By the way, I find this really frustrating. The NT kernel has a lot of really nice capabilities that I'd like to be able to use, but there's this great zombie dragon with bad breath and appalling taste in friends called "Windows" that you have to chum up to to get into the kernel.
...all that's left is COM/DCOM and some new libraries.
And honestly, thats pretty much how we plan on using it.;)
I hope that works for you, but the way you described it it sounded like you were going to be depending on its security model as well... and that's just asking for the foul-up fairy to come calling.
Rather than just completely denounce an idea because of where it came from, I'm at least willing to give it a try.
This has nothing to do with "holding a grudge". You can't evaulate the security of a system by "giving it a try".
The problem is that there is a deep and fundamental flaw in the security of ActiveX and derived technologies. The problem is that the design is based on discretionary access conrol policies and models, but it's operating on objects that have to be limited by mandatory access controls.
When you assign privileges to potentially untrusted objects in a mandatory access control system, it must not be possible for an object to increase its trust level. The only way to ensure this, is for there to be no mechanism by which an object can request additional privileges for itself or for any object it introduces to the system. There must be no way for an object, in Microsoft's terminology, in a less trusted security zone to reference an object in a more trusted security zone. Once you give up privileges there must be no way to get them back.
But that operation, the launching of trusted objects from an untrusted environment, is exactly what ActiveX and.NET are there for. It's their whole reason for being. Without that operation, all that's left is COM/DCOM and some new libraries.
why issue a press release when a member of the University has already written an entire article?
It's the whole "peer reviewed publication" business, of course. THe paper itself can't be published without the journal's permission, even by the original author, and they are reluctant to give that because they want to sell copies. And, admittedly, they need to sell copies to pay for the whole editorial and review process.
One of the dev's on the team brought up that.Net includes a set of security features that help to lock down scripts fairly tight
Using a design descended from Internet Explorer and Active Desktop, whose security zones and certificates and ad-hoc definitions of zone boundaries has proven fatallay and unfixably flawed.
Why should I trust.NET to have finally fixed the unfixable?
The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.
It doesn't really even tell you that much. All it does is authenticate the DNS name in the URL. In a few cases it might be possible for the certificate issuer to do more than a cursory investigation of the company name, but not routinely at the prices they have to charge to actually sell certificates.
The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.
A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.
No, but the Ohio University one has to be considered the source copy, since they issued the press release. And it provides links to other material at Ohio University, including (after a couple of hops) to at least one of the author's own web-pages and both author's contact information.
The PhysOrg one only provides links to imaginary eBay auctions for quantum dots.
Physorg doesn't "go into the details". It doesn't do anything but reprint press releases. Every time I hit a physorg article on/., I have been able to google up the original PR elsewhere... usually on the website of the organization that released the information. The text is ALWAYS word-for-word identical, and there's frequently useful links and additional material as well.
It requires 5 minutes at the most, why not take the time?
Basicly, make [the HTML control] a local-only content renderer.
Not good enough. The classic Outlook "cross zone scripting" attacks involving dropping a script into a local location and linking to it would still work. And it would break applications like Realplayer (and BOY would Microsoft have to eat a ration of used food if they did that).
They need to separate three functions of the HTML control:
1. Rendering. Leave the HTML control the rendering engine.
2. Object access. Create an HTTP access library applications like IE can use to access objects that aren't local, and open local ones themselves.
3. Embedding. This needs to be turned inside out, so the application calling the HTML control embeds controls in it, like the KDE "IO Slaves", and only those applets provided by that application get to fire.
Anything that isn't equivalent to this separation of privileges and responsibilities will continue to have new and exciting exploitable holes...
Is there some relationship between/. and PhysOrg? If so, Commander Taco should be ashamed of it... PhysOrg is an eyeball tarpit, it NEVER credits the original article or provides a link back to it. Never. Not once. It might as well be dead trees...
