and the inevitable retro-reboot, just called 'HTML'
Re:Bad security model still unchallenged... ugh!
on
PC Virus Turns 25
·
· Score: 1
It's still no guarantee tho, sure they're more likely to make the right choice but I bet there would still be loads of people who would be fooled by fake antivirus or system update popups etc.
The fake system message popups are interesting in their own right, because the average user simply has no way to determine whether a given dialog box is speaking for the application or organisation it claims to be. This seems to be a similar fundamental problem to the failure of the SMTP Sender field to be authoritative.
I think this exposes a deep problem in GUI design which has not really been addressed since the dawn of the field: we have created a set of graphic 'design languages' which are not, in fact, formal languages. In other words, we've created a set of loose visual conventions about what a system alert should look like,what a button should do, etc - but none of these conventions are binding on any applications. They're just guidelines to be used by well-mannered programmers, but like the SMPT Sender field, encode no actual information. But we're now in an Internet full of overtly hostile code which is attempting to subvert the user's machine at every point. We must make it hard for remote attackers to fake their visual credentials.
What I think we should have done instead - and is perhaps a very hard problem, but perhaps not - is to create a GUI language with formal properties. For example, define visual 'containment' - a box being displayed within another box - to literally mean some kind of subprocess or trust relationship such that it would be impossible for a rogue process to display anything inside a place it didn't own. If the user saw an 'error, install antivirus' box appear inside a clearly marked 'user space box' then they would know it was not actually the system talking to them. Even better, no visual entities inside the userspace box should be able to make any modifications to the system at all.
This would require a tight, 100%, one-to-one relationship between GUI 'design language' elements and the formal security properties of the underlying information system, instead of the very loose, laissez-faire approach we have now where there is no relation at all between what you see in a GUI and what's really going on under the hood. Something like the naked objects pattern would be required to really make this work, but we could start right now to reevaluate the trustworthiness of our GUIs based on this principle.
Some immediate offenders come to mind. Firefox 4 removing the Status Bar seems like a huge step in the wrong direction - visually, it makes a browser window look more like a system window, when the opposite should be the case - it should really be impossible for Javascript to remove the URL and status bars from any Web-launched windows, so that popups never look like legitimate system dialogs.
Second, it becomes clearly obvious why popups are such a huge annoyance to users, and why they must be removed: a pop-up window is spoofing its ownership information, breaking out of its visual location inheritance, and therefore is acting as a rogue process. This should never happen in a well-designed GUI with security in mind.
Third, keyboard focus stealing should be impossible. This also allows one window to manipulate the whole visual inheritance chain by putting itself 'on top' and receive messages intended for another.
Fourth, GNOME's 'notification' popup is a major problem for visual trustworthiness, because it puts messages onscreen which don't associate with any window but just hover, detached from everything, on the screen. Who is the user to think these messages come from? All system notifications should be framed within a clearly visible container, so the user gets in the habit of recognising that anything inside that box is from the system, and everything outside is not.
Finally, the whole Windows and X-Window approach to GUIs needs to be overhauled (though X-Window's strict window m
fundamentally technical incompatibilities between how HTML rendering works and what SVG fonts require if you try to implement them as specified
How do we end up with fundamentally unimplementable standards? A standard which can't be built should never have got out the door. Worse, it calls the entire standards process and branding mechanisms into disrepute.
Shouldn't we be calling for the resignations of some or all of the W3C for a bungle like that?
Re:Bad security model still unchallenged... ugh!
on
PC Virus Turns 25
·
· Score: 1
You could create an operating system with no vulnerabilities of flaws whatsoever, but as long as the user wants to view dancing_puppy_avi.exe in an email they received they will happily bypass any barriers you place in front of them.
There's a big false assumption in that cute insult to users' intelligence: that any executable file can and should be able to do anything on the user's system, and that there is always and forever no way for user to verify what capabilities an executable is requesting or to reliably sandbox anything from semi-trusted sources.
