Slashdot Mirror


User: AlphaBro

AlphaBro's activity in the archive.

Stories: 0 · Comments: 203

Comments · 203

  1. Re:Airgap on Virus Hits MedStar Health Hospital Network (zdnet.com) · · Score: 2

    AV? That's adorable.

  2. Why? That can be leveraged to extend the powers of the state. Sounds great!

  3. Doesn't matter on Paris Terrorists Used Burner Phones, Not Encryption, To Evade Detection (arstechnica.com) · · Score: 5, Insightful

    Terrorism is just a scapegoat used to target encryption. The siege will continue unabated.

  4. Re:Open communication protocols on Facebook and Whatsapp Discontinue Support For Blackberry (canadajournal.net) · · Score: 1

    Funny you mention XMPP. Facebook actually supported that until they didn't: https://developers.facebook.co... Can't drive the cattle with these open protocols, you see. Of course, this also serves as evidence that open protocols are not some silver bullet. When a monolith like Facebook is in control, they can quite easily swap in their own proprietary protocols at any time, just as they've done.

  5. No, it's not. The title is trite, click-bait garbage intended to garner Microsoft hate. "Windows' Built-In PDF Reader Exposes Edge Browser To Hacking" implies active exploitation (or at least the discovery of a vulnerability), when in fact no such "hacking" is known to have occurred. Further, expansion of attack surface is hardly newsworthy, especially when it parallels extant attack surface of competitors. Having been a /. reader for some time, I can't think of a single article comparable to this seemingly new low.

  6. Did you read the original article? There's nothing in it that suggests they have discovered any vulnerabilities, let alone developed any working exploits. The article seems to indicate nothing more than a discussion about attack surface (which is a legitimate topic, but the difference seems to be lost to most of /.) and the cost of exploitation. Of course, they may be underselling their talk by failing to state that they did find and exploit vulnerabilities, but generally that's not how this works.

  7. Re:Just admit it: Win10 == piece of shit on Windows' Built-In PDF Reader Exposes Edge Browser To Hacking (softpedia.com) · · Score: 1

    Yeah, Windows 10 has had a plethora of highly publicized, named exploits a la heartbleed, shellshock, stagefright, drown, etc. Hey, wait a second...

  8. No vulnerabilities cited, let alone exploits? As others have pointed out, this is a non-story about something that could happen, but hasn't yet. This is pure clickbait, and serves little use apart from generating advertising revenue and revealing commenters that know nothing about information security.

  9. Easy on What Bell Labs Was Like C.1967 (theguardian.com) · · Score: 5, Insightful

    It turns out software development is engineering, not clerical work.

  10. Re:Who the hell still uses Silverlight on Silverlight Exploits Up, Java Exploits Down, Says Cisco · · Score: 1

    I can't speak for AqD, but quite often, yes. When I was developing business apps using .NET, desktop was my first choice. Unfortunately, most clients were adamant about a web UI, so Silverlight was my first fallback since it let me reuse a lot of the same code. Only if they resisted that did I go with HTML/JS and ASP.NET. Web app development sucks so I rarely do anything of the sort anymore, but Silverlight made it more tolerable.

  11. Sorry... on Ask Slashdot: Can I Trust Android Rooting Tools? · · Score: 0

    Sorry, but merely being acquainted with the CLI does not make you a "FOSS expert", nor does it provide any degree of security assurance when running tools compiled from code you are unable to reason about. Unless you can actually read and reason about code at a level that enables you to discover vulnerabilities, backdoors, etc., you do not have the expertise necessary to stay safe, and you should be careful about saying things that imply otherwise.

  12. Nothing new under the sun on Open Source Self-Healing Software For Virtual Machines · · Score: 1

    This is a glorified IPS, and those in the know are aware of how ineffective such systems are. You might stop a few skiddies attacking the internet en masse, but this is a speed bump for anything remotely close to an advanced persistent threat.

