I have been reading here on slashdot since a few days ago mentions of java virus(es), but I haven't actually read anyone mention of such a virus's name or what it does. Could somebody expand on this? Are these viruses applets that take advantage of a security hole in a browser's JVM [Sun's or MS's]? Are people finding plain malware or do they actually replicate by infecting executables?
They're trojans really, not viruses, as they do not spread themselves, usually they act as a vector for installing malware. The most common one takes advantage of a bytecode verifier bug in the MS JVM, which Sun allowed MS to patch in release 3012 (distributed as a critical update to Windows since about 2 years ago), despite being ordered by a court not to continue to release updates to their JVM.
There was a vulnerability with 1.4.2_04 (or maybe _05?) and earlier JVMs recently, but I have yet to see an exploit in the wild. People are probably becoming alarmed because their virus detection is picking up a "virus", since the exploit code was downloaded from a porn or warez site they visited, but if they are running an up to date JVM, then the exploit code was not executed, so its mere presence in the cache is not cause for concern in itself.
So instead of a descriptive name telling consumers they are buying a "Reduced Media Edition" of Windows, the EU would rather consumers saw the completely undescriptive and easy to miss "N". Whose side are they on again? It seems the only ones to benefit from this will be Microsoft, when people grab this off the shelf without knowing what it is then go out and buy another copy of uncrippled Windows when they realise their mistake.
javax.swing.JViewport: "Hey we have a cool and fast implementation but won't tell you what a JViewport is".
I don't know what version of the javadocs you are looking at, but in my version the first sentence of the class description tells you what a JViewport is.
So basically, you want us to give you ideas for how to take your concentration away from the road while you are at the wheel? I hope you don't drive the same route as I do.
Listen to something mindless that does not require your concentration.
The BBC now has one less episode they can sell on the international market. This will be paid for by yet another above inflation rise in the cost of the license fee next year.
It would seem MS is getting patents like these in a delevoped country that has no strong competitors - nor a very strong head when it comes to things IT.
Perhaps you have hit on their strategy. Many countries will grant automatic patents once a patent is recognized in 7 WIPO countries (though most will require at least 2 of the 7 to be US, Japan or EU). So maybe they're looking for the easiest way in through the back door.
I had an interesting idea the other day regarding this; what about "user-moderated" signings; the browser/JRE/active-x could query a server, with something like "applet GUID xxxx-xxxx-xxxx-xxxx, what's the current status?", and the server would return a hard (good/bad) or soft (percentages) ranking. Users could report if a given applet is bad, and leave comments. Those reports would also be moderated, of course, to prevent people from writing false reports.
Nice idea, but who does the meta-moderation, and how do they do the job any better than Verisign or Thawte? Without some trusted authority vetting this, it just sounds like a perfect tool for social engineering to me. How high a ranking do you think Joe Cracker is going to give his malicious certificates using his network of 0wn3d zombies?
Nothing happened to the sandbox, it is still there. But applets can request extra priviledges outside the sandbox. To do so, the applet must be signed, and the user must explicitly choose to trust the certificate. Most applets don't, so the user should be alarmed when they get a dialog which states "Caution: You should only accept this certificate if you trust COMPANYNAME" just above the buttons. But ActiveX always pops these things up, and users have sadly gotten used to clicking Yes and getting themselves infested with spyware & co.
The difference is that Java can do useful things without breaking out of the sandbox, so a security dialog is a rare event that should make people stop and think. It is only because of ActiveX that users have gotten used to clicking "Yes" without thinking.
Nope, it's not trusted. Even works on a clean install of XP/FireFox/J2RE. The cert's signed by Verisign.
You must have accepted the certificate and ticked the "always trust this certificate" at some point. I do a lot of work with signed applets across different browsers, and every combination of browser, OS and JVM prompts. The only difference having your cert signed by Verisign makes is that it prompts once instead of twice (once to tell you the signed applet is requesting access outside the sandbox, and once to tell you that the certificate you are accepting is not trusted).
When I lived in Birmingham 5 years ago, there were 2 free newspapers available there called "Metro". The one published by the Evening Standard/Daily Mail group, plus another one that was less widely available but I picked it up in New Street a few times when the other one was late arriving or had run out already when I got there.
[1] Not quite the sole exception. I've just had a battle with my phone company over some unsolicited reverse billed premium SMS's. They didn't back down until I threatened to take the dispute to Oftel (the UK telecoms regulator).
