Slashdot Mirror


Microsoft Brands WebGL a 'Harmful' Technology

An anonymous reader writes "Microsoft has announced that it has no plans to support WebGL — a cross-platform low-level 3D graphics API designed for web use — in its future browsers, citing numerous security concerns over the technology and branding the basic principles as 'harmful.'"

503 comments

  1. Microsoft should know... by Bill_the_Engineer · · Score: 5, Informative

    a dangerous web idea when they see one. They created ActiveX.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    1. Re:Microsoft should know... by Noughmad · · Score: 1

      Didn't they use to claim how Firefox and Linux are insecure?

      --
      PlusFive Slashdot reader for Android. Can post comments.
    2. Re:Microsoft should know... by jjetson · · Score: 1, Offtopic

      Isn't Android Linux?

    3. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      and auto-run, scripting in E-Mails/Documents etc.

    4. Re:Microsoft should know... by Anonymous Coward · · Score: 4, Insightful

      To this day it is still easy to make Word Documents that phone home to a server with user info every time they are opened. But WebGL is harmful.

    5. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Isn't Android Linux?

      Yes, but why's that relevant?

    6. Re:Microsoft should know... by Anonymous Coward · · Score: 5, Interesting

      Maybe Processing has them scared as shit. Not only does it do OpenGL acceleration in a browser, but it's also open source and nearly a drop-in replacement for Flash or Silverlight.

    7. Re:Microsoft should know... by xednieht · · Score: 0

      Amen brother!!!!

      --

      Hope is the currency of fools
    8. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      And I'm sure this has nothing to do with them hampering the use of OpenGL over Direct3D in general.

    9. Re:Microsoft should know... by cygnwolf · · Score: 5, Insightful

      I think you hit the nail on the head there with the Silverlight comment. M$ could probably care less about Flash but they're not fond of any new players in that market.

      --
      Free Pie! The Pie is Also Evil!
    10. Re:Microsoft should know... by jasmusic · · Score: 2

      ...and are adding P/Invoke to Silverlight last I heard.

    11. Re:Microsoft should know... by beelsebob · · Score: 5, Insightful

      I'm really surprised that everyone is jumping on the "lawl microsoft security" bandwagon here, rather than the "well of course it's dangerous tech – it's OpenGL based, not D3D based... it's dangerous for MS's market share" bandwagon.

    12. Re:Microsoft should know... by sorak · · Score: 0

      And the number of zero day flash exploits isn't a problem, but webGL is.

    13. Re:Microsoft should know... by erroneus · · Score: 1

      That too was my first thought. And they still haven't been able to put the shit back into the horse. Once the web (internal and external) started hosting proprietary apps based on ActiveX and/or MSIE6, it has been amazingly hard to get business to move on. After all, they spent a LOT of money utilizing these technologies and they don't want to spend even more developing and migrating away from it.

      That said, I am all but certain there must be a way to make WebGL safe.

    14. Re:Microsoft should know... by Anonymous Coward · · Score: 2, Insightful

      Even a stopped clock can be right once or twice a day. Concerns for the security of this popped up on slashdot not long ago, and seemed to be accepted, but now that MS has concerns, it's a great tech?

      They should treat it like they treat all of their other insecure tech (scripting in word, html in emails with outlook, activex, silverlight that wants to do risky things) - prompt the users "Hey, do you want to do this, it's probably not a bright idea unless you really trust the source"

    15. Re:Microsoft should know... by Ephemeriis · · Score: 4, Insightful

      Yup.

      If it were WebDirectX they'd be all over it. Since it's WebGL, however, there are security concerns.

      Which isn't to say that the security concerns aren't valid... If you're giving a web page low-level access to your hardware there's certainly a possibility for abuse. But I suspect that Microsoft's concern here is more about market share than security.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    16. Re:Microsoft should know... by icebraining · · Score: 3

      Processing is Java, what does it have to do with WebGL? Do you mean Processing.js?

    17. Re:Microsoft should know... by Locutus · · Score: 5, Insightful

      They created ActiveX in response to Java applets and the threat that someone else's APIs could become dominant. This is normal business for Microsoft and just like how they created Direct3D to counter the spreading OpenGL APIs in the 90s, WebGL is probably too much of a platform threat to support so they'll do the typical FUD thing and say it sucks, it's bad and it's dangerous while they're working on their own replacement which will solve world hunger according to their press releases and up until it actually ships with about 50% of what WebGL had when they started.

      They must do everything they know how to keep profits rolling and 3D is finally catching on so it's back to their form of business. FUD before crud.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    18. Re:Microsoft should know... by Entrope · · Score: 1, Insightful

      Bugs in the OpenGL stack are no more plausible than bugs in the rest of a web client stack. Arguably they are less likely in OpenGL because the semantics are more tightly defined and the set of commands is smaller and less complex than in (say) HTML 5. Heck, the Canvas element is almost as complex in a lot of ways as WebGL, and has equal scope for exploiting graphics driver bugs.

    19. Re:Microsoft should know... by bhtooefr · · Score: 3, Insightful

      Except video drivers are about as secure and stable as IE4.

    20. Re:Microsoft should know... by Bill_the_Engineer · · Score: 1

      Don't be. ActiveX and WebGL share a common trait of being complicated to implement and have access to hardware therefore Microsoft should know what it's talking about when it comes to dangerous plugins.

      Despite this experience, Microsoft is only attacking WebGL because it competes with their interest. Silverlight version 3 advertises some features similar to WebGL as well as version 4 offering the ability to execute other applications within an "extended sandbox". If that doesn't scream overcomplexity for a single platform then what does?

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    21. Re:Microsoft should know... by Entrope · · Score: 2

      Consequently, the Canvas element is obviously harmful too.

      Video drivers do a lot more than just OpenGL. It's not clear to me that WebGL exposes any more potential security issues than anything else in a web browser.

    22. Re:Microsoft should know... by ifrag · · Score: 1

      That said, I am all but certain there must be a way to make WebGL safe.

      Probably, doesn't mean it will ever be made safe though. There's a lot of low level stuff going on there, and for efficiency there's not really a lot of time to waste double checking everything. Bugs in graphics drivers already manage to crash machines all on their own, and that's while running non-malicious code. Trying to secure it is going to have to start at the driver level, which is out of WebGL's scope. Add this onto the fact that the vendors' drivers sometimes fall a little short of the spec itself, so even using it as intended can bring up some odd issues.

      --
      Fear is the mind killer.
    23. Re:Microsoft should know... by Locutus · · Score: 4, Insightful

      Probably because they have a history of not doing well with security. Microsoft always goes out of their way 'calling the kettle black' when they don't want people using something they don't control so it's no wonder people here mock them and point the finger back to them. Have you asked yourself why Microsoft would make such a public statement about WebGL? What is their position on OpenGL and cross platform 3D and why is that? Is Microsoft even part of the WebGL Working Group? Maybe Microsoft should be the ones STFU.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    24. Re:Microsoft should know... by CokoBWare · · Score: 4, Interesting

      Something tells me they wouldn't create ActiveX today... they've had well over a decade to learn how bad the technology actually is, and try to mitigate their mistakes with it. It doesn't surprise me they'd make comments on WebGL like this today in 2011. A lot can happen in 15 years.

    25. Re:Microsoft should know... by CokoBWare · · Score: 1

      I actually kinda see the point of this "troll".

    26. Re:Microsoft should know... by Anonymous Coward · · Score: 1

      Or maybe behind your ridiculous frothing you'd see the independent research that shows why allowing the internet to run code directly on your fucking graphics card might just be a shitstorm waiting to happen.

    27. Re:Microsoft should know... by macshit · · Score: 1

      Yup.

      The important thing is not that they've pointed out some security problems, but how they're going to proceed from there.

      A good faith reaction would be to work with others to fix the security issues.

      But of course, they're not going to do that, because security is really just a smokescreen -- their real concern is that WebGL is a portable standard that they have no control over, gives no advantage to Microsoft, and which already works well on competitors' systems.

      Guaranteed they subsequently announce they're instead supporting a competing web-3d standard that "leverages Microsoft technologies"...

      --
      We live, as we dream -- alone....
    28. Re:Microsoft should know... by numbski · · Score: 1

      I look at it this way - if everyone but them supports it and uses it, they will have their hand forced into supporting it. Otherwise you'll have more javascript "go download a *real* browser to use this site/webapp" and more exodus from IE.

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    29. Re:Microsoft should know... by TaoPhoenix · · Score: 1

      Forgive the giddy Friday phrasing, but you made me think of the famous phrase from the courts. Truth, Whole Truth, Nothing But Truth.

      So apparently MS's comment isn't a total fabrication. I think you're saying it isn't laced with fud if in fact it is tricky to implement. So the new hotness in marketing must be skipping Nothing But Truth.

      I'll state it another way. $Category has a problem such as difficult to implement. $Company complains that $CompetingSolution has a problem, but they carefully phrase it to make it sound like the problem *does not* belong to the $Category, implying that their solution escapes the flaw by Fallacy of Omission.

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    30. Re:Microsoft should know... by Bill_the_Engineer · · Score: 1

      Let me use a famous phrase that explains it best. It takes one to know one.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    31. Re:Microsoft should know... by Runaway1956 · · Score: 0

      You stole my reply!! You evil person!

      LMAO

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    32. Re:Microsoft should know... by Joce640k · · Score: 1

      Yeah ... and I'm sure it's a complete coincidence that WebGL can do computing in a browser and they just launched a new DirectCompute offensive a few days ago.

      --
      No sig today...
    33. Re:Microsoft should know... by Nadaka · · Score: 1

      Because he used the past tense phrase, and they still say linux (Android) is insecure.

    34. Re:Microsoft should know... by Hatta · · Score: 1, Insightful

      It's like the Republicans and Libya. Sure, they have a point, it's a bad idea. But when it was their turn with the bad idea, they ran a lot farther with it. It's clear that they're not opposed to it because it's a bad idea, but because it's not their bad idea.

      --
      Give me Classic Slashdot or give me death!
    35. Re:Microsoft should know... by John+Hasler · · Score: 1

      A good faith reaction would be to work with others to fix the security issues.

      And if they are fundamental conceptual problems that cannot be fixed?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    36. Re:Microsoft should know... by blowdart · · Score: 1

      Microsoft is only attacking WebGL because it competes with their interest.

      Does it compete with John Carmack's interests? Doubtful, but he agrees

      I agree with Microsoft's assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.


    37. Re:Microsoft should know... by tepples · · Score: 2

      If you're giving a web page low-level access to your hardware

      Then your operating system is broken. A browser implementing WebGL makes calls to the operating system's implementation of OpenGL or Direct3D, which is supposed to protect each application using OpenGL or Direct3D from others. A broken 3D video driver is no different from a broken 2D video driver: both are security holes.

    38. Re:Microsoft should know... by georgesdev · · Score: 1

      absolutely, plus it can compete with Microsoft Silverlight

    39. Re:Microsoft should know... by WindBourne · · Score: 3, Interesting

      Yes, they did. However, with WebGL, they actually have a good and factual point. There ARE security flaws in it that MUST be addressed.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    40. Re:Microsoft should know... by Darfeld · · Score: 1

      To be fair, the research might be independent. It might be right too.

      But GP is correct when he says Microsoft suffers a lake of credibility that they earn themselves. They seem not to care, though, because this lake of credibility isn't so big that they can't manipulate opinions with that sort of comment.

      --
      (\__/) This is Lapinator
      (='.'=) copy it in your sig
      (")_(") so it can take over the world
    41. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Blow it out your ass. I bet you lick Ballmer's taint clean for him, don't you?

    42. Re:Microsoft should know... by Ephemeriis · · Score: 2

      If you're giving a web page low-level access to your hardware

      Then your operating system is broken. A browser implementing WebGL makes calls to the operating system's implementation of OpenGL or Direct3D, which is supposed to protect each application using OpenGL or Direct3D from others. A broken 3D video driver is no different from a broken 2D video driver: both are security holes.

      I guess that's true these days. I've had various games crash my 3D drivers and I just get a pop-up message stating that the driver had to be re-started.

      I'm still thinking of the good ol' days where a video driver crash meant a BSOD.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    43. Re:Microsoft should know... by nschubach · · Score: 1

      fundamental conceptual problems that cannot be fixed

      Yeah, we wouldn't want someone to do anything related to innovation.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    44. Re:Microsoft should know... by siglercm · · Score: 1

      In the U.S. system of government, this is called "checks and balances."

      --
      sigfault (core dumped)
    45. Re:Microsoft should know... by drinkypoo · · Score: 1

      The driver could be broken too. Of course, it's part of the operating system (whether it came with it or not) so I guess it's all the same thing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    46. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      probably because they have a history of not doing well with security

      /. called. It would like a citation please.

      You think Microsoft has better security than RSA, Lockheed-Martin, and Sony? I do. At least for now.

    47. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Funny how DirectX is powering most of my games, though. I would not jump to conclusions and suggest that simply because something is the underdog that it is inherently better somehow. Or shall we start becoming code hipsters?

      "I used OpenGL before it HAD a version number."

    48. Re:Microsoft should know... by Bill_the_Engineer · · Score: 1

      You confuse facts with motive.

      Nobody doubts the accuracy of Microsoft's concern (well at least I don't). It's the motive behind Microsoft's voicing their concern that has us amused.

      Does WebGL create a security risk? Yes all plugins do. Some more than others.

      Does John Carmack have a motive for speaking out against WebGL? Not that is apparent.

      Does Microsoft have a motive for speaking out against WebGL? Yes. In fact they point out the security issues in WebGL while actively ignoring the ones being introduced in their products that are poised to compete with WebGL.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    49. Re:Microsoft should know... by paulo.casanova · · Score: 1

      Actually, Microsoft is suffering from bad fame more than anything else. Looking at the CERT database you can see 4 vulnerabilities in MS products in the middle of tons of others. They effectively have taken security somewhat seriously (it did that a long time but that is another story).

      On the other hand, Adobe seems to be doing a nice work making sure Flash goes down the drain!

    50. Re:Microsoft should know... by TheRaven64 · · Score: 3, Insightful

      A good faith reaction would be to work with others to fix the security issues.

      The problem is, a lot of the security problems with WebGL need fixing in silicon. With most GPUs currently out there, a small bug anywhere in the OpenGL stack - a huge chunk of code that was designed to run trusted code and so optimised heavily for speed, and not really designed with security in mind - can let shader code completely compromise the system, or at least let malicious code perform a DoS attack. This isn't much of a problem at the moment, because most users don't run OpenGL code that they don't trust. You rarely see GLSL code on servers, it's either running on compute nodes (where compromising the node isn't seen as a problem because you want the user to be able to get as much out of the hardware as possible) or on machines that are basically single-user, so it's already trusted by the only user with any important data on the system.

      --
      I am TheRaven on Soylent News
    51. Re:Microsoft should know... by LS · · Score: 1

      Yes! exactly.

      And silverlight as well. Does silverlight not use the graphics card? What, it does, you say? Ok, so how does this differ from OpenGL from a security perspective? Oh, it doesn't? uhh.....

      --
      There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
    52. Re:Microsoft should know... by Glock27 · · Score: 1

      And if they are fundamental conceptual problems that cannot be fixed?

      There aren't. The best (and only reasonable) "fix" is a "This site wants to access your graphics hardware. Allow?" prompt from the browser.

      Just as with any native code (like a DirectX game, for instance) there is no way to ensure "safety"...although I'd think almost any other attack vector would be easier than WebGL.

      In the end, you just have to trust the source of the code, or not.

      --
      Galileo: "The Earth revolves around the Sun!"
      Score: -1 100% Flamebait
    53. Re:Microsoft should know... by Locutus · · Score: 1

      Yup, they were successful in curtailing OpenGL support and eventually got DirectX to a point where it could be used. It took years and billions of dollars but they were successful. That has nothing to do with what's going on with WebGL or are you saying that in 10 years Microsoft's solution will be usable?

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    54. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      No, it's not. It's based on a Linux kernel fork, but it has lost every point of contact with Linux except the fact that they add every improvement of the Linux kernel to their own, while keeping their own improvements basically to themselves. Yes, releasing a single patch file of some megabytes in size and no comments is the same as not releasing anything.

    55. Re:Microsoft should know... by Anonymous Coward · · Score: 1

      A lot can happen in 15 years.

      Not at Microsoft.

    56. Re:Microsoft should know... by TheRaven64 · · Score: 2

      More likely, you have broken hardware. Microsoft's complaint is based on reality, not theory. In theory, the driver would contain no bugs and the hardware would provide enough isolation that multiple applications' command streams and memory accesses would be isolated and would be no more able to interact without operating system mediation than multiple unprivileged processes on the CPU. In practice, the hardware generally makes a half-arsed attempt at providing isolation, with numerous ways of bypassing it, and the drivers are the buggiest code in ring 0 and probably anywhere on your computer.

      These are not likely to change any time soon. Why do people choose GPUs? When was the last time you saw a GPU advertised with 'security audited drivers' or 'hardware memory protection' as features? People buy GPUs because they're fast, and writing fast secure code (and designing fast secure hardware) is significantly harder than writing code that is either fast or secure. The one that doesn't sell cards is the one that slips, every time.

      This is why most operating systems only permit one user to access the GPU at a time. From a security standpoint, there's little lost because programs can only control the GPU if they are already running on the CPU, and that means that they're code that the user trusts. If they compromise the system, it's no different from the user running a trojan - you can't protect against the user intentionally running malicious code.

      WebGL changes this. Now the web browser will run untrusted GLSL code and there's nothing that the web browser can do to make that secure. In a few years, when GPUs have proper support for MMUs and preemptive multitasking as basic features, WebGL might be possible to implement securely. At the moment, I'd be surprised if it's possible to implement it securely on more than about 10% of the systems that it's possible to implement it on.

      --
      I am TheRaven on Soylent News
    57. Re:Microsoft should know... by jellomizer · · Score: 1

      I think it is more of an issue that Microsoft has their own (DirectX/Silverlight) system that has the same security concerns. And they are saying Open Standard is Bad while ours is good.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    58. Re:Microsoft should know... by Locutus · · Score: 1

      So this "independent research" has also been done on Microsoft's browser integration to the graphics card also? I think we're on the same page on that but this bit about Microsoft calling out WebGL as trouble is 100% marketing FUD and a business method well used by them. If they called out why their own implementation was the correct one that would be one thing but there is no mention of Microsoft's own bypass of the OS and giving the browser direct access to the graphics card.

      Are Apple/BSD, UNIX and GNU/Linux doing the same thing or do they have to do the same to get some much needed performance boost? Maybe we're going back to the days of DOS where the application had their own hardware drivers.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    59. Re:Microsoft should know... by TheRaven64 · · Score: 1

      Bugs in the OpenGL stack are no more plausible than bugs in the rest of a web client stack

      Speaking as someone who has worked quite closely with OpenGL driver developers: bullshit. Web clients are expected to interact with hostile code. When you write code for a web browser, you are writing code that you know people will try to compromise. It encourages defensive programming and exploitable bugs creep in anyway.

      When you are working on OpenGL drivers, you care about one thing: throughput. Every hack, every tweak, everything that gives you another 0.1% performance improvement goes in, because that is what sells. GPUs are sold on performance, nothing else. Given the choice between a secure and stable graphics stack and a fast one, people pick the fast one. Code that is developed under these constraints is far more likely to contain bugs than other code. In general, people don't care because they trust the programs that they choose to run on their GPU (games, CAD, and so forth). Chuck a bunch of untrusted code at this stack, and you're asking for trouble.

      --
      I am TheRaven on Soylent News
    60. Re:Microsoft should know... by Dracos · · Score: 1

      Regarding security, MS suffers little more than a puddle of credibility.

    61. Re:Microsoft should know... by Dracos · · Score: 1

      The fundamental flaws in WebGL are an order of magnitude worse than almost any problem in Flash.

    62. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Also, they could be worrying about browser games. If you can play CoD in a modern browser, why would you buy an XBox? Why would you even buy a PC for that matter...

    63. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Really? We must have landed on different pages, then. I see 30 vulnerabilities on your link. Six are for MS products (20%), and only two for Adobe products (6.7%).

    64. Re:Microsoft should know... by hairyfeet · · Score: 1, Interesting

      Oh please! Can you and the other fanbois be any more full of shit? Let's look at the facts, shall we? What is currently the most buggy driver on ANY system by a LARGE margin...hmmm? Why that would be the graphics drivers by a mile. So what does OpenGL do? Why it allows untrusted third party code to run on the buggiest drivers and NOBODY here sees that as a problem?

      The ONLY reason machines aren't getting pwned by the graphics cards is because currently the ONLY things running on them are legitimate code written by game designers and adding sanity checks or any kind of security to graphics drivers would slow the living shit out of them so that's right out. Do you REALLY want the entire web to be able to run any code they want on that nice fast processor with plenty of RAM for loading exploits and with no real security protecting it? Because if you honestly believe that OpenGL wouldn't be a malware writers' paradise I have a bridge you might be interested in.

      MSFT has already made developers shit bricks by going HTML V5, which will probably cause the slow death of SL and .Net, at least on the client side, so your theory doesn't hold weight. But after finally getting security right with Windows 7 (only 4 per 1000 infected vs 14 per 1000 infected with XP IIRC) they sure as hell don't want to hand the keys to the kingdom over to the WWW. Hell considering how much JavaScript malware is out there you don't think giving malware writers their own processor and RAM wouldn't be exploited out the ass? Please!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    65. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      If they could use it today to retain market share they would create it all over again. It successfully did what it was designed to do. Lock users into Microsoft Windows.

    66. Re:Microsoft should know... by gtall · · Score: 1

      Knocking off the Q-Man was never a bad idea, regardless of who's flip-flopping on the matter this week.

    67. Re:Microsoft should know... by westyvw · · Score: 1

      My thoughts too. What about Flash? I would rather trust webgl over flash....

    68. Re:Microsoft should know... by gtall · · Score: 1

      Wot? ActiveX gave MS years and years of lockin, it was a smashing success for them. The fact that it sucked as a technology never made it to the marketdroids running MS.

    69. Re:Microsoft should know... by ConceptJunkie · · Score: 1

      Nonetheless, Microsoft is here fulfilling the role of the "boy who cried 'Wolf!'". They have very little credibility on this topic. That they may happen to be right does not change the fact that these kinds of statements from them are usually 1.) Self-serving, in order to drive support from technologies they do not control, and 2.) Hypocritical, because they are often pointing out problems that they have been or are at least as guilty of.

      If, in being self-serving and hypocritical, they also happen to be right, it's really only a marketing win from their point of view, as the security and well-being of the electronic world at large has always and clearly been, or has at least been treated as, almost completely orthogonal to Microsoft's interests.

      --
      You are in a maze of twisty little passages, all alike.
    70. Re:Microsoft should know... by Shotgun · · Score: 2

      They had 20 years of UNIX to learn from before they created ActiveX. Hell, even a fool with a comp-sci degree could have told them that unfettered access to the local machine from any remote machine was brain-dead stupid. The biggest pain with Java applets was the sandbox put around it, and Microsoft was well aware of the reason for it.

      The "they didn't know it would be that bad" argument is just lame. If they didn't know, they were completely incompetent. If they knew, and chose to ignore common sense, they were criminally liable. You choose.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    71. Re:Microsoft should know... by dna_(c)(tm)(r) · · Score: 2

      The fundamental flaws in WebGL are an order of magnitude worse than almost any problem in Flash.

      [citation needed]

    72. Re:Microsoft should know... by ConceptJunkie · · Score: 1

      While there is no doubt that this is a FUD move on Microsoft's part, that doesn't preclude the fact that they may be right about WebGL. They lost the browser war, and this is obviously part of their "scorched earth" tactics that are the only way they can ever regain ground.

      --
      You are in a maze of twisty little passages, all alike.
    73. Re:Microsoft should know... by mrchaotica · · Score: 1

      When that someone is Microsoft? Then no, we really don't! For Microsoft, "innovation" is a euphemism for "embrace, extend, extinguish."

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    74. Re:Microsoft should know... by hairyfeet · · Score: 1

      I don't think the problem will be the code so much as the wildly varying hardware which it will run on. Nvidia is currently selling from the 6200 to Fermi, AMD has from the 2900-the latest 6xxx in the channel, and I haven't kept up with Intel but I'm sure they got plenty of chips as well, and that don't include all the chips not currently sold which may or may not have the power to run WebGL.

      So how in the hell would you lock it down, when you are dealing with tons of drivers (most folks don't update GPU drivers) and tons of chips, with huge variance in implementation? Unless you lock it down to where it only runs on a tiny subset (and even then malware writers would write code that bypasses this check) which would kinda kill the whole point of this I honestly just don't see any way to have any real security with this. Hell Nvidia and AMD have released...what...50 drivers between them just in the past couple of years? And there are some pretty huge differences in how a 6200 handles things VS say an HD4650 or the latest Fermi chip.

      So I just don't see how it is possible, not without slowing it down so much with browser checks that you would be better off just using the CPU. It isn't like x86 where pretty much everything runs identical, we are talking a ton of chips with a ton of differences with drivers all over the place. GPUs work well now because the user is only running games which he/she bought from legit sources, and like the Carmack quote above GFX isn't exactly a hotbed of security focus in the first place.

      Whether you want to say MSFT has an agenda or not I think the results would be the same, WebGL equals major pwnage.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    75. Re:Microsoft should know... by metacell · · Score: 1

      I mark this the first of many "Microsoft have shit security durhurhur" comments. Probably no point reading the rest of the comments for this one, there's going to be very little useful commentary in amongst the complete fucking dross.

      There's a reason for the sarcastic comments... and it's that it's extremely hypocritical of Microsoft to dismiss OpenGL due to security flaws, when they usually promote much unsafer technologies.

      But I'm sure there are people who'll be worried (fear), because they can't be sure there's not something to the criticism (uncertainty), and maybe decide it's safest to not use OpenGL after all (doubt).

    76. Re:Microsoft should know... by ConceptJunkie · · Score: 1

      Wow. I'm glad my car only explodes 4 times out of every 1000 times I start it instead of 14. I am now safe.

      I don't know if HTML 5 will cause the slow death of Silverlight or .NET, it's Microsoft's modus operandi. They release so many development and application frameworks that the only difference among them is whether they die a slow death or a fast death. While HTML5 is a strategy that Microsoft is using so they can (probably futilely) bolt an iOS-like layer on top of the already gargantuan Windows behemoth and somehow hope that phones will run this, I think it's going to be a long time before that replaces anything used to make desktop apps, even if the only desktop apps being made any more are Office, games and high-end packages like AutoCAD or Maya. And the only reason Office still exists is because of Microsoft's monopolistic legacy. There's no way that hopelessly cryptic, archaic, bug-ridden monstrosity could have survived the last decade on its own merits.

      --
      You are in a maze of twisty little passages, all alike.
    77. Re:Microsoft should know... by HermMunster · · Score: 1

      Windows has significant security flaws. These flaws are extreme and cause hardship for others and costs the industry billions a year. It is estimated (as of a few years ago) that malware that gets in via security issues and other flaws costs the economy over $5 billion a year. These are pretty hard and known facts. IE with ActiveX is one of those technologies that has serious implications and has from the beginning. Microsoft wrote Windows and continues to progress that product line even with these facts so well known. It is still full of flaws and security holes, many of which are extremely serious. My question is: in comparison to the $5+ billion a year worth of very serious flaws in Windows and the design of products such as ActiveX, how serious is/are the flaw(s) in WebGL? Are we talking magnitudes larger for WebGL? Are we talking ease of access to things once you are able to exploit it? Or, are we talking a tiny fraction of the potential of the Windows flaws (past, present, and future)?

      Asked differently, is Microsoft just showing buffoonery and are they just using FUD to try to destroy a solid competitor?

      Granted security issues are serious and must be addressed. But it seems that if Microsoft (with all these flaws (some massively serious) in Windows) is taking pot shots at a much smaller issue and are getting press coverage just because they have such a loud voice then they are being very disingenuous, doing nothing more than shooting from the hip, calling the kettle black, throwing stones from their own glass houses.

      --
      You can lead a man with reason but you can't make him think.
    78. Re:Microsoft should know... by SuperDre · · Score: 1

      MacOSX, iOS, Linux or Android (other popular OSes) are also full of flaws. The problem Windows has is its actual success, because the sheer amount of people which use Windows makes it a big target for malware/virus writers, but we already see a big increase in malware on the other OSes which are increasing in popularity... No OS is really secure and never will be.

    79. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      ...Maybe because Microsoft is right, and untrusted, proprietary code shouldn't be poking at proprietary, horribly maintained GPU drivers?

    80. Re:Microsoft should know... by runningman24 · · Score: 1

      If what they're saying is true, what does it matter what their motive is? If WebGL is a "severe security risk", what's the point of attacking Microsoft for pointing that out and not supporting it? Conversely, if Microsoft did support something that gave IE and Windows a new gaping security hole, wouldn't everyone then jump on Microsoft for not doing the right thing? Also, if Microsoft has a competing platform which is a lot more secure, why shouldn't they support that instead? I don't see how it's their responsibility to fix a technology which is not prepared for primetime, when they already have technologies that do the same thing without the same amount of risk.

      I really can't figure out what Microsoft is being blamed for here.

    81. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Wow, what a surprising comment from you. Bitter, angry neckbeard who hates Microsoft is bitter, angry, and hates Microsoft! Quick, someone call the local news department!

    82. Re:Microsoft should know... by nfc_Death · · Score: 1

      What's with all the bolding? You can make your points by using proper sentence structure and punctuation.
      I fail to see your point here, first you curse the 'fanbois' but what 'fanbois'?
      Then you claim the most buggy driver on any system is the graphics driver? Making a statement with bold lettering doesn't make it true. Citation needed, badly.

      Then you laud game developers for writing secure game code? It seems you are already trying to sell us a bridge that everyone here knows is vapor. Game developers and designers have been writing the buggiest software ever and always have. Would you like some cheat and exploit sites to go look at? Can you find the same numbers of cheat and exploits offered for any other software anywhere?

      Your Freudian slip in the last paragraph is the kicker though;
      "they sure as hell don't want to hand the keys to the kingdom over to the WWW"
      Yes they certainly don't and that's what this article and your strange comment are all about.

      You sound very much like oil company execs; 'But this other technology is untested and we see flaws, no one should use it no matter what, because our system only fucks up 4 to 14 times out of 1000.'

    83. Re:Microsoft should know... by RightSaidFred99 · · Score: 1

      Wow, welcome to 1998! Microsoft puts a tremendous effort into security now, and they are very good at it. Not flawless by any means, but "credibility" doesn't mean what you think it means. Microsoft is extremely credible in the security space. They've learned the hard way.

    84. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Imagine a world where CPU architectures were kept secret. Instead, everybody assembled to one of two high level bytecode languages which then compiled your bytecode into proprietary, secret machine code and executed it. Thus, every time a new CPU generation comes out, the secret machine code changes with it, sometimes drastically. Also, there's a lot more of these secret machine codes now. This is pretty much how GPU interfaces work.

      A while back some people at Crytek were saying that we needed direct access to the graphics hardware, because OpenGL and DirectX were tremendously slow compared to the direct access offered by consoles. I'd like to argue for that same point, but from a different perspective - our kernels need direct hardware access, not through a proprietary, buggy driver. We can't understand and protect against the security implications of untrusted graphics code because graphics cards don't have low level interfaces like CPUs do.

    85. Re:Microsoft should know... by BitZtream · · Score: 1

      :BEGIN ActiveX IGNORANCE RANT:
      You do realize that ActiveX is just a plugin system ... right? Just like the one Mozilla has, and Chrome, and Safari, and Opera ...

      It's just a COM object, you know Mozilla uses its own variation of COM called XPCOM ... which is actually less secure than ActiveX. In order to get ActiveX to load in a browser AT ALL, the developer has to mark the object as safe for use in the browser, then if you want to access it via javascript, it also has to be marked for that by the developer. XPCOM has no such flags, though it does use additional security mechanisms to accomplish the same thing, so they are functionally the same with one major exception:

      ActiveX is a system wide plugin implementation.

      IE had some stupid defaults, and MS developers made a habit of marking all kinds of ActiveX objects as safe for use in a browser and scripting when they never should have been marked as such. Then when they first added support to IE for it, they defaulted to accepting them all, then they changed to defaulting if the ActiveX object was digitally signed to be more secure, which of course took 24 hours for new controls to be released with digital signatures on them from the bad guys, but it did cut out most of the accidentally 'safe for web/scripting' controls since they hadn't been digitally signed.

      Nowadays, it takes an actual exploit to get unknown code to run in IE, otherwise the user has to click Yes somewhere.

      Yes, the IE implementation to use ActiveX was a prime example of how not to design software which is intended to handle documents from untrusted sources, but it was purely the IE implementation that was bad, and the real problem was defaulting to allow instead of deny or prompt.

      If ActiveX is bad, so is XPCOM and all Mozilla plugins, and well, all plugins in general, regardless of browser or application. I have plugins that compile for both ActiveX and XPCOM with nothing more than a change of the IDL compiler so it generates Mozilla compatible wrappers instead of ActiveX wrappers for the methods. If I simplified it ever so slightly, I could actually use the same IDL file for both too, just use the different wrapper generators.

      If you think ActiveX is the problem, you are 100% ignorant of what the problem actually is and why it's a problem.

      There is absolutely nothing about ActiveX that makes it 'bad' or 'insecure'. How the IE team implemented support for it on the other hand, was horrible.

      Blaming ActiveX for IE's problems is roughly the same as blaming Nintendo because you threw your Wiimote through your big ass plasma screen in a fit of rage.

      I beg you, please stop spreading such ignorant FUD. :END ActiveX IGNORANCE RANT:

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    86. Re:Microsoft should know... by RightSaidFred99 · · Score: 1

      Nice try, but facts exist in a vacuum. Nobody but anti-MS neckbeards thinks the way you describe.

    87. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      ...well you can trust what you like of course.

      Fortunately your opinion stands for exactly zero when it comes to these things.

      For once Microsoft have taken a right decision and they are to be applauded for it.

      Html has always been best for rendering text and there is good reason why that will remain the case.

    88. Re:Microsoft should know... by RightSaidFred99 · · Score: 1

      Yeah... no. Microsoft implements their own shit, they control it, and they can secure it. WebGL would be a glut of browsers sending shit haphazardly to the graphics drivers, God knows wtf will happen.

      I also find it laughable that people think a company should just bend over and take it in the ass when an "Open Standard" comes out. What if I have a better solution to a problem? Ohhh noooo!! You must use this (dramatic music) duh-duh-duh!!! STANDARD!

      Well... no. They don't have to. Sometimes standards suck and should be shunned. Sometimes (not always), standards are anathema to innovation.

    89. Re:Microsoft should know... by RightSaidFred99 · · Score: 1

      Don't be daft. Silverlight does not allow a developer to directly send code to the graphics driver for execution. You have no idea what you're talking about.

    90. Re:Microsoft should know... by beelsebob · · Score: 1

      Personally, I'll go with "perhaps we should stop blaming the nifty API, and start blaming the crappily written kernel-level code".

    91. Re:Microsoft should know... by Goaway · · Score: 1

      so this "independent research" has also been done on Microsoft's browser integration to the graphics card also?

      Microsoft's graphics card integration does not let websites run arbitrary code on the GPU, so it is entirely unrelated to the problems with WebGL.

      (Most other browsers have similar projects, and these are also independent of WebGL and its problems.)

    92. Re:Microsoft should know... by snemarch · · Score: 1

      They aren't dismissing OpenGL, they're dismissing WebGL - please figure out the difference and at least try contemplating why WebGL might not be a terribly good idea before commenting further.

      --
      Coffee-driven development.
    93. Re:Microsoft should know... by spongman · · Score: 1

      i'm sorry, but as cute as processing is, it doesn't come close to touching the capabilities of silverlight, let alone flash. when you can do animated/layered compositing of bitmap effects on vector shapes in 3d, with audio & video at decent framerates - let me know.

    94. Re:Microsoft should know... by snemarch · · Score: 1

      Just as with any native code (like a DirectX game, for instance) there is no way to ensure "safety"...although I'd think almost any other attack vector would be easier than WebGL.

      I do wonder. Of course it would mean targeting specific GPU vendors, and perhaps specific driver versions as well. But imagine what you could do if you were able to play with DMA... bye bye to any OS security.

      --
      Coffee-driven development.
    95. Re:Microsoft should know... by Hatta · · Score: 1

      Nation building is never a good idea.

      --
      Give me Classic Slashdot or give me death!
    96. Re:Microsoft should know... by snemarch · · Score: 1

      And perhaps the truth lies somewhere between those extremes?

      Graphics drivers are crappily written kernel-level code - it's one of the few things that has made my system crash, whether that be Linux or Windows (Vista did at least one thing right - move large parts of graphics drivers to user mode).

      We have to accept this situation, it's not going to change anytime soon. OpenGL itself is a rather big chunk of code as well, and it's not the kind of code that's reviewed with a focus on security.

      Do you, honestly, think it's a good idea to pretty much directly expose the GL and graphics driver stack to the web?

      --
      Coffee-driven development.
    97. Re:Microsoft should know... by man_of_mr_e · · Score: 2

      ActiveX is rarely used as a malware vector. Almost all malware is delivered these days from Flash, Java, PDF, and through user allowed trojans.

      The fact is, ActiveX holds no more additional threat than do Trojans, as both require end users to agree to install them. In the distant past that was not the case, but now it is and virus makers don't even bother with it anymore as it's too limiting and with IE Protected mode, it's very hard to exploit anymore.

    98. Re:Microsoft should know... by LO0G · · Score: 0

      Umm... Flash is an ActiveX control.

      There hasn't been an ActiveX vulnerability in a REALLY long time (like maybe a decade?). But ActiveX is a plugin technology. When people talk about ActiveX being insecure, they're really saying that plugins are insecure.

      And guess what: Every browser out there (except iOS browsers) has a plugin model. There are only two things that make ActiveX plugins different from any other plugins:
            1) A web page can suggest an installation location to use for the plugin (unlike Firefox which recommends that you install plugins from their own site)
            2) ActiveX plugins are all digitally signed (on the internet). That means that it's hard for bad guys to deploy vulnerable plugins. This isn't a huge deal because bad guys just use vulnerabilities in existing signed plugins. And they can use #1 to point the user to plugins which have known vulnerabilities.

      That's basically it.

    99. Re:Microsoft should know... by man_of_mr_e · · Score: 1

      The difference here is that an extended sandbox is disabled by default, and must be explicitly enabled via group policy, and even then can only run in the confines of a trusted security zone. WebGL's dangerous features are part of the default mode of operation.

    100. Re:Microsoft should know... by Billly+Gates · · Score: 1

      Microsoft supports CSS 3D instead. Seriously Microsoft is right about security flaws in OpenCL and WebGL as skeptical as I am.

      I read stories here on Slashdot with computer scientists publishing articles saying how bad OpenCL is from a security standpoint. No user privileges at all in using the GPU.

      If only drivers did not contain scripts, trusted, and untrusted code in a demonic bastion could we trust them. Check this out, when a null hits a texture load API? A simple JavaScript could root the system easily using WebGL and read your RAM just like that example above printed out the contents of the user's VRAM as a texture.

      Another example of hardware acceleration with security gone wrong is flash. It seems the new flaws of security are graphics related. We need a new graphics API, frankly Intel, Nvidia, and ATI have shitty and horrible drivers no matter what the platform is. Even my ATI 5750 can not render the stupid aquarium right with Firefox 4 in Windows 7. I admit I am not a hardware expert but it seems the driver model in itself is flawed.

    101. Re:Microsoft should know... by man_of_mr_e · · Score: 1

      Unix was not designed to be a secure OS. Most of the security was layered on through years of attack. It's only through the efforts of projects like OpenBSD that Unix/Linux has become pretty secure.

    102. Re:Microsoft should know... by Snover · · Score: 1

      One of the main differences in my experience between ActiveX and other plugin systems that made it so hazardous is that ActiveX’s system for plugin discovery actually worked. The plugin lookups for NPAPI-based browsers required asking a service run by the browser manufacturer what plugins could handle a certain mime-type (or, earlier, they just directed to a generic web page that listed some common plugins), whereas ActiveX allowed the <object> tag to explicitly declare a URL where a plugin could be found. Allowing the page itself to provide an arbitrary URL to a plugin package may have seemed like a great idea from an ease-of-use perspective, but it also meant that there was no gatekeeper to prevent unscrupulous authors from creating plugins and dumping them in the hands of unwitting users. It’s kind of like the Apple iOS model vs the Android model of software distribution. Even changing it to ask whether or not to run/install a control wasn’t a great change because it would still interrogate the package for the plugin name, which often ended up being something like “CLICK YES TO VIEW THIS PAGE”.

      --

      [insert witty comment here]
    103. Re:Microsoft should know... by man_of_mr_e · · Score: 1

      Yes, you're correct. However, most people who refer to ActiveX as unsafe refer to so called "drive-by" ActiveX installation. This is something that hasn't been a problem for a very long time, but people keep claiming it's true.

    104. Re:Microsoft should know... by DarkOx · · Score: 1

      I am not so sure that is even the case. One positive thing that did come out of the Iraq war (which I was supportive of at the time, but in hindsight don't feel it was worth the costs monetary or human) was the message it sent. "Don't attack US interests, and don't let people within your borders attack US interests or you might find yourself being regime changed."

      That message has if anything won a good number of "partners" in the war on terror. Sure those governments are not taking anti-terror steps because it's the right thing to do but rather to save their own hides, often at the expense of their own who they continue to abuse, but it did make us safer.

      Libya is NOT a humanitarian question. If we were there for humanitarian reasons, we would be in Bahrain, Yemen, Iran, (a full third of African Nations), North Korea, and Perhaps China trying to topple those regimes. Saying it's for humanitarian reasons is either a lie or a delusion, depending on the speaker.

      Qaddafi - was one of the leaders in the region who had suddenly despite his past gotten religion about opposing terror and has been supportive of our security interests, post 911/Iraqi invasion.

      By making us a part of this civil war (that's what it is) Obama has changed the message from "Don't put us in jeopardy and we won't topple you" to one of "Make sure we need you or that you are so dangerous we won't want to risk it". That is not going to be good for our long term interests.

      Make no mistake the "He's a son of a bitch, but he's our son of a bitch" approach for foreign policy this country has had since Truman is not a very smart one, but this new Obama policy of "We are big powerful and above all fickle, your best pal one day and bombing you the next" policy is aggressively stupid.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    105. Re:Microsoft should know... by Stephen+Samuel · · Score: 1
      It really works well. Given all of the security problems with MS-Windows, if Microsoft calls something 'insecure', it will cause all sorts of CxOs to quake in their boots at the thought.

      Just like the way that MS complaints about RPM compatibilities would trigger flashbacks to DLL hell,
      or warnings about 'hardware (driver) hell' for Linux would cause panic attacks for specialists who sometimes spent days getting a proper mix of Windows drivers for machines they were building for customers.

      etc., etc., etc....

      --
      Free Software: Like love, it grows best when given away.
    106. Re:Microsoft should know... by asvravi · · Score: 1

      I agree. MS has become increasingly security savvy to protect their main business - the OS and the Office applications that go on it. The Vista/Win7 permissions model, MS Anti-malware updates, MS Security Essentials, Driver signing, bug bounties, are all examples of MS efforts to up the security. These comments are along expected lines from MS in this age. (And no, I use more Linux than Windows, but credit to be given where credit is due).

    107. Re:Microsoft should know... by ultranova · · Score: 1

      Oh please! Can you and the other fanbois be any more full of shit?

      Fanbois of what?

      Let's look at the facts, shall we? What is currently the most buggy driver on ANY system by a LARGE margin...hmmm? Why that would be the graphics drivers by a mile. So what does OpenGL do? Why it allows untrusted third party code to run on the buggiest drivers and NOBODY here sees that as a problem?

      I have bad news for you: every graphical program - such as the web browser - sends commands to the graphics driver. And both Firefox and IE nowadays use graphics acceleration - but even if they didn't, the Windows and Linux desktops do.

      I don't know what you mean by running on the drivers - perhaps you meant running shaders on the graphics card? But then any malice is restrained by the inability to do anything beyond rendering into a buffer. Or perhaps you meant the shader compiler has buffer overflows or something? That might be, but it doesn't match your "no sanity checks" scenario, since shader compilation is done only once and thus doesn't really need to be that fast.

      The ONLY reason machines aren't getting pwned by the graphics cards is because currently the ONLY things running on them are legitimate code written by game designers and adding sanity checks or any kind of security to graphics drivers would slow the living shit out of them so that's right out.

      It's a good thing a malicious shader program is unable to do anything besides rendering into an on-card buffer, no?

      Do you REALLY want the entire web to be able to run any code they want on that nice fast processor with plenty of RAM for loading exploits and with no real security protecting it? Because if you honestly believe that OpenGL wouldn't be a malware writer's paradise I have a bridge you might be interested in.

      Just out of curiosity, could you provide a simple example of malicious OpenGL code? I accept a series of OpenGL commands rather than insist on actual shader programs.

      MSFT has already made developers shit bricks by going HTML V5, which will probably cause the slow death of SL and .Net, at least on the client side, so your theory doesn't hold weight.

      .Net is a managed language family to write programs in, and has nothing to do with HTML 5 or any other version.

      But after finally getting security right with Windows 7 (only 4 per 1000 infected vs 14 per 1000 infected with XP IIRC) they sure as hell don't want to hand the keys to the kingdom over to the WWW. Hell considering how much JavaScript malware is out there you don't think giving malware writers their own processor and RAM wouldn't be exploited out the ass? Please!

      You've yet to explain how it would be exploited. It can't be used to access files on the hard drive. It can't be used to access the Net. The worst it can be used for is to display Goatse, and that's something you can do even without OpenGL access.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    108. Re:Microsoft should know... by shutdown+-p+now · · Score: 1

      Windows has significant security flaws. These flaws are extreme and cause hardship for others and costs the industry billions a year.

      Can you give some specific examples of "extreme security flaws" in Windows 7?

    109. Re:Microsoft should know... by shutdown+-p+now · · Score: 1

      This is for out-of-browser (a fancy marketing term for "desktop") applications only, not the kind that run when you open a web page.

    110. Re:Microsoft should know... by shutdown+-p+now · · Score: 2

      A browser implementing WebGL makes calls to the operating system's implementation of OpenGL or Direct3D, which is supposed to protect each application using OpenGL or Direct3D from others.

      The operating system "implements" OpenGL or D3D largely by deferring to the driver, since only that knows whether the call can be handed over to graphics hardware pretty much as is, or needs to be broken down into smaller components. What's under question here is the security of the driver.

      It's not normally an issue when we're talking about basic stuff such as "draw this here polygon", but WebGL also has shaders - i.e. code! - that runs on the GPU. And it's much harder to guarantee that the existing implementation of that is completely safe - it is actually a VM of sorts, so now you're talking about sandboxing that properly, and the people who wrote it likely never considered that shaders would be coming from random unsafe sources.

      So, yes, it's fundamentally a security problem that doesn't go away just by ignoring WebGL and needs to be fixed; but you can't ask the OS to fix it (or at least not without ditching hardware acceleration altogether). The burden lies on graphics hardware manufacturers.
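The concern in the comment above, that shader code from arbitrary pages ends up in the GPU driver, is why a browser has to vet shader source before compiling it. As an added example (not part of the original thread and not any browser's actual code), here is a simplified JavaScript pre-compile check modelled on the WebGL 1.0 / GLSL ES 1.00 restrictions on loops and on the reserved `webgl_` identifier prefix; the size and iteration limits, the sample shaders and all function names are assumptions.

```javascript
// Added example: a simplified pre-compile gate for untrusted GLSL ES 1.00 source.
// The limits below are constructed for illustration; real browsers use a full
// shader parser/translator rather than regular expressions.
const MAX_SOURCE_CHARS = 64 * 1024;
const MAX_LOOP_ITERATIONS = 1024;

function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/[^\n]*/g, " ");
}

// Accepts only: int i = <int>; i < <int>; i++   (also <=, ++i, i += <int>)
const FOR_HEADER = new RegExp(
  "^\\s*int\\s+([A-Za-z_]\\w*)\\s*=\\s*(-?\\d+)\\s*;" +   // init with literal
  "\\s*\\1\\s*(<=|<)\\s*(-?\\d+)\\s*;" +                  // compare with literal
  "\\s*(?:\\1\\s*\\+\\+|\\+\\+\\s*\\1|\\1\\s*\\+=\\s*(\\d+))\\s*$"); // increment

// Returns the iteration count of a `for` header, or null when the bounds
// are not compile-time integer literals in the accepted form.
function loopIterations(header) {
  const m = FOR_HEADER.exec(header);
  if (!m) return null;
  const start = parseInt(m[2], 10);
  const bound = parseInt(m[4], 10);
  const step = m[5] === undefined ? 1 : parseInt(m[5], 10);
  if (step === 0) return Infinity;                 // i += 0 never terminates
  const span = bound - start + (m[3] === "<=" ? 1 : 0);
  return span <= 0 ? 0 : Math.ceil(span / step);
}

function checkShaderSource(src) {
  const problems = [];
  if (src.length > MAX_SOURCE_CHARS) problems.push("source too large");
  if (/[^\t\n\r\x20-\x7e]/.test(src)) problems.push("character outside printable ASCII");
  const code = stripComments(src);
  if (/\b_?webgl_/.test(code)) problems.push("identifier uses reserved webgl_ prefix");
  if (/\b(while|do)\b/.test(code)) problems.push("while/do loops are not accepted");
  // Every `for` must have a header whose trip count is known before compiling.
  const forRe = /\bfor\b\s*(?:\(([^)]*)\))?/g;
  let m;
  while ((m = forRe.exec(code)) !== null) {
    const n = m[1] === undefined ? null : loopIterations(m[1]);
    if (n === null) problems.push("for loop without constant bounds");
    else if (n > MAX_LOOP_ITERATIONS) problems.push("for loop exceeds iteration cap");
  }
  return { ok: problems.length === 0, problems };
}

// Only hands vetted source to the driver's compiler. `gl` is a WebGLRenderingContext.
function compileUntrustedShader(gl, type, src) {
  const verdict = checkShaderSource(src);
  if (!verdict.ok) throw new Error("shader rejected: " + verdict.problems.join("; "));
  const shader = gl.createShader(type);
  gl.shaderSource(shader, src);
  gl.compileShader(shader);
  if (!gl.getShaderParameter(shader, gl.COMPILE_STATUS)) {
    const log = gl.getShaderInfoLog(shader);
    gl.deleteShader(shader);
    throw new Error("compile failed: " + log);
  }
  return shader;
}

// Constructed sample inputs.
const GOOD_SHADER = `
precision mediump float;
uniform sampler2D tex;
varying vec2 uv;
// box blur; no while loops here
void main() {
  vec4 acc = vec4(0.0);
  for (int i = 0; i < 8; i++) {
    acc += texture2D(tex, uv + vec2(float(i) * 0.01, 0.0));
  }
  gl_FragColor = acc / 8.0;
}`;

const BAD_UNBOUNDED = `
precision mediump float;
uniform int n;
void main() {
  float x = 0.0;
  for (int i = 0; i < n; i++) { x += 1.0; }
  while (x > 0.0) { x += 1.0; }
  gl_FragColor = vec4(x);
}`;

const BAD_HUGE = `
void main() {
  float x = 0.0;
  for (int i = 0; i < 100000000; i++) { x += 1.0; }
  gl_FragColor = vec4(x);
}`;
```

A check like this only narrows what reaches the driver; it does not make a buggy driver safe, which is the point the comment makes about where the burden lies.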

    111. Re:Microsoft should know... by shutdown+-p+now · · Score: 1

      Arguably they are less likely in OpenGL because the semantics are more tightly defined and the set of commands is smaller and less complex than in (say) HTML 5.

      You forget about shaders.

    112. Re:Microsoft should know... by ultranova · · Score: 1

      More likely, you have broken hardware. Microsoft's complaint is based on reality, not theory. In theory, the driver would contain no bugs and the hardware would provide enough isolation that multiple applications' command streams and memory accesses would be isolated and would be no more able to interact without operating system mediation than multiple unprivileged processes on the CPU. In practice, the hardware generally makes a half-arsed attempt at providing isolation, with numerous ways of bypassing it, and the drivers are the buggiest code in ring 0 and probably anywhere on your computer.

      Well, no. The GPU does not make a half-arsed attempt at providing isolation, because it makes no attempt whatsoever. It can't, because it has no way to know what program originated any particular command it's given. It's entirely the driver's responsibility to provide isolation, because it's the only thing that can.

      And besides, since all major browsers - including Microsoft's IE9 - are already using GPU acceleration, if the drivers really are that buggy, you're already screwed.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    113. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Posting as anonymous so I don't remove my mods.

      Think about it for a while. You installed the graphics program. It's running already. You have to execute regular code before it can be sent to the graphics driver and then the graphics card. Running code sends instructions to the graphics card.

      If you run a video game or a graphics program, you implicitly trust it. By running it, you've lost the security battle. The expression is closing the barn door after the horse has bolted. With a browser executing random instructions for your video card, well there you have a problem. Your browser might have been installed and running but do you trust what it is accessing? I sure don't.

      Font libraries and image libraries have been exploited many times before. Hell, even the Python interpreter has. What makes you so sure that a video driver, of which there are many, won't get exploited? If anything, it's more exploitable, there is one for every card!

      How? Look up buffer overflows. Driver code is often privileged,

      ~ improfane

    114. Re:Microsoft should know... by WindBourne · · Score: 1

      If you have a reputation of being a slut (fairly deserved) and you decide that you want to clean it up,
      Is it smart to continue doing what earned you that reputation in the first place?
      That is what you are asking.

      Yes, MS is HORRIBLE on security. There are few on this planet that do not know it. Many try hard to stand up for them and claim that it is not an issue. Yet, the reason why the virus and attack come is because MS is EASY.
      BUT, MS is working on cleaning up that reputation (and mac and linux should be wary of the day that MS is considered stronger than either of them, for they will be the targets). Off hand from what I have seen MS is better, but they are still at the bottom.

      So, if you are at the bottom of a heap, why would you want to adopt something that continues your reputation and does enable you to compete against others?

      --
      I prefer the "u" in honour as it seems to be missing these days.
    115. Re:Microsoft should know... by ConceptJunkie · · Score: 1

      Microsoft really didn't even acknowledge security problems as a priority until about 2000, and they made no significant progress until about 2004.

      I stand by my statement. Just because they are better now doesn't mean they have much credibility. There are still millions of zombie Windows PCs as a testament to Microsoft's legacy with respect to security.

      --
      You are in a maze of twisty little passages, all alike.
    116. Re:Microsoft should know... by Entrope · · Score: 1

      Shaders are not really more complicated than the geometric transforms and image management bits in the Canvas element. They are simpler than CSS inheritance rules. I could go on, but I hope you get the point.

    117. Re:Microsoft should know... by RightSaidFred99 · · Score: 1

      Yeah.. you do know those zombies were in few, if any cases, due to security holes in MS products right? If some asshole asks another asshole "Hey, run this", and asshole the second follows asshole the first's advice and runs it, that's not really MS's fault.

    118. Re:Microsoft should know... by ultranova · · Score: 1

      Think about it for a while. You installed the graphics program. It's running already. You have to execute regular code before it can be sent to the graphics driver and then the graphics card. Running code sends instructions to the graphics card.

      I'm thinking about it. I still don't see how having this regular code execute OpenGL commands as opposed to some other commands has anything to do with security. Especially since the code is already using OpenGL and Direct3D/Direct2D to accelerate drawing the web page.

      If you run a video game or a graphics program, you implicitly trust it. By running it, you've lost the security battle.

      So by running a web browser, a graphical program, you've already lost the battle. Gotcha.

      The expression is closing the barn door after the horse has bolted. With a browser executing random instructions for your video card, well there you have a problem. Your browser might have been installed and running but do you trust what it is accessing? I sure don't.

      So how does WebGL change the situation?

      Font libraries and image libraries have been exploited many times before. Hell, even the Python interpreter has. What makes you so sure that a video driver, of which there are many, won't get exploited? If anything, it's more exploitable, there is one for every card!

      Yes, they have. How does that make being able to call OpenGL functions a security risk?

      How? Look up buffer overflows. Driver code is often privileged,

      And since a browser has no choice but to call graphics driver code to display anything, your point would be?...

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    119. Re:Microsoft should know... by beelsebob · · Score: 1

      Graphics APIs are crappily written code that calls into crappily written kernel-level code - it's one of many things that makes systems crash, whether it be linux or windows or OS X.

      We have to accept this situation, it's not going to change any time soon. Graphics APIs are a big chunk of code as well, and it's not the kind of code that's reviewed with a focus on security.

      Do you, honestly, think it's a good idea to let web pages render images and html through the graphics API and driver via the web?

    120. Re:Microsoft should know... by jafac · · Score: 1

      This is just microsoft's latest in a long, long, LONG string of moves to kill off any kind of open 3d framework from thriving. Many, many possible, potential candidates have come and gone, and microsoft has been there standing over the corpse of each one, with bloody hands, proclaiming their own innocence in innovation. Let's get real here, and understand that this is, and always has been, about D3D, and controlling the game development market. When all games (game content) can easily cross over via OpenGL/WebGL, MS will be fucked, as far as having a captive developer market on xbox/windows. Browser-based content is currently only a small part of that, game-wise, because gamers need hardware support == performance. But on the mobile side - how do you suppose that's going to matter? Since mobile == phones, microsoft has a very sharp knife to stick into WebGL. Folks are starting to get damn paranoid about trojan'd content on smartphones. It will be interesting to see where microsoft goes with this.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    121. Re:Microsoft should know... by shutdown+-p+now · · Score: 1

      CSS inheritance rules have pointer arithmetic?

    122. Re:Microsoft should know... by LO0G · · Score: 1

      Ok, I've got to ask: Which people within the borders of Iraq attacked the US?

      I totally support and supported the Afghanistan invasion for exactly the reason you listed ("Don't attack the US or let people who attack the US use you as a safe harbour"), and I oppose(d) the Iraq invasion for the exact same reason: As far as I know, nobody who was living in Iraq attacked the US and Iraq didn't harbour any of the people who attacked the US.

    123. Re:Microsoft should know... by macshit · · Score: 1

      A good faith reaction would be to work with others to fix the security issues.

      The problem is, a lot of the security problems with WebGL need fixing in silicon. With most GPUs currently out there, a small bug anywhere in the OpenGL stack - a huge chunk of code that was designed to run trusted code and so optimised heavily for speed, and not really designed with security in mind - can let shader code completely compromise the system, or at least let malicious code perform a DoS attack....

      Then require shaders to be signed (with some system of delegating trust), or only allow webgl programs to reference standard named shaders, or ... etc

      Anyway the point is that even if webGL needs to be substantially altered / gimped / whatever, ultimately, it's not an unsolvable problem. Maybe it should be replaced entirely (e.g. by a scene-graph oriented system), though of course "good faith" effort would make the smallest change that reasonably solves the problem.

      But however it's addressed, the crucial issue is whether the process is open and broadly based, and results in an open, widely adopted standard that's equally accessible to all parties -- as webGL is, whatever its flaws -- or something that's proprietary and/or under the control of one party, as MS would no doubt highly prefer (as long as that one party is them).

      MS has a lot of really smart and experienced people, so in an ideal world they could play an important part of such an effort -- but unfortunately in this world, their dysfunctional corporate culture and history of backstabbing make it very hard to trust them.

      --
      We live, as we dream -- alone....
    124. Re:Microsoft should know... by tepples · · Score: 1

      It's entirely the driver's responsibility to provide isolation

      The problem, according to another comment, appears to be that GLSL implementations provide no robust bounds checking.

    125. Re:Microsoft should know... by Locutus · · Score: 1

      and hopefully they've designed in ways to mitigate security issues.

      If WebGL and OpenCL are as holy as some are saying then some large companies are completely missing the security boat. It still seems like this should be something Microsoft takes up with those groups supporting WebGL instead of public releases stating 'it may do this' or someone 'might do that', etc. This makes their statements a marketing ploy no matter if it's true or not.

      if it is as bad as Microsoft says then it will fail on its own.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    126. Re:Microsoft should know... by Locutus · · Score: 1

      if it really is that bad then it will fail on its own as more and more attack vectors get listed. Adding security after the fact is not likely to help with compatibility and constantly breaking compatibility while creating a new standard is a tough road.

      I'm surprised such large corporate backers would be pushing such flawed software too.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    127. Re:Microsoft should know... by Locutus · · Score: 1

      correct, they _could_ be right but since they are well known for spreading FUD about competitors their warning flares look like clown faces in the sky. I would much rather see anyone else make statements about this than them. Especially since they are promoting some other direct interface to graphics drivers by the browser.

      if WebGL is really this flawed then it will fail on its own.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    128. Re:Microsoft should know... by hairyfeet · · Score: 1

      The BIG difference is that currently browsers ONLY use high level code, and what WebGL will do is give bare metal access to the WWW. You honestly don't see the problem? The entire reason why GPUs are able to crank out the truly insane number of IPS that they are able to now is because they are running at ring 0 right there deep in the kernel.

      Your basic graphics calls being done by web browsers today simply aren't getting anywhere close to bare metal, at most they may call on DXVA for flash and even with sandboxing look how often flash has pwned machines. With ANY 3D graphics framework you are talking running at almost a DOS level of bare metal since the OS basically hands everything to the GPU with implicit trust. Without this GPUs would be so slow as to be pointless compared to the CPU, to keep those large pipes fed there is simply NO way to do real sanity checks or sandboxing. Just look at how large the pipes are on the average GPU (hell my $60 HD4850 has a 256bit pipeline and GDDR 3, and that is slow compared to the 256bit GDDR 5 pipelines in the latest Radeons) and you honestly think you can do any real security checks and not have it choke and stall and end up twiddling its thumbs?

      The entire point of DX and GL is to make everything fast and smooth. Fast and smooth is not even on the same planet as secure and well programmed. Look at the logs of any machine with decent GPUs you'll find most bugs can be traced back to graphics drivers, and that is with clean legit code running on them. Do you honestly think with malware writers purposely trying to overflow the buffers they won't make the whole thing fall down?

      And as a final note I'd like to point out the dead elephant in the room nobody has yet mentioned...the firmware. Nearly every chip nowadays comes with the ability to flash firmware, so that bugs can be fixed and features added or subtracted. Now imagine what a malware writer could do with that! Hell forget the malware writers, imagine the trolls! You got trolls now that will paste links to foul and sometimes illegal shit just to cause someone to have a bad day, imagine what "fun" they'd have with the ability to destroy someone's GPU?

      I'm telling you whether you like MSFT or not doesn't matter, having bare metal access to hardware by the WWW is a BAD idea with a capital B!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    129. Re:Microsoft should know... by paulo.casanova · · Score: 1

      Sorry, I meant this year (2011). And I linked to the second page of the list instead of the first one. Here is the link to the start page. Rule number one: don't post without sleep :)

      Adobe: 5, Microsoft: 4, Cisco: 2, Oracle: 2, IBM: 1, all out of 58. Now, if you take into consideration the number of products Microsoft ships and its installed user base it is a hell lot better than it used to be (remember the days when a new root exploit for IIS came out every week?)

      Also, please understand I'm not saying Microsoft is good at security. I'm just saying they're much better than what they used to be. Of course you can argue that -Inf + x = -Inf, for any x :) but that's a totally different issue.

    130. Re:Microsoft should know... by baxissimo · · Score: 1

      I'm not a security guy, but I think the access that shaders give you to the "bare metal" is a lot less than you seem to believe. The code you write is not some kind of assembly instructions executed directly on the GPU. Even what they call shader assembly code is actually just a low-ish-level language that is first processed by the video card driver. DOS attacks are the main worry, and they're being addressed by ARB_robustness.

    131. Re:Microsoft should know... by baxissimo · · Score: 1

      Well, WebCL is the thing that's going to be for that, really. Doing compute with WebGL would be like going back to the bad old days before CUDA.

    132. Re:Microsoft should know... by baxissimo · · Score: 1

      Put another way -- saying "Oh noes! It lets you run shader code DIRECTLY ON THE GPU!!" is not much different from saying "Oh noes! It lets you run javascript DIRECTLY ON THE CPU!!!". In neither case is anything actually running "directly" on the metal. Both go through layers of interpretation before getting to their respective processors. And there are no GPU instructions that have any way to do anything to files on your machine, just like there are no javascript functions that do.

    133. Re:Microsoft should know... by baxissimo · · Score: 1

      Just as with any native code (like a DirectX game, for instance) there is no way to ensure "safety"...although I'd think almost any other attack vector would be easier than WebGL.

      I do wonder. Of course it would mean targetting specific GPU vendors, and perhaps specific driver versions as well. But imagine what you could do if you were able to play with DMA... bye bye to any OS security.

      This is NOT native code we're talking about here! This is a javascript API that lets you send shader programs written in a high level language to the GPU! Both the javascript code and the shaders are jit compiled (in a modern browser) before being run. The javascript WebGL api has no way for you to get anywhere near a DMA handle. The GPU may use DMA under the hood, but big whoop, GPU accelerated 2D canvases like IE9 has now do the same thing. You can't get any closer to getting your hands on a DMA handle with WebGL than you can with the 2d canvas context API.

    134. Re:Microsoft should know... by HermMunster · · Score: 0

      I couldn't disagree more. 25 years of PC watching it advance (or deteriorate in many ways) clearly demonstrates what you are saying is untrue, almost as if you are astroturfing for Microsoft.

      All toolbars are ActiveX controls. Flash is an ActiveX control under IE. ActiveX controls were there at the beginning of this insanity we call Windows insecurity. In fact, it is the major malware vector for the past 10 years. Malware is spread through many means and is not by far the greatest malware vector but it certainly is a major contributor and one of those technologies that lead us to this point.

      It is also false that one must agree to install all ActiveX controls and that trojans are installed in the same manner (only by permission). In fact, there was a time when the malware authors relied on the ignorance of people by placing you in a loop where you were not allowed out unless you answered yes to the question. Another method is through the concept of allowing malware authors to create media files with codecs that are nothing more than viruses.

      You really need to learn more about the technology you are misleading others about. IE and Windows are infection machines. Maybe not intentionally so, but Microsoft has been negligent in so many ways. Seriously, you need to spend a couple years cleaning computers of viruses and then come back and try to say what you have with a straight face.

      My points stand. Microsoft is pointing a finger at a small issue so that the developers won't support it while their whole large ecosystem is so infested that it can only be viewed as insanity.

      --
      You can lead a man with reason but you can't make him think.
    135. Re:Microsoft should know... by kmoser · · Score: 1

      In the past year that I've had Win7 installed on one of my PCs, I've lost count of the many "critical security updates" Windows Update has installed. Virtually every one of them describes the vulnerability as a possibility of a malicious program allowing an attacker to gain control of my PC. I would characterize those as "extreme."

    136. Re:Microsoft should know... by metacell · · Score: 1

      I know the difference; I just used the wrong word. And I don't deny WebGL has huge security issues; it's still hypocritical to dismiss WebGL when you promote even more unsafe technologies.

    137. Re:Microsoft should know... by macs4all · · Score: 0

      MacOSX, iOS, Linux or Android (other popular OSes) are also full of flaws. The problem Windows has, is its actual success, because of the sheer amount of people which use Windows makes it a big target for malware/virus writers, but we already see a big increase in malware on the other OSes which are increasing in popularity... No OS is really secure and never will.

      Windows fanboi much?

      I don't know so much about Linux and Android (and there are plenty of people here that will take care of defending those OSes); but I'm not exactly sure which orifice you have pulled that statement out of when you include OS X and iOS.

      Let's see: The number of viruses, trojans and other malware for iOS stands fast, at ZERO. Yes, Jailbreaking requires exploiting a vulnerability; but you said MALWARE was showing a "big increase". Such is simply not true. And with iOS, the "popularity" argument just completely falls apart. But don't let FACTS cloud your rant.

      As for OS X, I guess you could consider an increase from TWO to THREE TROJANS (from which, no OS can be immune) (and zero viruses or other malware) a "big increase"; which statistically I guess it would be; but, you really need to come back when OS X has even as many pieces of malware as Linux (836); which will be a long, long, LONG time.

      And in the case of MacDefender (the TROJAN which had the world abuzz two weeks ago), note that we don't hear about it anymore. Why? Because, like all TROJANS, it doesn't propagate quickly enough to remain viable, and because Apple has taken steps to stop it.

      But you just keep on sucking Ballmer's cock; lord knows, SOMEBODY needs to!

    138. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      Something tells me they wouldn't create ActiveX today... they've had well over a decade to learn how bad the technology actually is, and try to mitigate their mistakes with it.

      If this were true, then why do banks and such still use ActiveX for APIs?

    139. Re:Microsoft should know... by snemarch · · Score: 1

      Nice try :)

      However, there's quite some differences between the APIs used by normal browser rendering, the 2d canvas context, and finally the WebGL canvas context. If you have followed Mozilla's work on GPU-accelerating Firefox, you should know that even "controlled" usage of the 3D APIs can be troublesome... and with WebGL, you pretty much remove the "control" part.

      --
      Coffee-driven development.
    140. Re:Microsoft should know... by snemarch · · Score: 1

      Of course it's not native code, and of course the high-level API doesn't offer DMA access. Just like JavaScript, Java, Flash, Adobe Reader (et cetera) doesn't come with ExploitBufferOverflow() or LocalPrivilegeEscalation() functions... catch my drift? :)

      WebGL is a more complicated API than, say, the 2d context for the html5 canvas, and it's one big step closer to a graphics API that was written exclusively with speed in mind.

      --
      Coffee-driven development.
    141. Re:Microsoft should know... by Pigskin-Referee · · Score: 1

      And the only reason Office still exists is because of Microsoft's monopolistic legacy. There's no way that hopelessly cryptic, archaic, bug-ridden monstrosity could have survived the last decade on its own merits.

      Seriously, have you forgotten to take your meds today? MS Office is simply the finest Office Suite currently available. OO tried for years but was never able to clone anything even as functional as Word 97. The open-source community has never been able to conjure up anything that is even remotely as fully functional and integrates word processing, spreadsheets, calendar, mail program and all of the other applications available in the Office Suite as fully or easily. In addition, the wealth of third party programs available for the Suite itself is something that the open-source community has never even come close to accomplishing. I have seen grown men and women brought to tears trying to configure OO with a database trying to configure a custom mailing list with documents and envelopes. In MS Office it is a simple process.

      Open Office and its minions are best left for the casual home user. However, out of morbid curiosity, exactly what is the last version and suite of MS Office you are familiar with?

      --
      Pigskin-Referee
      Linux: Yesterday's technology, tomorrow ...
    142. Re:Microsoft should know... by anonymov · · Score: 1

      The entire reason why GPUs are able to crank out the truly insane number of IPS that they are able to now is because they are massively parallel stream processors running algorithms specifically optimized for parallelization

      Here, fixed that for you. Ring 0 has nothing to do with performance, and nothing to do with things accessible from WebGL as well. Shaders are not run in ring 0, they - surprise! - are not even run on the CPU.

      The only way it could be exploited (except _possibly_ crashing/hanging a PC by sending a complex shader that would hang the GPU) is if there was a buffer overflow in the shader compiler (which still would be run in ring3, so no ring0 yet).

      And if there were such exploits they would have been used already - go count moddable games out there, or even any games.

    143. Re:Microsoft should know... by beelsebob · · Score: 1

      No, there isn't any difference at all. Both are user space libraries that at some point talk to the graphics driver, whether one does more filtering of its input or not is irrelevant. The bottom line is that it should not be possible for user space code to cause kernel space code to misbehave. If it's possible, there's a problem in the kernel space code, not in the user space library.

    144. Re:Microsoft should know... by jasmusic · · Score: 1

      But it still takes them out of the trusted sandbox, FWIW.

    145. Re:Microsoft should know... by shutdown+-p+now · · Score: 1

      It does, but why are you worrying about trusted sandbox for a desktop app? My point was that it's not like ActiveX at all, and has nothing to do with web security. The only role browser plays here is as a client to download and install such an app, which works pretty much the same as Java Web Start and other similar technologies. This isn't really fundamentally different from downloading and running setup.exe, though at least in this case it actually tells you that what you're doing is a potential security issue (a bit like Android) - have a look at the screenshots.

    146. Re:Microsoft should know... by jasmusic · · Score: 1

      We all know COM wasn't invented for the browser.

    147. Re:Microsoft should know... by shutdown+-p+now · · Score: 1

      Yes, and it is not a security issue outside the browser, either. ActiveX only became one when IE was _intentionally_ made to support it as an extensibility platform for untrusted sources. So I still don't see your point.

    148. Re:Microsoft should know... by Goaway · · Score: 1

      and hopefully they've designed in ways to mitigate security issues.

      Well, they have. Do you know how they work?

      If you have a driver that is known to be particularly buggy, WebGL is disabled completely.
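
The driver blocklisting described in the comment above, sketched as an added example that is not part of the thread and is not any browser's own code. The blocklist entries, field names and the fail-closed handling of unreadable driver versions are assumptions made for illustration.

```javascript
'use strict';

// Constructed blocklist entries: vendor names, renderer patterns and version
// numbers are invented for this example and describe no real driver.
const BLOCKLIST = [
  { os: 'windows', vendor: 'examplevendor-a', renderer: /.*/,
    fixedIn: '8.17.12.5000', reason: 'driver older than first known-good build' },
  { os: 'linux', vendor: 'examplevendor-b', renderer: /^Example GPU 9\d\d$/,
    fixedIn: null, reason: 'no known-good driver for this chip family' },
];

// "8.17.12.5000" -> [8, 17, 12, 5000]; null when the string is not dotted decimal.
function parseVersion(text) {
  if (typeof text !== 'string') return null;
  const trimmed = text.trim();
  if (!/^\d+(\.\d+)*$/.test(trimmed)) return null;
  return trimmed.split('.').map(Number);
}

// Numeric, component-wise comparison; missing components count as 0.
// A plain string comparison would rank "8.9" above "8.17", which is wrong.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Decide whether the page may be given a WebGL context on this machine.
// gpu = { os, vendor, renderer, driverVersion } as reported by the platform.
function webglDecision(gpu, blocklist = BLOCKLIST) {
  const os = String(gpu.os || '').toLowerCase();
  const vendor = String(gpu.vendor || '').toLowerCase();
  const renderer = String(gpu.renderer || '');
  for (const rule of blocklist) {
    if (rule.os !== os || rule.vendor !== vendor) continue;
    if (!rule.renderer.test(renderer)) continue;
    // fixedIn === null means every driver version for this hardware is blocked.
    if (rule.fixedIn === null) return { allowed: false, reason: rule.reason };
    const have = parseVersion(gpu.driverVersion);
    // Assumption: a matching rule plus an unreadable version fails closed.
    if (have === null) return { allowed: false, reason: 'unreadable driver version' };
    if (compareVersions(have, parseVersion(rule.fixedIn)) < 0) {
      return { allowed: false, reason: rule.reason };
    }
  }
  return { allowed: true, reason: 'no blocklist rule matched' };
}

// Constructed sample machines.
const SAMPLES = [
  { os: 'Windows', vendor: 'ExampleVendor-A', renderer: 'Example GPU 100', driverVersion: '8.9.0.1' },
  { os: 'Windows', vendor: 'ExampleVendor-A', renderer: 'Example GPU 100', driverVersion: '8.17.13' },
  { os: 'Linux', vendor: 'ExampleVendor-B', renderer: 'Example GPU 950', driverVersion: '99.0' },
];

for (const gpu of SAMPLES) {
  const verdict = webglDecision(gpu);
  console.log(`${gpu.vendor} ${gpu.driverVersion}: ${verdict.allowed ? 'WebGL on' : 'WebGL off'} (${verdict.reason})`);
}
```
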

    149. Re:Microsoft should know... by Aighearach · · Score: 1

      Are you sure about the existence of some large number of JS exploits?

    150. Re:Microsoft should know... by man_of_mr_e · · Score: 1

      Actually, YOU need to learn more. Real statistics show that the largest attack vectors are PDF, Flash and Java. Yes, those tools are installed in IE via an ActiveX control, but ActiveX is not the vector of the infection. The executable code inside these pieces of software is. Java and Flash are just as exploitable under Chrome and Firefox, because those are plug-ins as well and have the same rights.

      Yes, years ago, and under XP there were security holes in IE (Pre-SP2) that would allow ActiveX controls to be an exploit vector, but that's no longer the case and hasn't been for almost a decade. The codec issue is also no longer the case. Again, you have to agree to install that crap. That's a social engineering attack. It would work just as well to say "You have to download this program and run it in order to see this cool pr0n". and people would do it.

      I am aware of no ActiveX installed trojans that do not require the user to agree to do so on any recent version of Windows. Can you provide any evidence otherwise?

    151. Re:Microsoft should know... by Aighearach · · Score: 1

      Real statistics show that the largest attack vectors are PDF, Flash and Java. Yes, those tools are installed in IE via an ActiveX control, but ActiveX is not the vector of the infection. The executable code inside these pieces of software is.

      No, the ActiveX control is not just the installer. Those tools themselves are ActiveX controls in IE. That "executable code inside" stuff.

    152. Re:Microsoft should know... by Aighearach · · Score: 1

      So then it is not a danger at all, if there are exploits the early adopters will get smacked and within a few years it will all be rock solid. Like JS.

    153. Re:Microsoft should know... by Locutus · · Score: 1

      I've seen responses from the Khronos Group and it appears this is indeed a Microsoft FUD stunt with issues brought up having been remedied months ago or other actions taking place to mitigate the issues. As expected, Microsoft is starting their FUD campaign and using the same old way of doing it.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    154. Re:Microsoft should know... by man_of_mr_e · · Score: 1

      ActiveX is a plug-in architecture. The only difference between ActiveX and FF or Chrome's plug-in architecture is the self-install feature. Flash and PDF are integrated in all major browsers and are equally vulnerable.

    155. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      configure OO with a database trying to configure a custom mailing list with documents and envelopes. In MS Office it is a simple process

      It looks like you might be talking about Exchange. Like to have a cookie or abbreviation with that?

    156. Re:Microsoft should know... by Pigskin-Referee · · Score: 1

      configure OO with a database trying to configure a custom mailing list with documents and envelopes. In MS Office it is a simple process

      It looks like you might be talking about Exchange. Like to have a cookie or abbreviation with that?

      I am referring to the mail merge feature in MS Word. Obviously you are not familiar with it or else you would never have made such a totally asinine comment. I can only conclude that you are an Open Office user and therefore not familiar with more advanced word processing techniques available in MS Word.

      --
      Pigskin-Referee
      Linux: Yesterday's technology, tomorrow ...
    157. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      How much less could they care.

    158. Re:Microsoft should know... by Goaway · · Score: 1

      The Khronos group is not a particularly unbiased source, here.

      This is a problem. Security issues aside, most OpenGL drivers are horrible at handling multiple tasks, and you could easily make a webpage that grinds your system to a halt by overusing the GPU on a lot of cards.

    159. Re:Microsoft should know... by Anonymous Coward · · Score: 0

      I'm pretty sure he was talking about those scripts where you have to copy-and-paste some Javascript into your address bar on Facebook which loads an external script that loops through your friends and leaves spam messages on their walls.

    160. Re:Microsoft should know... by Locutus · · Score: 1

      of course the Khronos Group is unbiased, it was their project Microsoft targeted in that "report".

      and if what you're saying about OpenGL drivers is true then anything which rendered through a web connection and used the OpenGL drivers would be a problem. Has Microsoft been putting out similar "reports" about those? Java3D and JGL are the first which come to mind and any 3D application is also a "threat" to Windows.

      Sorry but regardless of this being a valid issue, I have a problem with Microsoft, the marketing company, deciding when and what they want to declare as a security threat when you know darn well it's the competition which is the threat to them.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    161. Re:Microsoft should know... by Goaway · · Score: 1

      of course the Khronos Group is unbiased, it was their project Microsoft targeted in that "report".

      I really do not understand what you are trying to say here.

      and if what you're saying about OpenGL drivers is true then anything which rendered through a web connection and used the OpenGL drivers would be a problem. Has Microsoft been putting out similar "reports" about those? Java3D and JGL are the first which come to mind and any 3D application is also a "threat" to Windows.

      I have not checked whether they allow you to run custom code on the GPU, but if they do, then yes, they are a problem too. They are, however, not really in wide use at all, as far as I can tell. Certainly there is nowhere near the same amount of interest in them as there is in WebGL.

      Sorry but regardless of this being a valid issue, I have a problem with Microsoft, the marketing company, deciding when and what they want to declare as a security threat when you know darn well it's the competition which is the threat to them.

      And why is it not foolish to disregard a warning of a threat just because you dislike the person delivering the warning?

    162. Re:Microsoft should know... by Locutus · · Score: 1

      I never said it was not foolish to disregard a warning of a threat. But no one should keep giving credibility to a company whose name is synonymous with the acronym FUD. As a business it is not smart to jump every time such a company puts out PR releases saying your stuff is a threat.

      There is no such thing as independent studies when any kind of backing for the study comes from Microsoft. That company just does not have the credibility unless you just climbed out from under a rock. I'm merely the guy over on the side saying "Hey, watch out! That guy lies, he's lied before so many times I've lost count and he stands to make money if you give his claims any merit. If you want to talk about the security of WebGL you would be better off going someplace away from them." That's all I'm saying; it looked like it's pretty much like what lots of others under this topic have been leading to.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    163. Re:Microsoft should know... by RockDoctor · · Score: 1
      Not knowing much about the issues under question, one question :

      There ARE security flaws in it that MUST be addressed.

      What is the probability of the flaws being addressed in OS applications before they're addressed in closed source applications?

      My bet : better than 0.9 probability that (essentially all) OS will have solutions before (essentially any) CS.

      Prove me wrong with links.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    164. Re:Microsoft should know... by Shotgun · · Score: 1

      Exactly. Unix blazed the trail. By the time ActiveX came along, it was well mapped and documented territory. The security hole that was ActiveX was clearly a disaster in the making, and anyone well versed in the art of their profession should have known it.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  2. Good advise! by VincenzoRomano · · Score: 1

    From a security centric company!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:Good advise! by Nickodeimus · · Score: 1

      I should probably advise you not to use the word advise when you mean to use the word advice. Just my advice, I'd advise you to take it for what it's worth.

    2. Re:Good advise! by balbord · · Score: 2

      Good recommending!!!

      --
      "If I have been able to see so far, It is because I went out and bought a damn binoculars" - Ze da Esquina
    3. Re:Good advise! by Luckyo · · Score: 1

      For the last few years, Microsoft has done a lot for security. I understand that this is Slashdot and Microsoft bashing is always in vogue, but to claim that because company x was doing something wrong several years ago, and started doing it right many years ago makes for ancient history in the IT world.

    4. Re:Good advise! by iserlohn · · Score: 2

      You're right. Microsoft has done lots for the information security industry by selling a desktop and desktop derived server OS that has a security model that is insecure by default.

      Just because we're Microsoft bashing, doesn't mean we don't have a point.

    5. Re:Good advise! by RightSaidFred99 · · Score: 1

      Ahh hand waving. The last resort of scoundrels and half-wits. Why, since you say it's "insecure by default", you totally redeemed yourself! Hard to argue with those facts.

    6. Re:Good advise! by iserlohn · · Score: 1

      How about creating for the user by default an account that has administrator privileges? Or autorun of removable media turned on by default?

    7. Re:Good advise! by snemarch · · Score: 1

      Ah yes, NT's (in reality, VMS') security model is wrong - that must be why there's implementations of ACL for both Linux and BSD? :)

      --
      Coffee-driven development.
    8. Re:Good advise! by Aighearach · · Score: 1

      well advised.

  3. Microsoft has no security credibility. by Anonymous Coward · · Score: 0

    If they did they would do an apple and ban all plugins from their browser.

    1. Re:Microsoft has no security credibility. by _merlin · · Score: 1

      Are you referring to Mobile Safari for iPhone/iPad? In that case, I think Microsoft have "pulled an Apple" already and failed to provide a plugin API for the Windows Phone 7 browser. If OTOH you're referring to IE for Windows, Apple's equivalent Safari for OSX supports plugins anyway. I don't see your point.

  4. Games on Linux means the end of the MS Empire by alienoide · · Score: 1

    End of story.

    1. Re:Games on Linux means the end of the MS Empire by schnikies79 · · Score: 2, Informative

      The business world keeps Microsoft in power, not gamers.

      --
      Gone!
    2. Re:Games on Linux means the end of the MS Empire by GameboyRMH · · Score: 1

      At home, yes, in business, not so much. Legacy apps and textophobe-friendly administration are MS' bread and butter in business. But they are slowly killing off their legacy compatibility (and looking at going multi-arch with closed source code), and since Win Server 2008 they've switched to a Linux-like "CLI before GUI" design, so it'll be interesting to see what happens...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:Games on Linux means the end of the MS Empire by _merlin · · Score: 2

      WebGL won't deliver that. It's just going to deliver the next generation of what are currently Flash games, that run on Linux anyway (just not RMS' GNU/Linux because the player isn't free as in beards).

    4. Re:Games on Linux means the end of the MS Empire by cb88 · · Score: 1

      Eh... RedHat is taking care of that bit..

    5. Re:Games on Linux means the end of the MS Empire by Elbereth · · Score: 2

      Don't underestimate gamers or the gaming industry.

      If every gamer switched to Linux, you'd see Windows become as irrelevant as OS/2, which also had a sizeable installed base in the corporate world, or Mac OS, which had a huge installed base in education. Corporate users hardly ever upgrade, and many of their biggest apps have already been ported to at least one other OS, if not more. In the corporate world, they cater to the customer's needs and desires. In the home market, they dictate to the market.

    6. Re:Games on Linux means the end of the MS Empire by ron_ivi · · Score: 1

      And the business world uses Microsoft because that's what the CEO and CFO are familiar with.

      And they're familiar with Windows because that's what their kid uses to play games.

      The technical departments in the business world have been heavy unix users for a very long time.

    7. Re:Games on Linux means the end of the MS Empire by Anonymous Coward · · Score: 0

      and they rule the business world because employees are comfortable with a windows interface, a win in the home market would certainly bleed through to the office market

    8. Re:Games on Linux means the end of the MS Empire by mcgrew · · Score: 1

      You may be right, but I'm not so sure. When OS/2 first came out, the motto was "nobody ever got fired for buying IBM". Now it's "nobody ever got fired for buying Microsoft". MS is entrenched in the business and government worlds and has been for decades, while OS/2 was mostly just toyed with for a short time.

      Plus, almost every desktop computer made has Windows factory-installed. Only a tiny percentage of home PCs are used for serious gaming. Then there are other programs, like TurboTax, that have no Linux equivalent.

      As a kubuntu user, though, I hope you're right and I'm wrong.

    9. Re:Games on Linux means the end of the MS Empire by Dog-Cow · · Score: 1

      Funny. I work at a fairly large Auto manufacturer (in the US) and RedHat isn't visible here at all. I know there are some one-offs, but nothing supported by global IT. Lots of Linux here, though, but on any desktops.

    10. Re:Games on Linux means the end of the MS Empire by peterbye · · Score: 1

      Not on the desktop yet, unfortunately.

    11. Re:Games on Linux means the end of the MS Empire by camperdave · · Score: 1

      Eh... RedHat is taking care of that bit..

      Oh? Are they releasing 100% compatible versions of Windows XP, IE6, and Microsoft Office? I ask because these are the only things the business world uses.

      --
      When our name is on the back of your car, we're behind you all the way!
    12. Re:Games on Linux means the end of the MS Empire by Quarters · · Score: 2

      End of story.

      Linux gaming is a niche idea for a niche OS (-Linux on desktops for the masses. I know Linux in the enterprise is big). Microsoft isn't losing any sleep over the idea of Linux gaming going mainstream.

    13. Re:Games on Linux means the end of the MS Empire by Marc+Madness · · Score: 1

      Then there are other programs, like TurboTax, that have no Linux equivalent.

      As a kubuntu user, though, I hope you're right and I'm wrong.

      TurboTax in Canada is a web-app that works with Linux. However, the security/privacy implications of compiling your tax return in the cloud are not to be overlooked.

    14. Re:Games on Linux means the end of the MS Empire by mistiry · · Score: 1

      Oh? Are they releasing 100% compatible versions of Windows XP, IE6, and Microsoft Office? I ask because these are the only things the business world uses.

      I've worked at several places in the last 2 years where I saw no installations of XP or IE6, and I've also worked at several places where XP and IE6 were used. I've seen installations of OpenOffice, Firefox, and even Linux desktops.

      The point, though, is that your statement that XP/IE6/MSO are the only things the business world uses may have been true ~5 years ago, but not anymore.

    15. Re:Games on Linux means the end of the MS Empire by wisnoskij · · Score: 1

      Well Linux is already a heavy weight in the server department but it is because most people still have a MS box at home that they know MS and therefore want a MS box to work at at work. If Linux was the king of gaming then they would buy Linux boxes for personal (and for their kids) gaming and then would ask for them to work on.

      Gaming is the only reason they are not winning in my opinion.

      Not that I agree with the general consensus that the Linux OS is better than Windows. MS because they are a company dedicated to making money need to make Windows usable and enjoyable from back to front, while Linux seems to have used their free product designed for expert users as a reason to not really polish some of their features and at least in the case of Ubuntu, release versions that are far from ready for use.

      --
      Troll is not a replacement for I disagree.
    16. Re:Games on Linux means the end of the MS Empire by Quarters · · Score: 1

      Don't underestimate the power of Linux users to delude themselves into thinking that "If everyone did..." is the same as "any day now everyone will..." Ask yourself this...what would compel any, let alone every gamer to switch to Linux? It's not the games, as they don't exist. It's not the access to high performance video drivers, as they don't exist. It's not the access to ubiquitous and non-finicky audio systems, as they don't exist. The gamers need something better than what they have if they are going to move away from their current situation and negate their library of games. With regards to Linux that doesn't and probably will never exist. The majority of game companies won't make games on Linux until there is a market, which doesn't exist. Catch-22. For this to ever even have a possibility of happening there needs to be a killer-game-app on Linux and a Linux distribution that is as easy to setup and configure, along with always offering access to current quality video card drivers, as Windows offers. So where is the killer game and perfect gaming Linux distro? Instead of wishing for ponies and utopian group-think you might want to dig in and get to work.

    17. Re:Games on Linux means the end of the MS Empire by Anonymous Coward · · Score: 0

      Microsoft isn't releasing those things either, so what's your point? That IT is stuck in about 1997 and can't figure out how or where to move forward? What happens when they do decide to move off XP, IE6, Office (2003?). Where do they go? Microsoft's current stuff is basically incompatible with that software as well, so why not move to a more stable, secure, reliable, cost-effective platform?

    18. Re:Games on Linux means the end of the MS Empire by rishistar · · Score: 1
      --
      Professor Karmadillo Songs of Science
    19. Re:Games on Linux means the end of the MS Empire by pandrijeczko · · Score: 1

      Mate,

      Don't make us look like zealots, there's no harm in being a realist.

      I work with Red Hat systems every day, it's the platform OS of virtually all the telephony server products we do in my company, whether it's the actual voice switch, voicemail, interactive response servers, etc. Red Hat displaced commercial UNIXes on those platforms, Linux has had huge penetration in the server and embedded space but on "workhorse" servers like these, it's unlikely Windows would ever be used anyway.

      I also use Linux most of the time at home, for what I need a desktop to do it does about 80% of it as good as Windows does. But the fact is I still use Windows a bit of the time for the occasional game and because I need to open Word docs, Excel sheets, etc. Yes, LibreOffice does a good job but if I've been sent an Office doc that I need to edit and send back to a lot of people, I'm not going to risk introducing compatibility issues in the process - I'm human, lazy and just want to get stuff done as easily as possible.

      But Red Hat is not going to make big inroads into the Enterprise because whether you or I like it or not, Microsoft Exchange and Office are the de-facto standards for most companies.

      I do accept that it might change in the future if the business world goes more to cloud computing and lower-powered portable devices like tablets, then there's a possibility of displacing Microsoft's grip in that area, in which case Red Hat might then have the opportunity to "ride the wave" and provide software and services on those platforms.

      --
      Gentoo Linux - another day, another USE flag.
    20. Re:Games on Linux means the end of the MS Empire by Merk42 · · Score: 2

      Hypothetical:

      Developer: I'm going to make a great game for Linux, it's closed source.
      Linux Community: closed source? BAH! No thank you, Linux is about Freedom man,
      Result: Game does not become the widely adopted killer game converting people to Linux

      Developer: I'm going to make a great game for Linux, it's open source.
      Windows Community: Open source? Cool! *ports game to Windows*
      Result: Game does not become the widely adopted killer game converting people to Linux

    21. Re:Games on Linux means the end of the MS Empire by sorak · · Score: 1

      Don't underestimate gamers or the gaming industry.

      If every gamer switched to Linux, you'd see Windows become as irrelevant as OS/2, which also had a sizeable installed base in the corporate world, or Mac OS, which had a huge installed base in education. Corporate users hardly ever upgrade, and many of their biggest apps have already been ported to at least one other OS, if not more. In the corporate world, they cater to the customer's needs and desires. In the home market, they dictate to the market.

      Agreed. At my workplace, there are three things driving decisions:

      Does it work?
      How much does it cost?
      Do the CEO, his idiot brother-in-law, the CFO, the CIO, the various VPs of this and that, your boss, and your boss' boss personally get good vibes about this?

      I'll leave it to the reader to determine which factors are more important than others. Either way, if the CEO had grown up playing video games on Linux, the only people using Linux workstations would be those who need specialized software that only exists on other platforms.

    22. Re:Games on Linux means the end of the MS Empire by binarylarry · · Score: 1

      Riiight, because Microsoft has never released anything before it's ready.

      --
      Mod me down, my New Earth Global Warmingist friends!
    23. Re:Games on Linux means the end of the MS Empire by Penguinisto · · Score: 1

      Funny. I work at a fairly large Auto manufacturer (in the US) and RedHat isn't visible here at all.

      Hate to sound snarky, but that might be part of why the US auto industry is having such a hard time staying in the black...

      I mean, I've seen 7-figure Microsoft EA agreements at companies with only 1500 people in it. I can only imagine how much dosh an automaker regularly forks over.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    24. Re:Games on Linux means the end of the MS Empire by Penguinisto · · Score: 1

      Depends on the industry.

      If you buy any large tools in manufacturing and they have computers? They still almost always come with XP installed.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    25. Re:Games on Linux means the end of the MS Empire by Ultra64 · · Score: 1

      Aren't we done with the "cloud" buzzword yet?

      When can we go back to just calling it the Internet?

    26. Re:Games on Linux means the end of the MS Empire by icebraining · · Score: 1

      I don't think that most gamers that use Linux as their main OS would refuse to buy closed games.

      What I think does happen is that any gamer, even if they use Linux as their main OS, has a Windows installation anyway even if it's just to play, so a good number of Linux sales would be accompanied by a drop in Windows sales.

      On the other hand, Linux has less competition, so that can help you. It's not a coincidence that Linux users paid almost double of what Windows users paid for the Humble Bundle.

    27. Re:Games on Linux means the end of the MS Empire by camperdave · · Score: 1

      Microsoft isn't releasing those things either, so what's your point? That IT is stuck in about 1997 and can't figure out how or where to move forward?

      That pretty much is exactly my point. Although it's not necessarily IT that is stuck but business culture. Microsoft's new stuff is incompatible, so that's off the table. Ditto linux. Businesses already have corporate licenses for XP, so from their point of view XP works and it's free. Why switch?

      --
      When our name is on the back of your car, we're behind you all the way!
    28. Re:Games on Linux means the end of the MS Empire by Anonymous Coward · · Score: 0

      If you are spending seven figures for only 1,500 employees, then Microsoft is providing much more than just the OS and Office. That or your negotiators are incredibly incompetent.

    29. Re:Games on Linux means the end of the MS Empire by Penguinisto · · Score: 1

      SQL Server, Exchange, AD, CALs for everyone, SharePoint, etc etc etc etc.

      Trust me, MSFT usually sells more than just Office/Windows seats to a typical org.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    30. Re:Games on Linux means the end of the MS Empire by brusk · · Score: 1

      When can we go back to just calling it the Internet?

      When they're the same thing. Doing something "over the internet" could refer to doing it on a server that you control, connecting to it through interweb pipes. Whereas the example above is "cloudy" in the sense that the server is out there somewhere, perhaps not on a machine owned by the company you are interacting with.

      --
      .sig withheld by request
    31. Re:Games on Linux means the end of the MS Empire by alienoide · · Score: 0

      Thank you sir. Not to mention that games under Linux perform better than installed on Windows on identical hardware.

    32. Re:Games on Linux means the end of the MS Empire by zeroshade · · Score: 2

      Actually, lack of games on Linux is one of the driving forces for keeping a large swath of people from switching.

    33. Re:Games on Linux means the end of the MS Empire by Alex+Belits · · Score: 1

      Another excellent "I love Linux, but" post from your friendly Microsoft astroturfers.

      Exchange will be thrown out of businesses by switching to IMAP, then dropping the original protocol and installing a real IMAP server. Based on actual security concerns. No one will ever care about Exchange after that.

      Office is pretty much irrelevant thanks to companies actually using their network to handle data instead of copying pretty pictures back and forth. Good luck shilling your stupid Sharepoint that only consultants love.

      --
      Contrary to the popular belief, there indeed is no God.
    34. Re:Games on Linux means the end of the MS Empire by pandrijeczko · · Score: 2

      I don't know you from Adam and therefore don't care that you're having a bad day and feeling a bit grumpy with the rest of the world either.

      But just for the record, my computer knowledge started with programming on Commodore Amigas and doing system support work during mid- to late-80s on DEC PDP-11s running RSX-11 and IBM x86 servers running SCO UNIX - so I actually worked on UNIX before I ever even touched a Windows PC. And by the immaturity of your comments, that was probably around the time you were in nappies...

      I've also run Linux for nigh-on 18 years, I was a Red Hat Certified Engineer in 2000 and my full-time job is doing security analysis and hardening of Linux-based telecoms servers - believe it or don't believe it, I don't care.

      But I'm not a zealot. A computer is a tool and you use the best tool for the job. Period.

      --
      Gentoo Linux - another day, another USE flag.
    35. Re:Games on Linux means the end of the MS Empire by Alex+Belits · · Score: 1

      I worked on RT11 before RSX11M, and since that time I have seen plenty of people who became worthless Microsoft shills after starting as engineers.

      --
      Contrary to the popular belief, there indeed is no God.
    36. Re:Games on Linux means the end of the MS Empire by RightSaidFred99 · · Score: 1

      You know you sound like a total tool, right? I mean, just making sure. Most humorous of all is that you think "IMAP" is a product or application and that Exchange is just a mail server.

      But rock on, El Penguinario! 2012, year of Linux in the Enterprise space!!!!

      [That last part was sarcastic, by the way. I'm mocking you.]

    37. Re:Games on Linux means the end of the MS Empire by pandrijeczko · · Score: 1

      So be it - I'd rather be a Microsoft Shill than a Linux Zealot anyway.

      --
      Gentoo Linux - another day, another USE flag.
    38. Re:Games on Linux means the end of the MS Empire by Alex+Belits · · Score: 1

      You know you sound like a total tool, right?

      To be a tool, I would at very least care about opinions of people who clearly identify themselves as my enemies.

      Most humorous of all is that you think "IMAP" is a product or application

      IMAP is a protocol. Exchange has its own, shitty protocol that requires retarded VPN to be accessed in a "secure" manner (except, of course, then in 99.9% installed configurations your whole network is accessible to anyone who has stolen an employee's phone).

      and that Exchange is just a mail server.

      Exchange is a mail server bundled with a shitty, time-wasting calendar application used to waste people's time, that must die in a fire along with those who developed it.

      --
      Contrary to the popular belief, there indeed is no God.
    39. Re:Games on Linux means the end of the MS Empire by Alex+Belits · · Score: 1

      Everyone looks like a zealot to his enemies. Not everyone looks like a shill to them. You do.

      --
      Contrary to the popular belief, there indeed is no God.
    40. Re:Games on Linux means the end of the MS Empire by mcgrew · · Score: 1

      Sadly, no. I think it caught on because 1) folks don't know that "in the cloud" means "on somebody else's server" and 2) OSES is almost as stupid sounding, and "On somebody else's server" is too cumbersome.

    41. Re:Games on Linux means the end of the MS Empire by snemarch · · Score: 1

      Oh, they have, but even Vanilla Vista was a more enjoyable experience than whatever Linux distro.

      (This post is aiming for a +5 funny).

      --
      Coffee-driven development.
    42. Re:Games on Linux means the end of the MS Empire by RightSaidFred99 · · Score: 1

      You poor deluded soul. I really find your types just to be hilarious because you're so sure your crusty old opinions are so correct and the rest of the industry are just a bunch of plebs. First, IMAP can be enabled in Exchange. Second - Exchange supports far more than just mail/calendaring and can be integrated with a huge range of communications software.

      In short, like most zealots, you don't know what you're talking about. Your risible zealotry has prevented you from learning anything outside of your pathetic little computing niche, so anything you comment on outside of that niche can be immediately discarded as meaningless.

      Now please return to your newsgroups where you can share an exciting scheme to use 'filter' to forward your mail to your ca. 1995 beeper.

    43. Re:Games on Linux means the end of the MS Empire by pandrijeczko · · Score: 1

      Why would anyone care about how one looked to one's enemies? Surely, by the very definition of "enemy", one is not seen in a particularly good light by them anyway and they're hardly going to be objective in their opinions about one.

      And I'm sorry that you consider me your enemy but if that's a problem to you then I'm afraid I'm not a personality therapist so I'm afraid you're going to have to go find one yourself. So good luck with that.

      --
      Gentoo Linux - another day, another USE flag.
    44. Re:Games on Linux means the end of the MS Empire by Alex+Belits · · Score: 1

      First, IMAP can be enabled in Exchange.

      This is how IMAP can be used in "Microsoft shops" now. This is happening because not even Microsoft can afford to insist on Outlook being the only mail client allowed on the office networks. If they could, they would never touch IMAP.

      Second - Exchange supports far more than just mail/calendaring and can be integrated with a huge range of communications software.

      I am sure, someone at Microsoft wrote some huge and ambitious "API" to make Exchange the centerpiece of all business-related communications. The reality is, Exchange is a bad mail server and stupid calendar that everyone hates with a passion. Now Microsoft can't even force companies to use exclusively their protocol with their product that exists for the sole purpose of keeping systems closed. This always happens before this kind of product fails.

      --
      Contrary to the popular belief, there indeed is no God.
    45. Re:Games on Linux means the end of the MS Empire by Aighearach · · Score: 1

      When OS/2 first came out, the motto was "nobody ever got fired for buying IBM".

      No. It really wasn't. And you're old enough to know better!

      It was closer to, "is there software for it yet? How about now?"

      Now it's "nobody ever got fired for buying Microsoft".

      That "now" was a long time ago.

    46. Re:Games on Linux means the end of the MS Empire by Aighearach · · Score: 1

      1) folks don't know that "in the cloud" means "on somebody else's server"

      It doesn't.

      And of course it is somebody else's server, that's why it is the internet and not the intranet.

  5. Surprise by Anonymous Coward · · Score: 1

    Yeah, a cross platform solution that is in competition with a Microsoft proprietary solution; being applied to the Web; and Microsoft is against it. Personally I am shocked, just shocked. They've been spending a lot of money trying to optimize IE9 for use with DirectX, and care a whole lot less about security or empowering Web developers, than they do about preventing competition on a level playing field.

    1. Re:Surprise by mcgrew · · Score: 1

      Well, that's what Microsoft means when it comes to security concerns -- they're concerned that it will loosen their stranglehold on the market.

  6. MSFT to be at $20.00 by Anonymous Coward · · Score: 0

    Pot, meet kettle.

  7. At least silverlight is save! by cccc828 · · Score: 4, Interesting

    I am relieved that Silverlight will never support such harmful technology!

    1. Re:At least silverlight is save! by fuzzyfuzzyfungus · · Score: 2, Interesting

      Under "Extended Features":

      "Access devices and other system capabilities by calling into application COM components."

      "Call existing unmanaged code directly from within Silverlight with PInvoke."

      "Read and write files to the user’s My Documents folder, making it easier to find media files or create local copies of reports. Launch Microsoft Office and other desktop programs. Users can open Microsoft Outlook and create an e-mail message, or send a report to Word utilizing the power of Office."

      They just couldn't stay away from the convenience that ActiveX plugins' "mi casa es tu casa" security model provided...

    2. Re:At least silverlight is save! by Anonymous Coward · · Score: 0

      This is squarely aimed at businesses, who are demanding these features. Note that:

      • You have to opt-in to this via group policy.
      • Applications have to be signed, and I suspect the trusted roots will also be specified in group policy (i.e. it won't use the default list in the browser)

      I'd also be surprised if this feature was exposed in home versions of Windows.

      Microsoft were badly burned by ActiveX and they have learned many lessons.

    3. Re:At least silverlight is save! by Anonymous Coward · · Score: 0

      Hah, they made it possible for such harmful technologies to exist. Because of them there are now millions of viruses, malware and other evil software. If they would have done their jobs right, computer security would have meant locking the computer behind steel, not buying thousands of dollars worth of useless software to protect and clean their damn OS.

    4. Re:At least silverlight is save! by Anonymous Coward · · Score: 0

      Microsoft is not against using graphics within the browser. Their statement clearly gives the reasons for it. It's not because they believe its OpenGL roots are necessarily evil (although they probably believe it to be "weaker" than DirectX).

      I'm curious what the idiots that keep posting this drivel believe that Silverlight uses under Mac OS X. Hint: there is no DirectX on Mac OS X.

      Silverlight forces the developer to write to higher level APIs than WebGL, which eventually provides a direct mechanism to abusing a user's video card--something anyone with a brain should realize will be exploited within days or weeks of mass availability.

    5. Re:At least silverlight is save! by Anonymous Coward · · Score: 1

      Although you clearly have no idea, Silverlight can be used to write client-side applications as well. Within the browser, it lives in a sandbox.

      As the other AC below mentioned in response to cccc828, Group Policy changes are required to enable these features even on the client side. In other words, it seems like Microsoft has learned from their terrible ActiveX mistakes. It just sounds like no one else has.

    6. Re:At least silverlight is save! by fuzzyfuzzyfungus · · Score: 1

      I do realize that. My point was that, as Silverlight has evolved, market demands have been moving it back toward a (less-broken); but much more ActiveX-esque and potentially dangerous set of capabilities than it previously had. It isn't enabled by default for joe user anymore, because they learned that lesson; but the more fundamental problem isn't a lesson to be learned: If you want power, and people certainly do, programs have to have access. If programs have access, you either have to trust them implicitly (both not to be malicious and not to fuck up in serious ways) or increase the amount of your system to which you devote serious time and attention to vetting.

      In this case, I'm sure that important customer groups cried out for the features they are announcing for version 5. Certain line-of-business applications probably couldn't be built without them. However, as a side effect, they've basically had to drag back in (at least optionally, this time), the ability to do absolutely anything the user's security context allows.

    7. Re:At least silverlight is save! by snemarch · · Score: 1

      It will be interesting to see how Silverlight will implement GPU access - if it's going to be a thin wrapper around DirectX (in other words, the DX equivalent of WebGL) I'll be the first person to cry "bloody fucking morons". Hopefully (and perhaps this is wishful thinking) the silverlight team have been getting cluebat beatings from some of the competent security people at MS.

      --
      Coffee-driven development.
    8. Re:At least silverlight is save! by shutdown+-p+now · · Score: 1

      All of these are only permitted for out-of-browser (i.e. effectively desktop) Silverlight applications. The kind that runs as a plugin in a browser cannot do any of that.

  8. They can't even spell by DavidR1991 · · Score: 3, Insightful

    "Although mitigatinos such as ARB_robustness [...]"

    Nice Microsoft, nice.

    Whilst I believe that WebGL _could_ become a vector for attack, I think this is actually "We want to push DX not GL, let's stick to NIH by saying it's dangerous instead"

    1. Re:They can't even spell by Anonymous Coward · · Score: 0

      "Although mitigatinos such as ARB_robustness [...]"

      Nice Microsoft, nice.

      Whilst I believe that WebGL _could_ become a vector for attack, I think this is actually "We want to push DX not GL, let's stick to NIH by saying it's dangerous instead"

      Or, maybe websites should be websites and applications should be applications. Over the last 20 years the paradigm of browser plugins/applications in the browser has been abysmal for security AND performance.

      While I think it's cute that I can play angry birds in a web browser, it hogs an entire CPU core to do so. A dedicated application runs far smoother.

    2. Re:They can't even spell by diegocg · · Score: 1

      The fun thing is that Silverlight 3D APIs are not more secure than WebGL.

    3. Re:They can't even spell by Anonymous Coward · · Score: 0

      WebDX scribed on a piece of paper is being hand delivered towards the USPTO registration office as we speak. It's already at the Woodrow Wilson bridge! Let's hope the wind takes hold of it, hurtling it over to the murky waters of the Potomac river, never to be seen again.

    4. Re:They can't even spell by snemarch · · Score: 1

      Or, maybe websites should be websites and applications should be applications. Over the last 20 years the paradigm of browser plugins/applications in the browser has been abysmal for security AND performance.

      +1. And now people think it's cute you can decode MP3s via javascript... ugh.

      --
      Coffee-driven development.
  9. Oooor... by Anonymous Coward · · Score: 0

    or because it sounds like opengl which is eeeeviiiiiiiil

  10. It has no plans to support WebGL... by Anonymous Coward · · Score: 0

    Until it can come up with its own proprietary version that's IE only.

  11. Hate to Say This... by mrpacmanjel · · Score: 5, Informative

    The security issue is a valid question.

    In one of the links in the summary it shows that the video memory can be read and get a snapshot of the user's desktop (in the example a confidential document is viewable) - exceptionally bad. Using an exploit like this with something else means there is potential for a severe security breach.

    Then again it's early stages and I'm sure the security issues will be resolved in time.

    It's an exciting technology especially with regard to streaming games over the internet.

    Who remembers VRML???

    1. Re:Hate to Say This... by Anonymous Coward · · Score: 1

      the video memory can be read and get a snapshot of the user's desktop (in the example a confidential document is viewable)

      This could get even worse, in light of the fact that AMD plans to unify the video, and system RAM address space.

    2. Re:Hate to Say This... by royallthefourth · · Score: 2

      It will be better since it should mean that video memory will exist in protected mode instead of real mode (since it will be part of the same protected address space as system memory), thus proscribing programs from reading data not belonging to them.

    3. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      Who remembers VRML???

      I've been trying to name each new pet VRML for the last 15 years!

      The closest my wife has let me get is the cat who goes by Indigo or Indy for short...

    4. Re:Hate to Say This... by NatasRevol · · Score: 1

      Good thing THAT'S never been done before!

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      You're not going to be able to keep someone out of the video buffer by the nature of the entire concept. Microsoft is correct.

    6. Re:Hate to Say This... by Luckyo · · Score: 1

      It's not just that. Remember all the new games that crash drivers in spite of being actively optimized for them?

      Now imagine a browser window that executes while(true) {open new tab, run code that crashes video drivers()}

    7. Re:Hate to Say This... by AllyGreen · · Score: 1

      VRML was/is awesome, still taught in some unis I think! I certainly used it towards the end of my BSc in 2009.

    8. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      The problem could be mitigated somewhat by requiring the user's consent before allowing WebGL code to read data back from the graphics device (by popup or enabling an advanced setting). Only postprocessing and GPGPU should need to do this, so most apps wouldn't be affected.

    9. Re:Hate to Say This... by sgt+scrub · · Score: 2

      I completely agree. It needs to be fixed not dumped. This reminds me of WebSockets Experiment comparing Upgrade and CONNECT handshakes. Microsoft didn't say they wanted websockets abandoned. If there isn't OpenGL support in other browsers HTML5 canvas will be better in IE than any other browser. In other words, convincing everyone OpenGL support is evil and scary when IE gets HTML5 canvas support it would put them in the front of graphically rich web interfaces.

      --
      Having to work for a living is the root of all evil.
    10. Re:Hate to Say This... by Locutus · · Score: 1

      Did they bring this up to the WebGL Working Group or is this a PR piece to spread FUD about something they don't control and want gone? It may or may not be a valid point but they don't get to have their cake and eat it too. So instead of Microsoft working with the WebGL WG at Khronos and providing security APIs to the driver vendors to help secure the platform, they spread FUD about how things might be insecure. And doesn't Microsoft have to "approve" drivers so wouldn't it be their responsibility to prevent poor drivers from enabling security circumvention at the OS level?

      This looks like 100% pure MS FUD and it's not surprising since Microsoft's business methods do not promote cross platform API's because of the threat of reducing the importance of the Windows platform in the market.

      I remember VRML and remember SIGGraph when all the world was buzzing about 3D on the web. Lots of cool tech and it's about time.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    11. Re:Hate to Say This... by LWATCDR · · Score: 1

      Why not virtualize it? Create a virtual video space that is just limited to the browser's display? Seems like a good way to secure it.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    12. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      I remember VRML. I don't remember when it was dropped but I haven't heard ANYBODY mention it for about a decade. I only remember it from the bad old days, when Shockwave and Flash were still distinct, and belonged to Macromedia, there was no Firefox, and Internet Explorer, Netscape and (eeeugh! *shudder*) ..."AOL" were the only browsers.

      It was horrendously slow, and looked like the old Star Fox game from Super Nintendo, or even a Dire Straits video. Similar results in Java Applets were common at the time.

      But once you saw what could be done using Macromedia Director/Shockwave and/or Flash, if you were a graphics person you didn't want to bother with anything else.

    13. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      Don't open confidential documents on a computer with internet access.

      Problem solved.

    14. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      You're absolutely right. So my question is, why is the word 'harmful' in quotes? The entire article is quoting them indirectly, so putting 'harmful' in quotes is pure editorial slant. I suppose it's too much to ask /. editors to look at a subject objectively. Much better writeup on Ars Technica here.

    15. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      Oh god, I miss the idea of VRML.
      It was such a nice idea, but just too ahead of its time sadly.

      Now we will never (not now) browse virtual internets to kick the ass of advertisements, then go see nudes of a hybrid of Amy and Leela..
      This saddens me greatly.

    16. Re:Hate to Say This... by LS · · Score: 1

      Why is this any different from any other exploit? If you get past the browser's sandbox, you've got the control of the machine, and things are good as toast. Access to video memory seems minor in comparison to a complete breach.

      --
      There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
    17. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      I think the security issue is valid as well, however, I believe it's worth mentioning that Microsoft's silverlight also has this feature.... In light of that criticism of microsoft is completely valid and should be heaped on.

    18. Re:Hate to Say This... by fermion · · Score: 1

      I wonder how many exploits are based on video memory. I am not saying this is not a security hole, just that that does not seem like the most efficient manner to get hundreds of credit card numbers.

      This tends to support a basic belief about MS. When MS talks about security they are not talking about protecting end user data or making sure that personal information is not used in ways unknown to the user, what they are talking about is digital rights management. When talking about insecure video memory, one is talking about streaming movies that can be copied. Netflix has stated that Silverlight is used instead of HTML5 because HTML 5 does not deliver the protection of Silverlight. Flash is also not secure because it will leave cache images.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    19. Re:Hate to Say This... by Godeke · · Score: 1

      Yes, it is a security problem. So why is this OK: https://www.microsoft.com/silverlight/future/#graphics (specifically: "Immediate mode graphics API allows direct rendering to the GPU").

      It isn't a security vulnerability when Silverlight gains access to the GPU. Hhmmm.

      --
      Sig under construction since 1998.
    20. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      That was a bug in Firefox, not WebGL. Sheesh. Microsoft FUD at its finest.

    21. Re:Hate to Say This... by Anonymous Coward · · Score: 0

      And who the fuck said its OK? Apparently in a company of 90,000 employees there can be differing opinions. They aren't all wired to think "microsoft good others bad" like some borg mind. You trolls should get your defective brains fixed..

      But putting your retarded "logic" aside, if everything has to be spelled out to you like a four year old about the difference between a managed memory model API thunking to the native layer and webgl you are fit to comment on this website. You fit perfectly in this uninformed troll zoo...

    22. Re:Hate to Say This... by Touvan · · Score: 1

      >> The security issue is a valid question.

      Not really. WebGL, like OpenGL, Glide or D3D is just an API abstraction. The way MS would likely implement WebGL (or WebD3D) is as a "wrapper" layer that would re-interpret all the WebGL calls to another lower level API - essentially, a shim would exist that would use lower level APIs, but not expose them. The layer that deals with the WebGL calls can be as hard as the engineers make it - there is no requirement in the WebGL spec that the API provide unfiltered access to lower level system APIs.

      What MS is saying is actually just not factually accurate. I'm pretty surprised more haven't caught on to that.
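
A sketch of the two mitigations discussed in this thread, the filtering shim layer described in the comment above and the consent-before-readback idea from an earlier comment. This is an added example, not part of any poster's comment and not code from WebGL or any browser. `GuardedGL`, its methods, the status strings and the stub backend are hypothetical names, and the vertex and index data are constructed.

```javascript
// Hypothetical filtering shim between untrusted page script and a graphics
// backend. Nothing is forwarded to the backend until it has been validated.
class GuardedGL {
  constructor(backend, { allowReadback = false } = {}) {
    this.backend = backend;             // stands in for the native driver API
    this.allowReadback = allowReadback; // assumed to be set only after user consent
    this.vertexBytes = 0;               // size of the vertex buffer the page uploaded
    this.indices = null;                // private copy of the index data
    this.attrib = null;                 // layout of the single vertex attribute
    this.width = backend.width;
    this.height = backend.height;
  }

  uploadVertices(float32) {
    if (!(float32 instanceof Float32Array)) throw new TypeError('Float32Array required');
    this.vertexBytes = float32.byteLength;
    this.backend.upload('vertices', float32.slice()); // copy: page cannot mutate it later
  }

  uploadIndices(uint16) {
    if (!(uint16 instanceof Uint16Array)) throw new TypeError('Uint16Array required');
    this.indices = uint16.slice();
    this.backend.upload('indices', this.indices);
  }

  // components per vertex (floats), byte stride between vertices, byte offset of the first
  setAttribLayout(components, stride, offset) {
    const ok = Number.isInteger(components) && components >= 1 && components <= 4 &&
               Number.isInteger(stride) && stride >= 0 && stride <= 255 &&
               Number.isInteger(offset) && offset >= 0 &&
               stride % 4 === 0 && offset % 4 === 0;
    if (!ok) return 'INVALID_VALUE';
    this.attrib = { size: components * 4, stride: stride || components * 4, offset };
    return 'OK';
  }

  // Highest vertex index whose data lies entirely inside the uploaded buffer, or -1.
  maxSafeIndex() {
    if (!this.attrib) return -1;
    const { size, stride, offset } = this.attrib;
    if (this.vertexBytes < offset + size) return -1;
    return Math.floor((this.vertexBytes - offset - size) / stride);
  }

  drawElements(count, first) {
    if (!Number.isInteger(count) || !Number.isInteger(first) || count < 0 || first < 0)
      return 'INVALID_VALUE';
    if (!this.indices || !this.attrib || first + count > this.indices.length)
      return 'INVALID_OPERATION';
    const limit = this.maxSafeIndex();
    for (let i = first; i < first + count; i++) {
      // An index past the buffer would make the GPU fetch memory the page never uploaded.
      if (this.indices[i] > limit) return 'INVALID_OPERATION';
    }
    this.backend.draw(count, first);
    return 'OK';
  }

  readPixels(x, y, w, h) {
    if (!this.allowReadback) return { status: 'READBACK_DENIED', data: null };
    const inside = [x, y, w, h].every(Number.isInteger) &&
                   x >= 0 && y >= 0 && w > 0 && h > 0 &&
                   x + w <= this.width && y + h <= this.height;
    if (!inside) return { status: 'INVALID_VALUE', data: null };
    return { status: 'OK', data: this.backend.read(x, y, w, h) };
  }
}

// Constructed stand-in for a driver: it only records what the shim let through.
function makeStubBackend(width, height) {
  const calls = [];
  return {
    width, height, calls,
    upload(kind, data) { calls.push(['upload', kind, data.length]); },
    draw(count, first) { calls.push(['draw', count, first]); },
    read(x, y, w, h) { calls.push(['read', x, y, w, h]); return new Uint8Array(w * h * 4); },
  };
}

function demo() {
  const backend = makeStubBackend(4, 4);
  const gl = new GuardedGL(backend);                     // no readback consent given
  gl.uploadVertices(new Float32Array(9));                // 3 vertices of 3 floats = 36 bytes
  gl.setAttribLayout(3, 12, 0);
  gl.uploadIndices(new Uint16Array([0, 1, 2, 0, 1, 7])); // index 7 is out of range
  const results = {
    goodDraw: gl.drawElements(3, 0),
    badDraw: gl.drawElements(3, 3),
    deniedRead: gl.readPixels(0, 0, 4, 4).status,
  };
  const consenting = new GuardedGL(backend, { allowReadback: true });
  results.allowedRead = consenting.readPixels(0, 0, 4, 4).status;
  results.oversizeRead = consenting.readPixels(2, 2, 4, 4).status;
  results.forwarded = backend.calls.map((c) => c[0]);
  return results;
}
```

Calling `demo()` shows that only the in-range draw and the consented, in-bounds readback reach the backend. Checks of this kind cover arguments only; they do not address the shader and driver-bug concerns raised elsewhere in the thread.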

    23. Re:Hate to Say This... by shutdown+-p+now · · Score: 1

      I don't see how this can be fixed while remaining OpenGL in anything but name. The point here is that OpenGL-like API is low-level enough that it permits too much leeway (most notably, shaders, which are effectively a Turing-complete language which requires proper sandboxing in web context). What is needed short-term is some higher-level 3D API, akin to XNA, only perhaps even more limited. What is needed long-term is ensuring proper security for the entire 3D graphics stack, from hardware to drivers to OS to browser (we have the latter two today, but not the former two).

    24. Re:Hate to Say This... by snemarch · · Score: 1

      Wow, that's a confusion of terminology if I ever saw one.

      I hope that was intended as a +5 funny. If not, please read up on your terminology. You might also want to familiarize yourself with alien words such as "DMA".

      --
      Coffee-driven development.
    25. Re:Hate to Say This... by snemarch · · Score: 1

      Massive driver and - possibly - hardware changes. Perhaps just fix the API instead? Might give lower performance and ruin the wet dream of "zomg desktop games in a browser", but that's just silly in the first place IMHO.

      --
      Coffee-driven development.
    26. Re:Hate to Say This... by snemarch · · Score: 1

      ...but I got them from a POP3 connection, what do you expect me to do? Company policy forbids USB drives, and all our networked machines have internet access :(

      --
      Coffee-driven development.
    27. Re:Hate to Say This... by snemarch · · Score: 1

      Why is this any different from any other exploit? If you get past the browser's sandbox, you've got the control of the machine, and things are good as toast. Access to video memory seems minor in comparison to a complete breach.

      Allowing ActiveX == allowing ANY native code to run on your system - bad.

      Allowing Java or .NET stuff == allowing sandboxed and security-constrained code access to relatively verifiable resources.

      Allowing WebGL == ???, where ??? depends on specific video driver version as well as hardware silicon.

      Graphics drivers aren't generally scrutinized for security issues, and hardware can do stuff like DMA (overwrite arbitrary regions of system memory without the OS being able to intervene in any way).

      --
      Coffee-driven development.
    28. Re:Hate to Say This... by snemarch · · Score: 1

      At what level, though? A thin wrapper over DirectX, or a higher-level API that can do some additional checks (or simply doesn't allow for really-unsafe constructs)?

      --
      Coffee-driven development.
    29. Re:Hate to Say This... by snemarch · · Score: 1

      It's not really about video memory, it's about shader code and driver bugs - which can (potentially) do a lot more damage than just reading video memory.

      --
      Coffee-driven development.
    30. Re:Hate to Say This... by snemarch · · Score: 1

      Yes, it is a security problem. So why is this OK: https://www.microsoft.com/silverlight/future/#graphics (specifically: "Immediate mode graphics API allows direct rendering to the GPU").

      It isn't a security vulnerability when Silverlight gains access to the GPU. Hhmmm.

      It says "immediate mode graphics", it doesn't say "thin wrapper around DirectX" or "you can run shader code directly".

      It's very possible it might in fact be a thin wrapper around DX, in which case I'd be the first to cry bloody murder... but you can't deduce much from just that statement.

      --
      Coffee-driven development.
  12. No news by The+MAZZTer · · Score: 2

    If WebGL takes off, they'll have no choice but to support it. If it doesn't, then no-one will care that they don't support it.

    1. Re:No news by Anonymous Coward · · Score: 0

      Kinda like Flash?

    2. Re:No news by royallthefourth · · Score: 1

      Ha! If only that was true for CSS

    3. Re:No news by Bengie · · Score: 2

      WebGL is as bad or worse than ActiveX ever was. Should be interesting.

      I've already read security blogs from reputable security professionals about how WebGL is flawed from the ground up and can allow for kernel level security issues. ActiveX at least ran as the current user, not kernel.

      I really think MS could get away with not implementing it.

    4. Re:No news by camperdave · · Score: 1

      If WebGL takes off, they'll have no choice but to support it. If it doesn't, then no-one will care that they don't support it.

      If it takes off, Microsoft will pull its standard Embrace, Extend, Extinguish strategy on it.

      --
      When our name is on the back of your car, we're behind you all the way!
    5. Re:No news by Anonymous Coward · · Score: 0

      It may be bad, but it can't possibly be anywhere near as bad as ActiveX.

    6. Re:No news by Anonymous Coward · · Score: 0

      If it takes off, Microsoft will pull its standard Embrace, Extend, Extinguish strategy on it.

      Actually Microsoft would have to pull Google's standard "Embrace, Extend, Extinguish, Evil" strategy since Google evilly embraced, extended and extinguished it.

    7. Re:No news by John+Hasler · · Score: 1

      > ...Extinguish...

      We can only hope.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:No news by Locutus · · Score: 1

      or like Java, C++, OpenGL, etc. I can't wait for the day Microsoft, instead of putting out FUD, they put out press releases stating their existing software is better than the up and coming stuff because of X, Y, and Z. That would mean a "new" kind of company and actual competition.

      Did you notice MSRC report targets the drivers when Microsoft is responsible for providing the driver interfaces to the kernel and approving the drivers? Don't forget, Microsoft is building direct video interfaces into their browser too and I didn't see a word mentioned about that. Seems like we're going backwards these days. Facebook is looking more and more like AOL and Windows is looking more and more like DOS by bringing the hardware closer to the application. They are saying the design of Windows is insufficient to provide proper abstraction and performance it would seem.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    9. Re:No news by TopSpin · · Score: 1

      I really think MS could get away with not implementing it.

      One good hit, the WebGL equivalent of Farmville, will change everything. Don't underestimate this; WebGL is cool and the potential great. If WebGL is successful it will help to break the domination of DirectX among the desktop graphics hardware vendors and cause developers to look beyond the Microsoft romper room.

      OpenGL ES 1.x/2.0 is already dominant on mobile platforms (iOS and Android, specifically) and WebGL is based on the same edition. There is a real opportunity for convergence around a solid, open, non-Microsoft GPU framework.

      WebGL security is a non-issue really. If the HTML5's 2D canvas + built-in video streaming isn't already good enough to obviate flash it will be soon. Together, those two are sufficient for most graphical applications and much easier to secure than the 3D pipeline. The 3D pipeline will never be secured well enough for general purpose use on the web, so WebGL will ultimately have to require operator authorization, among other things, to prevent it from becoming a popular attack vector.

      It will require a couple of incidents before Google, Mozilla, et al. concede this and lock down WebGL, taking it off the table as a viable attack vector. Eventually they will. Bank on it.

      --
      Lurking at the bottom of the gravity well, getting old
    10. Re:No news by Anonymous Coward · · Score: 0

      Then you clearly don't understand what ActiveX is or does. ActiveX lets you run native code, un-sandboxed - letting you do whatever the heck you want as the local user - yes it doesn't give you kernel level privileges but basically the whole concept is unfixable.. WebGL is simply a JavaScript API that lets you render graphics. It's true that 3D acceleration driver implementations used in turn by WebGL implementations are not developed with the mindset that it is going to be called from untrusted sources, and that's where security issues appear (which admittedly can be more harmful if they are at the kernel level), but they are of a completely different nature than those caused by ActiveX.

      Frankly, most graphics acceleration happens in the kernel on Windows, and which underlying API (be it OpenGL or Direct3D) and accompanying implementation is going to be used probably won't have a huge influence on the probability that security issues will appear. The better driver architecture would perhaps be something like Mesa, where most of the implementation lives in userland, and commandstreams and buffers are passed to the kernel, which verifies them. (For performance reasons, one could disable verification for running things like locally installed games).

      As for MS getting away with it.. yeah I'm afraid you might be right. Frankly I couldn't blame them for not wanting to adopt it any time soon, but to rule out ever adopting it is a bit unfortunate, but completely understandable considering it undermines their own graphics API. Once people get comfortable with WebGL, they are inevitably going to become more open to using OpenGL if they ever have to develop something that doesn't run in the browser. That combined with the fact that going the OpenGL route opens up the possibility of supporting Mac platforms.. well, I can see why MS is not willing to increase WebGL's chances of becoming a de-facto 3D web acceleration standard in the long term.

      TL;DR: 3d acceleration is going to be iffy until driver writers change their ways, no matter how it's done, pinning this on the WebGL API itself is MS FUD, in my humble opinion

    11. Re:No news by snemarch · · Score: 1

      If WebGL is successful it will help to break the domination of DirectX among the desktop graphics hardware vendors and cause developers to look beyond the Microsoft romper room.

      Ah yes, WebGL + JavaScript will displace native C++ code combined with OpenGL/DirectX? (That'd be a wet dream of Intel and AMD - even with JS JIT advances, we'd need quite more powerful CPUs).

      It will require a couple of incidents before Google, Mozilla, et al. concede this and lock down WebGL, taking it off the table as a viable attack vector. Eventually they will. Bank on it.

      Google are cool, but they aren't superhumans. Some things just aren't 100% securable.

      --
      Coffee-driven development.
    12. Re:No news by drb226 · · Score: 1

      Quirks mode is the worst idea ever. And yet my company's app *depends* on being run in quirks mode. [insert angry reddit eyes here]

    13. Re:No news by Anonymous Coward · · Score: 0

      You know Internet Explorer (at least up to 8, I don't know about 9) is one of the applications which is able to execute kernel-level operations without activating UAC, right?

      Previously, on Slashdot...

      IIRC, Notepad.exe was also one, as well as Windows Explorer and Run32.dll

      So, no, you can't guarantee that anything running subsidiary to IE is running "as the user" -- in fact, in the case of malicious code, I would simply ASSUME it wasn't. Especially ActiveX, which isn't even interpreted code, but an executable object simply loaded as a piggyback on the IE process.

  13. Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 3, Insightful

    Microsoft has no business building browsers. The open architecture of the web will always conflict with IE being closed source and the EEE tactics Microsoft is constantly trying on various web technologies. In the past, Microsoft's hegemony over computer technology gave them enough influence that they might actually have a chance at "de-commoditizing" (as they say) some popular open web technologies, but that's over, they aren't the 800lb gorilla in the room anymore, they're just another dog in a fight with at least 2 other dogs (the Open dog and the Apple dog - and no they're not the same. Look at Safari's special HTML5 rendering. Familiar? Don't forget that an open web also poses a threat to Apple's mobile apps).

    By continuing to work on browsers, Microsoft is fighting a war they can't win, but like all wars this one is still harmful to the other combatants and various innocent bystanders.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      Except for the fact that the web sucks. Hopefully we will move beyond browsers soon.

    2. Re:Microsoft should get out of browsers ASAP by JBMcB · · Score: 1

      The web sucks, except for everything else.

      The biggest hurdle in designing something like the web is to get everybody to agree on standards. HTTP/HTML - that's 90% of the battle, and infinitely better than 30% of websites only working on flash, 20% only working on silverlight, 15% on XML/XSLT, 15% on PDF...

      --
      My Other Computer Is A Data General Nova III.
    3. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      If we move "beyond" browsers to client apps we'll be moving backwards (not that it can't happen, that seems to be the direction we're moving in these days).

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Microsoft should get out of browsers ASAP by pinpuke · · Score: 2

      RE: "Microsoft has no business building browsers." Well, maybe that should read... "Microsoft has only to build browsers for big business." Firefox is a pain to manage in large corporate settings. Luckily someone out there made the CCK for Firefox but it can still be a pain to manage once deployed. If you take away IE then when you make calls to businesses that serve you don't complain about the extra long call queues and slow account services. Corporate infrastructures that utilize web apps will come to a crawl while internal devs, and third party devs, scramble for fixes.

    5. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      How are we supposed to download firefox?

    6. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      The same way you do on their browser-less European versions?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    7. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 1

      Why is that backwards? Most 'real' software is still client based and will continue to be. It just works better. Browsers are great for reading stuff, but they suck as an application development environment. They are not designed for it - all these technologies (AJAX, etc) are complete hacks to mimic what's been around for years in client app development.

    8. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 2

      Because you're destroying the client-independence of the web. If you believe in an Apple-like One True Platform future I can see how you could consider moving to clients to be a forward move, but I'd just have to disagree.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Microsoft should get out of browsers ASAP by chemicaldave · · Score: 2

      I'll admit that developing web apps does indeed suck. It sucks hard, but not because the actual app development sucks. That part is easy. Where I work we still do the meat and potatoes of the work with the same languages we would use for a desktop app. The only thing we use the web for is presentation and a little scripting for input -- which gets mirrored on the server anyway -- and that's the part that sucks. Mostly because browsers don't work the same way.

      But customers are always right, and if they don't get what they want they'll get it somewhere else. And customers want to access an app from -- almost -- any browser, on any computer -- or mobile device -- from any location, and that's just not practical with desktop apps.

    10. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      Fixes, or fix the screwups that they had to implement to get it working under IE?

    11. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      The open architecture of the web will always conflict with IE being closed source

      That is the most ridiculous statement ever made. Let me guess, you can't point me to your core contributions to firefox, can you?

      IE is important part of web technology, even if all they do is keep other browsers in check. 80+% IE is just as bad for the web as 80+% firefox or anything else.

    12. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      Look at Safari's special HTML5 rendering. Familiar?

      Are you talking about CSS vendor prefixes, because that is what vendor prefixes are for?

      If not, what are you talking about?

    13. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      No I'm not a Firefox developer, what does that have to do with everything? IE can't have WebGL or OGG/Theora codecs built-in because it's closed. The licenses don't allow that. Nothing ridiculous about it.

      If it were just IE and Firefox, IE might play an important role, but there are many different browsers out there made by companies with many different interests, so IE isn't contributing significantly to the competition. Also they are constantly making closed-source addons like Silverlight and ActiveX which are negative contributions. So I'd say the browser market would be better off without them.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    14. Re:Microsoft should get out of browsers ASAP by binarylarry · · Score: 1

      Not if we take an approach like Google's nacl project, which allows you to run real native code safely in a browser.

      The key thing is keeping it safe, which Google has put a lot of thought and legwork into.

      --
      Mod me down, my New Earth Global Warmingist friends!
    15. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      The open architecture of the web will always conflict with IE being closed source

      Oh gee I don't know there have been oh several *VERY* successful browsers over the years that were closed source. Netscape, Chrome, and Opera to name 3...

      In 1998 they made *THE* browser everyone wanted. It blew the others out of the water. Then they sat back and let it rot. MS does its best work when it is not in the dominant position. IE is starting to actually look cool again. I may even use it in a couple of versions (we shall see).

      But I am thinking a company with one of the largest attack surfaces might know a thing or two about what is and is not secure. Trust me they have the security religion now. Now if they could just get the 'faster releases' religion...

      I want *MORE* browsers out there coming up with new features. You are arguing for open source only. Does not sound like a good plan to me. In fact I would say less people making new features is exactly the wrong way to do it.

      Also you are arguing that 'they should just give up they can't win'. Uh people said that the first time and they *DID* win at nearly 95% share. They could do it again. Will they? Probably not as what they have now is not as night and day better than the competition (and it cost 30-50 dollars less than everyone else did not hurt). They are probably going to end up with about 15-30% share. But out of all the computers out there that is a significant number.

      What you are arguing for is monopoly and non competition. Firefox was willing to let JS sit and rot at the 2.0 speeds until Chrome showed up. IE was doing the same thing. A new entrant to the market created competition. Which is making for a better internet...

    16. Re:Microsoft should get out of browsers ASAP by nschubach · · Score: 3, Informative

      Windows doesn't come pre-loaded with wget yet (as far as I'm aware) so it's a little more difficult:

      (Start / Run:)
      cmd
      ftp releases.mozilla.org
      (User: anonymous)
      (Pass: joe.blow@somewhere.com)
      cd /pub/mozilla.org/firefox/releases/latest/win32/en-US/
      binary
      mget *.exe
      (answer yes)
      quit
      dir Firefox*
      (Run listed program)

      Pretty sure I didn't miss anything...

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    17. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      Apple is relying on vendor prefixes (which should only be used as a last resort if they must exist, and which Apple created a metric shit-ton of, right off the bat) because it doesn't render standard HTML5 quite as well. They're trying the same thing with HTML5 that IE tried with traditional HTML. Embrace, Extend, Extinguish.

      http://www.reelseo.com/apple-doctors-magical-html5-demo-safari-quicktime-video-standards/

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    18. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      I say you should go out of IT business, that's because you don't know statistics.

    19. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      nacl is a terrible idea, at best it's a more secure ActiveX. Why make the web architecture-specific and expose a computer's microcode vulnerabilities to the web?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    20. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      Netscape, dead and opened up, now wildly successful as Firefox.

      Chrome is closed? That's news to me. Does Google know about the source leak that's been released as Chromium?

      Opera is the BSD of browsers in terms of popularity.

      I'm not arguing for monopoly and non-competition. I agree more browsers are better, but the negative effects of Microsoft's EEE and de-commoditization efforts aren't worth the competition they bring to the market. If Microsoft could follow standards and maybe have IE offer the option to download plugins for the open technology the rest of the web uses after installation, I'd welcome their presence, but they do more harm than good.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    21. Re:Microsoft should get out of browsers ASAP by caywen · · Score: 1

      And if WebGL was invented by Microsoft, and it were Google and Mozilla who wouldn't support it, you could still post this. Whether your point is valid or not, this doesn't have anything to do with the TFA.

    22. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      I figured that getting out of browsers implied also getting out of related browser technologies, but if that wasn't clear, I'll say it now. IE should get out of browsers, and let Silverlight and ActiveX die, and not build any other browser technologies, all for the same reasons outlined in my post.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    23. Re:Microsoft should get out of browsers ASAP by paimin · · Score: 2

      How does Webkit not qualify as open?

      --
      Facebook is the new AOL
    24. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 2

      Webkit is open source but Safari isn't, and Apple has shown they have no intention of following HTML5 standards, at least with Safari (although adding a ton of redundant vendor-specific HTML5 features to WebKit in the first place doesn't scream "openness"). If IE swapped its rendering engine to a WebKit fork tomorrow, it wouldn't make IE an open browser.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    25. Re:Microsoft should get out of browsers ASAP by paimin · · Score: 1

      What features specifically are you complaining about?

      --
      Facebook is the new AOL
    26. Re:Microsoft should get out of browsers ASAP by Shoe+Puppet · · Score: 1

      No I'm not a Firefox developer, what does that have to do with everything? IE can't have WebGL or OGG/Theora codecs built-in because it's closed. The licenses don't allow that. Nothing ridiculous about it.

      If it were just IE and Firefox, IE might play an important role, but there are many different browsers out there made by companies with many different interests, so IE isn't contributing significantly to the competition. Also they are constantly making closed-source addons like Silverlight and ActiveX which are negative contributions. So I'd say the browser market would be better off without them.

      Q. What is the license for Theora?
      Theora (and all associated technologies released by the Xiph.org Foundation) is released to the public via a BSD-style license. It is completely free for commercial or noncommercial use. That means that commercial developers may independently write Theora software which is compatible with the specification for no charge and without restrictions of any kind.

      Source

      I couldn't find the license of WebGL, but I'm quite sure it's something similar.

      --
      (+1, Disagree)
    27. Re:Microsoft should get out of browsers ASAP by Anonymous Coward · · Score: 0

      By continuing to work on browsers, Microsoft is fighting a war they can't win, but like all wars this one is still harmful to the other combatants and various innocent bystanders.

      This.

      Good. And kudos to Microsoft. When they were developing VS there actually were some competitors to VS. I bet that there were even people sharing sentiments such as your own, that they have no business developing IDEs or programming languages, and came up with baseless arguments to suggest that even trying is a detriment to not only the competition, but to the very developers they were attempting to lure away from shit like Borland.

      Here is your feeble argument revised as a car analogy: ...some popular ISO standards, but that's over, they aren't the 800lb gorilla in the room anymore, they're just another dog in a fight with at least 2 other dogs (the Hybrid Vehicle dog and the Ford dog - and no they're not the same. Look at Ford's Mustang GT. Familiar? Don't forget that an ISO standard also poses a threat to Chevy vehicles).

      By continuing to work on cars, Chevy is fighting a war they can't win, but like all wars this one is still harmful to the other combatants and various innocent bystanders.

    28. Re:Microsoft should get out of browsers ASAP by GameboyRMH · · Score: 1

      Didn't know that, I thought Theora was under a GPL license. Now I have a much lower opinion of Microsoft for not including it.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  14. They're right by Anonymous Coward · · Score: 5, Insightful

    You really want websites to be able to freeze and possibly crash your graphics subsystem, possibly overheat reboot your machine?

    Besides that, it's just sloppy, just like WebSQL is sloppy. It's just "hey let's compile opengl ES into our browser" or "let's compile SQLite into our browser" and neither are even half-hearted attempts at a proper standard. I originally said this as a joke, but it makes more sense to just link in the quake engine and support a "quake" tag, that takes a link to a PAK file as its .src attribute. That'd at least solve the (very real) security problems. Executing arbitrary shader code from random websites isn't a good idea.

    Aside: apparently no one else supports WebGL either. The implementations in both FF and Chrome are broken. I've had problems with multiple textures, framebuffers, the list goes on. It's simply not working yet.

    Of course, webGL would be trivial to reimplement in IE with a partial trust Silverlight plugin, which could just execute the GL natively, though that would be a much bigger security hole.

    1. Re:They're right by kyz · · Score: 2

      it makes more sense to just link in the quake engine and support a "quake" tag

      Yesterday's news, my good man - haven't you heard of Quake Live? Serve up the .pak with MIME type "application/x-id-quakelive" and Bob's your uncle!

      --
      Does my bum look big in this?
    2. Re:They're right by am+2k · · Score: 1

      It's just "hey let's compile opengl ES into our browser" or "let's compile SQLite into our browser" and neither are even half-hearted attempts at a proper standard.

      It's not quite the same. The WebSQL-"standard" just said "the implementation shall support whatever sqlite implements", which is a big no-no for a standard, since even though sqlite is ANSI-C and PD, you're SOL as soon as you move to something like the Java platform, where you can't use C code.

      WebGL is a proper standard, which everyone can implement without using any foreign code. There are multiple independent implementations of it as well (on every layer: browser, driver, OS).

      I've had problems with multiple textures, framebuffers, the list goes on. It's simply not working yet.

      It's a large standard in an area the web browser devs didn't have any experience with. It'll take some time, but they'll get there eventually.

    3. Re:They're right by gmueckl · · Score: 2

      What hardware and OS did you try WebGL on? If it was Linux with poor (read: open source) drivers then there's your explanation. I've yet to see any open source driver for 3D hardware acceleration that actually works (and being able to run desktop compositing does not count - it's not even remotely an indication of how modern 3D rendering is done). I really hate to bash the open source drivers in that fashion, even though it's true.

      --
      http://www.moonlight3d.eu/
    4. Re:They're right by Anonymous Coward · · Score: 0

      Like all new technologies, this is a risk/reward scenario. Is 3D in the browser worth exposing my system to potentially harmful websites? If not, does it have considerable use at all? If yes to that question, is there a way to guarantee that the websites using it are 'trusted'? As web technologies move forward, it only seems logical that developers will want to have more and more access to your computer's internals. Perhaps then we need a system like SSL certificates as to ensure the websites that need access to the internals are trusted, or at least signed off on by a trusted third party like Verisign.

      I'm not sure what you've been working on, but Khronos (www.kronos.org) has been working on a WebGL standard for years now, and it's relatively mature. Further, the fact that it's based on OpenGL ES 2.0 and all smartphones support the same standards, it lends itself to easy portability between devices.

      Most people resist change, but think back to JavaScript and its early implementations. They were horribly broken and lots had browser dependent features. Now look at it. It's a highly mature language that runs a vast majority of websites' client side UI.

      Does it have problems? Sure, but so does Flash, JS, ActiveX, MySQL, PHP, Java and every other web technology out there. It will always be the question: "Is this really worth it?"

    5. Re:They're right by Anonymous Coward · · Score: 0

      Use a better operating system.

    6. Re:They're right by Anonymous Coward · · Score: 1

      Executing arbitrary shader code from random websites isn't a good idea.

      Absolutely. I'm guessing....2015 will be the year of crowd-sourced web page GPU password hashing. Of course, by crowd-sourced, I mean 'unawares'.

      This technology is going to happen, whether it is a good idea or not. Between MS admitting that HTML5 is their future and the browser/kit wars heating up in the mobile space, no developer is going to let slide the potential for an exponential increase in rendering possibilities. Coupled with everybody's System-on-a-chip solutions that are due soon, people are going to be walking around with more hardware in their pockets than they realize.

      After that, it is just a hop, skip, jump, and another decade, to the Chinese lottery.

      Why yes, it is genuine tin foil. It's not that I knew in the 80's that cell phones could be linked to cancer, it's that I wasn't taking any chances.

    7. Re:They're right by Anonymous Coward · · Score: 0

      windows, latest ff, latest chrome beta.. ati 5700 with latest drivers..

      the implementations seemed broken, not driver glitches.. on ff i could never get anything but texture unit 0 to work, its like bindtexture does nothing at all

    8. Re:They're right by Billly+Gates · · Score: 1

      I had issues with WebGL on Windows with a recent ATi 5750. I do admit in Chrome they run better but at slower FPS than Firefox 4. Either way, this is not something that should happen under Windows with official ATI drivers. Nvidia cards are on Firefox's blacklist as well so it is not just one vendor with poor quality drivers.

    9. Re:They're right by gmueckl · · Score: 1

      Well, there are no perfect drivers out there. All of them have bugs, but the bugs in the closed source drivers are the least annoying ones in my experience.
      As a developer you can generally get things to work with them given enough fiddling. Naturally, you can't let the users do that kind of fiddling around, which makes hardware compatibility such a pain.

      --
      http://www.moonlight3d.eu/
    10. Re:They're right by Anonymous Coward · · Score: 0

      Besides that, it's just sloppy, just like WebSQL is sloppy. It's just "hey let's compile opengl ES into our browser" or "let's compile SQLite into our browser" and neither are even half-hearted attempts at a proper standard. I originally said this as a joke, but it makes more sense to just link in the quake engine and support a "quake" tag, that takes a link to a PAK file as its .src attribute. That'd at least solve the (very real) security problems. Executing arbitrary shader code from random websites isn't a good idea.

      Despite having some concerns over fully exposing the OpenGL HLSL to the outside world, this is a poor comparison. The HLSL is already supposed to be a (mildly) sandboxed language; it isn't supposed to give you 100% direct access to the hardware, it is designed as something that can be reasonably quickly compiled to something that will run on the graphics hardware. As such it shouldn't be able to crash a machine or do anything too bad (beyond possibly grabbing full screenshots). Meanwhile, SQL wasn't ever designed as anything like a VM, and so has all kinds of oddball quirks which can't be reasonably wrapped (really, we need something to replace SQL that has a real consistent structure).

  15. THEN I KNOW IT'S THE FUTURE !! by Anonymous Coward · · Score: 0

    If Microsoft hates it, I LIKES IT !! I like everything !! Except Mikey !!

  16. Harmful... by ATMAvatar · · Score: 1

    ...to their business model. Let's face it: if WebGL really took off and brought about it a myriad web-based games, the Microsoft stranglehold on PC gaming would be in jeopardy.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    1. Re:Harmful... by MemoryDragon · · Score: 1

      The stranglehold is over anyway, given the current markets. You have the Xbox and the PC which are DirectX, the rest uses OpenGL or OpenGL derivatives. Almost 100% of all game makers use an existing engine, which is optimized for cross platform development anyway.
      It is just a matter of time until those engines also have their WebGL ports one way or the other.
      Whatever Microsoft does in this area is only to the degree relevant that if they don't support it it won't be used in a corporate environment.

  17. Not the first time by Millennium · · Score: 1

    Microsoft has rejected interoperable technologies based on spurious "security concerns" before, only to release later a competing yet non-interoperable technology with far worse security problems than ever showed up on what they rejected. Remember browser plugins, passed over in favor of the steaming pile of fail that is ActiveX?

    Look for WebDirect3D in the next version of IE, likely with every problem MS claims WebGL has and a few new ones.

    1. Re:Not the first time by MemoryDragon · · Score: 1

      I am almost 100% sure that WebGL will be the point where Microsoft again will fork away. I have been expecting that for months now.
      Also so far all their efforts towards html5 are pretty half assed, even IE9 can be barely described as html5 compliant, but given the state of the current specs only time will tell if Microsoft again will be a burden on the web developing world.

    2. Re:Not the first time by Bengie · · Score: 1

      Actually IE9 is very HTML 5 compliant where the standards have stabilized. Many of the HTML 5 tests check for features that are still being decided on, which makes IE9 look bad. But if you just look at the HTML5 features that have been ratified, then it's as good or better than other browsers.

      I still use Chrome. IE has left a bad taste in my mouth.

  18. It is a problem; but... by fuzzyfuzzyfungus · · Score: 5, Insightful

    It is hard to argue with the thesis that allowing a webpage to run OpenGL code on the system GPU is less secure (and places security in more hands) than not doing so. However, that seems to throw us back on the more basic problem:

    Allowing the internet to do things to your machine is dangerous. It is also among the top reasons why most people bother to own a computer. Letting pages run Javascript opens you up to vulnerabilities in your JS engine. Support for images in webpages means that a bug in any of your image format renderers (and there have been a few of these) will allow the attacker to own you. Even HTML rendering isn't safe. People from the internet are running code on your CPU, through assorted layers of indirection, virtually continually... We put up with this blatantly dangerous situation because we want the functionality.

    Other than the (im)maturity of OpenGL as something that is subject to maliciously crafted input, rather than just error by well-meaning application designers, I'm not seeing a fundamental difference. Everything that happens in your browser happens because filthy, possibly dangerous, 3rd party instructions are executed, through some number of intermediate interpreters and libraries and codecs, right on your hardware.

    Now, I can definitely see the case to be made for "You really shouldn't enable WebGL, except for websites that you would also trust enough to download and execute with admin permissions executables from, until the OpenGL ecosystem has had time to finish wetting itself from pure fear and start improving things", it is quite likely the case that the large, complex, more-focused-on-speed-than-security, mass that is GPU firmware, GPU drivers, etc is a mass of potentially serious issues, having historically been sheltered from the more hostile side of things. However, that doesn't seem fundamentally different from the state of the stack sitting on top of the CPU that was inherited from a more innocent time before widespread network malice. Ultimately, we just had to fix that; because the alternative involved not being able to do what we wanted to do.

  19. Crap. by Anonymous Coward · · Score: 0

    This is bad news.

    Yes, everyone hates IE, blah blah blah. This makes webmasters' job significantly more difficult in using WebGL as a platform... Flash fallbacks? Alternative browser plug-in? Canvas3d? Uuuugggghhhh....

    1. Re:Crap. by DaveV1.0 · · Score: 2

      Solution: Stop using the browser for things that are not browsing. Stop using the browser as an OS inside an OS. If your website needs OpenGL, you are doing it wrong.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    2. Re:Crap. by Anonymous Coward · · Score: 0

      Really? That's a very poor argument. What's wrong with using WebGL as a platform for games? If you don't want to visit websites that have games, then don't. Others do. And there is a market for it. It helps to extinguish Flash as a platform.

  20. Mod parent up by elrous0 · · Score: 1

    I really wish we could have more discussions where MS is mentioned that don't immediately devolve into "MS is teh E V I L !!! Anything they say or do is wrong!"

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Mod parent up by imric · · Score: 0

      *shrug* Those comments are depressingly accurate though.

      --
      Paranoia is a Survival Trait!
    2. Re:Mod parent up by Anonymous Coward · · Score: 0

      This is about DX vs GL.. more than security.

    3. Re:Mod parent up by TangoMargarine · · Score: 1

      ...And when we do have one, you post a comment solely pointing this out. Thanks for contributing to the conversation

      Maybe if they stopped putting every single goddamn thing in the browser these days we wouldn't have quite so many security problems everywhere.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    4. Re:Mod parent up by Anonymous Coward · · Score: 0

      I really wish we could have more discussions where MS is mentioned that don't immediately devolve into "MS is teh E V I L !!! Anything they say or do is wrong!"

      Umm... I don't see any other comments here which have "devolved" into anything like that. The main points people are making is that Microsoft has something against a graphics API that isn't Direct3D (arguably true), that it's ironic for Microsoft to be making a statement on security given the track record of their browser and ActiveX (true), and that Microsoft is obviously right, at best WebGL results in more code in the browser that could be exploited, at worst giving web developers such low-level hardware access will open up a huge can of worms (also true).

      So, it looks like the discussion has been flowing just fine until you came in hurling accusations not based in reality.

  21. Amazing! by Anonymous Coward · · Score: 2, Funny

    Microsoft claims competitor's technology harmful and everyone should use their safe & secure version :)

    Tune in at 11 for more news from the No Shit, Sherlock dept

  22. Freedom is dangerous by Anonymous Coward · · Score: 0

    WebGL + fast Javascript gives developers a very powerful duo, games and apps on WebGL could rival normal applications (meaning non-Live-AppStore stuff) and endanger their revenue streams. This is exactly why Apple stopped further developing web editors and that is why IE was such a drag all the time... MS is not going to back up WebGL. You have other venues for more advanced stuff like Windows Marketplace or Apple AppStore, web should remain minimalist. A venue without 40% cut? No deal.

  23. Microsoft Announces Next Product by simm_s · · Score: 0

    In other news Microsoft is releasing DirectAzureX exclusively for Internet Explorer bringing secure 3D content to the Web. Innovation at work people! Microsoft the true king of standards fragmentation.

    1. Re:Microsoft Announces Next Product by Shados · · Score: 1

      When the standard sucks, it needs to be done.

    2. Re:Microsoft Announces Next Product by TangoMargarine · · Score: 1

      Vigorously. In the skull.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  24. I tend to agree by Cigaes · · Score: 4, Insightful

    Considering that most accelerated 3D drivers for video controllers are utter crap full of security flaws, or “optimizations”, as some call them, and that a video controller has full access to the system bus, and therefore to the RAM, drives, etc., I tend to agree that letting anyone on the web transparently send possibly crafted data to the 3D driver is, from a security point of view, a rather dubious idea.

  25. Games? by headkase · · Score: 0

    The business world keeps Microsoft in power, not gamers.

    I don't doubt you overall, but: for my home computers, the only reason the machine I'm typing this on has Windows 7 installed is because of games. My laptop doesn't have Windows, only my desktop which has the hardware to run the games.

    --
    Shh.
  26. They're right. by John+Hasler · · Score: 1

    n/t

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  27. It is true. It is harmful. by 140Mandak262Jamuna · · Score: 2, Informative

    The question is what is harmed. In this it looks like it is harmful to Microsoft's market share and profits.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:It is true. It is harmful. by caywen · · Score: 1

      No more so than in previous years. Last I checked, Chrome and Firefox run great on Windows and have always been far more capable browsers than IE.

  28. Can't trust MS's opinions by bzipitidoo · · Score: 5, Interesting

    What they mean by "security" is not what everyone else means. Security is just the biggest argument in the FUD arsenal. They mean control, to secure their bottom line.

    For 25 plus years, that's been MS's real goal. They tried to kill off Ogg Vorbis over "insecurity"-- the supposed insecurity of no built in DRM. Security was probably one of the arguments they used to push OOXML over ODF when they were trying to maintain their file format lockdown. Talk about an outdated tactic, but then, MS has been slipping for some time now. They would have tried the old line suggesting no one would maintain the software without a large company backing it, another FUD favorite, but even they must see no one would buy that any more. And yet, they can't see the uselessness of the entire Windows Genuine Advantage program.

    What specifically could they be trying to promote in place of webGL? Silverlight?

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    1. Re:Can't trust MS's opinions by Anonymous Coward · · Score: 0

      What the flying fuck is Ogg Vorbis? I assume Microsoft successfully killed it because no one fucking uses it? I'm being facetious, I know what Ogg is. The fact stands that it's dead in the wake of better codecs.

      MS has been slipping for some time now.

      Interesting. I never would have guessed by all the success with Microsoft Office, Windows, Visual Studio, Xbox, Xbox360, keyboards, etc, etc, etc.

      I really dislike how people post this anti-MS shit and get modded +5 by other haters. There was nothing interesting about this post. Just a bunch of old whines. Wasn't the OOXML/ODF thing like 5 years ago? Seriously Ogg Vorbis? Windows DRM? You do know it's 2011 right? Prolly wanna read up on everything that's happened in the last 5 years.

      PS) I've never had WGA fail on me. In fact, the only time it "gets in the way" about anything is on a rare Microsoft Update. But you know what? I would rather deal with this rare checkup and have the ability to install/run WHATEVER I WANT than have to deal with some App Store bullshit and an overbearing AIDS patient in a mock-turtleneck dictating everything I may do. Seriously folks: sweaty chair throwing monkey > dying AIDS patient mock-turtleneck. Monkey wins everytime!

    2. Re:Can't trust MS's opinions by shutdown+-p+now · · Score: 1

      Instead of looking at "Microsoft" in the title, why don't you familiarize yourself with the actual arguments instead? That way, you won't have to "trust opinions", but could rather "verify facts"...

    3. Re:Can't trust MS's opinions by bzipitidoo · · Score: 1

      No. MS does not deserve the benefit of the doubt. Their reputation precedes them.

      As to the argument, it is basically this: the graphics hardware does not have any mechanism to stop programs from accessing each other's data. And webGL doesn't provide any. Well, neither does anything else. The next point is that that matters because webGL executes code directly from the Internet. Ok, so this could be a security problem. But it is a problem common to every similar platform. So why is MS singling out webGL? Is trying to rework webGL the right approach to handling the problem? I would say no. That's the job of the OS, with help from the hardware.

      Now, what do you think the arguments are? Or didn't you familiarize yourself with them?

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    4. Re:Can't trust MS's opinions by shutdown+-p+now · · Score: 1

      But it is a problem common to every similar platform.

      It is a general problem, but for things like JS or Flash or Java applets, there was awareness about this problem from the very beginning, and therefore implementations were designed and written from ground up with security in mind, which means proper sandboxing. Graphics hardware was not designed with security in mind, and sandboxing of code that executes on the GPU was disregarded in favor of performance. Now we take that hardware, and shove it into the environment where said code is not trusted and can potentially be malicious.

      So why is MS singling out webGL?

      Because no other graphics API permits downloading and running pre-packaged code in a Turing complete language on your graphics hardware.

      That's the job of the OS, with help from the hardware.

      The OS itself cannot do anything here short of blocking any WebGL program that requires shaders from executing in hardware, and emulating it all in software (and then providing a sandbox where the OS can ensure its security).

  29. WebGL bugs already demonstrated by lseltzer · · Score: 4, Informative

    Context Information Security has already tested WebGL implementations and demonstrated the sorts of bugs Microsoft warns about. In fact, it looks like maybe they got a tip about it from Redmond, but they do demonstrate it, and Mozilla has acknowledged the bugs for Firefox 4.

    1. Re:WebGL bugs already demonstrated by Anonymous Coward · · Score: 0

      Are we talking about the standard or the implementation here?

      Saying "we won't use this standard because it's unsafe" is different from "we won't use this standard because that other implementation is unsafe".

      I'd like to know more about the WebGL bugs, can anyone describe them or give some pointers?

    2. Re:WebGL bugs already demonstrated by deathguppie · · Score: 1

      Ya I read the bug report from Mozilla

      This is a Firefox-specific implementation issue not a WebGL specification issue.

      .. so I'm still not sure this issue will be as big as MS makes it. Possibly, but it is still too early to tell. Also, I've been working with webGL and loving it. I'm seriously contemplating building an entire RTS based on it. So I'm hoping it works out.

      --
      once more into the breach
  30. For once don't bash M$, read the article instead by amn108 · · Score: 5, Insightful

    An essential factor in security is trust. You cannot trust a website you have never seen before to load code of its choosing to be executed on a driver supplied to you by third-party which may or may not have a stellar security record themselves. Especially when "modern" operating systems like Linux run drivers as part of their monolithic kernel and so probably WILL crash when the website code messes up the driver runtime. Windows is heading in all the right directions moving their graphics driver supporting infrastructure out of the kernel into userspace. At least that way, your entire OS won't crash bringing everything down with it. At worst, smart people will figure out doing their favourite things - injecting their code through good old buffer overflows and what not.

    This is what you get when you pair three poorly isolating systems to each other. Microsoft may have done a lot of their own mess during the years with their products' security, but for once, they are right. Not the least, because they probably have gotten so much flak for it they finally decided enough is enough and started going by security checklist documents and automated programs that eliminate all the obvious bugs. I sincerely hope they're getting it, for I for one am tired of hearing everyone bash them. Look into your own backyard when you get 20 million lines of code running wildly on several hundred million computers around the globe, thanks. Or reduce your SLOC, but that, again, is another discussion.

  31. I say, use DirectX instead. by Anonymous Coward · · Score: 0

    That's rock solid. No security problems whatsoever.

  32. They are experts in the field by omfg-no · · Score: 1

    Given they created ActiveX, windows, direct X, IIS, IE and many other technologies that screw up the web and the internet in general.

  33. Me Too by Anonymous Coward · · Score: 0

    Microsoft has been a me-too company since its last killer product: Windows XP SP2

    This FUD against WebGL is just another one of the death throes from a company that hasn't been able to compete since August 25, 2004.

    Microsoft has innovated exactly one good product: Kinect ... yet, it took Linux hackers to force them to capitalize on it.
    It reminds me of the old Toll Booth Willie skit ... does Microsoft actually want the money, or do we have to shove it up Microsoft's ass??
    I feel sorry for Microsoft shareholders, and thank god I don't own any of their stock.

    If Microsoft would stop with the me-too "standards" (all stillborn) and put 1/10th of that money and effort into applications for the Kinect, and the other 9/10th into innovating things their customers want, they could be the premier tech company again. Sadly, that's not gonna happen.

  34. Their concerns do make sense by obarthelemy · · Score: 1

    the graphics there sums it up nicely: http://www.contextis.com/resources/blog/webgl/ Web > Browser > graphics driver > kernel, and we all know graphics drivers are full of bugs/holes, and that even killing and restarting them is not a solution if the browser keeps bombarding them with spurious requests. DOS and intrusion must be very easy that way.

    It's also true that MS are picking an argument they like, and that they have, in the past and even now, created plenty of exploit avenues.

    I think we need to move from a mindset where performance and features reign supreme, to one where security is a major concern. That's bad news, cause security is much harder to evaluate than MIPS or texels/s (and reviewers/commentators like easy work). And people need to be educated: assuming Intel/ATI/nVidia chose to devote resources to creating a "safer" driver, with 30% lower performance (I pulled that figure out of a dark and smelly place), who would choose that safer one, over the faster one ? In a sense, MS can't be totally blamed: they have been giving us what we wanted: perfs and features.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
    1. Re:Their concerns do make sense by obarthelemy · · Score: 2

      maybe one solution would be to create an intermediary WebGL driver in userland with lots of security checks. Would that still be worth it, performance-wise?

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    2. Re:Their concerns do make sense by DaveV1.0 · · Score: 1

      Or, developers could stop being lazy and write an actual UI instead of relying on the browser.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  35. Don't you just hate it by lorax · · Score: 4, Interesting

    Don't you just hate it when Microsoft takes the high road on security and raises some valid points. We've been through this scenario a bunch of times where some class of programs that used to only be used by local programs became accessible on the web and suddenly there is a rash of exploits (jpeg and pdf come to mind), I'd rather not go through it again.

    That said, I think Microsoft laid out the problems with enough specificity that they could be addressed.

    1. Re:Don't you just hate it by Anonymous Coward · · Score: 0

      Well, I find it totally ironic. And the points they're making are totally valid: WebGL is a piece of sh!t that should never, ever, have its place in a browser. Nothing with such an amount of low-level system access should be allowed in a browser. The world would be better if retards pushing for such silly things were working in another field than CS / IT.

      But... I also really don't think that Microsoft "takes the high road to security" as you 4 digits /. ID wrote. They're just criticizing and trying to block a feature they don't like, by any way they can. This one can be attacked by an obvious rant on security.

      But I really don't think this means MS as a whole will suddenly start producing systems that aren't daily "admin'ed" by 0-day exploits and systems that don't need to be rebooted on patch-tuesday for them to work properly.

    2. Re:Don't you just hate it by Anonymous Coward · · Score: 0

      yeah, sucks when the high road on security happens to align with M$ interest.

  36. and yet... by Anonymous Coward · · Score: 0

    And yet Silverlight will get all those "harmful" Features.

  37. Christ, you people are stupid. by Anonymous Coward · · Score: 0

    It's a Microsoft article, which means that a few dozen unfunny chuckleheads will chime in with the easy jokes about "ACTIVEX LOL".

    Here's a hint: real life is complicated. OSS is not white and MS is not black.

    Slashdot is hopeless.

    1. Re:Christ, you people are stupid. by Anonymous Coward · · Score: 0

      MS is not black.

      Well, we knew that.

  38. Just an excuse by Anonymous Coward · · Score: 0

    IE is the only main browser which never had plans for webgl.
    It's unlikely for security reasons, just that directX is still battling opengl, they're not about to give an edge to the alternative product, right?
    They just jumped on the first opportunity to pin their decision on the first flaw that came out of webgl.

    1. Re:Just an excuse by GameboyRMH · · Score: 1

      It's unlikely for security reasons, just that directX is still battling opengl, they're not about to give an edge to the alternative product, right?

      Exactly, that's the best part. After saying that the basic principle is harmful and so on, Microsoft will come out with a proprietary clone called DirectGL or Silverlight3D, which will have the same inherent security problems, but on top of that, the typical Microsoft shoddy security and slow patching.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  39. WebGL x GPU Accelerated Flash by Parker+Lewis · · Score: 1

    This is a serious question: how different is running WebGL on the GPU from running GPU-accelerated Flash content? Are those different issues?

  40. Ugh, M$ by MacGyver2210 · · Score: 0

    Why don't they just stop fucking with customers' machines and actually join the ARB? Then they can help develop some open-source interoperable standards instead of their broken closed-everything type browsers/plugins/systems. Knowing Microsoft they'd probably do everything they could to shoot the process in the foot and then try to make their own competing technology... ...oh wait...

    --
    If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    1. Re:Ugh, M$ by Richard_at_work · · Score: 1

      Why don't you actually post something relevant to the discussion? MS actually have a point here, and the discussion about WebGL's security has been ongoing for months.

    2. Re:Ugh, M$ by nschubach · · Score: 1

      He did. The whole "story" is like Microsoft saying "I think your ice cream sucks" without actually doing anything to help create ice cream that doesn't suck by offering recipes to the ice cream factory. (Thus [re-]joining the OpenGL standards process.)

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    3. Re:Ugh, M$ by caywen · · Score: 1

      I agree with this. There's so many comments here that are just general MS bashing that have absolutely nothing to do with TFA, it's just sad.

      How can one tell if it's relevant? Just switch the roles - MS invents WebGL and Google refuses to support it citing security problems. Then, reread the comment. If the comment now makes no sense, it was relevant to the original. If the comment still kinda makes sense, it's -1, Off Topic.

  41. WebGL is not that useful yet for... by McNihil · · Score: 1

    Games. No joystick and other input handling, no feedback and such. Now if the browsers would have this functionality possible as standard then I would say Microsoft would have a valid concern painting the devil on the wall that they think WebGL is. However without those crucial components it's more likely not a valid concern... I argue that their own supposed IE9 3D accelerated rendered pages for 2D panes is already doing something they are now stating is inherently insecure... Microsoft is really now just saying "this shi*t is no way of doing it." In any event it is my honest opinion that Microsoft should not quip anything regarding this nor any other security whatsoever because it really shows how out of touch they ultimately are.

  42. Sure, if vid drivers are in ring 0... by DdJ · · Score: 1

    I am reminded of the day when Microsoft's server OS was changed so that unverified third-party video card drivers were run in ring 0. It didn't use to be that way, and it doesn't make sense in a server OS, but they did it anyway.

    It's one of the reasons I consider Windows NT 3.51 to be the last decent server OS to come out of Microsoft.

  43. I Brand Microsoft Windows A 'Harmful' Technology by QuietLagoon · · Score: 1

    Just look at all of the security issues that Microsoft Windows has, and all of the security problems that Microsoft Windows has caused globally.

  44. Re:For once don't bash M$, read the article instea by QuietLagoon · · Score: 1

    executed on a driver supplied to you by third-party which may or may not have a stellar security record themselves.

    That is more of a critique of Microsoft Windows itself than of WebGL.

  45. Harmful? by tomer · · Score: 1

    Isn't that the same company that never considered ActiveX as a harmful technology even though it was used most of the time to attack users who left IE ActiveX features turned on?

  46. FUD by Anonymous Coward · · Score: 0

    What a FUD title and summary. I was not able to find any quotes from Microsoft that stated they found WebGL itself 'Harmful.' They did state - and with reason by the way - that WebGL is a potential avenue for attacks given the varied and often buggy vendor supplied OpenGL drivers. This makes the browser the venue for attacks but fixes for the attacks must be implemented in the OpenGL driver code (supplied by either ATI, Nvidia, etc.)

    Microsoft is not the only developer to come across this issue. Firefox already has a driver blacklist to help combat some of these issues. Honestly, Microsoft is doing the correct thing not only from a business 'save our ass' perspective but in being pro-active in protecting their users.

  47. Security concerns? by Anonymous Coward · · Score: 0

    "Microsoft has announced that it has no plans to support its Windows operating system, citing numerous security concerns over the technology and branding the basic principles as 'harmful.'"

    FTFY

  48. WebGL _IS_ potentially dangerous by GauteL · · Score: 1

    Any new major feature which allows the execution of code off the Internet is potentially dangerous. Its direct connection to hardware is also another cause for concern, especially with immature technology. However, there is also massive demand for hardware acceleration of downloaded code.

    The reality is that if the browser vendors do this right, this is no more of a problem than the potential for users to download executables off the Internet and running them. Users can always screw things up and it is the browser vendors' responsibility to put up massive safeguards to stop the browser from executing WebGL from untrusted sites and providing enough barriers to stop the user from enabling this on web sites without knowing the risks. I.e. requiring the user to open a dialog and selecting "I trust this website with my hardware".

    I'm utterly convinced that Microsoft will implement this in some form or another, probably their own proprietary format using DirectX. Bashing WebGL in particular is just a ploy from them to avoid losing control in the field of gaming and graphics.

    1. Re:WebGL _IS_ potentially dangerous by John+Hasler · · Score: 1

      > The reality is that if the browser vendors do this right...

      This cannot be done right. It's utter lunacy.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  49. I'm shocked. by TheSpoom · · Score: 1

    Microsoft saying that using any graphics library other than their own -- which happens to only be available on their operating system -- is harmful and should be avoided. Shocking.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  50. WebGL is not secure and MS are not actually stupid by kangsterizer · · Score: 1

    Microsoft would prefer to push Silverlight (which does not support OpenGL or DirectX (good call) but still does some software 3D)

    That doesn't make them wrong, WebGL is stupidly insecure, because making it secure means you start to destroy performance by having a large layer between the graphic card and WebGL, while right now you're basically calling OpenGL.

    In fact, except by using a proper operating system (such as singularity incidentally) and a proper, fully controlled messaging system between the OpenGL calls and the graphic card, there's no real way out of this.
    Poor performance in WebGL would not be acceptable. Poor security is not acceptable either.

    Anyhow, we'll see how this turns out.

  51. It's not WebGL vs No WebGL, it's WebGL vs Flash by Vesuvias · · Score: 1

    I agree. Plus the fundamental issue here is not a choice between WebGL and no 3D browser support because drivers are insecure and unstable. It's really a choice between WebGL and 3D browser plugins. People want 3D in their browser; Microsoft saying no will not change this. They will simply get it through any number of 3rd party plugins as opposed to an open standard like WebGL. This is actually great news for Flash and Unity. It's bad news if you didn't want another proprietary 3rd party company setting the standard.

    1. Re:It's not WebGL vs No WebGL, it's WebGL vs Flash by fuzzyfuzzyfungus · · Score: 1

      In fairness to Microsoft, I strongly suspect that they are entirely correct when they say that running untrusted OpenGL code is currently a security clusterfuck of epic proportions. I certainly won't be touching WebGL, outside of specific trusted cases, for some time to come.

      It's just that I don't see how the situation will ever improve, on the driver, firmware, possibly I/O MMU availability, etc. sides unless people start rumbling about how they Really. Do. Want. to be able to do this, and that it will have to be a consideration in future designs.

      In much the same way, the OS security models that grew up in the days of non-networked single user systems were absolutely hopeless; but it wasn't as though they were on track to improve through some kind of magic that would allow us to just wait patiently until they were mature before hooking them up. It took market pressure for security to become a feature (at least in theory) rather than a cost center. Hopefully the tightening up of OpenGL will be a cleaner, less harrowing process; but it isn't as though it is happening in the current absence of outside pressure...

  52. Re:For once don't bash M$, read the article instea by NatasRevol · · Score: 5, Insightful

    Can you explain to me, from your security point of view, how this is any different than using flash or silverlight on the web? Using those technologies, you're loading code from a website to be executed on a driver supplied to you by a third party which does NOT have a stellar security record.

    --
    There are two types of people in the world: Those who crave closure
  53. Re:I Brand Microsoft Windows A 'Harmful' Technolog by Anonymous Coward · · Score: 0

    agreed.
    maybe Microsoft is right and webGL is "harmful technology". But one thing MS has proven time and time again is that they don't care for users using "harmful technology" as long as it is MS's brand of "harmful technology".

  54. Re:For once don't bash M$, read the article instea by TyIzaeL · · Score: 1

    Except Microsoft doesn't make video cards and video drivers.

  55. Re:For once don't bash M$, read the article instea by Anonymous Coward · · Score: 0

    An essential factor in security is trust

    I don't trust you or Microsoft. How secure am I now?

    You cannot trust a website you have never seen before to load code of its choosing to be executed on a driver supplied to you by third-party which may or may not have a stellar security record themselves.

    Can you trust a website you have seen before? Do you surf with Javascript disabled? And just so you know: my driver happens to be supplied by the OS vendor, who does have a sufficient security record for my desktop needs.

    Especially when "modern" operating systems like Linux run drivers as part of their monolithic kernel and so probably WILL crash when the website code messes up the driver runtime.

    Pics or it didn't happen. Here's my preemptive cluebat: the Linux OpenGL stack runs in userspace (Mesa), along with the direct rendering manager. The only parts inside the kernel are the modesetting code, the direct rendering interface and the command submission checker. And guess what: the command submission checker is there for security reasons.

    Windows is heading in all the right directions moving their graphics driver supporting infrastructure out of the kernel into userspace. At least that way, your entire OS won't crash bringing everything down with it.

    From a security standpoint, an entire OS crash is actually safer than trying to recover from an unknown state.

    At worst, smart people will figure out doing their favourite things - injecting their code through good old buffer overflows and what not.

    Because that can never be harmful?

    This is what you get when you pair three poorly isolating systems to each other.

    Warmth in the winter, coolness in the summer?

    Microsoft may have done a lot of their own mess during the years with their products' security, but for once, they are right. Not the least, because they probably have gotten so much flak for it they finally decided enough is enough and started going by security checklist documents and automated programs that eliminate all the obvious bugs.

    Doesn't matter if they are right. WebGL affects their bottom line so they have various reasons not to implement it. Given their track record on security, it would have been better not to say anything.

    I sincerely hope they're getting it, for I for one am tired of hearing everyone bash them. Look into your own backyard when you get 20 million lines of code running wildly on several hundred million computers around the globe, thanks. Or reduce your SLOC, but that, again, is another discussion.

    I do not want to have wildly running code.

  56. Doing it wrong by rokstar · · Score: 1

    The title should be "Microsoft: WebGL Considered Harmful"

  57. So we need something better by Vario · · Score: 1

    It seems that WebGL is basically an experiment how to implement a subset of OpenGL that can be part of a webpage. This experiment more or less ended in a standard which allows the website to use the graphics card to its full extent.

    Shaders are Turing-complete, and we do not have a secure IOMMU in every computer, but there is the real possibility of accessing a lot of memory which the website should not be allowed to. Yesterday a new exploit was published which underlines this point (Exploit from contextis.com). So this boils down to a nice idea for some internal stuff, kind of downloading an executable and showing the results right in your browser. If we do not want to repeat ActiveX for the GPU instead of the CPU and all its problems with blacklists, etc. there are very few viable alternatives. Either something like Java or Google's native client which provide a more or less secure sandbox or a good security architecture in the graphics driver which prevents these exploits.

    Until one of these security measures is in place it is hard not to agree that WebGL is a big security risk and should not be used for websites out of your control.

    1. Re:So we need something better by TheRaven64 · · Score: 1

      we do not have a secure IOMMU in every computer

      Worse, we can't easily tell whether we do or not. The browser can't interrogate the drivers to say 'do you have an IOMMU I can trust?' Some have no MMU, some have an MMU with known problems, some have an MMU with no known problems (which is not necessarily the same as no exploitable problems).

      --
      I am TheRaven on Soylent News
  58. Another nail in the coffin of.. by the_rajah · · Score: 1

    Internet Explorer as a viable browser. Thank you, Microsoft.

    --


    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
  59. No... we need to do the opposite... by gQuigs · · Score: 1

    The GPU has been getting more powerful and is far better for certain tasks. The GPU needs to be treated more like another core processor and less like an add-on. In fact, it's being integrated into the processor on chips like AMD Fusion.

    Trying to put the graphics processing in userspace should be a bad joke at this point. The Linux Kernel has been moving to Kernel Mode Setting for a reason. Yes, it's not all of it by any means, a lot of the OpenGL stuff happens between them, but the direction it's moving in should be clear.

    1. Re:No... we need to do the opposite... by John+Hasler · · Score: 1

      > ...the direction it's moving in should be clear.

      Yes. The wrong one.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:No... we need to do the opposite... by Anonymous Coward · · Score: 0

      The problem is, current GPUs are designed for performance, not security. Even GPUs touting their hardware memory "management" usually have only the address-remapping part of an MMU (for more flexible data transfer patterns, basically), and not the "you can't read from or write to there, bad program" part.

      So while in CPU land there are two options (not mutually exclusive) - verified code and memory protection, the GPU only has verified code.

      Making a GPU more secure at the hardware will inevitably make it slower. One of the main ways the Amiga managed to run rings around a PC several times the nominal speed was by dropping hardware memory protection usage from the OS and just trusting apps not to fuck up. Bad assumption in the modern era. You could run a memory-protection addon for AmigaOS ("enforcer" or "guardian angel") and AmigaOS 4.x eventually introduced memory protection, but lo, everything slowed down.
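
Added example, not part of any comment in this thread: a toy C model of the "verified code" approach described in the comment above (and of the command submission checker mentioned in comment 55), in which a kernel-side checker validates a submitted command stream against the buffers the submitter owns before anything reaches the hardware. The command format, struct and function names, and the sample streams are hypothetical and constructed for illustration; this is not any real driver's ABI.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical command format: userspace names memory by buffer handle plus
 * offset, never by raw GPU address. Not a real driver ABI. */
enum cmd_op { CMD_COPY = 1, CMD_DRAW = 2 };
enum verdict { CS_OK = 0, CS_BAD_OP, CS_BAD_HANDLE, CS_OUT_OF_BOUNDS };

struct buffer { uint64_t base, size; };      /* GPU range owned by one context */

struct cmd {
    uint32_t op;                 /* enum cmd_op */
    uint32_t src_buf, dst_buf;   /* handles: indexes into the owner's table */
    uint64_t src_off, dst_off, len;
};

struct resolved { uint64_t src, dst, len; }; /* absolute addresses for the GPU */

/* Weak form: off + len can wrap past 2^64 and appear to fit. */
static bool naive_range_ok(uint64_t size, uint64_t off, uint64_t len)
{
    return off + len <= size;
}

/* Hardened form: true if [off, off + len) lies inside `size` bytes. The sum
 * off + len is never computed, so it cannot wrap. */
static bool range_ok(uint64_t size, uint64_t off, uint64_t len)
{
    return off <= size && len <= size - off;
}

static enum verdict check_cmd(const struct buffer *tbl, size_t ntbl,
                              const struct cmd *c, struct resolved *out)
{
    if (c->op != CMD_COPY && c->op != CMD_DRAW)
        return CS_BAD_OP;
    if (c->src_buf >= ntbl)
        return CS_BAD_HANDLE;
    if (!range_ok(tbl[c->src_buf].size, c->src_off, c->len))
        return CS_OUT_OF_BOUNDS;
    out->src = tbl[c->src_buf].base + c->src_off;
    out->dst = 0;
    out->len = c->len;
    if (c->op == CMD_COPY) {     /* only copies have a destination operand */
        if (c->dst_buf >= ntbl)
            return CS_BAD_HANDLE;
        if (!range_ok(tbl[c->dst_buf].size, c->dst_off, c->len))
            return CS_OUT_OF_BOUNDS;
        out->dst = tbl[c->dst_buf].base + c->dst_off;
    }
    return CS_OK;
}

/* Validate the whole stream first: one bad command rejects the submission.
 * *bad receives the failing index, or n when every command passed. */
enum verdict check_stream(const struct buffer *tbl, size_t ntbl,
                          const struct cmd *cmds, size_t n,
                          struct resolved *out, size_t *bad)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_cmd(tbl, ntbl, &cmds[i], &out[i]);
        if (v != CS_OK) { *bad = i; return v; }
    }
    *bad = n;
    return CS_OK;
}

/* Constructed sample data: a context that owns two buffers. */
static const struct buffer ctx_bufs[2] = {
    { 0x100000, 0x1000 },        /* handle 0: 4 KiB  */
    { 0x200000, 0x4000 },        /* handle 1: 16 KiB */
};

static const struct cmd benign[2] = {
    { CMD_COPY, 0, 1, 0x0, 0x3000, 0x1000 },  /* ends exactly at buffer 1's end */
    { CMD_DRAW, 1, 0, 0x100, 0x0, 0x200 },
};

static const struct cmd hostile[3] = {
    { CMD_DRAW, 0, 0, 0x0, 0x0, 0x1000 },               /* in bounds */
    { CMD_COPY, 0, 1, 0x800, 0x0, UINT64_MAX - 0x6FF }, /* off + len wraps to 0x100 */
    { CMD_COPY, 0, 7, 0x0, 0x0, 0x10 },                 /* unknown handle, never reached */
};

int main(void)
{
    struct resolved out[3];
    size_t bad;
    enum verdict v = check_stream(ctx_bufs, 2, benign, 2, out, &bad);
    printf("benign:  verdict=%d\n", (int)v);
    v = check_stream(ctx_bufs, 2, hostile, 3, out, &bad);
    printf("hostile: verdict=%d at command %zu\n", (int)v, bad);
    return 0;
}
```

The wrapping length in the second constructed stream passes `naive_range_ok` and is rejected by `range_ok`, which is why the bounds test subtracts instead of adding.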

  60. Micro$oft H4rmful by KiwiFireball · · Score: 0

    In other News: The world has announced that it has no plans to support Microsoft — a cross-continent low-level suite of Operating System and Office Software designed for world domination — in its future computers, citing numerous security concerns over the technology and branding the basic principles as 'harmful.'

  61. Re:For once don't bash M$, read the article instea by nschubach · · Score: 1

    Thus, "third party [drivers] which may or may not have stellar security" ...

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  62. Seems that John Carmack agrees... by HerculesMO · · Score: 1
    --
    The price is always right if someone else is paying.
  63. security by an_orphan · · Score: 1

    Carmack seems to agree with MS here: "I agree with Microsoft’s assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security." http://twitter.com/#!/ID_AA_Carmack/status/81732190949486592

  64. Re:For once don't bash M$, read the article instea by amn108 · · Score: 1

    I would think that with Linux kernel's 13M source lines of code versus Windows 7 kernel's 3M, it's more of a critique of Linux in fact. And also, out of those 13M, more are driver code lines than is the case with Windows, which thankfully heeded to years and years of operating system security research and started to finally move stuff out of the kernel into user-space with the help of their user-mode driver framework.

    Conceptually, WebGL is not flawed and cannot be blamed for errors that occur outside its domain, even if these can be attributed to WebGL itself. But as part of a bigger software "ecosystem", it is to blame. You help expose seven levels of hell with the help of a ladder. A stable well-built ladder, but a ladder nevertheless. Unfortunately, system security is not like a courtroom trial - you either have it or you don't. There is no such thing as "partially secure system", when one secure part of it nevertheless cannot protect it from intruding upon the rest of it.

  65. Re:WebGL is not secure and MS are not actually stu by thePowerOfGrayskull · · Score: 1

    Company names are almost always singular. A company name is not a collection of people, it is a proper name for a singular entity.

  66. No admin rights to install Firefox by tepples · · Score: 1

    Otherwise you'll have more javascript "go download a *real* browser to use this site/webapp" and more exodus from IE.

    A lot of people don't own all the computers that they use and thus lack administrative rights to switch browsers. Examples include a child using the family PC, someone visiting someone else's house and using a PC, an employee using a work PC, or someone using a PC in a public library or Internet cafe. Therefore, you'll probably see IE users switch to a competitor's site that offers both a WebGL front-end and one that uses whatever Microsoft can dream up.

  67. We missed an opportunity. by SanityInAnarchy · · Score: 2

    You are flat wrong on a few points:

    It's not the access to high performance video drivers, as they don't exist.

    Bullshit. The nVidia drivers benchmark comparably on Linux and Windows. ATI might still be worse.

    And this is where I think the Linux community missed an opportunity. Back when Quake 3 was the hot new shit, and was how benchmarks were done, someone benchmarked Windows vs Wine vs native Linux. They found the performance went roughly in that order -- Quake 3 was faster under Wine on Linux than it was on Windows, and the native Linux port was faster still.

    So you're right that gamers need something better -- but we had that. We had a significant performance advantage for awhile, and that was out of the box. This was also back when desktop GUI environments were still fairly resource-intensive things, so you could get even more performance out of killing off your entire GUI and running just that game in its own X server (with no other X apps) -- and PC gamers were always looking for little tweaks like that to give them an edge.

    None of these things are true anymore. Linux is no longer a performance edge by itself, and whatever performance there is to be gained isn't really going to make your framerate go up. That's where it's even comparable, because since then, Direct3D got better and much more popular. There was a point where OpenGL was just faster and better, when games would ship with multiple renderers (OpenGL, D3D, and software) in case one happened to be faster or better supported on your machine, but as I remember, after a certain point, Half-Life always ran faster under OpenGL. But again, things just aren't comparable anymore -- too many games are D3D only.

    That, and there are so many new features (all of them high-performance) that you're not likely to get the best experience out of open source drivers, so if you're stuck with ATI, Linux is going to be significantly worse than Windows, even for an identical OpenGL game.

    I feel like if we'd kept that edge just a bit longer, we might've seen a lot more start to change. I played an MMO with a friend, and aside from his Norton Anti-Virus always interrupting his game, I could run it windowed (via Wine hacks) while he couldn't -- and eventually, when the game's auto-patching system not only worked on Wine but not his Windows, but we "patched" his copy by pulling files out of my Wine copy, he was convinced -- a few months later, I set him up with Linux. That kind of thing happens much less often these days.

    Anyway...

    It's not the access to ubiquitous and non-finicky audio systems, as they don't exist.

    I don't know, ALSA pretty much met that goal, and I haven't had issues with Pulse since I switched to it, though I did wait awhile before making that switch. For a gamer, though, I don't see needing anything more than ALSA. For that matter, I also don't see a game developer needing to use anything more than OpenAL.

    You are, however, almost right about this:

    The gamers need something better than what they have if they are going to move away from their current situation and negate their library of games... The majority of game companies won't make games on Linux until there is a market, which doesn't exist.

    Linux support is still a very good idea for a new indie game. And if anything, I'd expect it to be easier to build a portable game than other kinds of applications -- the game's entire interface with the OS can be reduced to OpenAL, OpenGL, the filesystem, and the network. OpenAL and OpenGL are already ported, and the filesystem is almost automatically portable if you don't assume stupid things (don't add a bunch of backslashes; forward slashes work on Windows, too).

    But then, indie developers can't really afford to exclusively support Linux, which means the game itself isn't an inc

    --
    Don't thank God, thank a doctor!
    1. Re:We missed an opportunity. by snemarch · · Score: 1

      Early versions of Direct3D sucked balls :)

      Part of the reason was retained vs. immediate mode - and part of the reason for that was Carmack (and others) asking for immediate mode, but then not wanting to use it; can't blame them, though, as the user<->kernel mode switches and the general state of GPU hardware back then made it kinda useless. It took Microsoft until DX9 (around 9 years - slow fscks!) to gain the upper hand.

      --
      Coffee-driven development.
  68. Re:For once don't bash M$, read the article instea by Anonymous Coward · · Score: 0

    Yes. However, the point people are trying to make about Microsoft is as follows:

    1. Context Security Whoever demonstrates the danger of giving some code off the web access to your GPU. Who paid for them to perform this research seems pretty obvious from the article, however, we can't prove it at this moment. Always remember, articles like this usually have a paying sponsor.
    2. There really isn't a good way to do 3D graphics without giving code some access to the Graphic Card's memory/framebuffer.
    3. Microsoft is pumping Silverlight full of all sorts of GPU access.
    4. Hence, Microsoft must be providing some sort of access to the graphic card's memory.
    5. Hence, Microsoft will likely suffer from the same, if not more, security issues.

    At this point, everyone is still developing the framework in which you securely access the GPU. Microsoft states that there are several security assurances that have been handed to the graphics driver programmers via WebGL. However, there are no assurances that Silverlight will mitigate this without A) substantial performance issues and B) introducing several bugs that can be exploited for equally viable and dangerous attacks. Finally, Microsoft can't simply ignore 3D graphics on the web, because they'd face yet another upset in desktop browsers by the competition (Firefox/Chrome).

    The problem is that in the end, Microsoft complains that someone else's product has the same problems as Microsoft's product and provides no remedy. Thus, we conclude that while there are security issues, they are currently universal to GPU access by web code. Hence, Microsoft's position is considered to be only half true at best and in the spirit and intention of complete and utter FUD.

  69. When has this ever happened? by SanityInAnarchy · · Score: 1

    Developer: I'm going to make a great game for Linux, it's closed source.
    Linux Community: closed source? BAH! No thank you, Linux is about Freedom man...

    Seriously? Can you cite any actual examples of this actually happening?

    I mean, I might grumble that a game is closed, and that I might be able to solve some issue it has if it's open, but I'll buy it. How many Linux users with nVidia cards refuse to run the nVidia proprietary drivers? Those are a much bigger issue than some game running in userspace.

    --
    Don't thank God, thank a doctor!
    1. Re:When has this ever happened? by TheRaven64 · · Score: 1

      Look up the history of Loki Software. They bought the Linux rights to a lot of games and ported them. It took them 4 years to go bankrupt.

      --
      I am TheRaven on Soylent News
    2. Re:When has this ever happened? by mr_mischief · · Score: 1

      Look at GM. They make cars. They went bankrupt. Guess what... It's not because nobody was buying cars.

    3. Re:When has this ever happened? by TheRaven64 · · Score: 1

      In Loki's case, it was because no one was buying Linux games. Linux users were either buying the Windows version and playing under WINE or a dual boot, playing open source games, or not playing games at all. A GM comparison would have made sense if there had been other successful companies selling Linux games. There weren't.

      --
      I am TheRaven on Soylent News
    4. Re:When has this ever happened? by SanityInAnarchy · · Score: 1

      Well, again, do we know that this is what actually happened?

      Or is it that there just weren't enough Linux gamers of any sort to begin with for a company like Loki to be profitable?

      In either case, I was pleasantly surprised to find that most of my peers who are tech savvy enough to have heard of Linux have also bought the Humble Indie Bundle, play Minecraft on Linux, etc. Yes, open source would be better, but they're not going to refuse to play a game because it's proprietary, especially if it's ported to their OS of choice.

      --
      Don't thank God, thank a doctor!
    5. Re:When has this ever happened? by mr_mischief · · Score: 1

      Were you on the board? How are you so privy to the financials of a defunct non-public company? A lack of market is far from the only reason a company can go under. Hell, 3D Realms had a huge market for Duke Nukem Forever and went bankrupt spending money on the project. From what I hear, the followup group delivered a mediocre game that's only useful as a reminder of how great Duke 3D was. Mismanagement has killed many a company that had a market.

  70. Re:WebGL is not secure and MS are not actually stu by thePowerOfGrayskull · · Score: 1

    Sorry. I've become better about controlling the Grammar Nazi within in recent years, but sometimes he still escapes my grasp and tries to wreak havoc on my karma.

  71. Microsoft talking... by LordAzuzu · · Score: 1

    about security concerns?
    ROFL

  72. Secure a browser? by LWATCDR · · Score: 1

    Maybe we should just use a virtual-box like system for browsers. Just run the browser with some minimal version of Linux or BSD in a virtual machine on whatever OS. Make a downloads and a config directory shared and be done with it.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  73. Re:For once don't bash M$, read the article instea by amn108 · · Score: 2

    Sure, gladly. You have half a point - indeed systems that communicate invariably affect and potentially may compromise each other. That's a fact, which can also be seen in any other field of engineering. Like they say, the only secure system is the one that is not connected [to the Internet]. But since we do connect systems, the factor here is the interface cross-section. Flash Player and Silverlight, ok I won't speak for Silverlight because I never said it is much better than WebGL, so yeah - Flash Player uses fewer and more benign interfaces than WebGL - it certainly does not execute that much GPU code, in fact most of the SWF code interpreted by it is run on your average CPU eventually, and the parts that are abstracted by Windows, again, run in USER MODE - font rendering, printer, mouse, sound etc - hence my choosing of the word "more benign". If Flash Player crashes, your OS doesn't (hopefully this includes Linux based OSes.)

    Granted, Flash Player DOES now expose the GPU indirectly through its that-3d-rendering-api-codename-i-dont-remember-the-name-of, and indeed it's much of the same dilemma as with WebGL - untrusted code programming your graphic driver has the same chance of crashing your box as those fancy desktop 3d games that give you BSOD or Linux kernel panic.

    To sum it all up: it's the interface cross-section that matters and the domain of the code the interfaces abstract.

  74. Difference between 2D and 3D? by tepples · · Score: 1

    ActiveX at least ran as the current user, not kernel.

    The 2D canvas ultimately runs as the kernel. Scripts call methods of a canvas drawing context in the web browser, which makes calls to 2D drawing APIs provided by the operating system, which are finally executed in device drivers that run as part of the kernel. What's the difference between 2D and 3D in this respect, other than defects in certain 3D paths in NV and AMD video drivers?

    1. Re:Difference between 2D and 3D? by amliebsch · · Score: 1

      Isn't the difference that the 2D drawing calls that the websites are an API abstraction provided by the browser? This allows some sandboxing and sanity checking. WebGL essentially lets web code run directly on bare metal. It's NOT abstracted.

      --
      If you don't know where you are going, you will wind up somewhere else.
    2. Re:Difference between 2D and 3D? by TheRaven64 · · Score: 1

      Your comment makes about as much sense as saying that sandboxed JavaScript code and compiled C code running in ring 0 are about as much of a security risk - they both run on the CPU in the end, after all...

      --
      I am TheRaven on Soylent News
    3. Re:Difference between 2D and 3D? by tepples · · Score: 1

      Your comment makes about as much sense as saying that sandboxed JavaScript code and compiled C code running in ring 0 are about as much of a security risk

      Please help me understand why this is the case. In what specific way is WebGL code more like "compiled C code running in ring 0" than like "sandboxed JavaScript code"? And in what specific way is WebGL code more like "compiled C code running in ring 0" than 2D canvas code is like "compiled C code running in ring 0"?

    4. Re:Difference between 2D and 3D? by TheRaven64 · · Score: 1
      I replied to another comment explaining the difference, and I thought that was one of yours. Anyway, here goes:

      When you use WebGL, you are running GLSL code from an untrusted source. This code is C-like and has things like pointer arithmetic. Validating it is about as hard as validating arbitrary C code - and if you can work out a way of doing that then you can make a lot of money. It's passed to the driver after a token amount of validation. The driver compiles it into native code for the GPU, where it runs. In a typical GPU, there is either no MMU or a badly designed, badly tested, buggy MMU isolating it from other code. You can almost certainly get at anything other programs are putting into VRAM (e.g. the contents of any documents displayed on the screen), and you can probably get at the contents of main memory via DMA if you're lucky.

      Now, let's compare that to the canvas tag. You call something like canvas.LineTo(). This is interpreted JavaScript code that calls out to C code. The JavaScript VM may validate that the arguments are floating point values, but it doesn't really need to - the worst that can happen is that the C code gets two random values that happened to be in floating point registers at the time. This then calls a well-tested library function for 2D drawing. This code runs in userspace by the way, not in the kernel as you claimed. It will test that its inputs are easy, but that's trivial for it to do because its inputs are just two floating point values.

      The fundamental difference between the canvas and WebGL is that canvas is providing untrusted data to a library while WebGL is providing untrusted code to the kernel. If you think these are equivalent, I really hope you never design any software that I have to use.

      --
      I am TheRaven on Soylent News
    5. Re:Difference between 2D and 3D? by Anonymous Coward · · Score: 0

      > When you use WebGL, you are running GLSL code from an untrusted source. This code is C-like and has things like pointer arithmetic.

      GLSL doesn't even have pointers, let alone pointer arithmetic.

      > Validating it is about as hard as validating arbitrary C code

      Wrong. GLSL has C-like syntax, but it's far more restrictive than C. There are no pointers, array dimensions must be known at compile time, there are no "reinterpret" casts, etc.

      There may be bugs in specific GLSL implementations (e.g. omitting bounds checks), but there are no fundamental design flaws which make it inherently unsafe.

      > In a typical GPU, there is either no MMU or a badly designed, badly tested, buggy MMU isolating it from other code.

      You don't need an MMU. It's simple enough to determine that a program cannot access memory which it isn't supposed to access.

      > You can almost certainly get at anything other programs are putting into VRAM (e.g. the contents of any documents displayed on the screen),

      Wrong. GLSL can read variables, arrays (whose bounds are known at compile time) and samplers (textures which have been attached to one of the texture units).

      > and you can probably get at the contents of main memory via DMA if you're lucky.

      There is no way to do anything like this either.

      It's fairly clear that you don't have the first clue about how GLSL actually works. It's not C, where you can convert an arbitrary integer to a pointer then use it to read/write memory, or which relies upon the application to know where arrays begin and end.

  75. uh-hu by Anonymous Coward · · Score: 0

    harmful to whom?

  76. Oh come on! WebDirectX? by GNUALMAFUERTE · · Score: 1

    Are they really that obvious?

    Microsoft has consistently attacked OpenGL in order to push DirectX. They are working hard to keep people on Windows. One of the few things tying people to it is applications, and within that, the biggest marketshare comes from games. Office suites, video and music, ERPs, CRMs, and just about everything else is going to the web. But games are still mostly actual executable files that depend on the OS. With WebGL, we can have games as complex as we want that just run on the browser. Microsoft DOESN'T want that, especially since their browser is going the way of the dodo.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  77. WEBGL makes the drivers more visible. by leuk_he · · Score: 5, Insightful

    Anything that gets drawn in a browser is controlled by the browser. After 10 years of failure that part mostly is sandboxed into safety. The Code of web gl has almost complete access to the video driver. The video driver was never written for security. Speed and picture quality were the number one priorities. Since the application that ran them was already a local application that had a lot of access, security was not really an issue. The applications that access the drivers did not have to be checked extra, because they had already full access to the machine.

    Display drivers are complex software, that might show the same level of vulnerabilities that plagues the browser.

    However, a subset of WEBGL that is easier to check could be implemented safely, I think.

    1. Re:WEBGL makes the drivers more visible. by Entrope · · Score: 1

      How does the browser control what Flash draws to the screen? How does the browser control what (as many people here point out) Silverlight draws to the screen or touches on disk? The Canvas element certainly isn't 10 years old -- it adds a bunch of things to HTML that don't have 10 years of sandboxing experience behind them. I do not deny the security concerns relating to WebGL, but I think that they are distorted and overblown by people with an agenda; there are equally great security concerns with a lot of other new web client technologies.

    2. Re:WEBGL makes the drivers more visible. by amliebsch · · Score: 1

      Flash and Silverlight are both plugins. They are not compiled directly into the browser. You might say it's a distinction without a difference, but I don't think it's an unreasonable distinction to make.

      --
      If you don't know where you are going, you will wind up somewhere else.
    3. Re:WEBGL makes the drivers more visible. by TheRaven64 · · Score: 4, Informative

      You seem to have no idea of how a modern graphics stack works. Canvas drawing is mediated by the browser. You do something like lineTo() from JavaScript. The JavaScript code then translates this into a call to a host OS API call. The call comes from the browser and its arguments are checked by the browser for sanity, then they're checked by the graphics stack, then they're checked by the driver. In contrast, WebGL takes a blob of GLSL code and a blob of data and passes it straight to the driver. The browser can try checking this, but it doesn't really know what to look for. The drivers then compile this C-like code, using a compiler that wasn't designed for security. Then they chuck it over the bus and the card (which may have DMA access to all of system memory) runs it. Comparing the two is like comparing a telephone with someone dictating messages and a fax machine: you're only likely to be goatse'd by one...

      --
      I am TheRaven on Soylent News
    4. Re:WEBGL makes the drivers more visible. by Entrope · · Score: 1

      Unless users disable them (coincidentally breaking plenty of web sites), those plugins run on their systems and are driven by web content. That makes the plugin thing a largely irrelevant distinction.

    5. Re:WEBGL makes the drivers more visible. by Entrope · · Score: 1

      You seem to be a narrow-minded Microsoft shill with no tact. There is a lot more code in the rest of the web client stack than in the WebGL and OpenGL layers; there is only hand-waving support for the claim that GL shader code running on the video card could trigger undesired DMAs; there are only vague suggestions that bugs in the GL rendering stack are (a) exploitable via WebGL and (b) have any security impact. The code to handle a lot of web content -- for example, video or image data -- is also more complicated and more susceptible to remote exploits by its nature, compared to the GL compilation and rendering stack. Your proposed analogy is way off.

    6. Re:WEBGL makes the drivers more visible. by BZ · · Score: 1

      For what it's worth, browsers that implement WebGL do in fact have a shader validator that restricts what code you can run (e.g. no variable-length loops, etc).
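The loop restriction mentioned in the comment above, sketched as an added example (not part of the thread and not code from any browser): GLSL ES 1.00 Appendix A, which WebGL 1 shaders must stay within, only requires support for `for` loops whose index, bound and step are compile-time constants. The function names and both sample shaders are constructed for illustration, and the regex-based check is a simplification of what a real validator does on a parsed shader.

```javascript
// Simplified illustration of the loop rules in GLSL ES 1.00, Appendix A.
// Not a GLSL parser: it only inspects loop keywords and `for` headers.

function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/[^\n]*/g, " ");
}

// Names bound to numeric literals via `const int N = 8;` or `#define N 8`.
function collectConstants(src) {
  const names = new Set();
  const constDecl = /\bconst\s+(?:int|float)\s+(\w+)\s*=\s*[-+]?[\d.]+\s*;/g;
  const define = /^[ \t]*#define\s+(\w+)\s+[-+]?[\d.]+\s*$/gm;
  for (const m of src.matchAll(constDecl)) names.add(m[1]);
  for (const m of src.matchAll(define)) names.add(m[1]);
  return names;
}

// A "constant expression" here is a numeric literal or a collected name.
function isConstant(expr, constants) {
  const e = expr.trim();
  return /^[-+]?(\d+\.?\d*|\.\d+)$/.test(e) || constants.has(e);
}

// Return each `for (...)` header split into its ';'-separated parts,
// tracking parenthesis depth so calls inside the header do not confuse it.
function forHeaders(src) {
  const headers = [];
  const re = /\bfor\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1;
    const parts = [""];
    for (let i = re.lastIndex; i < src.length; i++) {
      const c = src[i];
      if (c === "(") depth++;
      else if (c === ")") depth--;
      if (depth === 0) break;
      if (c === ";" && depth === 1) parts.push("");
      else parts[parts.length - 1] += c;
    }
    headers.push(parts.map((p) => p.trim()));
  }
  return headers;
}

// Returns a list of human-readable violations; empty means every loop has a
// trip count that can be determined at compile time.
function checkShaderLoops(source) {
  const src = stripComments(source);
  const constants = collectConstants(src);
  const problems = [];
  if (/\bwhile\s*\(/.test(src)) {
    problems.push("while/do-while loop: support is not required by GLSL ES 1.00");
  }
  for (const parts of forHeaders(src)) {
    const text = `for (${parts.join("; ")})`;
    if (parts.length !== 3) {
      problems.push(`${text}: malformed header`);
      continue;
    }
    const [init, cond, step] = parts;
    const mi = /^(?:int|float)\s+(\w+)\s*=\s*(.+)$/.exec(init);
    if (!mi || !isConstant(mi[2], constants)) {
      problems.push(`${text}: index is not initialised from a constant`);
      continue;
    }
    const idx = mi[1];
    const mc = /^(\w+)\s*(<=|>=|==|!=|<|>)\s*(.+)$/.exec(cond);
    if (!mc || mc[1] !== idx || !isConstant(mc[3], constants)) {
      problems.push(`${text}: bound is not a constant`);
    }
    const ms = /^(?:(\w+)\s*(?:\+\+|--)|(?:\+\+|--)\s*(\w+)|(\w+)\s*[-+]=\s*(.+))$/.exec(step);
    const stepOk = ms !== null && (ms[1] === idx || ms[2] === idx ||
      (ms[3] === idx && isConstant(ms[4], constants)));
    if (!stepOk) problems.push(`${text}: step is not a constant change of the index`);
  }
  return problems;
}

// Constructed sample: loop bound is a compile-time constant.
const BOUNDED_SHADER = `
precision mediump float;
const int TAPS = 8;
uniform sampler2D tex;
varying vec2 uv;
void main() {
  vec4 sum = vec4(0.0);
  for (int i = 0; i < TAPS; i++) {
    sum += texture2D(tex, uv + vec2(float(i) * 0.001, 0.0));
  }
  gl_FragColor = sum / float(TAPS);
}`;

// Constructed sample: trip count depends on a uniform supplied at run time.
const UNBOUNDED_SHADER = `
precision mediump float;
uniform int count;
varying vec2 uv;
void main() {
  float acc = 0.0;
  for (int i = 0; i < count; i++) { acc += uv.x; }
  while (acc < 1.0) { acc += 0.1; }
  gl_FragColor = vec4(acc);
}`;

console.log(checkShaderLoops(BOUNDED_SHADER));
console.log(checkShaderLoops(UNBOUNDED_SHADER));
```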

    7. Re:WEBGL makes the drivers more visible. by TheRaven64 · · Score: 1
      A Microsoft shill, huh? Interesting, since I've not used a Microsoft OS for 8 years and have hacked on Linux / *BSD OpenGL stacks - but don't let that distract you from a good ad hominem.

      The code to handle a lot of web content -- for example, video or image data -- is also more complicated and more susceptible to remote exploits by its nature, compared to the GL compilation and rendering stack.

      There's a big difference between the two: a PNG or WebM library may contain exploitable bugs, but they are difficult to exploit because these formats are fundamentally data. GLSL is not, it is executable code which not only has to be run, it has to be run as fast as possible. This means that it's compiled to native code (if you're on an open source OS and not using blob drivers, odds are that it's compiled using code that I worked on). It takes very little in terms of bugs for this to be exploitable, and that's not helped by the fact that the target - the GPU - is typically a horrible design from a security standpoint. This is why 3D was one of the last things for VMs to support, and why they still recommended that you don't enable it if you care about security.

      --
      I am TheRaven on Soylent News
    8. Re:WEBGL makes the drivers more visible. by Hobart · · Score: 1

      Perhaps (in the same way that Apple chose to reject the complex Mozilla codebase and went with KHTML to design WebKit), a project like Nouveau (is there a similar ATI from-scratch driver effort?) could produce stable, auditable graphics drivers that will run 3D graphics on modern hardware at speed.

      Maybe some company can subcontract the OpenBSD dev teams to do it. :)

      --
      o/~ Join us now and share the software ...
    9. Re:WEBGL makes the drivers more visible. by Anonymous Coward · · Score: 0

      A Microsoft shill, huh? Interesting, since I've not used a Microsoft OS for 8 years and have hacked on Linux / *BSD OpenGL stacks - but don't let that distract you from a good ad hominem.

      Microsoft shill is the new Godwin's law of Slashdot. When people don't have arguments but don't like that you disagree with them they call you Microsoft shill. They don't care that you are a Linux user with a posting history fully proving that, if you see anything in a different way than them you are obviously a Microsoft shill, there can't be any other explanation.

    10. Re:WEBGL makes the drivers more visible. by Lord+of+Hyphens · · Score: 1

      (if you're on an open source OS and not using blob drivers, odds are that it's compiled using code that I worked on)

      <obligatory>Hey, I use an S3 ViRGE, you insensitive clod! </obligatory>

      --
      "I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
    11. Re:WEBGL makes the drivers more visible. by del_diablo · · Score: 1

      I might actually miss what you are arguing over: But what is the difference between a website managing to get your computer to run as a part of a botnet via javascript, and doing the same thing over WebGL?
      In both cases you are doing something unintended, and in both cases the "security layer" will be only the browser.
      One could also argue that the CPU is also fundamentally unsecure, because it can run code...........
      But then again, I am just skimming(and a bit tired too), so I might have missed the entire point.

    12. Re:WEBGL makes the drivers more visible. by baxissimo · · Score: 1

      There's a big difference between the two: a PNG or WebM library may contain exploitable bugs, but they are difficult to exploit because these formats are fundamentally data. GLSL is not, it is executable code which not only has to be run, it has to be run as fast as possible. This means that it's compiled to native code (if you're on an open source OS and not using blob drivers, odds are that it's compiled using code that I worked on). It takes very little in terms of bugs for this to be exploitable, and that's not helped by the fact that the target - the GPU - is typically a horrible design from a security standpoint. This is why 3D was one of the last things for VMs to support, and why they still recommended that you don't enable it if you care about security.

      News flash for you -- modern javascript engines also go to great pains to make javascript code run fast. Including things like compiling it down to native code. I could see exploiting bugs to crash people's systems, but beyond that I don't see how javascript code issuing WebGL commands is going to be able to do much.

  78. Re:For once don't bash M$, read the article instea by John+Hasler · · Score: 1

    You cannot trust a website you have never seen before to load code of its choosing to be executed on a driver supplied to you by third-party which may or may not have a stellar security record themselves.

    Let's simplify that: You cannot trust a website to load code.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  79. Re:For once don't bash M$, read the article instea by savuporo · · Score: 1

    Do you really need a briefing on security risks of something running in kernel vs something running in (restricted) userspace? Not that I'm lauding silverlight, activex or flash here ..

    --
    http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
  80. Re:For once don't bash M$, read the article instea by Anonymous Coward · · Score: 0

    The difference is that flash and silverlight are designed for running untrusted code, while graphics drivers are not. You should RTFA.

  81. Fanboy BS aside.... by Anonymous Coward · · Score: 0

    Can't we all just wait for independent confirmation from labs or something? It's not completely unheard of that M$ isn't just blowing FUD.

    I'd like to see a researcher clear this up, and if it's bunk....slap M$ around publicly for lying yet again.

  82. Re:For once don't bash M$, read the article instea by amn108 · · Score: 1

    1. Trust, although essential, is not everything in security. So, to answer your question, if you trust me as much as you trust Microsoft, even though I don't think one can measure trust simply like this, I would say on the grounds where this trust can be used, you are equally secure. But like I said, besides trust there are other things that are volatile - time being one of them. Example: even though you trust Microsoft, one of the two things may happen: their site is rewritten one day with the same security certificate remaining and the new code doesn't play well with your computer and 2) software on your end is updated, the web browser for instance, and again same thing happens. I feel like you should have answered your question yourself actually.

    2. I didn't say first-party is paramount to security. You did. Even though your driver is supplied by your OS vendor, does not make it automatically secure. You still have to trust it. Do you? Sufficiently you say? Well, sufficiency does not figure here. You are either secure or compromised. If you haven't been compromised yet, it doesn't mean you won't - maybe you haven't fed the "right" sequence of calls to your driver yet :-) To answer your question: no, I wouldn't trust a website I have seen before, because of a very simple observation: websites change, while their signatures (names, certificates) remain, fooling our sense of trust. Maybe you can trust the people that built the website, but again, people come and go. Can Microsoft be trusted? I dunno, 90000 employees and all...

    3. True. For the sake of the argument, some of DRI - 'drm' kernel module and another one - run in kernel space. Also, the closed source drivers run in kernel space again, as does my open-source video driver (ATI Mobile Radeon) and some others. Ideally, DRI should rule, but the diverse and thriving Linux ecosystem somehow manages to live on its own. But you are sort of right, and I do admit I was a bit too fast on the trigger. Maybe it's because in general, I am a bit paranoid thinking that I have around 15Mb of binary code running in kernel space right now :/

    4. There is no unknown state - the state is enforced by hardware - process removed from process stack, memory reclaimed. That is all. It's a basic principle behind process isolation on pretty much any computer platform invented in and after the 80s. I thought you knew that? Or have I misunderstood you?

    5. Only if there are temperature variations between them :-) Seriously though, beautiful comparison, but I really really really don't know how to apply it to the discussion! I think my brain may explode if I attempt to.

    6. Is it fair to say that it is exactly because of their security track record, that they may be expected to finally take what they have learnt the hard way and do something about it? Take Apple as an example - they have been openly advocating Mac OS as a more secure system, then someone cared enough to write a trojan and where are we now? It's the same story really, except that little brother is so proud he has gotten to the top he hasn't noticed that he was following in his big brother's footsteps.

    7. Me neither.

  83. All graphics layer access will be an attack vector by rzei · · Score: 1

    Let's face it; either you do WebGL or you do some Microsoft Silverlight Direct3D mambojambo it does not matter. As long as it touches something and even possibly uses data from somewhere it's a security risk. And this applies to everything.

    However, given the open nature of WebGL compared to some Microsoft closed-source solution, static/runtime analysis tools can be developed (and integrated) in WebGL implementations to lower the risk, the standard (or whatever we call it) can be changed so that more dangerous things are disallowed (or for example to the screenshot thingy Mozilla has right now, limited), whereas with Microsoft you just pretty much hope that it will not go sideways, and that they will not later on screw it up with updates.

    Plus, WebGL is cross-platform by design, which is the number one downside for Microsoft. Still, I can't believe they are still going down this path... Wasn't Ballmer already fired or was that just hearsay? Also, it'd sound really strange if you couldn't adapt GL paths to Direct3D, as Wine is already doing the same other way around, and AFAIK succeeding [in small steps].

  84. Why is WebGL even needed? by DaveV1.0 · · Score: 2

    Seriously, why is it needed? Why don't developers just write their own UI instead of trying to push everything into the browser?

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  85. Re:For once don't bash M$, read the article instea by zeroshade · · Score: 1

    You cannot trust an application you have never seen before to load code of its choosing to be executed on a driver supplied to you by third-party which may or may not have a stellar security record themselves.

    I fail to see the difference between this and using some client-side application, other than the fact that WebGL is a cross-platform spec.

  86. Looking a little bit into the article... by Anonymous Coward · · Score: 0

    The /. post title should be "Microsoft security researchers say that WebGL is Harmful", because "Microsoft" != "Microsoft security researchers".

    For example, the arguments used against WebGL could be used against Silverlight, Flash, Java or ActiveX (just search and replace WebGL for your preferred plugin).

    But there is a big difference between "considered bad for the MS security researchers" and "considered bad for MS". If MS executives see that there is a competitive advantage over WebGL... I'm sure that they are going to adopt it.

    Now the good concern that raises the article to me is this: since JavaScript is intended to be used as the Web Platform Language, I think that some method to handle fine grained permissions of JS should be needed in next browser versions.

  87. Harmful [to continued DirectX adoption] by brunes69 · · Score: 1

    There, fixed that for you

  88. 3D vs. 2D by tepples · · Score: 1

    Considering that most accelerated 3D drivers for video controllers are utter crap full of security flaws, or “optimizations”, as some call them

    At one point, weren't accelerated 2D drivers for video controllers also utter crap full of security flaws, or “optimizations”, as some call them?

  89. Who uses Microsoft browsers? by Anonymous Coward · · Score: 0

    No issues...

  90. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  91. Yeah they would by TheGreatMcCluck · · Score: 1

    Learning from past mistakes is not their area of expertise. If it was, I wouldn't have to install a critical security update every other day... I'm not suggesting they're wrong, because I don't know WebGL, but I would say that their motives are suspect. MS says anything they perceive as a threat to their market share is bad... until they just can't convince people of it. If WebGL becomes popular enough, they'll jump on board without a word about how "dangerous" it is. And then we'll have a critical security update every day...

  92. Re:For once don't bash M$, read the article instea by Anonymous Coward · · Score: 0

    Flash does not have access to the underlying hardware on the machine, and indeed may be running on an unprivileged account.
    In order to compromise the operating system, you have to find a buggy OpenGL driver.
    In many cases, this vulnerability will not be easily patched, as the vendor does not really care enough to maintain older, or even newer cards with prompt upgrades.

    This is really very similar to ActiveX.

    You not only need to trust the website. (say slashdot or sourceforge).
    You also need to trust the website coders, their ISP, anyone that may steal their keys.
    You also need to trust that the website is secure against code injection.

    And if the last firewall against security is OpenGL drivers supplied as binary blobs, that have never been designed to be secure as they are not expected to be exposed to this sort of threat - your 'defence in depth' just got a whole lot shallower.

  93. Re:For once don't bash M$, read the article instea by tepples · · Score: 1

    In order to compromise the operating system, you have to find a buggy OpenGL driver.

    And in order to compromise the operating system with Flash or HTML5 Canvas, you have to find a buggy 2D driver. All I get out of this article is that 2D drivers are more mature than 3D drivers.

  94. The old Kettle and Pot, gotta love em both by Anonymous Coward · · Score: 0

    Hey Kettle, ur black. Ha! take that Pot your dirty dish!

    meanwhile the microwave oven is kicking both ur asses. Microsoft should speak, the day they make a stable and secure product is the day... Hell freezes over???

    Just amazing. Like don't buy an iPhone it has security issues, buy Windows Mobile 6.5! :-)

  95. Firefox, WebGL, Direct3D, bare metal by tepples · · Score: 1

    WebGL essentially lets web code run directly on bare metal.

    Firefox for Windows runs WebGL, which is based on OpenGL, on top of Direct3D, which isn't based on OpenGL. If Firefox is translating WebGL calls into Direct3D calls, how is this "directly on bare metal"?

  96. /home mounted noexec by tepples · · Score: 1

    it will run quite easily installed as a normal, non-administrative user in some directory that the user can reasonably be expected to have write access to, %USERPROFILE%\My Documents\Firefox

    Windows supports Software Restriction Policies to disallow execution from %USERPROFILE% or removable media.

    or ~/bin

    Many UNIX-clone operating systems support mounting /home and removable media as noexec.

    1. Re:/home mounted noexec by tepples · · Score: 1

      Or maybe it's just that I haven't noticed much evidence of a culture of carrying around portable applications on USB drives.

    2. Re:/home mounted noexec by metacell · · Score: 1

      Yes, but most systems are not configured in such a restrictive way.

    3. Re:/home mounted noexec by Aighearach · · Score: 1

      The University of Oregon Knight Library public terminals restrict executables everywhere a user has write access to, and on removable media.

      Luckily, they do offer a choice of browsers.

  97. duh. so are webfonts, and html5 video/audio/canvas by bussdriver · · Score: 1

    EVERY file format added to browsers creates a larger attack surface. Remember the JPEG security issues in the 90s??

    OpenGL is not a file format but it is a similar problem; arguably bigger and far more difficult to patch because of its size, scope and long time focus on SPEED over everything else. It is going to be a bigger problem than webfonts, canvas and any other outside technology being integrated.

    Putting OpenGL on the web is like putting NFS on the WAN and it will take a lot of work before it will be "safe" and I think that somehow it may be a long time before the drivers are forced to change; you can only do so much with a bridge API to protect the backend.

  98. Be careful what you wish for by Anonymous Coward · · Score: 0

    Personally I'll pass on the thought of an ad network or visiting link farm/crap site running shader programs on my GPU.

    The web is annoying enough without also having to deal with fan noise and the lights dimming as some bottom feeder attempts to mine a few extra bitcoins at my expense.

    Even if you could somehow guarantee safety I would still be against it.

  99. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  100. Re:For once don't bash M$, read the article instea by Anonymous Coward · · Score: 0

    So anything that accesses 3D hardware to get good performance is unsafe regardless whether it's WebGL, Silverlight or Flash.

    I assume it's because they all go through OpenGL or DirectX to get to the GPU and both APIs are not designed to protect from abuse.

    MS seems to think they have a better way of doing it ... Put another software layer on top of OpenGL and DirectX?

  101. In other words... by Anonymous Coward · · Score: 0

    WebGL considered harmful.

  102. The problem is that MS are d***s. by Anonymous Coward · · Score: 0

    These are the guys that ruined the internet. People are forgetting just how bad they've delayed progress before Firefox/Chrome forced their hand. Microsoft wants to delay everything from moving away from the old application model that makes them so much money. That's why upgrading IE6-7 isn't a mandatory upgrade, this is why IE9 won't run on XP. They know that as long as the internet needs to support their software, they make more money.

    They ruin the internet.

    Because they're d***s.

  103. poor internet explorer users by bmullan · · Score: 1

    So just one more reason why people will leave IE behind ... when they find out that there are tons of websites they won't be able to watch videos from in the future.

  104. But will it work? by mcrbids · · Score: 1

    It may well be that MS is making this decision for self-fulfilling reasons, EG to protect Silverlight in the marketplace. But with IE continuing to lose market share year after year (from its high of about 90%, it's under half nowadays with nary an uptick in sight) one has to ask if they can afford to, once again, be "the big guy who couldn't".

    For the past two years, we've simply told our clients that, to use our system, they had to be running Firefox or Chrome, and that we didn't support IE - it simply couldn't do what we needed and we found that having the features is more important to our clients than having compatibility. They *will* switch if they need to, if you provide features they need.

    Finally, with IE 9, we may consider supporting it this upcoming fiscal year. Now, in this market place, if I developed software that needed or used 3D effects in a browser, I wouldn't hesitate to drop IE support for even a second. Microsoft doesn't control the game, anymore. This may be their version of IBM's PS/2 Micro-channel debacle.

    (For those who don't remember, IBM created the "PC-compatible" marketplace and thought they ruled the roost. They decided to come out with an incompatible schema for hardware called the Microchannel bus which offered numerous technical advantages over the industry standard ISA bus, which failed miserably because nobody else wanted to license the tech)

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  105. Really?!?! by KewlPC · · Score: 1

    This BS *again*?!?!

    GPU shaders != running code on the CPU.

    WebGL allowing shader usage is pretty much a non-issue security-wise. GLSL shaders are *extremely* limited in scope. They can't access anything besides model data and textures, and even then only the model data and textures provided to them by the host program. GLSL is very domain-specific and doesn't support pointers or any way to access things outside the purview of the GPU.

    Furthermore, they aren't pre-compiled (aside from some vendor-specific methods on *OpenGL ES*, and even those only compile to bytecode IIRC), so WebGL can at least attempt to do some shader validation. OpenGL and WebGL programs literally hand the GLSL source code to the driver, which is then responsible for compiling it. This actually turns out to be good for performance, since future compiler improvements in the driver can result in the same shader on the same hardware running faster. It also means WebGL could do validation on the shaders before handing them off to the driver, to keep an eye out for any obvious attempts to do something bad.

    And when it comes to malicious shaders, only two attacks can be executed: try to crash the GPU by running a very intensive shader, or try to peek at other web pages via what seems to be an implementation flaw in WebGL/HTML5 Canvas.

    The first attack can be easily avoided. In fact, it *shouldn't* be possible at all on Windows, which is supposed to restart the GPU if the GPU crashes, and when it can't that's a *Windows* bug.

    The second is a little harder but, again, looks to be an *implementation* flaw, not a fundamental flaw in WebGL or shaders or anything like that.

    Face facts, modern GPUs don't offer any of the old fixed-function pipeline anymore. It's not anywhere to be found on the silicon; modern GPU drivers merely emulate it for old OpenGL programs. This means that if WebGL didn't have shader support it would be completely useless.
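
An added illustration of the pre-driver shader validation the comment above describes (not part of the original thread, and not ANGLE's or any browser's code): a simplified JavaScript pass that checks GLSL ES source for characters outside the permitted set, the reserved `webgl_`/`_webgl_` identifier prefixes, and loops whose trip count cannot be bounded. The `MAX_TRIPS` budget, the rule names and both sample shaders are assumptions constructed for this example; only literal loop bounds are accepted, so it rejects some valid shaders.

```javascript
// Hypothetical per-loop iteration budget (a policy choice for this sketch, not from a spec).
const MAX_TRIPS = 4096;

// Printable ASCII plus tab/LF/VT/FF/CR, minus " $ ' @ \ ` which GLSL ES 1.00 never uses.
// Checked on the raw source, comments included (a strict choice for this sketch).
const OUTSIDE_CHARSET = /[^\t\n\v\f\r\x20-\x7e]|["$'@\\`]/;
const NUM = String.raw`[-+]?(?:\d+\.?\d*|\.\d+)`;
// Accepted shape: for (int|float i = CONST; i OP CONST; i++ | i-- | i += CONST | i -= CONST)
const FOR_HEADER = new RegExp(
  String.raw`for\s*\(\s*(?:int|float)\s+(\w+)\s*=\s*(${NUM})\s*;` +
  String.raw`\s*(\w+)\s*(<=|>=|<|>|!=|==)\s*(${NUM})\s*;` +
  String.raw`\s*(\w+)\s*(\+\+|--|\+=\s*(${NUM})|-=\s*(${NUM}))\s*\)`, 'y');
const COMPARE = {
  '<': (a, b) => a < b, '<=': (a, b) => a <= b, '>': (a, b) => a > b,
  '>=': (a, b) => a >= b, '==': (a, b) => a === b, '!=': (a, b) => a !== b,
};

// Count iterations by stepping the index; Infinity once the budget is exceeded,
// which also covers loops that never terminate (zero step, wrong direction).
function tripCount(start, op, limit, step) {
  let i = start, n = 0;
  while (COMPARE[op](i, limit)) {
    if (n >= MAX_TRIPS) return Infinity;
    n += 1;
    i += step;
  }
  return n;
}

// Text of the loop body that starts at `from`: a braced block or a single statement.
function loopBody(code, from) {
  let i = from;
  while (/\s/.test(code[i] || '')) i += 1;
  if (code[i] !== '{') {
    const semi = code.indexOf(';', i);
    return code.slice(i, semi < 0 ? code.length : semi + 1);
  }
  let depth = 0;
  for (let j = i; j < code.length; j += 1) {
    if (code[j] === '{') depth += 1;
    else if (code[j] === '}' && --depth === 0) return code.slice(i, j + 1);
  }
  return code.slice(i); // unbalanced braces: scan to the end
}

// Returns the list of rule names the source violates (empty list = accepted).
function validateShaderSource(src) {
  const findings = [];
  if (OUTSIDE_CHARSET.test(src)) findings.push('bad-character');
  const code = src.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/\/\/[^\n]*/g, ' ');
  if (/\b_?webgl_\w*/.test(code)) findings.push('reserved-identifier');

  const keyword = /\b(for|while|do)\b/g;
  let m;
  while ((m = keyword.exec(code)) !== null) {
    // while / do-while have no statically visible bound, so this sketch rejects them.
    if (m[1] !== 'for') { findings.push('unbounded-loop'); continue; }
    FOR_HEADER.lastIndex = m.index;
    const h = FOR_HEADER.exec(code);
    if (!h || h[1] !== h[3] || h[1] !== h[6]) {
      findings.push('loop-not-analyzable');
      continue;
    }
    const step = h[7] === '++' ? 1 : h[7] === '--' ? -1
      : h[7].startsWith('+=') ? Number(h[8]) : -Number(h[9]);
    if (tripCount(Number(h[2]), h[4], Number(h[5]), step) > MAX_TRIPS) {
      findings.push('loop-over-budget');
    }
    // The bound only holds if the body never assigns to the loop index.
    const idx = h[1];
    const writes = new RegExp(
      String.raw`\b${idx}\b\s*(?:\+\+|--|[-+*/]?=(?!=))|(?:\+\+|--)\s*${idx}\b`);
    if (writes.test(loopBody(code, FOR_HEADER.lastIndex))) findings.push('loop-index-written');
  }
  return findings;
}

// Constructed sample: a small blur with a literal 8-iteration loop.
const GOOD_SHADER = `
precision mediump float;
uniform sampler2D tex;
varying vec2 uv;
void main() {
  vec4 acc = vec4(0.0);
  for (int i = 0; i < 8; i++) {
    acc += texture2D(tex, uv + vec2(float(i) * 0.01, 0.0));
  }
  gl_FragColor = acc / 8.0;
}`;

// Constructed sample: the "very intensive shader" case from the comment above.
const HEAVY_SHADER = `
precision mediump float;
void main() {
  float x = 0.0;
  for (int i = 0; i < 100000000; i++) { x += sin(x); }
  while (x > 0.0) { x -= 0.5; }
  gl_FragColor = vec4(x);
}`;

console.log(validateShaderSource(GOOD_SHADER), validateShaderSource(HEAVY_SHADER));
```

A static pass like this runs before the driver's compiler sees the source; it does not replace a GPU watchdog or reset mechanism, since a shader can be expensive without containing any loop.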

  106. Also they killed WebSQL by mAriuZ · · Score: 1

    It was pretty dangerous for Microsoft to have SQL in the web browser: who would buy, let's say, Access, SQL from their shop then?

    http://html5doctor.com/introducing-web-sql-databases/

    --
    developer http://flamerobin.org
  107. Re:For once don't bash M$, read the article instea by shutdown+-p+now · · Score: 1

    This has nothing to do with Windows. WebGL allows for GLSL code. This is going to be passed to the driver (and ultimately to hardware) on any OS which implements hardware acceleration.

  108. Re:For once don't bash M$, read the article instea by shutdown+-p+now · · Score: 1

    VMs for Flash and Silverlight (and JavaScript) know that their input comes from untrusted sources. Therefore, such a VM is typically coded for security from the ground up, with meticulous attention to design of the sandbox and its verification, and a lot of testing.

    GLSL was, historically, not coming from untrusted sources. Therefore, any code in video driver or GPU hardware that handles it would generally be coded for performance, disregarding security issues. Nor would security be heavily tested. Once you suddenly change the rules of the game, such that the code comes from arbitrary untrusted sources, your existing implementations become a security clusterfuck.

    If you want a historical example, it's like what happened with Windows 9x when it - not designed or coded with security in mind - was shoved onto the Web. Hilarity ensued.

  109. Re:For once don't bash M$, read the article instea by NatasRevol · · Score: 1

    No, but given all the hacks/security risks that allow flash to run in unrestricted userspace, there really isn't much difference.

    --
    There are two types of people in the world: Those who crave closure
  110. Re:For once don't bash M$, read the article instea by Plombo · · Score: 1

    I fail to see the difference between this and using some client-side application, other than the fact that WebGL is a cross-platform spec.

    The difference is that even legitimate websites are vulnerable to XSS. Consider all of the recent headlines of the websites of large companies and organizations being cracked. Virtually any site can be cracked and made to run a rogue JavaScript - this actually happened to the OpenGL website itself at one point last year. WebGL makes the threat of XSS even worse than it already is - the driver compiles GLSL to native GPU code, so you don't even have a sandbox.

    Not to mention the fact that people, in general, give less thought to clicking on links than they do to running applications on their computer.

  111. A token amount of validation by tepples · · Score: 1

    [GLSL] code is C-like and has things like pointer arithmetic. Validating it is about as hard as validating arbitrary C code - and if you can work out a way of doing that then you can make a lot of money.

    Google Native Client defines a safe subset of x86 machine language into which C can be compiled. Google will make a lot of money.

    It's passed to the driver after a token amount of validation.

    Firefox and Chrome appear to use a library called ANGLE to translate GLSL into DirectX shader language. How is this translation merely "a token amount of validation"? If it is in fact more than "a token amount of validation", then what is passed to the kernel is not untrusted code. Can you recommend any web pages explaining GLSL validation or lack thereof in practical implementations of WebGL? Is there a better way for untrusted code to draw 3D graphics, and if so, what is it?

    In a typical GPU, there is either no MMU or a badly designed, badly tested, buggy MMU

    Then the "badly designed, badly tested, buggy MMU" should be replaced.

  112. Harmful? Yikes! by Anonymous Coward · · Score: 0

    Ever since "gotos considered harmful", harmful is about the biggest insult you can give in the computer world.

    http://en.wikipedia.org/wiki/Considered_harmful

  113. Re:For once don't bash M$, read the article instea by EdgeCreeper · · Score: 1

    So, if an application is running with limited privileges does that mean there is a massive security hole which would allow it to have complete control over the system because it could call unsecure drivers using OpenGL or perhaps DirectX? I ask this because I know precious little about this and would like to be illuminated. It just doesn't seem likely that such a situation would still exist, especially on newer operating systems.

  114. Re:For once don't bash M$, read the article instea by amn108 · · Score: 1

    Potentially, yes. It's your typical error propagation scenario. There doesn't have to be an error in the application itself, nor will an error in application process itself crash the system, but if a path of application code - arbitrary or carefully and maliciously designed - causes a deliberate disruption of service in a component that has enough privilege to cause collateral damage in the system (a kernel mode driver for example) - even though ultimately the blame lies on that component, in practice the catalyst for the crash is your benign user-mode application. It is the detonator, if you want a car bomb analogy :) Isolation of system components to the level where the detonation described cannot occur is part of securing logical systems.

    Ultimately the system is secure against the aforementioned attack if no application can indirectly corrupt system state. The important thing to consider here is also that most users don't care whether the "crash" is to be blamed on one component or the other. For them, it's the picture that matters. For the rest of us, we should blame NVidia if their driver can be compromised through its own public interface, but until it is fixed, we do a disservice to our users inviting them to use software that "detonates" said driver. One has to start from the bottom, not from the top, in my opinion. An infrastructure, a strategy has to be in place PREVENTING such chain reactions from occurring in the first place.

    So, the goal is to prevent any component from corrupting global state. The devil is in the details. If you can't prevent a component from crashing itself, contain the damage. A video driver for instance is traditionally written for speed. That often causes developers to turn a blind eye on the more traditional security implications, and so the driver is released that is very fragile to unusual patterns of access. They crash it. In that case, at least contain the damage. Minix for instance will clean up as much as it can and "reload" the driver. It's all art of what is possible, but we instead hammer our way in a bit of a wrong direction. I think of our users, really. That said, I am no hater of WebGL, I just think the most dire problem with computers today is not how websites can take advantage of your GPU, it's security.

  115. Re:For once don't bash M$, read the article instea by Keeper · · Score: 1

    WebGL effectively executes code from the web (effectively) in ring0. Silverlight and flash execute code from the web in (effectively) a sandbox.

  116. Re:WebGL is not secure and MS are not actually stu by kangsterizer · · Score: 1

    Point noted. Actually meant "the people at Microsoft" this time, not the entity (it's still a fault), that said "it" would have worked there too both in meaning and grammar.

  117. Reverse psychology & FACTS too by Anonymous Coward · · Score: 0

    AHEM: Apparently NOT when *NIX dorks say it here though!

    "Security is just the biggest argument in the FUD arsenal" - by bzipitidoo (647217) on Friday June 17, @09:13AM (#36473372)

    Now, for years here I have been hearing "Windows is a security nightmare full of security holes, (insert *NIX variant here) is not"

    LMAO! Total b.s. & what's below will disprove THAT, with ease (and facts from a reputable source).

    So - Who are you *trying* to fool with that then?

    Hmmm?

    Apple went around saying the same, even on T.V. in their ads (implying/inferring it, & MORE) as well.

    So, what's "MacDefender" then for they also??

    Hmmm??

    * What a CROCK OF SHIT!

    Still, in regards to that? Well, ok - let's take a peek @ the # of unpatched security vulnerabilities on not ONLY Windows 7, but nearly the ENTIRE GAMUT/ARRAY of what Microsoft gives us to do development & business with online, vs. THE LINUX LATEST-GREATEST KERNEL ONLY then, shall we?

    This data's ALL from a respected source for known security vulnerabilities unpatched:

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (06/18/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (06/18/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Exchange Server 2010: (06/18/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft SharePoint Server 2010: (06/18/2011)

    http://secunia.com/advisories/product/29809/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (06/18/2011)

    http://secunia.com/advisories/product/34343/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Office 2010: (06/18/2011)

    http://secunia.com/advisories/product/30529/?task=advisories

    Unpatched 0% (0 of 7 Secunia advisories)

    Vulnerability Report: Microsoft Virtual PC 2007: (06/18/2011)

    http://secunia.com/advisories/product/14315/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Explorer 9.x: (06/18/2011)

    http://secunia.com/advisories/product/34591/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Visual Studio 2010: (06/18/2011)

    http://secunia.com/advisories/product/30853/?task=advisories

    Unpatched 0% (0 of 2 Secunia advisories)

    Vulnerability Report: Microsoft DirectX 10.x: (06/18/2011)

    http://secunia.com/advisories/product/16896/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft .NET Framework 4.x: (06/18/2011)

    http://secunia.com/advisories/product/29592/

    Unpatched 0% (0 of 5 Secunia advisories)

    Vulnerability Report: Microsoft Silverlight 4.x: (06/18/2011)

  118. Facts here, vs. "Pro-*NIX" FICTION by Anonymous Coward · · Score: 0

    For years here I have been hearing "Windows is a security nightmare full of security holes, (insert *NIX variant here) is not"

    LMAO! Total b.s. & what's below will disprove THAT, with ease (and facts from a reputable source).

    Apple also went around saying the same, even on T.V. in their ads (implying/inferring it, & MORE) as well.

    So, what's "MacDefender" then for they also??

    Hmmm??

    * What a CROCK OF SHIT!

    Still, in regards to that? Well, ok - let's take a peek @ the # of unpatched security vulnerabilities on not ONLY Windows 7, but nearly the ENTIRE GAMUT/ARRAY of what Microsoft gives us to do development & business with online, vs. THE LINUX LATEST-GREATEST KERNEL ONLY then, shall we?

    This data's ALL from a respected source for known security vulnerabilities unpatched:

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (06/18/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (06/18/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Exchange Server 2010: (06/18/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft SharePoint Server 2010: (06/18/2011)

    http://secunia.com/advisories/product/29809/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (06/18/2011)

    http://secunia.com/advisories/product/34343/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Office 2010: (06/18/2011)

    http://secunia.com/advisories/product/30529/?task=advisories

    Unpatched 0% (0 of 7 Secunia advisories)

    Vulnerability Report: Microsoft Virtual PC 2007: (06/18/2011)

    http://secunia.com/advisories/product/14315/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Explorer 9.x: (06/18/2011)

    http://secunia.com/advisories/product/34591/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Visual Studio 2010: (06/18/2011)

    http://secunia.com/advisories/product/30853/?task=advisories

    Unpatched 0% (0 of 2 Secunia advisories)

    Vulnerability Report: Microsoft DirectX 10.x: (06/18/2011)

    http://secunia.com/advisories/product/16896/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft .NET Framework 4.x: (06/18/2011)

    http://secunia.com/advisories/product/29592/

    Unpatched 0% (0 of 5 Secunia advisories)

    Vulnerability Report: Microsoft Silverlight 4.x: (06/18/2011)

    http://secunia.com/advisories/product/28947/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (06/18/2011)

    http://secunia.com/advisories/product/6473/

  119. LINUX has more "security concerns" by Anonymous Coward · · Score: 0

  120. More VALID POINTS on security, MS vs. *NIX by Anonymous Coward · · Score: 1

  121. Re:For once don't bash M$, read the article instea by snemarch · · Score: 1

    And in order to compromise the operating system with Flash or HTML5 Canvas, you have to find a buggy 2D driver. All I get out of this article is that 2D drivers are more mature than 3D drivers.

    Indeed.

    The 2D APIs are less complex, they have a smaller attack surface, and you don't get direct access to the OS's 2D API from the browser (thinly wrapped access to Windows GDI would be almost as bad an idea as thinly wrapped access to OpenGL).

    --
    Coffee-driven development.
  122. Re:For once don't bash M$, read the article instea by snemarch · · Score: 1

    I fail to see the difference between this and using some client-side application, other than the fact that WebGL is a cross-platform spec.

    Drive-by exploits.

    --
    Coffee-driven development.
  123. Re:For once don't bash M$, read the article instea by tepples · · Score: 1

    thinly wrapped access to Windows GDI would be almost as bad an idea as thinly wrapped access to OpenGL

    The "ANGLE" library in Firefox and Chrome for Windows translates OpenGL calls into Direct3D 9 calls. How is this "thinly wrapped"? If not, then one workaround on platforms other than Windows might involve running ANGLE on top of Wine's implementation of Direct3D.

  124. Re:For once don't bash M$, read the article instea by NatasRevol · · Score: 1

    But the sandbox isn't very effective, which is my point.

    --
    There are two types of people in the world: Those who crave closure
  125. Re:WebGL is not secure and MS are not actually stu by spiralx · · Score: 1

    Company names are plural in British English, singular in American English. I would say "Microsoft are doing ...", an American would say "Microsoft is doing..."

  126. Re:WebGL is not secure and MS are not actually stu by spiralx · · Score: 1

    Actually, company names are plural in British English, singular in American English. I would say "Microsoft are doing ...", an American would say "Microsoft is doing..." Without knowing his nationality, you can't say he's wrong.

  127. Re:WebGL is not secure and MS are not actually stu by kangsterizer · · Score: 1

    Every of them are ok in French English.
    Uhm.