And your proposition for a distributed system of trust information that is transparent to users is? Sure, PGP/GPG signing might benefit to those who watch where they step, but it does little for those who are most susceptible to trojan attacks.
GPG signing could be used to employ a traffic light system. Most of the developers in the Mozilla scene know one another so it is possible to build a web of trust and then represent that web with a simple metaphor such as a traffic light when installing the extension. Green could mean the person is one step away from the Mozilla.org official signature or fully trusted by 2 or more people who are. Amber might mean they don't meet the criteria for green but they do have some signatures and red means unsigned or unvalidated. If the installer wants to see more detail they click on the light for it and perhaps even add their own trusts to the list. Obviously such a system should fetch keys and revocations prior to making this test.
Secondly, when I update an extension Firefox, it should verify that it is signed with the same key as the previous version. If it isn't, it should put up a big warning to that affect.
Thirdly, by default Firefox policy should not be to install unsigned / untrusted extensions at all, and for the addons site to marginalise unsigned / untrusted extensions. They should not be spotlighted, not appear under "what's new", not appear categorised with the other extensions.
Nothing is failsafe, but the fact is there is no trust at all at the moment. It is a dereliction of common sense to allow extensions to continue the way they are.
Should it really be fair to restrict some online service to have to treat all clients the same way just because one version was derived from another?
No it shouldn't and in fact this clause alone would be enough reason for me not to use the GPL for some software. I'm writing a mud / MMPORG server & client kit in Java. It may never see the light of day of course since I'm just using the concept to play around with Hibernate and some other stuff but what if it did?
Should someone who uses my kit to produce a mud / MMO be forced to allow any client to connect to it? Is it reasonable that a bunch of assholes with a modified client start macro spamming some action to accumulate gold, or employ other techniques that give them an unfair advantage over other players? Is it fair that the server can't boot such people? Do I as the GM count as part of the online service, or am I able to boot such people? Should I be forced into an ever increasing arms race with modders simply because I can't enforce terms that make them use the official client?
This clause alone renders the GPL v3 totally unsuitable for any client / server game, or any kind of service where one abusive asshole could ruin the service for anyone else. In truth enforcing users to run an official client is almost intractable, but some measures can be employed, assuming the licence permitted it.
Therefore if my game did appear, I sure as hell would not release the source code under those terms.
This exploit might be a hacked Firefox, but even the vanilla Firefox is an easy attack vector.
The very first page you see after installing tells you to Install Extensions. And what is only a few clicks from that page? Hundreds of untrusted extensions, with the new ones helpfully listed first.
It would be TRIVIAL to insert a trojan onto that site. You can guarantee that people would download and install it without thinking twice. With a little more effort you could even hack a popular extension's home site and insert an additional payload. Firefox would even helpfully tell all the users there was an update. Sooner or later someone would catch on, but by then it is too late. At present there is no way to gauge the trustworthiness of an extension because no one signs them. And no one signs them because PKCS is shit and there is no alternative mechanism around PGP. There should be.
The funny thing is IE was panned for ActiveX control issues and yet Firefox contains something just as serious in extensions. It is true that extensions must be voluntarily fetched by a user so the user base as a whole has a lot of protection, but it does not excuse the lack of trust information for the poor sucker who caught a dose from Mozilla's own web site.
Well the should. In fact, I read just the other day that Debian will be signing packages at long last. It's not brain surgery to do either - Red Hat has been doing it for a very long time.
Well yes it is. Firefox extensions are an easy way to trojan a system. Anyone can write an extension and put it up on the addons site and there isn't even the requirement that it be signed. There is no enforcement of trust at all except for a primitive domain whitelist system. I think it would be fairly trivial to produce a malicious extension. Worse, you could even craft one that works on Linux, OS X and Windows in one fell swoop, since you have unfettered access to all of the XPCOM objects running in Firefox.
My feeling is that Firefox desperately needs to implement some kind of trust model. I can understand why that might not be RSA PKCS since the system is crap for small publishers. But something is needed. Even a trust model based on PGP signing would be of benefit.
