Organizations want to schedule their downtime and the "Black Tuesday" policy makes it easier for them to do that and keep good looking metrics. All the places I've worked at have a scheduled outage the second Friday of every month. This gives a few days to do test deployments of the patches before rolling them out to the enterprise. Metrics still look great because IT can say they deployed all critical patches in under three days.
Well, I assess software for a living, and in my experience it's a combination of several things that makes browsers so difficult to secure.
- Browsers are in general extremely complex apps and complexity leads to security issues
- Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues
- Browsers must deal with cross domain concerns (local system vs. remote site), which can be very tricky
- Most browsers were initially developed during the internet boom when features ruled and security was a foreign word
IE in particular has the deck stacked against it because it was pretty much ignored in the MS security push that started in 2002. The team had already been dissolved and the app was in maintenance mode. They just didn't commit the resources to dig into the code and do a thorough security review like they did with most of their apps. Instead there were some tacked on fixes like shuffling the zones, modifying ActiveX prompts, and disabling most functionality in Server 2K3. I personally have no question that they regret that decision, and we'll see what happens with IE7 this summer.
I'm just curious how they claim that you cannot build the software without the proprietary bits, and still be compliant with the GPL. That's their words, not mine.
Because they are using "software build" to mean the entire software package including the OS, and all drivers and applications. This is a very common use of the term when referring to embedded systems. They are pretty much saying that most of the juicy bits are contained in separate binaries in the form of proprietary applications and device drivers. This is completely within the bounds of the current GPL. As a side note, I've actually seen companies use CORBA wrappers to avoid GPL requirements; I consider that a much worse approach myself.
Sorry, but are you the Thunderbird project lead? If not, I'm confused where you get such definitive insight into its future direction. I'm a fan of Evolution myself, but presently it's Linux only and thus not an option for the majority of enterprises. Also, Evolution's Exchange support is far from seamless. It relies on OWA WebDAV which doesn't expose the full Exchange functionality, causes some serious latency issues, and is unavailable in many enterprises for security reasons.
I'm also confused why you're talking about Thunderbird not being enterprise ready on one end, and then you're discussing POP3 and client AV on the other. Simply put, POP3 is not meant for the enterprise and neither is client filtering. I agree that presently Thunderbird is far from a complete enterprise groupware client. It is, however, perfectly acceptable for enterprise email using secure IMAP and SMTP. Enterprises are server centric; virus and spam filtering needs to be handled at the servers with solutions like ClamAV, SBL/XBL, Sieve filters. Enigmail is also extremely functional for encrypted email management and works well with a central keyserver.
Of course there are other areas that need improvement for real enterprise acceptance. It has no Sieve client, does not support writable LDAP, and lacks calendaring and scheduling. There is presently no Kerberos support or any other single sign on option. But most of these issues are being addressed rapidly, and TB already has a good framework with a versatile extension mechanism and a clean intuitive user interface.
In the next year or two, I personally think TB could develop into a significant part of a robust groupware solution.
Sorry, I assumed a degree of familiarity with the backstory. Perhaps the editor should have provided some of that, instead of just the Dish Network link. Anyway, Dish Network releases source to the modded GPL software, but keeps the proprietary apps and drivers closed. They have done the exact same thing with their previous releases (721 for example); it's all legal according to the GPL. One can argue on the spirit of it, but they aren't breaking the law.
No it does not violate the GPL if they are not binary linking. Meaning they are most likely running proprietary applications on Linux to provide the PVR functionality. In that case they only need to provide the source for modifications to GPL software. Perhaps you should RTFA before commenting instead of making a disclaimer about it; it might lower the noise floor a bit.
I'd switch that one around. Kevin Smith may be one of the few directors who can cast Affleck well. Honestly, I've really liked the majority of roles he's played in Smith's movies.
In general though, I think I can trust Smith's take on Episode 3. The guy's a dyed-in-the-wool geek whose work includes writing on comics like Green Arrow and Daredevil. I'm not saying I like everything he's done, but I respect his geek cred and feel that this review is genuine. That's more than I can say for most reviews I read.
Yes PDF is well documented, however the ebook format is an example of a derivative format with protections that fall under the DMCA. Do a search on the Dmitry Sklyarov case to see how it played out. And I realize Adobe eventually dropped their pursuit of Sklyarov, but only after initiating a legal case that had its own momentum in the US courts.
I'd expect Adobe would shy away more because they see the DMCA as protecting their own interests. To publicly challenge it would invalidate their own DMCA claims concerning the PDF format.
I'm sorry you misunderstood my post; I'll attempt to clarify it for you. My comment about built-in features versus extensions had to do with web browser functionality, not download size. When viewed in that light perhaps you can understand it better.
Comparing application functionality versus download size is inaccurate and, simply put, would make Opera look bad. Opera is a browser, and from what I hear a pretty good one. Firefox, however, is a browser that includes the Mozilla application platform. As such, it provides features and open ended functionality that Opera never will. The extra size of the download is that platform itself.
I do agree that the download size could stand to be reduced (of course it is 4.7m, not the 8.8m you stated). However the foundation is in the process of separating out the platform functionality into XULRunner. This will be shared between Mozilla applications and drastically reduce the binary size, memory footprint, and development effort required for all apps. Additionally, it will simplify integration and data exchange between Mozilla applications.
I hope that resolves any confusion. Discussion is always better when both sides are on even footing.
Re:Not being trollish, but... on Opera 8 Released · Score: 2, Interesting
Believe it or not, there are some people who like the idea of using non-MS products, and also like to pay a set amount of money up front, to establish a market.
I realize it's not a fixed price, but I donate annually to the Mozilla foundation for the same reason. Honestly my donation to MoFo is more than Opera would cost me, but I consider it a genuinely useful charity and a little extra tax writeoff is fine by me. Hell, even my parents donate to MoFo because I suggested they do so if they find the software useful enough.