But surely we don't have to solve the Halting Problem in order to be able to restrict applications from doing evil things to the root of C: Heck, Flash is nothing but a literal dancing bunny delivery mechanism, and it only has security problems when the actual Flash implementors stuff up. It's pretty rare for a.swf to be able to root you.
Why haven't we thought of taking advantage of this abundant, renewable and FREE resource before????
Because it involves a risky and highly experimental procedure called 'going outside'. Our best scientific minds admit they have no adequate theoretical model of the conditions in that realm of existence, but intensive computational simulation techniques suggest that it may contain 'girls'.
I wouldn't suggest using "meatspace" in general conversation - it's the sort of thing that gets you beaten up and stuffed into a locker.
Retraction: Did I say that out loud? I apologize, master. While you are a meatbag, I suppose I should not call you such.
Explanation: It's just that... you have all these squishy parts, master. And all that water! How the constant sloshing doesn't drive you mad, I have no idea...
The manufacturer of the pistol is probably innocent. Less innocent is the marketing man who, for cash, put it into the hands of someone prepared to use it.
Except that pistols are only designed for one purpose, and that is to kill whatever they are pointed at. It would seem rather disingenuous for a gun manufacturer to say 'I built the device - but I never intended it to be used on a living being! I'm shocked, shocked that someone would do such a thing!'
It ain't guns that kill people - its the idiots that distribute them.
Strictly speaking, it's not actually bullets that kill people either, it's kinetic energy. Newton's dead hand strikes from beyond the grave! It's all his fault.
Meanwhile, in the real world, it exactly is guns that kill people. It's what they're designed and built to do - you can't wash the windows with a revolver, or mow the lawns with a shotgun. They are tools which serve the purpose for which they are constructed, and do it well. Things well made.
For me, there are two important things about the target URL: the main site (whether I'm being sent to a different, potentially untrusted site) and (to a much less extent) the file extension of the linked file. Often, that latter reason can be left until after I've clicked.
Even if the file extension is a.exe?
I'd rather know first and not click. I don't trust my antivirus THAT much.
The basic issue at hand is that the majority of people don't have time for anything more than "it just works." What they want is appliance computing, and that's what App stores enable.
They don't, though, compared to the Web.
App Stores are a step up from the old proprietary desktop way of installing applications - custom installers, manual downloads, etc.
They're a step down, or at the very least sideways, from the Debian/Ubuntu/Redhat unified repository, which Linux people have had for over ten years. Now at last Apple users get the same install convenience that Ubuntu users have been happily having, for free, for years. Good for them. A step forwards.
And they're a big step down from the convenience of just going to a mobile-friendly website and accessing the data you want.
Ah, I see it's now called the "Ubuntu Software Centre" - that's the term I should have used.
No, not really. The Software Centre is just one of many applications which provide a view of the Ubuntu and Debian Repositories. The others being Synaptic, Upgrade Manager, and good old command-line aptitude and apt-get. I find myself using them all at various times - Synaptic gives a bit more fine-grained control than Software Centre does, and is indispensible for administrators. If Ubuntu had replaced all the other tools with the brittle and unfriendly Software Centre, I'd be seriously considering bailing from the whole distribution.
And yes, Debian has had apt and.deb since forever - long before Windows had.MSI, even. Ubuntu just stepped into the breach after the Debian folks took too long to release a stable desktop distribution.
I’m personally not a fan of the whole “app” thing. Feels like we are going backwards.
You had specialized viewers and clients for various data, then gradually the web became more mature and more and more data was simply put on a website. Now we are gradually going back to the specialized viewer mentality
This.
I'm old enough to remember the 1980s: specialised 'apps' for everything, no standards, a real mess. The Web was such a breath of fresh air in comparison. The iPhone reminds me of the bad old days. Let's not do that again.
Are the kids of today so young that they really can't conceive of how bad it used to be? Lawn, off, get.
[H.264] is open in all the ways that everyone who is *not* distributing open source software and wants to use it cares about.
