How is even a malicious javascript code on one web page going to see the content of a page that I have manually opened up in an entirely separate window?
It can't, but it can load that same page's URL in an iframe, and it will contain the same confidential information. Browsers try to prevent pages from reading the contents of cross-domain iframes, which is extremely difficult to do in a completely airtight manner. A much better solution would be not sending cookies on cross-domain requests and thus making it impossible for one site to load the secrets a different site is storing for you, but so far everybody is focused on treating the symptoms and not the disease.
This is the ITU, the same geniuses behind the "leap second" that crashed computer systems all over the world last June (because god forbid our clocks should ever be out of synch with the Earth's rotation by more than one second - never mind that given the way time zones are set up, many places are off by over an hour anyway). I'd be surprised if they even know what a patent is let alone why it's a bad thing to have on a standardized file format.
The hosts file can only be modified by administrators. Any additional protection is useless because if malware has gotten itself running as administrator, it can just kill or modify windows defender anyway.
The designers of Java tried to do two things regarding security:
1. allow running untrusted code (applets) without letting it break out of its sandbox
2. prevent unsafe memory access by bounds checking, type checking on casts, no explicit deallocation
#2 is a prerequisite for #1, since if code can write to arbitrary memory locations then it can take over the Java runtime process. However, #1 is not a prerequisite for #2. Java has in practice done poorly at meeting goal #1 but has been quite solid at #2.
Finding a security vulnerability is not "making viruses". Would you prefer that this be first discovered by someone who's not so nice as to disclose their findings, so that insulin pumps just start mysteriously "malfunctioning" and killing patients?
Regardless of what you may think of the quality of McAfee's software, they're not being anything besides white-hat here.
That could have been believable back in the DOS days, when most viruses seemed to have no real purpose besides amusement, but today the vast majority of malware is written for profit. Selling antivirus software would be counterproductive if you're making a lot more money from owning a botnet and the antivirus would eat into that.
So-called "democracy" as it exists in countries like the US is a complete sham. The government can act against the public interest on literally every single issue and still stay in power: any individual is only going to be knowledgeable about a small fraction of what the government does, and a majority of people will just take the media's word for it that they're doing right on most everything else.
The only issues on which the public actually has any influence are those which our rulers recognize to be of relatively minor importance, so the parties can put on a show of virulently disagreeing on them, which makes people feel like they're actually making a difference when they throw out corporate-owned party A and put into power corporate-owned party B. On the most important issues, there's always bipartisan agreement on the wrong side.
TCP port numbers are unencrypted so a serious attacker will be able to find out your sequence anyway. All you're doing is wasting your own time by making legitimate connections take longer.
Only garbage websites don't work properly without javascript
I agree. But unfortunately, Sturgeon's Law applies - 90% of websites are garbage, so if you want to use the web you'll have to go "dumpster diving" (enabling JS) a lot.
I used to think of Flash as a CPU hog, but it pales in comparison to Javascript/HTML5. Even simple 2D games in Javascript will run at about 3 frames per second despite constantly using 100% CPU, and they often hog memory too (which Flash has never been all that bad about in my experience, unless you leave a dozen YouTube tabs open or something).
Annoying ads won't go away just because Flash does; they'll move to HTML5 and will be just as annoying, more resource hungry, and harder to block (disabling Javascript everywhere makes the Web unusable; a whitelist system like NoScript is going to be a necessity).
Are judges and jury members more likely to need organ transplants than anyone else? If not, it makes no sense to say there's a perverse incentive for them to order more executions; they have no more interest in it than the rest of the public does.
If you type {} + [] into the console, it's not actually parsing as addition, it's an empty block followed by a +[] expression (unary plus operator used to convert an empty array to a number).
And worse, to supposedly "protect" the programmer from himself (pointers are evil, GAHHHHH)? If the developer does not know how to make a good program in one language, he will still not know how to do it in any other language.
It's not about "protecting the programmer from himself", it's about protecting the users. Practically nobody can write secure code in C or C++, where a very significant portion of bugs allow an attacker to run arbitrary code.
And if you don't want that application to put your security at risk via the arbitrary code execution exploit du jour, all you have to do is run that application in a separate limited user account. And make sure all your important files' ACLs prohibit access from that account. And don't use runas, use an actual separate login session, because of window shatter attacks. It's so easy, I bet everyone runs their applications this way. I'm sure you do. ...Right?
A floppy disk sector is 512 bytes, so even with just a single unreadable sector there are 256^512 possible combinations, more than there are atoms in the universe.
If the majority of people used a Mac, then there would be Mac rootkits all over the place, and a few people would be bragging about how secure Windows is.
Complain to your application's maintainer. Windows notifies applications before the system is about to restart for updates. Applications that don't save the user's work are defective.
If the user's not present, where is it supposed to save the work to? You certainly don't want to overwrite the previous save without asking. %APPDATA%\myapp? And now you have to check on startup to see if anything was saved there and let the user know about it if so, because the user sure is going to have a hard time finding it otherwise.
Yay, more logic that has to be implemented in every program. And if the developers of a program fail to do so, there is absolutely no indication to them that they've done something wrong. When you make it easy to do the wrong thing and hard to do the right thing, people are going to do the wrong thing. An OS designed with ignorance to this fact is what's really defective.
I also hope that some state gets its hands on him, and he ends up serving some time in a fuck you in the ass state pen with thugs and violent offenders.
Really, you're happy with thugs and violent offenders being given free sex slaves paid for by your tax dollars?
If this country had a single ounce of sense we would just shoot the guy.
From the linked atariage.com post:
From the summary:
Your "small-government" Republicans are just as much on board with this as the "big-government" Democrats.
WebM supporters: Free Software Foundation, Participatory Culture Foundation, Xiph, Android, Codecian, Collabora, CoreCodec, Digital Rapids, FFmpeg, Adobe Flash Player, Flumotion Services, Google Chrome, Grab Networks, iLink, Inlet Technologies, Oracle Java, Matroska, Moovida, Mozilla, ooVoo, Opera, Oracle, Harmonic Rhozet, Skype, SightSpeed, Sorenson, Telestream, Tixeo, Ucentrik, VideoLAN, Wildform, Winamp Media Player, Wowza Media Server, XBMC Media Center, Allwinner Tech, AMD, Anyka, ARM, Broadcom, Chinachip, Chips&Media, C2 Microsystems, DSP Group, Freescale, GeneralPlus, Hisilicon, Hydra Control Freak, Imagination Technologies, Shanghai InfoTM Microelectronics, Leadcore Technology, Logitech, Marvell, MIPS, MStar Semiconductor, nVidia, Qualcomm, Rockchip Microelectronics, RayComm Group, SEUIC, Socle Technology Corp., ST-Ericsson, Texas Instruments, Verisilicon, Videantis, ViewCast, ZiiLABS, ZTE Corporation, Anevia, Brightcove, Delve Networks, Encoding.com, EntropyWave, Flumotion Services, HD Cloud, HeyWatch.com, Kaltura, Media Core, MetaCDN, ooyala, Panda, Panvidea, Sorenson 360, thePlatform, VideoRX.com, VMIX, YouTube, Zencoder
Sure there is: e^(tau * i) + 0 = 1.
Hey, it's really not any more ridiculous than "... + 1 = 0".
Why are mount points better than drive letters, and why is / better than \? Unix's own particular way of naming files is far from universal.
That's the original (single) DES; Triple DES is still not feasible to crack.
If you download and run a program without sandboxing it, then you are trusting its source by definition.
Don't confuse "trusted" with "trustworthy".