I'm sure some would argue that no one looks at signatures anyway, which might be an exaggeration, but it does have some truth. It is certainly no excuse for offering no trust model at all, or for Firefox UI designers to not be able to produce some simple traffic light trust system with sensible defaults to simplify it for those who can't or won't look at the certs.
Actually it does preload large parts of IE, but in the way you say. Whole subsystems such as Wininet, common controls (coolbars etc.), mime, jpeg & png loading were originally created for IE but have been folded into the operating system. And as soon as you open a help page, or Add/Remove programs, or enabled certain folder effects in Explorer which invoke ShDocVw.dll, then you *have* loaded IE since the IE browser component is used to render those things.
Therefore by the time you start IE, big chunks of it are already preloaded and memory resident. The actual iexplore.exe is just a shell around DLLs which are mostly comprised of things in your Windows\System folder.
Who knows what they will do with IE7 but it would not surprise me if a reboot is required to install it.
Having said all that, I don't think Firefox is particularly slow to load, but it does have more work to do than IE to start for all of the reasons above.
Firefox works on the principle that if you have the memory, it will use it. If you don't like the amount of memory it consumes, you can tune the memory cache, the session history length and indeed your browsing habits (don't use a gazillion tabs) and the footprint will be lower. Note also that if you start to run out of memory that Firefox responds to memory "pressure" and will start flushing out things that it is hanging on to.
Better yet, open an account with someone like Fidelity, Vanguard or Schwab. They all offer hundreds of mutual funds to choose from (with search capabilities to find the right one for your risk), and their entry / exit fees are bound to be far lower than a bank. Fidelity even has offices all over the place, so might not be much harder to open an account than walking into a bank.
Most supermarkets put the ripest fruit and other perishables at the front on the principle that most people pick from the front. Which is why I pick from the back. Sometimes the difference in expiry dates can be a week or more.
I wouldn't say XML is a silver bullet, but the act of forcing you to structure your data and use extremely robust libs to read / write it sure has its benefits. I wish in fact that all apps read and wrote their configs through common libs. Something akin to PAM, but for config files would be an enormous benefit to Linux where every app and its uncle seems to use a different format.
Web services are probably being overtouted as a silver bullet, but the fact is that they serve a very useful purpose. I maintain a legacy app which uses ad-hoc XML over HTTPS. Since I have no idea what the format of the request and response is, I must constantly refer to the code to figure it out. I must also invent my own error responses if the format is incorrect. Web services mean I could just define the interface in WSDL (using WTP in Eclipse for example) and more or less forget about it. I can even use Axis or.NET's wsdl.exe to auto generate the stubs that make the call and just concentrate on the business logic. Bad calls throw a soap fault which is turned into an exception or whatnot by the client lib that makes the call. It doesn't make all my problems disappear, but it does mean I can be looking at the functionality of the app rather than wasting time rolling my own XML format.
And even the ad-hoc XML over HTTPS is quite an improvement over what came before. Then you'd be talking about opening a port and defining the whole handshake and transfer of data using messages, complete with all the bugs and security issues that go with that. Standards are a great thing even if they initially seem confusing.
Certainly any standard is open to abuse. I expect that anyone who has to deal with Microsoft's new Office format over XML will be in a world of hurt. But you have Microsoft to blame for that, not the standard.
Modern PCs consume a *horrible* amounts of power. I bet if power consumption were taxable that consumption could miraculously drop by a third without any loss in performance. Suddenly you would find that hardware & software makers flip on the power saving functionality by default rather than expecting people to find it. And the Nvidia & ATIs of this world producing desktop GPUs which have performance characteristics closer to their laptop versions. If Intel can produce CPUs that consume less power than the last generation then the GPU makers sure as hell can too. Who knows, it might even lead to cheaper graphics cards since they won't need so much circuitry including power connectors and massive fans to keep them cool.