Yes.
If you are willing to abandon all hope of the Web being implementable in open source software, then by all means adopt a non-open-source compatible "standard".
But you will be abandoning the entire future of the Web by doing so.
There is open source versus closed source (x264 versus apple's H.264 coder) There is unencumbered versus encumbered by patents and license fees.
Incorrect. By definition, Open Source code cannot be patent-encumbered because it is illegal to distribute if patent indemnity is not passed on to the users.
Therefore, no H.264 implementation can be legally distributed as Open Source in any jurisdiction that respects MPEG-LA patents. The only reason Open Source H.264 codecs exist is because software patents are not currently enforceable in all regimes. However, in the USA, these codecs are illegal to distribute. Just because nobody has yet been arrested does not mean it is okay.
. H.264 is *vastly* more open, consumer, and business friendly than that which it replaces - proprietary, nonstandard, closed video players from Adobe, Apple, Microsoft, and Real.
No it is not because it is illegal.
The codec you do not get arrested for is always more open than the one you do.
The reason H.264 costs money is that there is a shitload of patents that all have been dealt with as part of the patent pool.
In other words, it is exactly patent encumbered and therefore not open in the Open Source sense. Thank you for making the parent poster's point for him.
Slashdot Mirror
That has a lot to do with man bashing.
Let's leave the Unix command shell documentation out of this, okay?
denounce even the sanest solution to any problem as "statist"
That's exactly what I would expect you to say, you, you - dynamist, you!
That Ford Perfect thinks he's too good for the likes of us.
he may have just been worn out from trying to uphold it for as large and diverse a company as Google is.
In support of our corporate "alignment diversity" initiative, Google are now revising our policy from "don't be evil" to "chaotic neutral Fridays".
We want to create a work culture where all ethical stances are welcome - especially in Marketing.
The governments have the armies and the guns, remember?
Colt, Group 4 LLC, Xe and McDonnell-Douglas would beg to differ.
But the government does have the money to pay the people who actually make the guns.
I wonder when will people stop wasting time with wind/solar and man up to nuclear energy.
When we learn to stop worrying and love catastrophic radiation leaks.
* HTMLS
* HVF: HTML Vs Flash
* HTML Free With A Harder Vengeance
* The HTML Who Kissed Me
* HTML Rises
* HTML Episode Five: Attack of the Phantom Hope
* HTML: Turn Off The Web
and the inevitable retro-reboot, just called 'HTML'
It's still no guarantee tho, sure they're more likely to make the right choice but I bet there would still be loads of people who would be fooled by fake antivirus or system update popups etc.
The fake system message popups are interesting in their own right, because the average user simply has no way to determine whether a given dialog box is speaking for the application or organisation it claims to be. This seems to be a similar fundamental problem to the failure of the SMTP Sender field to be authoritative.
I think this exposes a deep problem in GUI design which has not really been addressed since the dawn of the field: we have created a set of graphic 'design languages' which are not, in fact, formal languages. In other words, we've created a set of loose visual conventions about what a system alert should look like,what a button should do, etc - but none of these conventions are binding on any applications. They're just guidelines to be used by well-mannered programmers, but like the SMPT Sender field, encode no actual information. But we're now in an Internet full of overtly hostile code which is attempting to subvert the user's machine at every point. We must make it hard for remote attackers to fake their visual credentials.
What I think we should have done instead - and is perhaps a very hard problem, but perhaps not - is to create a GUI language with formal properties. For example, define visual 'containment' - a box being displayed within another box - to literally mean some kind of subprocess or trust relationship such that it would be impossible for a rogue process to display anything inside a place it didn't own. If the user saw an 'error, install antivirus' box appear inside a clearly marked 'user space box' then they would know it was not actually the system talking to them. Even better, no visual entities inside the userspace box should be able to make any modifications to the system at all.
