News shill or fanboy in the least. I generally get the majority of my news from the radio. I think most people would agree that the content on television (news anyways) has started lacking with the flux of 24-hour news stations. I did however take the time to offer this post because I have heard too many times about how Fox is lying to its viewers or something along those lines. I'm under the impression that this is likely the result of
Does anyone know a good online guide to understanding how the user accounts system works on Windows, that both gives practical info but also allows one to understand what's going on? I don't refer to "click this, click that, click OK 7 times" guides, and I'm quite tired of lying to Windows wizards in different ways to try to get them to do what I want. I'm not an active programmer or techie (I teach math now) but I did Fortran programming many years ago, so I know what computers are, and I do play a bit with things like Javascript and HTML, and I can read RFCs, but I'm looking for guides that don't treat me as either computer-illiterate or as having 3 years to learn everything there is to know at the highest professional level. Yes, I could spend lots of time learning, but I would rather spend some of it learning something other than Windows (like Linux), but I still need to use Windows to handle all the things for the kids + wife + work (Word/PowerPoint homework, work-related Word documents, employer's IE5.5+ compatible website etc.), so I want resources that would teach me how Windows works without insulting my intelligence or using up too much of my time...
I setup all of my PCs with "limited" user accounts for regular use, and I usually use "run as..." option for running programs that cannot work without admin privileges, but this has its own problems. One thing is that then the program runs with the default settings of the admin account (desktop, "my documents", favorites etc.) Another really more severe problem is that I DON'T WANT TO HAVE THE KIDS "RUN AS ADMIN"!!!
And there are programs they use that don't always work properly when they don't get write permissions to write their ini files that they insist on putting somewhere under "program files". For instance, Celestia doesn't save bookmarks unless "run as admin". PClogo that my son got from his logo school and looks as if made for Windows 3.x had problems accessing files under his username (limited account. plus I'm really surprised that no one has put a kids friendly interface on the open-source MSWlogo. Don'r hackers have kids? or at least nephews?)
Lots of programs that are installed using "run as admin" install themselves only under admin. (I once tried to install Palm Desktop, which I downloaded. The installer only ran under admin. It installed an icon on all accounts' desktops that was never really shown (no read permission on the icon, so it always showed as the default Windows file icon, and of course did nothing as it was a shortcut to a program the user couldn't start). I could only use that program when logging into admin or "running as admin", and the Palm synchronization only worked when logging into admin right after reboot - otherwise it always complained that "the port is already in use".)
All of these are really frustrating and even more as I am never able to understand what the problems are, or what the "helpful wizards" really do...
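A least-privilege fix for the write-permission problem described in the post above, added here as an example that is not part of the original thread or of any of the programs named in it: instead of running the program "as admin", give the limited account write access only to the folder (or file) the program insists on writing, and leave its executable read-only. The script uses the standard Get-Acl / Set-Acl cmdlets and is run once from an administrator PowerShell session; the install path, the "settings" subfolder and the user name are placeholders, not real product paths.

```powershell
# Added example, not from the original thread. Run once from an elevated
# (administrator) PowerShell session. $AppDir, $DataSub and $User are placeholders.
$AppDir  = 'C:\Program Files\ExampleApp'      # placeholder install folder
$DataSub = Join-Path $AppDir 'settings'       # placeholder folder holding the .ini / bookmark files
$User    = "$env:COMPUTERNAME\kid"            # placeholder limited (non-admin) local account

# 1. Make sure the data folder exists (some programs only create it on a first run as admin).
if (-not (Test-Path -Path $DataSub)) {
    New-Item -ItemType Directory -Path $DataSub | Out-Null
}

# 2. Show who can already write there, so the change is visible and reviewable.
(Get-Acl -Path $DataSub).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 3. Grant the limited user Modify (read/write/delete) on that folder only, inherited by
#    the files and subfolders inside it. The program's .exe and DLLs in $AppDir stay
#    read-only for the user, so a limited account cannot replace a binary that an
#    administrator later runs.
$acl  = Get-Acl -Path $DataSub
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $DataSub -AclObject $acl

# 4. Verify: the new entry appears on the data folder, and nothing changed on the parent.
(Get-Acl -Path $DataSub).Access | Where-Object { $_.IdentityReference.Value -eq $User }
(Get-Acl -Path $AppDir).Access  | Where-Object { $_.IdentityReference.Value -eq $User }   # expect no output
```

If the program writes a single .ini file in its install root rather than a subfolder, point `-Path` at that one file instead and use `InheritanceFlags` `None`; the user then gets write access to that file and nothing else. The reason for keeping the rule this narrow is the reverse risk: granting Modify on the whole install folder lets a limited account alter the program itself, which is then executed by whoever runs it next, including the administrator.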
Is no-one else concerned about the length of time it has taken Sun to respond to this? According to the article, it took 4 months to patch, but in reality it was nearer 6 months. Sun were informed on April 29, so we can add a month (possibly more) to the figure of 4 months. (I can't determine when the patched version was released while @work.)
Most OSS is patched within a day or so, certainly less than a week. So why did Sun sit on this for so long, and then fail to publicise the fix as soon as it was available?
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
"File managers do not have any higher access to the filesystem than the web browser already does."
Bullshit.
A browser has NO need to have rights to copy or delete files that it did not create. And it only needs rights to create its own files in specific places.
By definition a File Manager needs to be able to copy and delete arbitrary files in the file system, otherwise you cannot Manage your Files with it.
There is no legitimate need for the two requirements to be brought together, and the fact that they end up co-existing in the same program (externally scriptable, by definition, as a web browser) leads to security risks.
Actually that article is misleading at best. It is referring to this study.
In this study you will find that almost all the news sources had at least 40% or more of their patrons/viewers from differing networks and media services (i.e. newspaper) believing the same thing. Yes, Fox News watchers were higher on the list by 10%, at a total of 33% of viewers believing we found WMDs in Iraq, where CBS was in second with only 22% of its viewers believing the same.
Also the site you linked to generalizes the concept of 3 misconceptions rather than each single one. Again Fox News viewers were at a 10% higher rating, with 80% of their viewers believing in at least one of the misconceptions, with CBS again in second place at 71%. What is further interesting is that the 3 misconceptions include the U.S. finding WMDs, Iraq's links to al-Qaeda and general world opinion of the U.S. Over 60% of Americans held a misconception in at least one of these three areas. This isn't specific to Fox News either.
You will find other resources about this study, entitled "Misperceptions, the Media and the Iraq War: A PIPA/Knowledge Networks Poll"; look under the Iraq section. The questioning process is interesting in itself.
What we have here is a situation where National Public Radio had the least ill-informed persons, with printed news next in line. The most misinformed people are the ones that watched their news from Fox News, CBS, ABC, NBC, CNN. Something that debunks the effort to discredit Fox News is that over 60% of ABC's viewers were misinformed, and ABC was one of the most critical and skeptical news sources about the war and the events leading up to it. This leads me to believe that the study is a representation of the comprehension and interpretation abilities of the audience rather than reflecting on the news source itself. Here is another article on the same study. Something worth noting is that the authors of the study asked for a clarification statement amended to the article clarifying that it doesn't reflect on how Fox News reports its news. Also, in their initial press release it stated "Among those who primarily watch Fox, those who pay more attention are more likely to have misperceptions." while also clearly stating I would contend that the majority of Fox News viewers are conservative/Republican in nature and that could be why the increased amount was with them. However, when you have 60% of the country holding one of the misconceptions it is clear that other news sources are reporting the same stuff in a similar fashion. If anything it describes a lack of quality in news information reporting in general.
Those words tell me you're not a programmer, or do not understand operating systems very well.
Pretty much every application written for an operating system can create, copy, move and delete files, as long as the user running the application has the appropriate permission.
The ability to do so is part of the standard operating system libraries.
A file manager is just a graphical interface to those functions - it has no special privileges that allow it to do those operations.
An execute-arbitrary-code bug in a web browser would allow you to do all those things regardless of whether or not it was the same programme as the file manager.
There is no reason why combining the two programmes should immediately make the file manager externally scriptable - a programmer has to deliberately and manually expose a function to the scripting engine before it can be used; it's not something that happens by magic. (Although with Qt4 it probably will - but DBus / DCOP are totally different things from the JavaScript scripting used in the browser, and JavaScript should not be able to make DBus or DCOP calls any more than it should be able to write to the filesystem.)
Also - explorer.exe and iexplore.exe are not actually the same programme. They share common components, such as the rendering engine, and explorer.exe has some UI concepts from a web browser - such as the back button, but other than that, they are different applications.
I would be interested to know just how many security flaws in IE are a direct result of the supposed integration of browser and file manager.
I think you'll find that most of them are buffer overflow bugs, ActiveX vulnerabilities, and cross-site scripting bugs.
Advanced users are users too!
I sit corrected. Thanks for the info!
Your mind is like a parachute. It works best when it's been opened.
Heh, just noticed this reply a week too late. Odds are you aren't going to see this, but since you wrote such a long reply to my post, I'm going to go ahead and reply anyway.
Admittedly, the article I linked to was not the best. I found a more pertinent one afterwards, but I don't have the link anymore. You're right that viewers of all TV news had misconceptions, but viewers of Fox News had significantly more misconceptions. It's hard to prove cause and effect with something like this, but it's interesting to note that people who said they followed Fox News closely were even more misinformed than those who watched it casually.
I don't think that Fox News actually lies. I do think they are strongly biased, and it shows in the way they present the facts, who they choose to interview, and how much time they devote to a story. Of course I can't prove this; proving something like that would require poring over videotape with a stopwatch for hours (and would still be subjective).
Final point: you say that Fox may be biased to the right, but other networks are biased to the left. I don't agree with this. The other news outlets are biased to the center. They tend to downplay either extreme and try to balance one side with the other (even when such balance is absurd). The fact that people think that what CBS reports is the left's point of view shows how under-reported the views of the left actually are.