Print on Demand (POD) is simply the latest incarnation of vanity publishing. They will sell any rubbish because they DON'T CARE what they print. All they care is that you, the author pay up front for one of their price plans, and get suckered by the selling up. There is no quality threshold - you pay and you're in. They won't even spell check, typeset, edit, or market your book unless you pay them and for that you probably get some drone scanning your guff. That is the definition of vanity publishing. It would not surprise me if the majority of their sales were back to the author themselves.
There may be a limited number of instances where you might want to use them, but I can't think of many. Perhaps a highly technical book with a limited audience, but then you're going make a pittance from your sales since you can't even set the price of your book. The worth of your book is dictated by the amount of paper it uses, not the words. Certainly no mainstream author would ever want to use the service unless they struck a deal with the POD service outside of the scales that the other schmucks get.
There is a lot of detailed info from an author's perspective about POD here.
How do you know what is in the box? Have Nintendo listed the contents as shipped? Why do you believe they are going to ship two controllers when the wii-mote is virtually the only unique selling point of the system?
And if they don't ship the regular controller in the box well... read what I said. Game companies have to support what is in the box. If they don't and expect people to buy another controller then they cut their sales in half. It's not hard to comprehend, even for a fanboy.
Yes ad blockers do like that, but in general you have to train them. You have to tell them not to get ads from a certain IP address and to do that you generally have to see the add and then block it specifically or with a wildcard. Some blockers like JunkBuster / Privoxy might come with a general list but it's not going to catch everything.
I suspect that US / EU sports games don't make it to Japan for much the same reason that US games don't or just barely make it to Europe and vice versa. Because they're unappealing to those markets.
While I am sure that there are distributors in the US for Brian Lara's Cricket or Gaelic Football, those titles aren't exactly likely to be flying off the shelves. Likewise in Europe with US sports like (American) Football & Baseball. They might sell, but it would be a tiny fraction compared to the home market.
Localizing content such as commentary tracks for Japan would also be a huge pain in the butt and might cost too much to recoup anything. The same in the other direction, especially for weird titles, or long adventure games where there are lots of words to translate and the foreign market doesn't exactly like those titles much to begin with.
People on non-Windows platforms hardly have to fear WMF exploits.
Exactly. The law of diminishing returns makes it considerably harder to target Linux (or even Firefox users) and expect a reasonable return from doing so. In short, the more heterogeneous your machine is, the more built-in immunity you have to any kind of exploit.
Some natural immunity is not a substitute for safe browsing practices, but it's hard to see how due diligence would have helped in this sort of case. We automatically assume that trusted sites deliver only trusted content, but this example makes clear that it is not always true. Ad blocker only works so far, since you have to see an advert to block it which obviously gives a window for infection.
Viable requires that the DVDs in question be desirable and value for money. If I can buy the full 2-disc special, platinum, collectors edition of some piece of shit like Charlies Angels II for less, why the hell would I waste a significant part of a day downloading the same from the internet? Heck, you can even rent the DVD for half the price and copy it.
Anyway, tech like this is almost certain to fail. What do you bet that you have to download and install some shitty DRM laden "burner" which controls how many copies you make and ensures to install some Sony-esque DRM laden cdrom driver onto the disc to infect any user's machine that it is inserted to. It is almost certain that this is how their copy protection will work, and combined with the silly prices it will guarantee the service will DOA.
When will the studios get a clue? If Netflix can send out unlimited DVDs a month for $15.99 then it does not seem unreasonable that the studios should be able to make money from a similar scheme. How do they protect their content from copying? It's already copied! Besides, I'm sure there are numerous watermarking schemes that could be applied to an unencumbered format but would still allow them to crush any abuser of their service like a bug if they chose.
Hmm, amazing games with great gameplay can be had on all platforms. For the Wii to succeed requires a) that the controller is good (and there are plenty of ways that it could suck), b) the games to be suitable for the controller and not suck too, c) gamers to like playing all their games through a hand waving device.