This would require a tight, 100%, one-to-one relationship between GUI 'design language' elements and the formal security properties of the underlying information system, instead of the very loose, laissez-faire approach we have now where there is no relation at all between what you see in a GUI and what's really going on under the hood. Something like the naked objects pattern would be required to really make this work, but we could start right now to reevaluate the trustworthiness of our GUIs based on this principle.
Some immediate offenders come to mind. Firefox 4 removing the Status Bar seems like a huge step in the wrong direction - visually, it makes a browser window look more like a system window, when the opposite should be the case - it should really be impossible for Javascript to remove the URL and status bars from any Web-launched windows, so that popups never look like legitimate system dialogs.
Second, it becomes clearly obvious why popups are such a huge annoyance to users, and why they must be removed: a pop-up window is spoofing its ownership information, breaking out of its visual location inheritance, and therefore is acting as a rogue process. This should never happen in a well-designed GUI with security in mind.
Third, keyboard focus stealing should be impossible. This also allows one window to manipulate the whole visual inheritance chain by putting itself 'on top' and receive messages intended for another.
Fourth, GNOME's 'notification' popup is a major problem for visual trustworthiness, because it puts messages onscreen which don't associate with any window but just hover, detached from everything, on the screen. Who is the user to think these messages come from? All system notifications should be framed within a clearly visible container, so the user gets in the habit of recognising that anything inside that box is from the system, and everything outside is not.
Finally, the whole Windows and X-Window approach to GUIs needs to be overhauled (though X-Window's strict window m
fundamentally technical incompatibilities between how HTML rendering works and what SVG fonts require if you try to implement them as specified
How do we end up with fundamentally unimplementable standards? A standard which can't be built should never have got out the door. Worse, it calls the entire standards process and branding mechanisms into disrepute.
Shouldn't we be calling for the resignations of some or all of the W3C for a bungle like that?
You could create an operating system with no vulnerabilities of flaws whatsoever, but as long as the user wants to view dancing_puppy_avi.exe in an email they received they will happily bypass any barriers you place in front of them.
There's a big false assumption in that cute insult to users' intelligence: that any executable file can and should be able to do anything on the user's system, and that there is always and forever no way for user to verify what capabilities an executable is requesting or to reliably sandbox anything from semi-trusted sources.
But surely we don't have to solve the Halting Problem in order to be able to restrict applications from doing evil things to the root of C: Heck, Flash is nothing but a literal dancing bunny delivery mechanism, and it only has security problems when the actual Flash implementors stuff up. It's pretty rare for a .swf to be able to root you.
tl;dr: EXE, you're doing security wrong.
Why haven't we thought of taking advantage of this abundant, renewable and FREE resource before????
Because it involves a risky and highly experimental procedure called 'going outside'. Our best scientific minds admit they have no adequate theoretical model of the conditions in that realm of existence, but intensive computational simulation techniques suggest that it may contain 'girls'.
customer information in the filial on the cayman islands disappeared...
Why, that son of a...
I wouldn't suggest using "meatspace" in general conversation - it's the sort of thing that gets you beaten up and stuffed into a locker.
Retraction: Did I say that out loud? I apologize, master. While you are a meatbag, I suppose I should not call you such.
Explanation: It's just that... you have all these squishy parts, master. And all that water! How the constant sloshing doesn't drive you mad, I have no idea...
The manufacturer of the pistol is probably innocent. Less innocent is the marketing man who, for cash, put it into the hands of someone prepared to use it.
Except that pistols are only designed for one purpose, and that is to kill whatever they are pointed at. It would seem rather disingenuous for a gun manufacturer to say 'I built the device - but I never intended it to be used on a living being! I'm shocked, shocked that someone would do such a thing!'
It ain't guns that kill people - its the idiots that distribute them.
Strictly speaking, it's not actually bullets that kill people either, it's kinetic energy. Newton's dead hand strikes from beyond the grave! It's all his fault.
Meanwhile, in the real world, it exactly is guns that kill people. It's what they're designed and built to do - you can't wash the windows with a revolver, or mow the lawns with a shotgun. They are tools which serve the purpose for which they are constructed, and do it well. Things well made.
