Slashdot Mirror


Brian Hook on the ActiveX Experience

Obiwan Kenobi writes "Brian Hook of id software fame got around to developing on ActiveX and found some minor grievances, particularly in the security department. To quote: "I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.""

12 of 523 comments

  1. Wouldn't it be more useful... by Anonymous Coward · · Score: 4, Interesting

    ...to point out potential issues in .Net. Even MS is no longer pushing ActiveX/COM. They are rewriting that trash out of their architectures as fast as they can. Maybe .Net doesn't come off as bad as COM, so can't be used to ridicule MS.

  2. Anyone surprised? by Penguinoflight · · Score: 2, Interesting

    I guess it's surprising Brian Hook is interested in anything to do with web design; an ActiveX interest is even more odd.

    ActiveX is an awful problem, I guess the only reason IE users are as safe as they are is the level of integrity in many websites (better than we have thought in the past maybe...)

    Btw, thanks for the FP editors :)

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
  3. More Ammo by TSR+Wedge · · Score: 5, Interesting

    That is, more ammo to use when telling people to get off of MSIE. The prospect of having a webpage completely wipe their hard drives clean is something that should scare even the most lackadaisical of users.

    --
    What if the hokey-pokey really is what it's all about?
  4. Crazyness by bburton · · Score: 4, Interesting
    "First off, by default IE will not allow you to run an unsigned control. A control can be digitally signed, verifying that it came from you, and the signing process is arduous enough that, say, a bored junior high school student won't bother with the process. Unfortunately, anyone with $20 and who DOES care can get signed relatively easily."
    Besides the obvious stupidity inherent in ActiveX and its purpose, this is another really good reason why I refuse to use it. It doesn't have to be a program that formats my hard drive. It can be a piece of spyware, or some annoying ad pop-up that gets installed. There is no good way to implement natively executed ActiveX controls, at least for anything other than a company or website I know in advance that I trust unconditionally.

    I shudder at the thought of running any code that I (or at least someone else) have not inspected. Just another reason to use Firefox and other open source software.

    --
    Slashdot = ((Technology + Politics) / Trolls) % Grammar Nazis
  5. Re:Gee, that's news... by Frymaster · · Score: 4, Interesting
    I wonder if anybody knew that before...

    well, it is pretty obvious. although the key phrase here is "if the user's security settings are set low enough."

    i mean, any operating system is vulnerable to an exploit if its security infrastructure is sufficiently loose. if you set your entire filesystem to 777 then you're completely vulnerable on any unix-based os too.

    the real questions here are:

    1. how low is "sufficiently low"
    2. how low is the security level out of the box
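The two questions above can be answered for a given machine by reading the Internet zone's per-action settings. The following is an added example, not code from the thread or from Microsoft: an offline audit of the ActiveX actions in an exported Internet Explorer URL security zone. It assumes the input is the text of a .reg export of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (the Internet zone), uses the action IDs and the 0 = enabled / 1 = prompt / 3 = disabled encoding documented in Microsoft KB 182569, and the two sample exports embedded in it are constructed, not captured from any real system or claimed as out-of-the-box values.

```python
# Added example: audit ActiveX actions in an exported IE security zone.
# Assumes a .reg export of
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# Action IDs and value encoding (0 enabled, 1 prompt, 3 disabled) per KB 182569.
import re

# Per-zone action IDs for ActiveX (KB 182569).
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
VALUE_MEANING = {0: "enabled", 1: "prompt", 3: "disabled"}
SEVERITY_ORDER = ["ok", "info", "low", "medium", "high"]

ZONE_HEADER_RE = re.compile(r"^\[.*\\Zones\\(\d+)\]\s*$")
ACTION_VALUE_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})\s*$')


def parse_zone_export(text):
    """Return {zone_id: {action_id: int}} from a .reg export of the Zones key."""
    zones = {}
    current = None
    for line in text.splitlines():
        m = ZONE_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            zones.setdefault(current, {})
            continue
        m = ACTION_VALUE_RE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def assess_zone(settings):
    """Map each ActiveX action present in `settings` to (description, state, severity).

    Unsigned download (1004) and scripting of controls not marked safe (1201)
    are the knobs that let a page run native code with no signature or without
    the control's own consent, so anything other than 'disabled' is rated high.
    """
    result = {}
    for action, desc in ACTIVEX_ACTIONS.items():
        if action not in settings:
            continue
        value = settings[action]
        state = VALUE_MEANING.get(value, "unknown(%d)" % value)
        if value == 3:
            severity = "ok"
        elif action in ("1004", "1201"):
            severity = "high"
        elif action == "1001":
            # Silent signed download is worse than a prompt, but a $20 cert still passes.
            severity = "medium" if value == 0 else "low"
        else:
            severity = "info"  # controls may run at all; precondition for the scenario above
        result[action] = (desc, state, severity)
    return result


def worst_severity(assessment):
    """Highest severity among the assessed actions ('ok' when nothing is flagged)."""
    worst = "ok"
    for _desc, _state, severity in assessment.values():
        if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(worst):
            worst = severity
    return worst


# Constructed sample exports (not real defaults): a loosened zone and a hardened one.
LOOSE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("loose", LOOSE_EXPORT), ("hardened", HARDENED_EXPORT)):
        report = assess_zone(parse_zone_export(export)["3"])
        print("%s zone: worst = %s" % (label, worst_severity(report)))
        for action, (desc, state, severity) in sorted(report.items()):
            print("  %s %-60s %-8s %s" % (action, desc, state, severity))
```

On a live machine the same input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg`; machine-wide policy under HKLM can override the per-user values, so check both hives before concluding a zone is hardened.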
  6. Re:Gee, that's news... by Gordonjcp · · Score: 5, Interesting

    If you set your entire filesystem to 777 then loads of stuff will just throw up its metaphorical hands and refuse to run. Try it on a throwaway box some time (actually, User Mode Linux is good for experimenting with Practical Unix Terrorism, but that's a whole other topic).

  7. Too Bad Rest of World Doesn't Understand by Spencerian · · Score: 2, Interesting

    If only the media could understand the magnitude of how completely frakked this OS design is in Windows, our government would start using systems less likely to be compromised during hostile acts against the US and its population.

    Not that any OS that doesn't use ActiveX is perfect...nothing is. But allowing the OS to be commanded through something as commonplace as a Web page or email is just ASKING for it.

    "No networked computers on my ship," says Adama in the new Galactica series. That point saves their asses from the other ships of the fleet, whose computers were rooted by the Cylons and quickly destroyed because of over-integration.

    Sure, it's fiction. But fiction has a grain of fact in it to make it real.

    --
    Vos teneo officium eram periculosus ut vos recipero is.
  8. Ah blah.... by MajorDick · · Score: 1, Interesting

    "I've been doing some ActiveX coding on the side for a couple days," WOW...HOW EXPERIENCED you are.....oh my

    In a word bullshit..

    I've done ActiveX programming on and off for 6 years now, and while there are things to be desired in the model, I can tell you you can create some pretty cool stuff in a short time.

  9. Re:Nothing new. by arendjr · · Score: 4, Interesting

    While I agree it's somewhat of a flamebait story, there's some validity to bashing ActiveX. You call ActiveX an old technology and so MS shouldn't be bashed for it, but as long as MS hasn't developed something better (which can take quite a while) it should be counted as their current best offering in that area, which is quite pathetic really. If you add to that the fact they dropped Netscape plugin support with IE6 so as to get everyone on ActiveX, it's really their own fault they're getting bashed about it.

  10. Re:Security was never needed by DingerX · · Score: 2, Interesting

    This gets a little circular, doesn't it? From those heady days of the nineties, I remember thinking security plenty of times. I remember plenty of companies thinking security too.

    Just because Microsoft (or rather their corporate strategists) was thinking "leverage OS monopoly into market domination", doesn't justify a cavalier disregard for what was going on around them; just because Windows 98 had security problems doesn't mean security wasn't an issue. This is especially true when copying technology that's out there: programs that can be run off the internet that affect the local machine's experience? You can't excuse Microsoft from ignoring the steps everyone else was taking (including the cited case of java) by allusion to some Zeitgeist the existence of which is attested only by Microsoft's moves.

    In any case, ActiveX is still being distributed, and, it may surprise some slashdotters to realize this, but the vast majority of Windows users use ActiveX controls, and those who actually have security settings on have for the most part been trained by IE's other wonderful security settings (such as "you are moving to a secure page") to click "OK" on every popup they see.

    But okay, old news, we all know the Microsoft experience is merely to gaze upon the promised land with the knowledge we'll die in the desert.

  11. Re:Yeah, well... by 99BottlesOfBeerInMyF · · Score: 4, Interesting

    Microsoft makes it pretty clear that arbitrary code can be run from a web page in the security dialog.

    What is lacking is sandboxing. Here is a typical example. I go to a site to use a service. It has an ActiveX control. I need to use the control, but don't fully trust them. My options are A) find another service, or B) run it and hope for the best. That is unacceptable. There needs to be an option C) run it in a sandbox, and don't let it read my files, or overwrite anything. I mean this is not brain surgery here. Java can do it, and Sun does not have the OS code.

  12. Re:Security was never needed by Trepalium · · Score: 2, Interesting
    1) optimizing virtual machines compile to native ops
    At the time, the fastest Java VM was still much slower than even Visual Basic compiled code.
    2) COM/ActiveX means writing (and rewriting) everything yourself (yes, the power to innovate)
    Please try to keep in mind when the decision was made. There was no huge Java library at the time. Microsoft took the easy way out, and integrated OLE (a.k.a. COM, ActiveX) into Internet Explorer letting all the current OLE controls (with a few modifications to support the new features) plug into IE.
    3) powerful means what in this context? the power to do everything yourself? the ability to tie directly into the OS? or to exclude those fringe platforms (na na)? Assuming you mean power to tie into the OS, you can do that in Java too using JNI/DLLs/Signed Applets and gosh - there is even a security infrastructure around doing that.
    Again, remember when this happened. Java was young, and signed applets were unheard of. Most people were (and some still are) under the impression that Java limited what you're allowed to access from the underlying platform to ensure platform independence, and Sun's marketing of Java did nothing to change that perception because it was in their favor to have that perception. Today, with Firefox gaining popularity, I am starting to see signed Java applets appear on websites.

    I like bashing Microsoft as much as the next guy, but Java was a tactical threat to Microsoft's platform, and that's why they did all they could to sabotage it. It's nothing personal, it's just business.

    --
    I used up all my sick days, so I'm calling in dead.