Personally I think the Wii is a very interesting console, but game companies are going to have to work damned hard to make the thing any use for a whole raft of traditional game genres. Anything from platformers, to rpgs, to real time sims, to sporting games (which don't involve swinging something) could royally suck on the Wii. Even the PSP suffers with bad PS2 ports due to a missing analogue stick so I can imagine what will happen on the Wii. I'm sure Nintendo will have to put out a regular controller to compensate for this, but authors will still be forced with making their games work with what's in the box, or face marginalisation.
Shortages are part and parcel of new product but I also expect that they are cynically engineered to ensure demand outstrips supply. If they have more boxes than they can sell, it makes the product look like it is selling badly. Therefore if you cut the stock to the bone, you can ensure lots of juicy headlines about fights breaking out between people trying to buy the last PS3.
Sony is not alone on this. Microsoft did it with the XBox 360, and no doubt Nintendo will too with theirs.
For the dubious privilege of being the first kid / man-child on the block with a PS3, you get to pay for a handful of mediocre games, uncertainty over whether your new console will work correctly, long waits for restocking if it doesn't, an online service that will invariably lag / buckle / crash on day one and a lucky dip of the usual problems that plague all new releases.
Let other people be paying beta testers. If the system is worth buying, it will soon become apparent once the hype dies down, what problems exist are sorted and supplies increase.
Anyway despite this, I do hope the PS3 does well, simply because the console market needs competition. The price and Blu-Ray drive don't do anything for me, but if Sony have garnished themselves a clue in the last year or so, they might produce something which is worthy of premium position (and price) it commands by the TV. A PS3 could do some tantalising things if it isn't encumbered with stupid DRM or other restrictions. But time will tell. I'll let the early adopters discover if its a piece of crap first with their own money.
Well there you go :) The obvious advantage is that someone can't replace some .deb file with their own without it being noticed by the installer.
GPG signing could be used to employ a traffic light system. Most of the developers in the Mozilla scene know one another so it is possible to build a web of trust and then represent that web with a simple metaphor such as a traffic light when installing the extension. Green could mean the person is one step away from the Mozilla.org official signature or fully trusted by 2 or more people who are. Amber might mean they don't meet the criteria for green but they do have some signatures and red means unsigned or unvalidated. If the installer wants to see more detail they click on the light for it and perhaps even add their own trusts to the list. Obviously such a system should fetch keys and revocations prior to making this test.
Secondly, when I update an extension Firefox, it should verify that it is signed with the same key as the previous version. If it isn't, it should put up a big warning to that affect.
Thirdly, by default Firefox policy should not be to install unsigned / untrusted extensions at all, and for the addons site to marginalise unsigned / untrusted extensions. They should not be spotlighted, not appear under "what's new", not appear categorised with the other extensions.
Nothing is failsafe, but the fact is there is no trust at all at the moment. It is a dereliction of common sense to allow extensions to continue the way they are.
No it shouldn't and in fact this clause alone would be enough reason for me not to use the GPL for some software. I'm writing a mud / MMPORG server & client kit in Java. It may never see the light of day of course since I'm just using the concept to play around with Hibernate and some other stuff but what if it did?
Should someone who uses my kit to produce a mud / MMO be forced to allow any client to connect to it? Is it reasonable that a bunch of assholes with a modified client start macro spamming some action to accumulate gold, or employ other techniques that give them an unfair advantage over other players? Is it fair that the server can't boot such people? Do I as the GM count as part of the online service, or am I able to boot such people? Should I be forced into an ever increasing arms race with modders simply because I can't enforce terms that make them use the official client?
This clause alone renders the GPL v3 totally unsuitable for any client / server game, or any kind of service where one abusive asshole could ruin the service for anyone else. In truth enforcing users to run an official client is almost intractable, but some measures can be employed, assuming the licence permitted it.
Therefore if my game did appear, I sure as hell would not release the source code under those terms.
The very first page you see after installing tells you to Install Extensions. And what is only a few clicks from that page? Hundreds of untrusted extensions, with the new ones helpfully listed first.