Re:Not being trollish, but... on Opera 8 Released · Score: 3, Interesting
Actually, Opera has SVG Tiny profile support. It's ported from their cell phone browser and it's a long way from the SVG complete profile that Mozilla is shooting for. Also, Firefox 1.1 will ship with SVG support in June, though most of the animation features are not yet available.
As for Opera having functionality built-in, it's really just a difference of approach. Opera gives you everything and you can shut off what you don't want. Firefox gives you the basics and a simple extension system to add any extras. I prefer the Firefox approach because I already spend enough time minimizing systems. I can easily see how one could prefer the Opera approach, however.
Maybe my attitude towards Dreamweaver and Photoshop would be best described by the ad slogan: "The right tools to get the job done even if you have no clue".
Damn I wish I had mod points today. That is one of the funniest and yet most appropriate lines I've seen in a long time.
I work for a very reputable company that provides network and application vulnerability assessments along with some other security related offerings. In the last few years I've seen a lot of companies pop up doing just what you describe. They charge a few thousand dollars, run a few automated tools, and provide an extremely large report that's basically just a big useless nessus dump with prettier formatting.
This sucks for my company because we charge quite a bit more, but also offer an extremely valuable service for that price. We perform detailed manual analysis in addition to automated scans and verify if there is a real threat associated with a finding. For each finding we provide detailed remediation guidance, which means we have to work closely with people like you who develop and maintain the systems. That's the only way an assessment can really be of any use.
So my guess is that your boss went with the bargain basement security consultants and that's why you're dealing with a steaming pile of crap. Your only recourse in this situation is to provide enough information to show your boss how shoddy this job really was. In the future perhaps you can provide input that might help in choosing a better security assessment firm, or determining if an assessment is really necessary.
The big reasons beta lost were shorter play/recording time and the fact that manufacturers had to pay licensing fees to Sony to use it. VHS was the free and open standard that won. Also, as the above poster pointed out, beta came first.
I understand the point you're trying to make, but the analogy was the wrong choice.
Generally you'll just get mysterious application failures due to version issues or (if you're lucky) GetProcAddress failures. It's not something you would see unless you're installing and removing software often, or maintaining a moderate to large number of systems.
Windows XP added the file protection service to basically resolve this for system libraries. It used to be a really serious problem in general, but now it's usually only an issue with shared third party libraries. Of course, a malicious or really dumb application can still kill the file protection too.
I'm sorry, but your post is so horribly inaccurate that I don't want to spend the time to correct you thoroughly. I realize that's somewhat unkind, but the thread is fairly stale at this point and it's quite obvious you didn't read the article or have any real familiarity with the topic.
You make some interesting points, but I have to disagree a bit. The privilege restrictions are only required by the "Optimized for Enterprise" logo; this is listed in section S5 (primarily S5.9) of version 2.3 of the requirements. Given that this is not a general logo requirement, only a very small portion of the industry has any reason to even acknowledge the existence of this section. Plus, if you look at the rest of the requirements in this category you'll see that most enterprise software doesn't even comply with several portions such as S5.11 (secure network protocols) and S5.12 (signed executables).
In addition to the fact that it is not a general logo requirement, it's simply not explicit enough to be completely functional. It's just three short paragraphs and a template. Couple that with a lack of supporting applications to make this reasonable for app developers and it becomes pretty inconsequential.
The security attributes of CAS serve an entirely different purpose. While the principles of least privilege apply to both, CAS allows .NET apps to be run in a sandbox in the same manner as Java applets.
In contrast, the LUA initiative addresses designing and implementing software such that end user privilege requirements are separated from administrative privilege requirements. This impacts two main concerns. Enterprise admins can deploy and configure software without having to grant users dangerous additional privileges. And home users can safely run as a normal user and only be prompted for admin credentials when installing software, hardware, or significantly altering the system in some way.
This is a good thing for many reasons. For example, if a home user is browsing with an account that does not have the rights to alter the system, most malware cannot install and removal is much simpler. For businesses, many commercial apps currently require at least power user privilege, and a moderate script kiddy can escalate from power user to admin quite easily, which is a dangerous foothold in an enterprise network.
There's no speculation at all, it is a fact. Windows NT is heavily derived from VMS; the lead architect for both is the same person. This is openly referenced in MS literature even. Why try to make it sound like a conspiracy?
As for the rest, no it is not harder to muck up a *nix system than Windows, it is just much harder to configure and run a Windows NT/2K/XP system with multi-user privileges. This is not due to the base OS, which has all the necessary support. It has been bad policy on MS' part by failing to standardize, promote and enforce these requirements in applications. Because of this, application developers (MS included in many cases) take the easy way out and build software that requires admin privs.
Please, do some basic fact checking in the future. Your entire post was very deceptive.
Seriously, the security community has been screaming about this for years just so MS could have parity with other multi-user systems. Of course, the big issue will be pushing other software vendors to compliance. Regardless, at least average users may finally not (by default) browse the web with an admin privileged account. That should cut down on a lot of the malware issues that are encountered.
You're kidding right? The MPL tri-license includes the MPL, GPL, and LGPL. All of the Mozilla apps are distributed this way; the MPL portion allows for certain proprietary binary components like the talkback debugger and installer in the binary only distributions. The CDDL is *similar* to the MPL portion, but is not compatible with either the GPL or LGPL so it lacks that whole tri-license aspect. Nice to hear you're happy with OpenSolaris, but please stop spreading misinformation.
Thunderbird already has the best IMAP support of any Windows mail client I've used. It works great with my Cyrus mail server at work and home for me.
Dammit, I wanted to say "muzzle flash." Now it's just redundant.