AFAIK, most IMAP servers support only messages OR folders in any particular folder. The only one of which I am aware that supports both messages AND folders in the same folder is Cyrus.
Exchange, despite all its faults, supports this too.
That is easily solved. Just have IRS develop this software.
This is exactly what Inland Revenue has done in the UK. They have their own web application that you can fill in online, in addition to allowing you to upload your returns from the commercial software packages. I guess if your tax situation is remotely complex, the commercial packages will still make life much easier, but for simple PAYE, you don't need much more than the online forms.
They aren't going to ban themselves but they will ban you.
It seems strange that they would do this to increase their ranking in their own search engine, when they could just hardcode their search engine to return their own results near the top. Its more likely to be for other search engines. They can ban google, and would probably be looking for any excuse to do so without looking like a bad sport.
I'm sure people with huge losses to make (like VISA)
VISA does not make losses. The risk on every transaction that goes through their systems can be passed on to the customer, the merchant, or the issuing bank.
Note for non-UK readers. We name our regulatory bodies along these lines: OfGas, Office for the Gas industry. OfWat, Office for the Water industry. For some reason the Rail watchdog's office isn't called OfRail though...
Maybe its about time Orwell's 1984 was made compulsory reading for schoolchildren and government ministers.
I work for company xyz making product abc. Abc uses some new proprietary algorithms (the 'a' of abc), and per management the source code for the implementation of these algs MUST remain undisclosed to keep competitive advantage. The 'b' and 'c' of 'abc' are known problems, and there's some great GPL's solutions usable off the shelf. So our final product is 'a' (properietary license for binaries only), 'b' (GPL) 'c' (GPL, and glue code (could possibly be GPL).
Can management remain happy by keeping their baby to themselves, or would GPL require that the source to 'a' be made available?
No. You would be required to refrain from using b and c, or disclose a, since this is a single product, so the whole thing would have to be Free software to comply with the GPL on b and c.
The above assumes someone else wrote 'b' and 'c'. How would the scenario change if I wrote 'b' and 'c'? Would it then be possible to keep management happy, and if so what would the licensing structure be?
It changes things completely. If a and b are your code, you can relicense them to your employer however you wish.
One of the nice things about the British system of measurement (which pretty nearly only the Americans use officially, though with a few changes) is that the units are exactly the sort of thing you often want about one of. A pint of beer, a gallon of kerosene, a bale of hay, a pint of milk if you live alone or a quart or a gallon depending on the size of your family, half an acre of land, etc. (yes, yes, I don't think a bale is an Imperial measurement).
The metric equivalents never seem to be just right, but we'll just have to live with them
A large part of your perception is based on the way SI units are used in countries that have recently changed over from imperial. Instead of selling milk or beer in 560ml multiples, countries where the metric unit is more entrenched will sell in 500ml multiples. Instead of a pound of butter, they'll buy 500g. If you've grown up buying your kerosene by the gallon, it might seem the natural unit to you, but someone who has grown up buying it by the litre will find that similarly natural.
Before I get flamed for giving inaccurate info, I don't know where I got 3012 from, it should be 3810.
They're trojans really, not viruses, as they do not spread themselves, usually they act as a vector for installing malware. The most common one takes advantage of a bytecode verifier bug in the MS JVM, which Sun allowed MS to patch in release 3012 (distributed as a critical update to Windows since about 2 years ago), despite being ordered by a court not to continue to release updates to their JVM.
There was a vulnerability with 1.4.2_04 (or maybe _05?) and earlier JVMs recently, but I have yet to see an exploit in the wild. People are probably becoming alarmed because their virus detection is picking up a "virus", since the exploit code was downloaded from a porn or warez site they visited, but if they are running an up to date JVM, then the exploit code was not executed, so its mere presence in the cache is not cause for concern in itself.
So instead of a descriptive name telling consumers they are buying a "Reduced Media Edition" of Windows, the EU would rather consumers saw the completely undescriptive and easy to miss "N". Whose side are they on again? It seems the only ones to benefit from this will be Microsoft, when people grab this off the shelf without knowing what it is then go out and buy another copy of uncrippled Windows when they realise their mistake.
I don't know what version of the javadocs you are looking at, but in my version the first sentence of the class description tells you what a JViewport is.
Listen to something mindless that does not require your concentration.
The BBC now has one less episode they can sell on the international market. This will be paid for by yet another above inflation rise in the cost of the license fee next year.
People in the UK whose TV license funded this stunt, perhaps.