I have to say, I personally wouldn't replace Mac OS X with Linux. On the rare occasions where a piece of Linux software really is the best tool for the job (eg. GIMP, Ethereal) it's usually easy enough to get it up and running under Apple's X11.
Indeed. Maybe back when Macs were running Mac OS 9, or even OS X 10.0 and 10.1, there might have been an advantage to Linux... but since Jaguar came out I've been hard-pressed to come up with a reason to run FreeBSD, let alone BSD's adopted cousin Linux. People talk about running Linux on a Mac laptop and I look at them like they've grown an extra head... Apple's laptops are uninspiring if you don't get to run Apple's software on them.
If in a few years Ocelot requires more beef than the Mini can provide (unlikely, my daughter's running Panther on a 1999 iMac and it's actually faster than with Jaguar), you'd do way better with Darwin than Linux.
I can maybe see an advantage to the Mini hardware for a little while, but as soon as someone comes out with a nice slab case for your Mini-ITX boards, maybe 8" by 10" but only an inch thick, why spend more for a less expandible box?
Internet Explorer is a security risk, too, but to remove Internet Explorer from the OS would involve replacing the functionality that IE provides with a local-only HTML control or else applications like Windows Explorer, the Control Panel and many of its applets, Outlook and Outlook Express, and even Realplayer woudl need to be modified.
One of the advantages of a chord keyboard is that it allows one-handed typing, which is essential for wearable computing: you shouldn't need to put down your "keyboard" to open a door or pick up a glass or whatever else you need to do in the "real world".
. Otherwise I have to go hunting for other parts of the app.
If the app comes in "parts" that you need to work together and don't automatically follow the focused window, that's a design flaw in the app... and in any case a real MDI design won't help because it's based on documents.
And, finally, Opera doesn't "need" MDI for that reason anyway... its pages are fungible.
. MDI is a windows convention, and works well in windows.
Windows is the only place I've used Opera, and I don't like MDI there, either. I find it incredibly frustrating to click on a window and have the whole application dragged willy-nilly up to the top of the stack with it.
MDI is a leftover from the original "patent-dodging" Windows design with the *paned* windows, to give people a way to use tiled windows at least within an application.
Can I open (say) a terminal window in an Opera MDI window?
No?
Virtual desktops can have any number and type of windows associated with them. MDI is limited to windows of a specific app that are children of the surrounding MDI window. Hardly seems worth it.
There's no reason something comparable couldn't be done on windows, except that it would be a lot of engineering.
That's the problem. They'd have to completely redesign the way the HTML control works to make it viable: Microsoft considers the ability of the HTML control to break out of its sandbox so important a feature that they risked having the company broken up rather than let it be merely another component in the system.
And, ironically, just doing that would make the system so much more secure that Microsoft's security boasts could be made true... even without adding MAC. But they'd lose so much face that if it hasn't happened by now it never will.
The problem with MDI is that MDI only gives you one window per application, with multiple views. Tabs give you many windows per application, with multiple views per window.
What MDI is faking is multiple workspaces, which is MUCH more useful because it allows you to mix applications in a workspace.
There's no reason you couldn't build a virtual machine or emulation layer to run those apps inside of that completely blocks an app from messing up your system.
They'd have to do that for the entire HTML control and any application that used the HTML control, including Windows Explorer. You'd end up with the whole OS in a sandbox.
Not that this is a bad thing, necessarily, but it does kind of defeta the purpose.
What they're really saying is "Our programmers and development processes are better than your programmers and processes."
It doesn't matter. Windows problems are fundamental to the design, particularly Active Desktop and all that involves. Best programmers in the world couldn't make that secure, not if they couldn't back out most of the design and do it over.
By the way, I find this really frustrating. The NT kernel has a lot of really nice capabilities that I'd like to be able to use, but there's this great zombie dragon with bad breath and appalling taste in friends called "Windows" that you have to chum up to to get into the kernel.
...all that's left is COM/DCOM and some new libraries.
;)
And honestly, thats pretty much how we plan on using it.