It would be TRIVIAL to insert a trojan onto that site. You can guarantee that people would download and install it without thinking twice. With a little more effort you could even hack a popular extension's home site and insert an additional payload. Firefox would even helpfully tell all the users there was an update. Sooner or later someone would catch on, but by then it is too late. At present there is no way to gauge the trustworthiness of an extension because no one signs them. And no one signs them because PKCS is shit and there is no alternative mechanism around PGP. There should be.
The funny thing is IE was panned for ActiveX control issues and yet Firefox contains something just as serious in extensions. It is true that extensions must be voluntarily fetched by a user so the user base as a whole has a lot of protection, but it does not excuse the lack of trust information for the poor sucker who caught a dose from Mozilla's own web site.
Well the should. In fact, I read just the other day that Debian will be signing packages at long last. It's not brain surgery to do either - Red Hat has been doing it for a very long time.
My feeling is that Firefox desperately needs to implement some kind of trust model. I can understand why that might not be RSA PKCS since the system is crap for small publishers. But something is needed. Even a trust model based on PGP signing would be of benefit.
I'm sure some would argue that no one looks at signatures anyway, which might be an exaggeration, but it does have some truth. It is certainly no excuse for offering no trust model at all, or for Firefox UI designers to not be able to produce some simple traffic light trust system with sensible defaults to simplify it for those who can't or won't look at the certs.
Therefore by the time you start IE, big chunks of it are already preloaded and memory resident. The actual iexplore.exe is just a shell around DLLs which are mostly comprised of things in your Windows\System folder.
Who knows what they will do with IE7 but it would not surprise me if a reboot is required to install it.
Having said all that, I don't think Firefox is particularly slow to load, but it does have more work to do than IE to start for all of the reasons above.
Firefox works on the principle that if you have the memory, it will use it. If you don't like the amount of memory it consumes, you can tune the memory cache, the session history length and indeed your browsing habits (don't use a gazillion tabs) and the footprint will be lower. Note also that if you start to run out of memory that Firefox responds to memory "pressure" and will start flushing out things that it is hanging on to.
Better yet, open an account with someone like Fidelity, Vanguard or Schwab. They all offer hundreds of mutual funds to choose from (with search capabilities to find the right one for your risk), and their entry / exit fees are bound to be far lower than a bank. Fidelity even has offices all over the place, so might not be much harder to open an account than walking into a bank.
Most supermarkets put the ripest fruit and other perishables at the front on the principle that most people pick from the front. Which is why I pick from the back. Sometimes the difference in expiry dates can be a week or more.
Or 35 litres as everyone outside the US spells it.
B5 video tapes are sold in my local Eurosaver store for 2 euros each. That should be sufficient to figure what their commercial worth is these days.
The main question being why the hell codify it at all?
Web services are probably being overtouted as a silver bullet, but the fact is that they serve a very useful purpose. I maintain a legacy app which uses ad-hoc XML over HTTPS. Since I have no idea what the format of the request and response is, I must constantly refer to the code to figure it out. I must also invent my own error responses if the format is incorrect. Web services mean I could just define the interface in WSDL (using WTP in Eclipse for example) and more or less forget about it. I can even use Axis or .NET's wsdl.exe to auto generate the stubs that make the call and just concentrate on the business logic. Bad calls throw a soap fault which is turned into an exception or whatnot by the client lib that makes the call. It doesn't make all my problems disappear, but it does mean I can be looking at the functionality of the app rather than wasting time rolling my own XML format.
And even the ad-hoc XML over HTTPS is quite an improvement over what came before. Then you'd be talking about opening a port and defining the whole handshake and transfer of data using messages, complete with all the bugs and security issues that go with that. Standards are a great thing even if they initially seem confusing.
Certainly any standard is open to abuse. I expect that anyone who has to deal with Microsoft's new Office format over XML will be in a world of hurt. But you have Microsoft to blame for that, not the standard.
Modern PCs consume a *horrible* amounts of power. I bet if power consumption were taxable that consumption could miraculously drop by a third without any loss in performance. Suddenly you would find that hardware & software makers flip on the power saving functionality by default rather than expecting people to find it. And the Nvidia & ATIs of this world producing desktop GPUs which have performance characteristics closer to their laptop versions. If Intel can produce CPUs that consume less power than the last generation then the GPU makers sure as hell can too. Who knows, it might even lead to cheaper graphics cards since they won't need so much circuitry including power connectors and massive fans to keep them cool.