Sure, and in that case I inline reply. Top reply still makes more sense for that.
Again, makes sense, but I'd say that isn't the common case. And nothing is stopping you from re-reading what you wrote if you need to.
Still not the common case.
Software should be written for the common case and top reply makes sense for that.
--- Original Message ---
But if I ask many questions, or discuss many topics, then it makes sense to indicate which part you are referring to.
It also often makes sense to re-read what I wrote, since I have been dealing with many other things since I wrote you.
I also often get copied into the middle of a thread, so I have to read from the bottom up to figure out what is going on.
Clients that wordwrap nested replies complete with > signs.
Perhaps you have hit on their strategy. Many countries will grant automatic patents once a patent is recognized in 7 WIPO countries (though most will require at least 2 of the 7 to be US, Japan or EU). So maybe they're looking for the easiest way in through the back door.
Nice idea, but who does the meta-moderation, and how do they do the job any better than Verisign or Thawte? Without some trusted authority vetting this, it just sounds like a perfect tool for social engineering to me. How high a ranking do you think Joe Cracker is going to give his malicious certificates using his network of 0wn3d zombies?
Nothing happened to the sandbox, it is still there. But applets can request extra priviledges outside the sandbox. To do so, the applet must be signed, and the user must explicitly choose to trust the certificate. Most applets don't, so the user should be alarmed when they get a dialog which states "Caution: You should only accept this certificate if you trust COMPANYNAME" just above the buttons. But ActiveX always pops these things up, and users have sadly gotten used to clicking Yes and getting themselves infested with spyware & co.
The difference is that Java can do useful things without breaking out of the sandbox, so a security dialog is a rare event that should make people stop and think. It is only because of ActiveX that users have gotten used to clicking "Yes" without thinking.
You must have accepted the certificate and ticked the "always trust this certificate" at some point. I do a lot of work with signed applets across different browsers, and every combination of browser, OS and JVM prompts. The only difference having your cert signed by Verisign makes is that it prompts once instead of twice (once to tell you the signed applet is requesting access outside the sandbox, and once to tell you that the certificate you are accepting is not trusted).
When I lived in Birmingham 5 years ago, there were 2 free newspapers available there called "Metro". The one published by the Evening Standard/Daily Mail group, plus another one that was less widely available but I picked it up in New Street a few times when the other one was late arriving or had run out already when I got there.
[1] Not quite the sole exception. I've just had a battle with my phone company over some unsolicited reverse billed premium SMS's. They didn't back down until I threatened to take the dispute to Oftel (the UK telecoms regulator).
Exchange, despite all its faults, supports this too.
This is exactly what Inland Revenue has done in the UK. They have their own web application that you can fill in online, in addition to allowing you to upload your returns from the commercial software packages. I guess if your tax situation is remotely complex, the commercial packages will still make life much easier, but for simple PAYE, you don't need much more than the online forms.
It seems strange that they would do this to increase their ranking in their own search engine, when they could just hardcode their search engine to return their own results near the top. Its more likely to be for other search engines. They can ban google, and would probably be looking for any excuse to do so without looking like a bad sport.
VISA does not make losses. The risk on every transaction that goes through their systems can be passed on to the customer, the merchant, or the issuing bank.
Maybe its about time Orwell's 1984 was made compulsory reading for schoolchildren and government ministers.
I wasn't talking about PIN on cards, just a PIN offset, which is used when you change your own PIN. Do US banks let you change your PIN?
Maybe it varies with banks or countries, but the cards that I've dealt with have PIN offsets encoded on them.
Can management remain happy by keeping their baby to themselves, or would GPL require that the source to 'a' be made available?
No. You would be required to refrain from using b and c, or disclose a, since this is a single product, so the whole thing would have to be Free software to comply with the GPL on b and c.
The above assumes someone else wrote 'b' and 'c'. How would the scenario change if I wrote 'b' and 'c'? Would it then be possible to keep management happy, and if so what would the licensing structure be?
It changes things completely. If a and b are your code, you can relicense them to your employer however you wish.
The metric equivalents never seem to be just right, but we'll just have to live with them
A large part of your perception is based on the way SI units are used in countries that have recently changed over from imperial. Instead of selling milk or beer in 560ml multiples, countries where the metric unit is more entrenched will sell in 500ml multiples. Instead of a pound of butter, they'll buy 500g. If you've grown up buying your kerosene by the gallon, it might seem the natural unit to you, but someone who has grown up buying it by the litre will find that similarly natural.