  13. Finally on Qt Upgrades From LGPLv2.1 to LGPLv3 · · Score: -1

    I was losing sleep over this.

  14. Re:Some of us do still assemble, even now on The Technologies Changing What It Means To Be a Programmer · · Score: 0

    An assembler is a program that translates assembly into object code. Assembly is the language.

  15. No ads please on Dealing With 'Advertising Pollution' · · Score: 1

    I'm sick of all that advertising on Wikipedia. Oh wait

  16. Re:Lol don't on Ask Slashdot: How To Start With Linux In the Workplace? · · Score: 0

    You don't get me, huh? Perhaps I need to be a bit more explicit: I don't give a shit what you use, but if you start spewing vitriolic claims about a given technology, you'd best be adequately informed so that you can defend said claims. In this instance, your unsubstantiated, shallow assertions attracted the attention of a Powershell user, who challenged them. You failed to provide anything of substance indicating that "Powershell is a joke", making you look like yet another zealot who disregarded it for religious reasons. To reiterate: your choice didn't bother me, it was your attempt to position yourself as some sort of expert.

  17. Re:Lol don't on Ask Slashdot: How To Start With Linux In the Workplace? · · Score: 0

    You haven't provided a single concrete example of what you can easily achieve with the Linux CLI that can't be done with PS. Both have their obvious strengths and weaknesses, so doing so shouldn't be hard. It makes me question your competency, you know? In fact, the only example you've given makes me want to vomit. You think that is elegant or intuitive? Fuck man. But yeah, I actually do work with servers, being that I do a lot of work with distributed computing. In fact, I specialize in distributed test automation, so I'm getting a laugh out of your lone, pitiable example.

  18. Re:Lol don't on Ask Slashdot: How To Start With Linux In the Workplace? · · Score: 0

    Nope, too vain to post as AC, AC.

  19. Re:Lol don't on Ask Slashdot: How To Start With Linux In the Workplace? · · Score: 0

    IPC is possible, albeit differently than Linux. Is this alone enough to discount Powershell entirely? Perhaps if you're a zealot. Personally, I prefer the object oriented nature of PS to the hacky string parsing of the Linux CLI. I write enough string processing code as it is, I'd rather not write anymore performing menial tasks. Taking a dependency on a blob of text is generally a bad idea, and that's precisely why PS' approach is so elegant.

    Anyway, if you genuinely recommend WSH over PS, you can be safely disregarded.

  20. Re:Lol don't on Ask Slashdot: How To Start With Linux In the Workplace? · · Score: -1, Troll

    Your mentioning of findstr and robocopy, two tools completely unrelated to Powershell, makes it apparent that you're either disingenuous or completely ignorant of what Powershell is.

  21. Re:What? on OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks · · Score: 1

    What are you blathering about? I was correcting his misuse of the term "exploit". Vulnerability and exploit are often used as synonyms, but they're not.

  22. Re:ASLR anyone? hype? on OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks · · Score: 1

    I think you're confusing read overruns with more general read access violations. If you're trying to predict valid addresses, sure, you're probably going to crash the program with a read AV. However, a read overrun implies that the read begins in valid memory, so unless you hit a guard page or something while reading off the end of the buffer, you're probably in the clear.

  23. Re:What? on OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks · · Score: 1

    Competent programmer here. Exploits are programs developed to take advantage of flaws and vulnerabilities, so most software is not "stuffed" with them. Anyway, the post I was responding to seemed to be insinuating that bugs like this go unfixed in proprietary software simply because it is proprietary. I can tell you that is not the case. There are researchers out there combing through everything, open or closed.

  24. Re:ASLR anyone? hype? on OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks · · Score: 5, Insightful

    This is a read overrun, so ASLR won't save you. Ignore the guy above who posted about ASLR bypasses--that's not really relevant to this.

  25. Re:What? on OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks · · Score: 1

    Got any actual evidence, or are you simply going to try to deflect blame away from this glaring black eye?