I hope that works for you, but the way you described it it sounded like you were going to be depending on its security model as well... and that's just asking for the foul-up fairy to come calling.
Rather than just completely denounce an idea because of where it came from, I'm at least willing to give it a try.
.NET are there for. It's their whole reason for being. Without that operation, all that's left is COM/DCOM and some new libraries.
This has nothing to do with "holding a grudge". You can't evaulate the security of a system by "giving it a try".
The problem is that there is a deep and fundamental flaw in the security of ActiveX and derived technologies. The problem is that the design is based on discretionary access conrol policies and models, but it's operating on objects that have to be limited by mandatory access controls.
When you assign privileges to potentially untrusted objects in a mandatory access control system, it must not be possible for an object to increase its trust level. The only way to ensure this, is for there to be no mechanism by which an object can request additional privileges for itself or for any object it introduces to the system. There must be no way for an object, in Microsoft's terminology, in a less trusted security zone to reference an object in a more trusted security zone. Once you give up privileges there must be no way to get them back.
But that operation, the launching of trusted objects from an untrusted environment, is exactly what ActiveX and
why issue a press release when a member of the University has already written an entire article?
It's the whole "peer reviewed publication" business, of course. THe paper itself can't be published without the journal's permission, even by the original author, and they are reluctant to give that because they want to sell copies. And, admittedly, they need to sell copies to pay for the whole editorial and review process.
One of the dev's on the team brought up that
Using a design descended from Internet Explorer and Active Desktop, whose security zones and certificates and ad-hoc definitions of zone boundaries has proven fatallay and unfixably flawed.
Why should I trust
Ironically (and in restrospect obviously) the album is not available on iTMS in their "Grammy Winners" section. :)
The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.
It doesn't really even tell you that much. All it does is authenticate the DNS name in the URL. In a few cases it might be possible for the certificate issuer to do more than a cursory investigation of the company name, but not routinely at the prices they have to charge to actually sell certificates.
The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.
A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.
Neither provides a link to PRL.
No, but the Ohio University one has to be considered the source copy, since they issued the press release. And it provides links to other material at Ohio University, including (after a couple of hops) to at least one of the author's own web-pages and both author's contact information.
The PhysOrg one only provides links to imaginary eBay auctions for quantum dots.
From the UOHIO site:
Contact: Jose Villas-Boas, (740) 593-9611, villasb@phy.ohiou.edu; Sergio Ulloa, (740) 593-1729, ulloa@ohio.edu
The most recent papers I can find online by either are from 1988.
I don't go to Ohio University website to read the news.
/. you're not just a reader, you're a reporter as well. Do the footwork so your own readers don't have to.
When you submit an article to
Physorg doesn't "go into the details". It doesn't do anything but reprint press releases. Every time I hit a physorg article on /., I have been able to google up the original PR elsewhere... usually on the website of the organization that released the information. The text is ALWAYS word-for-word identical, and there's frequently useful links and additional material as well.
It requires 5 minutes at the most, why not take the time?
Basicly, make [the HTML control] a local-only content renderer.
Not good enough. The classic Outlook "cross zone scripting" attacks involving dropping a script into a local location and linking to it would still work. And it would break applications like Realplayer (and BOY would Microsoft have to eat a ration of used food if they did that).
They need to separate three functions of the HTML control:
1. Rendering. Leave the HTML control the rendering engine.
2. Object access. Create an HTTP access library applications like IE can use to access objects that aren't local, and open local ones themselves.
3. Embedding. This needs to be turned inside out, so the application calling the HTML control embeds controls in it, like the KDE "IO Slaves", and only those applets provided by that application get to fire.
Anything that isn't equivalent to this separation of privileges and responsibilities will continue to have new and exciting exploitable holes...
Is there some relationship between /. and PhysOrg? If so, Commander Taco should be ashamed of it... PhysOrg is an eyeball tarpit, it NEVER credits the original article or provides a link back to it. Never. Not once. It might as well be dead trees...
