Nevermind 'should', Plugins generally do run in the process-space of the browser, and can crash the browser.
(Actually with MS's COM/ActiveX system this should be optional, in theory, by using DCOM. Netscape, you get no choice, but that's a feature [see LiveConnect]).
You have confused SCO OpenServer (formerly MS/SCO Xenix and SCO UNIX) and this product (formerly Novell/SCO UNIXWare), which is based on UNIX SVR4, just as Solaris is.
The 'many eyes' may be a minor point, not that lots of smart people haven't seen the UNIX codebase, but if this Unix contains substantially the same userspace as a Linux distro, it will probably have just about the exact same security issues.
Re:KHTML & IE compatibility. Bah! (on KDE 2.2 Released)
" A web browser needs to follow the spec and do exactly what the web author says, not necessarily what the web author thought he/she said. "
Actually, (given that all malformed HTML is out of spec) IE's handling of malformed HTML is closer to the spirit of the specification than Netscape's or Mozilla's 'quirks' mode. It basically closes tags at the last legal place they could be closed, where Netscape does different things based on the element type. This means that in IE, text-level elements are always enclosed by block-level elements, as per HTML 3.2 and up and the DOM.
I posted a longer example at http://slashdot.org/comments.pl?sid=01/08/08/2254226&cid=477
Yes, but unlike ILOVEYOU and so on, it doesn't send mail through Outlook, and filches addresses from other sources besides Outlook. It will fully affect any Win box that doesn't have Outlook installed.
And according to this, it doesn't use Outlook APIs, but instead combs through the Windows address book (WAB file) looking for addresses (which is only used by Outlook in 'internet mode' and is used by Outlook Express, which certainly doesn't support Outlook's COM API). The fact that it doesn't grab Netscape or Eudora's address book is probably just laziness on the author's part.
Conclusion: Not an Outlook virus, except according to CmdrTaco.
Re:As a CLEC, this is how we have been coping. (on Broadband Crackdown)
One thing to consider is that if you have a large DHCP or PPPoE network, just associating an IP address to a customer is probably a minor undertaking. Especially if you throw a legacy system to track customer accounts into the mix.
So, yeah, an automated scan/notify/block system could be put in place, but at a big cable/dsl ISP, it would take some work. It might be easier to block everyone and just enable those who complain and scan clean.
Umm, many of Yahoo Mail's features do in fact require JavaScript (multiple msg delete, attachments, for example). The basic functions are fine without tho.
(Someone needs to hack a text version of mozilla for you guys.)
Re:Mozilla ... Netscape ... what's the difference? (on Netscape 6.1)
"* IE's HTML parser is crap, if the HTML is fscked it guesses what it should look like. it shouldn't do that"
Actually, IE usually guesses correctly what the HTML should be, in my observations.
Let's take the classic/. front page example:
<table><tr><td>
<i>Blah Blah Blah <!--According to the HTML specs the I element MUST end here, so IE silently closes the tag-->
</td>
<td>But Netscape shows this as italic, even moz in quirks mode</td>
</tr>
<!--According to the HTML specs the TABLE element MUST end here, so IE silently closes the tag-->
</body>
Now you can argue that IE should just invalidate the elements that don't have closing tags, but Netscape doesn't always do this either (see the italic example). Instead, IE does the reasonable thing that lets the DOM and CSS parser work properly.
You know the old saw about being liberal about what you accept, which IE is to a fault. But I've never seen anything it generates which would violate the HTML specification (unlike Netscape).
Of course Microsoft pretty much has to be loose in its parsing, because they have to support a bunch of broken HTML converters in old versions of Word and so on.
A couple datapoints about the way Win2000 handles this:
1) Policy towards signed drivers can be controlled by the group policy manager
2) There are 'undocumented' ways to install drivers that bypass the cert check. These have been published on bugtraq, etc.
3) Windows Media Player is aware of the 'certified' status of your soundcard driver and can disable loopback or analog output using features that the certification requires.
However, I think many companies' time would be better spent trying to improve the bottlenecks that already occur in everyday usage (disk, memory, bus, etc.)
This gets into a structural problem with the PC industry. All the real profit in the system is made by the CPU manufacturers and Microsoft, and therefore they are the only ones doing significant R+D work. Everything else in the system is tagging along. (Well, the disk drive people have made huge accomplishments, but it sounds pretty much like a break-even business.)
It still is sorta disheartening to see a retail store sell a superduper 1.5GHz Pentium IV system with a crappy disk and crappy video and a crappy monitor and not much memory, and lots of MS shovelware.
Re:It is fast. But it Can't render worth anything. (on Mozilla 0.9.3 Released)
The nested tag issue makes for ugly code, but supporting it isn't going to penalize people who do it the right way.
Building a solid DOM renderer that supports that sort of HTML would seem to me to be significantly more complex (what happens when you refer to the I element?) I think that's why IE refuses to support that sort of thing.
Re:Be made a lot of good choices and still they're (on Be Buyout Looms Closer)
You miss the point. Be only makes $100 or whatever off those workstations. The profit is in the hardware config. Most of that market is reselling Macs or NT machines at insane margins because it removes the burden of hardware support from the user that just wants a tool.
And, yes, that approach would have sucked for desktop Be users such as yourself. But my argument is that neither Be nor Linux provide any significant infrastructural value over Windows on the average user desktop, even with the hundred bucks you save.
Well, they could have shipped either BeOS or NeXTStep with a Mac look-n-feel and no API compatibility (remember Rhapsody?). While on their shopping spree, they apparently forgot that their mission was to fix MacOS, not replace it.
Re:Be made a lot of good choices and still they're (on Be Buyout Looms Closer)
You are right -- they should have stayed with the custom hardware. They could have then written or partnered with someone to get some high-end video/sound editing software and sold them as super profitable multimedia workstations. They'd probably be still in business.
Instead they thought that Joe Consumer would plunk down money for this thing just because it could play 3 simultaneous QuickTime videos.
The fact that you can't change the colors or fonts without obtaining a MS-certified theme makes the interface worse than Windows 3.1 in my opinion. I could probably deal with the Romper Room look otherwise.
The good point is that you can fall back to the Win2000 interface (but the next version will probably drop this...)
Re:It is fast. But it Can't render worth anything. (on Mozilla 0.9.3 Released)
Unfortunately, Mozilla's TRANSITIONAL mode is a little too transitional for my tastes -- It supports utterly broken Netscape-isms like
<table><tr>
<td><i>This is italic</td>
<td>This shouldn't be italic, but it is!</i></td>
This sorta thing will end up preserving cruddy HTML for all eternity. The fact they support this, but hold the hard line on document.all is puzzling.
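The "close it at the last legal place" rule that the Netscape 6.1 comment attributes to IE, and the `<td><i>...</td>` Netscape-ism quoted just above, as an added example that is not code from either comment: a small tag-soup normaliser that closes a still-open element when an ancestor's end tag arrives and drops end tags that match nothing open. The two inputs are constructed from the comments' own snippets, and the element model is a deliberately simplified assumption, not the HTML specification's.

```javascript
// Added example (not code from either comment): a tag-soup normaliser that
// applies the rule the comments attribute to IE. An element left open is
// closed at the last legal place, that is when an ancestor's end tag arrives,
// and an end tag that matches nothing open is dropped. The two inputs below
// are constructed from the comments' own snippets; the element model is a
// deliberately simplified assumption, not the HTML spec's.

const SLASHDOT_EXAMPLE =
  '<table><tr><td><i>Blah Blah Blah <!--I MUST end here--></td>' +
  '<td>But Netscape shows this as italic</td></tr></body>';

const NETSCAPE_ISM =
  '<table><tr><td><i>This is italic</td><td>This should not be italic</i></td>';

// Minimal scanner: comments, end tags, start tags (attributes ignored), text.
function tokenize(html) {
  const re = /<!--[\s\S]*?-->|<\/([a-zA-Z][\w-]*)\s*>|<([a-zA-Z][\w-]*)(?:\s[^>]*)?>|[^<]+|</g;
  const tokens = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[0].startsWith('<!--')) tokens.push({ kind: 'comment', raw: m[0] });
    else if (m[1]) tokens.push({ kind: 'end', name: m[1].toLowerCase() });
    else if (m[2]) tokens.push({ kind: 'start', name: m[2].toLowerCase(), raw: m[0] });
    else tokens.push({ kind: 'text', raw: m[0] });
  }
  return tokens;
}

// Returns well-formed HTML plus a list of the repairs that were applied, so a
// filter can log (or reject) input that needed fixing up.
function normalize(html) {
  const stack = [];   // names of open elements, innermost last
  const out = [];     // serialized output
  const fixes = [];   // audit trail of implicit closes and dropped tags

  const closeTop = (reason) => {
    const name = stack.pop();
    out.push('</' + name + '>');
    fixes.push('implicitly closed <' + name + '> ' + reason);
  };

  for (const t of tokenize(html)) {
    if (t.kind === 'start') {
      stack.push(t.name);
      out.push(t.raw);
    } else if (t.kind === 'end') {
      if (!stack.includes(t.name)) {          // e.g. the </i> in the second cell
        fixes.push('dropped stray </' + t.name + '>');
        continue;
      }
      // Everything opened inside the target closes first: the <i> inside a <td>
      // ends where the <td> ends, which is the rule the comments describe.
      while (stack[stack.length - 1] !== t.name) closeTop('before </' + t.name + '>');
      stack.pop();
      out.push('</' + t.name + '>');
    } else {
      out.push(t.raw);                        // text and comments pass through
    }
  }
  // A <table> (or <tr>) still open when input ends closes there.
  while (stack.length) closeTop('at end of input');
  return { html: out.join(''), fixes };
}
```

Anything that inspects HTML before a browser renders it has to resolve the same soup the same way the browser will; the `fixes` list is where such a filter would see that the input needed repair at all.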
Hopefully this outbreak will bring to light the enormous possibilities of industrial espionage that e-mailed executables have. While for the most part this stuff has been for the annoyance factor only, it would be easy to imagine a modified version that attacked a particular company or companies, searching for key words in documents and mailing them back to a specific address or posting them to usenet or whatever.
IT's response has been pretty much limited to updating virus definitions. That's not good enough if somebody is out specifically for your company in particular. Time to either get smarter users (yeah, right!) or block all executables at the mail server.
In what way have Portland's development policies not had their intended consequences?
And, just as an FYI, the typical urban sprawl style of development is entirely an outcome of legally mandated social engineering.
If you can get someone to download an activex control or a plug-in, anything goes.
In particular, I'd like to only disallow Window.open calls when they are hooked up to BODY's event handlers
That's an interesting idea because it would still allow informational pop-ups that were the result of a specific user action (clicking on a link or button for example). It's probably not the only way to prevent pop-ups, tho.
The root problem is that JavaScript doesn't differentiate between user and system generated events. While you could have a different security sandbox for these events, it might break a lot of legitimate scripts that run from body.onLoad (the traditional place to run page-level scripts), especially because those onLoad scripts can share information with the rest of the page and even call the event handlers of page level objects (such as onClick).
For example, something like this seems to work (in IE - I'm sure there's a W3C way also):
<html>
<head>
<script language='javascript'>
// Runs from body.onload, i.e. with no user action at all, and fires the
// link's click as if the user had clicked it.
function loaded() {
document.getElementById('popuplink').click();
}
</script>
</head>
<body onload='javascript:loaded()'>
<!-- The pop-up looks like the result of a click, but the click was synthesised above -->
<a id='popuplink' href='javascript:window.open()'>Click Here</a>
</body>
</html>
I can see why it's easier just to wrap the window.open method and not worry about the context. Still doesn't solve those annoying onClose events that can prevent you from shutting down the browser.
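The user-versus-system distinction the comment says JavaScript lacks, as an added example that is not part of the original post: a gate around window.open that allows a pop-up only while a handler for a trusted user-input event is running, which is roughly the "user activation" rule browsers later adopted. The opener and the event objects are constructed stand-ins so the logic runs outside a browser; nothing here touches a real window object.

```javascript
// Added example (not from the original post): a pop-up gate that permits
// window.open only while a trusted user-input event is being dispatched.
// That is the user-vs-system distinction the comment says JavaScript lacked;
// modern browsers expose it as event.isTrusted plus "user activation".
// The event objects and the opener are constructed stand-ins so this runs
// outside a browser.

// Only these event types count as user activation. A trusted 'load' event is
// browser-generated, not user-generated, so it is deliberately absent.
const ACTIVATING_EVENTS = new Set(['click', 'keydown', 'keyup', 'mousedown', 'mouseup']);

function makePopupGate(realOpen) {
  let activationDepth = 0;   // > 0 while a trusted user-input handler is running
  const log = [];            // audit trail: what was requested and what was allowed

  function isActivating(event) {
    return !!event && event.isTrusted === true && ACTIVATING_EVENTS.has(event.type);
  }

  // Wrap an event handler so the gate knows when a real user action is in flight.
  function guard(handler) {
    return function (event) {
      const activating = isActivating(event);
      if (activating) activationDepth += 1;
      try {
        return handler.call(this, event);
      } finally {
        if (activating) activationDepth -= 1;   // activation ends with the handler
      }
    };
  }

  // Replacement for window.open: allowed only inside a trusted user-input handler.
  // Anything deferred (setTimeout) runs after the depth is back to 0 and is blocked.
  function open(url) {
    const allowed = activationDepth > 0;
    log.push({ url, allowed });
    return allowed ? realOpen(url) : null;   // null is what a blocked open returns
  }

  return { guard, open, log };
}

// Constructed replay of the onload -> click() trick shown in the comment.
function demo() {
  const opened = [];
  const gate = makePopupGate(url => { opened.push(url); return { url }; });

  // The link's click handler, as a page author would write it.
  const onLinkClick = gate.guard(() => gate.open('http://example.invalid/popup'));

  // 1. body.onload fires (trusted, but not user input) and calls click() on the
  //    link; the synthesised click event carries isTrusted === false.
  const onLoad = gate.guard(() => onLinkClick({ type: 'click', isTrusted: false }));
  onLoad({ type: 'load', isTrusted: true });

  // 2. The user really clicks the link.
  onLinkClick({ type: 'click', isTrusted: true });

  return { opened, log: gate.log };
}
```

The first open in `demo()` is refused and the second succeeds, so the informational pop-up the comment wants to keep still works while the onload-driven one does not.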
The OS side has enormous revenue, but very low growth prospects, and enormous upcoming price competition. Furthermore, Windows development is pretty much finished -- there's not much more they can or should add to the system.
Don't get me wrong, they would rather have a captive OEM market to pre-install the .NET platform onto. But if they were broken up in the way the judge outlined, my $2 says that both Gates and Ballmer end up with .NET in the Apps company. MS Office could be used as a very effective software distribution tool.
If you think that .NET is simply a language war then you just don't get it, C# is not central to the .NET architecture. It is however central to getting developers to pay for another edition of Visual Studio.
Agreed. C# is a wonderful PR tool, both because of the standards submission, and that it will be treated with similar respect from the academic community as Java.
But, so far, .NET has been marketed most heavily at Microsoft's existing corporate developer base -- VB Coders. And cheap and/or existing programmers will certainly be part of the enterprise sell, especially when you consider some of the obscure environments that many ERP programmers have to work in.
Nah, I would suggest the VW bug was drafting behind the Sun 18-wheeler.
Actually, most people would vote {Gore,Bush} or {Bush,Gore}, or simply {Bush} or {Gore}, because most people do not vote ideologically and those are the two candidates with the greatest name recognition. Then we are back in the same situation where we started.
Did Bleem circumvent any access controls, or was it a simple case of reverse engineering?
The nasty bit about the DMCA is that one could take an easily understandable device (say PC hardware) and slap a crypto lock on it (say the X-Box bootloader), and it would then be illegal for anyone to reverse engineer (meaning the manufacturer could force software companies to buy licences).
(And I think you got moderated up mainly because people got the video game reference.)
1) Certain internal apps require a richer interface than just plain HTML provides. You need JavaScript.
2) Because of standards forking by Netscape and to a far lesser extent Microsoft, it's virtually impossible to write any cross-browser DHTML. As the guy mentioned, you end up with two or three code paths. Most people don't bother, so internal applications get written for IE only. Public applications are dumping DHTML for Flash, which at least is write once, run almost anywhere the same way.
3) Nobody in the business world cares about your 1995-era HTML sensibilities.
So what's worse? Javascript or IE-only sites and lots of Flash. You decide.