but the BSD license also implicitly allows you to release derivative works under GPL if that is your wont. This MS license forces you to extend the BSD license with a 'you can't ever release derived works under GPL' clause.
It's a kind of 'anti-copyleft'; BSD code built on it can't ever be truly free.
-steve
maybe he is being prescient.
A fair bit of stuff in SOAP land (WS-Routing, now the MS GXA stuff) is about SOAP messages sent using some store-and-forward mechanism, routing it to the final destination without the sender knowing the actual endpoint.
One stated objective for this is to allow asynchronous replies/callbacks/events, which means that you will have to allow these messages back through the firewall.
If this is done using SMTP or an IM protocol, we are in trouble as there is not enough validation by the firewall (esp. with IM), but for any of this stuff, it all boils down to 'do you trust MS and Sun (and Apache) to write code that is secure out of the box', and 'do you trust the people who write SOAP-based apps to not make things worse'. I have more faith in Apache than the other two infrastructure providers, even though Apache Axis has its own security issues (filed one on Bugzilla last week). As a web service developer, I don't even trust my own code to be secure.
Oh, I use it on my production code too; look at the 'when web services go bad' paper off my home page.
It is just more limited than SOAP. Maybe that is a good thing; like you say, it works, and it doesn't have SOAP interop grief.
If they really are reskinning browsers then they need to get a skin onto IE/Netscape. Netscape's chrome downloads ask you if you want them; IE will need Win32 code client side, which means ActiveX.
Now some vendors do already provide IE toolbars of use; Google's is convenient, Yahoo's sucks, but both are manual installs.
Only if some spyware horror gets onto the system would auto-reskinning work dynamically.
XML-RPC is too limited... no IDL-like spec language, no rich fault, and no easy inclusion of XML inside the envelope. But it is easy to implement.
Regarding dbox on SOAP, he seemed more minded last week towards SOAP as documents, not SOAP as RPC, which ties in with store-and-forward transports like, um, SMTP.
Bruce hasn't looked at the protocol enough; he is being paranoid.
Well, doing SOAP callbacks into the firewall is hard because you have to have an accessible endpoint... for this reason you can't do SOAP callbacks over HTTP. But some of the other transports, SMTP, Jabber, do work and go through firewalls like nobody's business.
Another issue is that you can't tell whether the message is good or bad from the header; it will always be a POST and the same endpoint/URL could be used for everything from a side-effect-free GET to a malicious buffer-stomping write.
You need to look inside the XML payload, and, being XML, that means understanding XML... string matching is not enough, not when you can disguise stuff with escaping, UTF or Unicode formats, etc.
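An added example, not from steve's post nor from any of the products he names, of the point above in working Python: a byte-matching "firewall" beside one that parses the SOAP body and validates what the parser actually produced. The operation names, the urn:example:bank namespace, the parameter rule and all three request bodies are constructed for the demo.

```python
"""Added example, not from the original post: why a SOAP 'firewall' has to
parse the XML rather than grep the bytes.  Every request body here is
constructed for the demo, and the operation names, namespace and
parameter rules are hypothetical."""
import re
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BODY_TAG = f"{{{SOAP_NS}}}Body"
ALLOWED_OPS = {"getQuote"}                                    # hypothetical allow-list
PARAM_RULES = {"accountId": re.compile(r"^[A-Z0-9]{4,12}$")}  # positive validation


def naive_filter(raw: bytes) -> bool:
    """The string-matching approach the text says is not enough: pass the
    request unless a forbidden operation or an obvious injection fragment
    appears literally in the bytes."""
    blocklist = (b"deleteAccount", b"' OR ")
    return not any(needle in raw for needle in blocklist)


def parsed_filter(raw: bytes) -> bool:
    """Decode the document as XML first (the parser undoes the charset and
    character-reference tricks), then validate what it actually contains."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False                                # not well-formed: drop it
    body = root.find(BODY_TAG)
    if body is None or len(body) != 1:
        return False                                # exactly one operation element
    op = body[0]
    if op.tag.rsplit("}", 1)[-1] not in ALLOWED_OPS:
        return False
    for param in op:
        rule = PARAM_RULES.get(param.tag.rsplit("}", 1)[-1])
        if rule is None or not rule.match(param.text or ""):
            return False                            # unknown or malformed parameter
    return True


def envelope(op_xml: str, decl: str = '<?xml version="1.0"?>') -> str:
    """Wrap an operation element in a SOAP 1.1 envelope."""
    return (f'{decl}<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f"{op_xml}</soap:Body></soap:Envelope>")


# Constructed request bodies (not captured traffic).
LEGIT = envelope(
    '<getQuote xmlns="urn:example:bank"><accountId>ACME01</accountId></getQuote>'
).encode("utf-8")

# 1. Forbidden operation, but the whole document is sent as UTF-16: the
#    bytes d\x00e\x00l\x00... never match b"deleteAccount".
EVADE_UTF16 = envelope(
    '<deleteAccount xmlns="urn:example:bank"><accountId>ACME01</accountId></deleteAccount>',
    decl='<?xml version="1.0" encoding="UTF-16"?>',
).encode("utf-16")

# 2. Injection fragment spelt with numeric character references; the parser
#    turns &#x27;&#x20; back into "' " but the byte matcher never sees it.
EVADE_CHARREF = envelope(
    '<getQuote xmlns="urn:example:bank"><accountId>ACME01&#x27;&#x20;OR 1=1--</accountId></getQuote>'
).encode("utf-8")


def evaluate() -> dict:
    """Map each case to (naive verdict, parsed verdict); True means allowed."""
    cases = {"legit": LEGIT, "utf16": EVADE_UTF16, "charref": EVADE_CHARREF}
    return {name: (naive_filter(raw), parsed_filter(raw)) for name, raw in cases.items()}


if __name__ == "__main__":
    for name, (naive, parsed) in evaluate().items():
        print(f"{name:8} naive={'allow' if naive else 'block'} "
              f"parsed={'allow' if parsed else 'block'}")
```

Both evasions sail past the byte matcher and are stopped by the parsing filter, and the parsing filter is an allow-list (known operation, known parameters, strict formats) rather than a block-list, so the next encoding trick does not need a new signature. One caveat for anyone lifting this: the inspection parser is itself attack surface; xml.etree's expat backend expands internal DTD entities, so a real filter should reject any DOCTYPE or use a hardened parser such as defusedxml before it gets anywhere near the body.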
I think Quanta kit always has a very low AFR (annual failure rate), though laptops are always the unlucky sibling of the PC world: the slow clumsy one that always hurts itself, primarily because most people don't chuck their servers around so much.
Even ODM designs give the vendor control over the BIOS, the casing, who they get their hard disks from, etc. A no-name laptop from the same ODM will have a less mature BIOS (matters a lot for ACPI), maybe a worse hard disk (I say maybe), and less chance of Microsoft caring about and fixing ACPI issues with that laptop. Indeed, MS may not even test white-box laptops.
I have nothing against building my own desktop PC, but laptops I delegate to people that know what they are doing. Little things like how the HDD is mounted can double the lifespan of a disk, and getting power management right is hard.
I remember a few years back someone French talking about how they used Win32/MFC in the code in French nuclear submarines.
I would argue that is putting the entire planet (or at least France, its neighbours and probably Greenpeace) in extreme danger.
At least with GNU/submarine, when you sell the sub on to the Taiwanese later they get the source to maintain it.
here it is without tags being dropped as invalid:

<?xml version="1.0" encoding="UTF-8"?>
<MSIEPrivacy>
  <MSIEPrivacySettings formatVersion="6">
    <p3pCookiePolicy zone="internet">
      <firstParty noPolicyDefault="forceSession"
                  noRuleDefault="forceSession"
                  alwaysAllowSession="yes"/>
      <thirdParty noPolicyDefault="forceSession"
                  noRuleDefault="forceSession"
                  alwaysAllowSession="yes"/>
    </p3pCookiePolicy>
  </MSIEPrivacySettings>
</MSIEPrivacy>
If you use Mozilla, turn off cookie persistence.
If you use IE, save the following XML file and then import it as a custom privacy setting. It makes all Internet zone site cookies into session cookies; sites you like can be moved into Trusted Sites, whose security options you can ramp up into a secure level:
-----------
It is not real XML; you can't include comments in the file. Weird.
There is already someone with a new token called 'everything else here is untrue' or words to that effect, so you can have all the statements about how well you adhere to privacy rules, which the browser believes, followed by this disclaimer, which IE ignores.
Result: it thinks you respect privacy, you get to do what you want *and* your P3P privacy statement is actually honest.
what the US needs is the EU data protection act.
Password Safe by Bruce Schneier's Counterpane group is pretty secure because (a) Bruce wrote it, and he knows about strongly encrypting stuff on your HDD (it uses Blowfish, I believe), and (b) the source is on SourceForge for you to check.
It is currently Windows only, but being on SourceForge now, the core could be ported to anything with C++ to hand.
I don't think those names are accurate at all:
Word - a macro virus execution engine
Outlook express - virus inbox
Internet Explorer - Another security hole
IIS - server side security hole
FrontPage - cheesy web site designer
MS might have been working on Windows since '83, but they didn't ship till about '86. More to the point, the copyright statement of WinXP says '1985-2001', so they don't claim they wrote any code before '85.
I ain't going to JavaOne because I despair at Sun trying to control it too much; for example they wouldn't allow sessions on the Eclipse windowing stuff, which is an interesting alternative to Swing. Too much control like that stops conferences being interesting; makes them more like reruns of the XVI Congress of the Communist Party of the Union of Soviet Socialist Republics: "the Java developers of the 13th Gulag would like to praise Commissar McNealy for adding the assert statement to Java", that kind of thing. Same reason I don't go to any Windows conferences either.
Go to things like the Ubicomp conference and you get to see some really interesting stuff, like people putting a Java web server inside a normal GSM handset (via a Java smartcard), which responds to requests proxied over SMS. Slick.
I had a run-in 2 years ago with an alcohol-burning camping stove going in the hold, all nice and empty. I got the 'why are you endangering the plane' lecture; trying to explain that they were selling the fuel and encouraging people to buy in litres got too complex. I saw where things were going and let them confiscate it before they took me into the side room.
Once you start having exceptions to security rules, even sensible ones, you have to have smarter staff, and that just costs more.
I always just filed him away as daft. He was banned from the MIT bookstore for reading books with a camera over his head, right? And the girlfriends of his roommates were always nervous of him wandering around the house with the same camera...
Yeah, I have access to a STEM and all it takes is a conversation with the right people at a university; I bet for $250K you could set up your own.
Given that GSM auth and the next generation of credit cards are all smartcard-based, I would expect one or two 'illicit' SEMs and STEMs to become available. And to reverse engineer an algorithm, you only need to crack the chip once.
The Guardian article on the subject implied they used a scanning electron microscope to reverse engineer the IC, and that only a few people worldwide could do it. All good universities have a STEM and smart enough people with time on their hands.
What this does show is that smartcards are hackable, given enough financial incentive...
BT has some kind of shared-secret thing, but it is limited to the size of PIN codes or something.
I wouldn't bother with listening to phone conversations though; I'd dial up to check my email over their cellphone. Hey, maybe I could have my laptop act as an 802.11 base station and bridge out all wireless over the cellphones of people in BT range on the other antenna.
Don't worry, SSSCA will put the encryption in there to stop you using your keyboard to type in the words to any Disney cartoon. You will get as far as typing 'mickey mou' or 'cinderel' and suddenly the device will stop working.
The mouse? Same thing. Try drawing any Disney-like artwork in the GIMP and it'll lock up.
I thought the problem with releasing code under GPL was that if it took off, RMS would claim credit for it. And while certainly he and the FSF do deserve the credit for evangelising the open source movement, I find their argument that Linux should be called GNU/Linux somehow ignores all the work that people like XFree86 put into the product.
Oops. I hope saying that doesn't mean RMS will visit my house with his accoutrements.
good point.
The FCC mandated things like 1-800 number roaming; in the UK you can change cellphone vendor and keep the same number, so why can't AOL and MSN be 'encouraged' to provide redirection to users who move away? I know they don't want to, but I think MSN might benefit by getting people off AOL too...
.NET has two means of talking to peers (ignoring COM+).
First it has SOAP over HTTP, which is what dbox was criticising as flawed (agreed, it doesn't work for web services, not without standard things like checksums to verify the response is complete, not without decent two-way comms over a single channel).
But it also has .NET remoting, which is only between .NET boxes. Maybe that is what MS want everyone to use...
Hey, CDE wasn't just Sun's fault. Sun NeWS used to be slick even if it crawled on 68010 SunOS 4 boxes with 8MB RAM. Too bad they don't stick the src up on an FTP server; bet it'd fly now. Bring back oddly shaped windows!
(Course, Java Swing on NeWS would still crawl.)