Here's the original article at Ohio University without the PhysOrg spam.
I have to say, I personally wouldn't replace Mac OS X with Linux. On the rare occasions where a piece of Linux software really is the best tool for the job (eg. GIMP, Ethereal) it's usually easy enough to get it up and running under Apple's X11.
Indeed. Maybe back when Macs were running Mac OS 9, or even OS X 10.0 and 10.1, there might have been an advantage to Linux... but since Jaguar came out I've been hard-pressed to come up with a reason to run FreeBSD, let alone BSD's adopted cousin Linux. People talk about running Linux on a Mac laptop and I look at them like they've grown an extra head... Apple's laptops are uninspiring if you don't get to run Apple's software on them.
If in a few years Ocelot requires more beef than the Mini can provide (unlikely, my daughter's running Panther on a 1999 iMac and it's actually faster than with Jaguar), you'd do way better with Darwin than Linux.
I can maybe see an advantage to the Mini hardware for a little while, but as soon as someone comes out with a nice slab case for your Mini-ITX boards, maybe 8" by 10" but only an inch thick, why spend more for a less expandible box?
Windows Media Player is a security risk.
Internet Explorer is a security risk, too, but to remove Internet Explorer from the OS would involve replacing the functionality that IE provides with a local-only HTML control or else applications like Windows Explorer, the Control Panel and many of its applets, Outlook and Outlook Express, and even Realplayer woudl need to be modified.
Windows Update is just the tip of the iceberg.
One of the advantages of a chord keyboard is that it allows one-handed typing, which is essential for wearable computing: you shouldn't need to put down your "keyboard" to open a door or pick up a glass or whatever else you need to do in the "real world".
. Otherwise I have to go hunting for other parts of the app.
If the app comes in "parts" that you need to work together and don't automatically follow the focused window, that's a design flaw in the app... and in any case a real MDI design won't help because it's based on documents.
And, finally, Opera doesn't "need" MDI for that reason anyway... its pages are fungible.
. MDI is a windows convention, and works well in windows.
Windows is the only place I've used Opera, and I don't like MDI there, either. I find it incredibly frustrating to click on a window and have the whole application dragged willy-nilly up to the top of the stack with it.
MDI is a leftover from the original "patent-dodging" Windows design with the *paned* windows, to give people a way to use tiled windows at least within an application.
Can I open (say) a terminal window in an Opera MDI window?
No?
Virtual desktops can have any number and type of windows associated with them. MDI is limited to windows of a specific app that are children of the surrounding MDI window. Hardly seems worth it.
There's no reason something comparable couldn't be done on windows, except that it would be a lot of engineering.
That's the problem. They'd have to completely redesign the way the HTML control works to make it viable: Microsoft considers the ability of the HTML control to break out of its sandbox so important a feature that they risked having the company broken up rather than let it be merely another component in the system.
And, ironically, just doing that would make the system so much more secure that Microsoft's security boasts could be made true... even without adding MAC. But they'd lose so much face that if it hasn't happened by now it never will.
The problem with MDI is that MDI only gives you one window per application, with multiple views. Tabs give you many windows per application, with multiple views per window.
What MDI is faking is multiple workspaces, which is MUCH more useful because it allows you to mix applications in a workspace.
Last time I used Opera it was faking tabs using MDI, which drove me around the bend. Does it have real tabs yet?
There's no reason you couldn't build a virtual machine or emulation layer to run those apps inside of that completely blocks an app from messing up your system.
They'd have to do that for the entire HTML control and any application that used the HTML control, including Windows Explorer. You'd end up with the whole OS in a sandbox.
Not that this is a bad thing, necessarily, but it does kind of defeta the purpose.
What they're really saying is "Our programmers and development processes are better than your programmers and processes."
It doesn't matter. Windows problems are fundamental to the design, particularly Active Desktop and all that involves. Best programmers in the world couldn't make that secure, not if they couldn't back out most of the design and do it over.