You, sir, are clearly not a lobbiest for the Banking industry.
No, but he's lobbier than most.
Cairo isn't controlled by Firefox developers.
Then shouldn't they submit patches to upstream, and fork it in the meantime, just like Ubuntu does to Gnome?
For me, there are two important things about the target URL: the main site (whether I'm being sent to a different, potentially untrusted site) and (to a much less extent) the file extension of the linked file. Often, that latter reason can be left until after I've clicked.
Even if the file extension is a .exe?
I'd rather know first and not click. I don't trust my antivirus THAT much.
I Lost On Jeopardy
Because the world always needs more Weird Al.
I'll inform Skynet. It will want to know that if it wins we all win.
A strange game. The only way to win is... to play?
The basic issue at hand is that the majority of people don't have time for anything more than "it just works." What they want is appliance computing, and that's what App stores enable.
They don't, though, compared to the Web.
App Stores are a step up from the old proprietary desktop way of installing applications - custom installers, manual downloads, etc.
They're a step down, or at the very least sideways, from the Debian/Ubuntu/Redhat unified repository, which Linux people have had for over ten years. Now at last Apple users get the same install convenience that Ubuntu users have been happily having, for free, for years. Good for them. A step forwards.
And they're a big step down from the convenience of just going to a mobile-friendly website and accessing the data you want.
Ah, I see it's now called the "Ubuntu Software Centre" - that's the term I should have used.
No, not really. The Software Centre is just one of many applications which provide a view of the Ubuntu and Debian Repositories. The others being Synaptic, Upgrade Manager, and good old command-line aptitude and apt-get. I find myself using them all at various times - Synaptic gives a bit more fine-grained control than Software Centre does, and is indispensible for administrators. If Ubuntu had replaced all the other tools with the brittle and unfriendly Software Centre, I'd be seriously considering bailing from the whole distribution.
And yes, Debian has had apt and .deb since forever - long before Windows had .MSI, even. Ubuntu just stepped into the breach after the Debian folks took too long to release a stable desktop distribution.
I’m personally not a fan of the whole “app” thing. Feels like we are going backwards.
You had specialized viewers and clients for various data, then gradually the web became more mature and more and more data was simply put on a website. Now we are gradually going back to the specialized viewer mentality
This.
I'm old enough to remember the 1980s: specialised 'apps' for everything, no standards, a real mess. The Web was such a breath of fresh air in comparison. The iPhone reminds me of the bad old days. Let's not do that again.
Are the kids of today so young that they really can't conceive of how bad it used to be? Lawn, off, get.
[H.264] is open in all the ways that everyone who is *not* distributing open source software and wants to use it cares about.
Yes.
If you are willing to abandon all hope of the Web being implementable in open source software, then by all means adopt a non-open-source compatible "standard".
But you will be abandoning the entire future of the Web by doing so.
There is open source versus closed source (x264 versus apple's H.264 coder)
There is unencumbered versus encumbered by patents and license fees.
Incorrect. By definition, Open Source code cannot be patent-encumbered because it is illegal to distribute if patent indemnity is not passed on to the users.
Therefore, no H.264 implementation can be legally distributed as Open Source in any jurisdiction that respects MPEG-LA patents. The only reason Open Source H.264 codecs exist is because software patents are not currently enforceable in all regimes. However, in the USA, these codecs are illegal to distribute. Just because nobody has yet been arrested does not mean it is okay.
. H.264 is *vastly* more open, consumer, and business friendly than that which it replaces - proprietary, nonstandard, closed video players from Adobe, Apple, Microsoft, and Real.
No it is not because it is illegal.
The codec you do not get arrested for is always more open than the one you do.
The reason H.264 costs money is that there is a shitload of patents that all have been dealt with as part of the patent pool.
In other words, it is exactly patent encumbered and therefore not open in the Open Source sense. Thank you for making the parent poster's point for him.