The Jatravartid People of Viltvodle Six firmly believe that the entire universe was sneezed out of the nose of a being called The Great Green Arkleseizure. They live in perpetual fear of the time they call The Coming Of The Great White Handkerchief.
It seems to me that if the IE team is capable of telling that a combination of features is potentially dangerous, then why would they edit the source of the page to avoid triggering the vulnerability, rather than actually eliminating the vulnerability being attacked?
It's easy enough to see what it does. When Google Update opens a browser to perform the download, view the source of the web page it pulls up. Observe that the GU*() API allows it to trigger a download and install without user intervention.
Well, if right clicking is painful for you, you can still simulate a right click using ctrl-left click on a Mac
Or I can save about fifty bucks AND get a better mouse that doesn't force me into stupid bleeding workarounds for Apple's idiot mouse designs. Yes, it's from Microsoft, but it doesn't ACTUALLY cause an explosion when I plug it into my Macbook.
I'm reminded of JWZ's rant about Linux audio. "Well, if that doesn't work reinstall this other version of Linux from scratch". "Say what?"
Once you start talking about using click-and-hold or control-click to work around Apple's passive-aggressive relationship with the right mouse button you're square in the middle of raving loonie fanboy territory.
Christ on a crutch, do you think I haven't actually tried this?
Yes
You're not so good on that reading comprehension thing then. I had one of Apple's capacitively coupled mice. I had to return it. It caused me physical pain to use it.
However according to timster and HoqGeek in their replies above, you can click as normal without that extra step (presumably added for emphasis in the video to show when the user was clicking).
For a left click, you don't have to lift your finger. For a right click, you do have to lift your finger, just like Apple's previous mouse. I have tried using the Mighty Mouse and it caused me intense pain after even a short period of time... so I would say that, at least for people with RSI, your original impression was correct.
No, I think you still don't quite understand. You don't have to lift any fingers for a left-click. Only for a right-click. That aspect works the exact same way that Apple mice have for some years now.
You are correct, Apple mice have sucked for some years now.
The IE8 sandbox is deliberately leaky, and doesn't protect you against people stealing access tokens (passwords, etcetera) for your online assets. It is a mitigating factor, but doesn't reduce the surface area exposed to attack.
And so long as design flaws like ActiveX remain part of the Microsoft HTML ecosystem, IE will continue to have a larger surface area.
The anti-TEMPEST fonts seem to have been withdrawn:
Q: Where can I download low-pass filtered Soft Tempest fonts
Unfortunately, the existing font display mechanics in operating systems does not make it possible to implement this protection technique simply by installing a new font file.
For this reason, I am not providing any filtered font files.
Snow Crash is overrated. Go back to Vinge's "True Names" for a more credible "Metaverse".
As for ideas, well, speaking of Vinge... as we get closer to the Singularity then you'd expect *near future* SF to start hitting a near future event horizon. But Vinge is still throwing out some interesting stuff... the library eater in Vinge's "Rainbow's End" turns out to be Google, but there's a boatload of ideas in there that haven't come true yet...
But in all those cases the operation is triggered by an agent running on the local computer.
Google Update installs a plugin that allows a web page to request the download and installation of a component on your computer without notification or authorization just by visiting that web page.
I don't understand what you mean by "allows a web page to push an update on you".
I looked at the Javascript wrappers around the API that Google Update installs in your browser, and the process of querying the user whether they want to install the package or not is implemented in the Javascript. Their plugin will download and install a component without any user interaction if the web page asks it to. No matter how good their security, implementing it in this way does increase the surface area to attack.
I do not see the benefit to implementing this functionality as a web plugin instead of a standalone application that performs all the verification and user interaction.
Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.
For example, FTA: "All users should be updated automatically,"
Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.
Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.
It doesn't matter whether he "had it coming" or not.
Contacting the school violated the stated privacy policy of the site, whether it was a student or staff. We're talking about a newspaper, for god's sake. A newspaper should be the first to stand behind their privacy policy. Reporters have gone to jail to maintain the privacy of their sources, and while the online equivalent of "letters to the editor" isn't quite in the same league as "Deep Throat", this was still unacceptable behavior.
The St Louis Post-Dispatch needs to step up to the plate and bat for their own goddamn rights. If they DON'T do something about this violation of privacy, they weaken their own ability to protect their sources.
as the shell moves down it separates from your left finger
NO it bloody well DOES NOT. My finger is resting on the top of the mouse. When the mouse moves, my finger moves.
Christ on a crutch, do you think I haven't actually tried this?
This is one of those things that sounds really complicated if you think about it, but is actually very simple to use.
And soon after I started using a Mighty Mouse, my right arm was a bar of pain. OK, it's my fault for damaging my ulnar nerve on ADM-3As in the basement of Cory Hall all these years ago, but I've read the same report from people with CTS and other kinds of RSI... it's an unnatural movement that causes intense pain.
I'm using a Microsoft two-button optical mouse now, and I don't have to lift my index finger to right-click.
My experience precisely.
Which multi-touch mouse do you want the most? Or are they all gimmicks?
Nice card-forcing there.
I like Microsoft's basic wheel mouse on Windows and Mac, and HP's 3-button optical mouse on X11.
You could run all your text through a CAPTCHA filter. :)
Seems like 3 bits per cell will make for some interesting block allocation algorithms. :)
I personally think SATA is done. We need a new physical HD transport layer for this.
You're right, 3 gig SATA isn't as fast as 6 gig SAS, 8 gig FC, or 10 gig iSCSI/FCoE?
We Americans by nature are assholes, so we may as well do something productive with it.
Yes, let's put the "fun" back in "dysfunctional". :)
This is an old one, Same-origin violation with InstallTrigger callback, but there have been later errors in XPInstall. The whole installation mechanism is unnecessarily tricky.
I would like to turn the XPI installation mechanism off completely, and only install extensions by downloading them to the local file system and installing them explicitly from a command line or menu. There doesn't seem to be a way to do this.
Also, recently found was Chrome privilege escalation in XPCVariant::VariantDataToJS(), and a few other privilege escalation attacks in Chrome.
This kind of thing makes me wish there was a good alternate gecko-based browser on Windows, like Camino on the Mac, so the whole XPI/XUL/Chrome mess could be avoided.
I guess it depends on whether you see GNUstep as being NeXTStep Junior or a useful platform in its own right. If you're just trying to be NeXTStep Junior and track OS X, I think you're doomed to fail. I'd rather have a useful platform that happens to be source-compatible with a subset of OS X, so you can develop GNUstep apps and port them easily to OS X.
I wish someone would do the same with Windowmaker and GNUstep, but I suspect the licensing has closed off that path.