There may be a limited number of instances where you might want to use them, but I can't think of many. Perhaps a highly technical book with a limited audience, but then you're going make a pittance from your sales since you can't even set the price of your book. The worth of your book is dictated by the amount of paper it uses, not the words. Certainly no mainstream author would ever want to use the service unless they struck a deal with the POD service outside of the scales that the other schmucks get.
There is a lot of detailed info from an author's perspective about POD here.
How about walking around without listening to music the whole time?
And if they don't ship the regular controller in the box well... read what I said. Game companies have to support what is in the box. If they don't and expect people to buy another controller then they cut their sales in half. It's not hard to comprehend, even for a fanboy.
Yes ad blockers do like that, but in general you have to train them. You have to tell them not to get ads from a certain IP address and to do that you generally have to see the add and then block it specifically or with a wildcard. Some blockers like JunkBuster / Privoxy might come with a general list but it's not going to catch everything.
While I am sure that there are distributors in the US for Brian Lara's Cricket or Gaelic Football, those titles aren't exactly likely to be flying off the shelves. Likewise in Europe with US sports like (American) Football & Baseball. They might sell, but it would be a tiny fraction compared to the home market.
Localizing content such as commentary tracks for Japan would also be a huge pain in the butt and might cost too much to recoup anything. The same in the other direction, especially for weird titles, or long adventure games where there are lots of words to translate and the foreign market doesn't exactly like those titles much to begin with.
Exactly. The law of diminishing returns makes it considerably harder to target Linux (or even Firefox users) and expect a reasonable return from doing so. In short, the more heterogeneous your machine is, the more built-in immunity you have to any kind of exploit.
Some natural immunity is not a substitute for safe browsing practices, but it's hard to see how due diligence would have helped in this sort of case. We automatically assume that trusted sites deliver only trusted content, but this example makes clear that it is not always true. Ad blocker only works so far, since you have to see an advert to block it which obviously gives a window for infection.
Anyway, tech like this is almost certain to fail. What do you bet that you have to download and install some shitty DRM laden "burner" which controls how many copies you make and ensures to install some Sony-esque DRM laden cdrom driver onto the disc to infect any user's machine that it is inserted to. It is almost certain that this is how their copy protection will work, and combined with the silly prices it will guarantee the service will DOA.
When will the studios get a clue? If Netflix can send out unlimited DVDs a month for $15.99 then it does not seem unreasonable that the studios should be able to make money from a similar scheme. How do they protect their content from copying? It's already copied! Besides, I'm sure there are numerous watermarking schemes that could be applied to an unencumbered format but would still allow them to crush any abuser of their service like a bug if they chose.
Personally I think the Wii is a very interesting console, but game companies are going to have to work damned hard to make the thing any use for a whole raft of traditional game genres. Anything from platformers, to rpgs, to real time sims, to sporting games (which don't involve swinging something) could royally suck on the Wii. Even the PSP suffers with bad PS2 ports due to a missing analogue stick so I can imagine what will happen on the Wii. I'm sure Nintendo will have to put out a regular controller to compensate for this, but authors will still be forced with making their games work with what's in the box, or face marginalisation.
Sony is not alone on this. Microsoft did it with the XBox 360, and no doubt Nintendo will too with theirs.
Let other people be paying beta testers. If the system is worth buying, it will soon become apparent once the hype dies down, what problems exist are sorted and supplies increase.
Anyway despite this, I do hope the PS3 does well, simply because the console market needs competition. The price and Blu-Ray drive don't do anything for me, but if Sony have garnished themselves a clue in the last year or so, they might produce something which is worthy of premium position (and price) it commands by the TV. A PS3 could do some tantalising things if it isn't encumbered with stupid DRM or other restrictions. But time will tell. I'll let the early adopters discover if its a piece of crap first with their own money.