I know IE/ActiveX supports trust levels for remote code. (I.e. "I don't want these users running ActiveX code from anything but the trusted servers on our intranet"). Does Java have similar capabilities?
OLE has the problem of having to run some other process's code in your own address space in order to read the data. I haven't RTFA, but I imagine that's one thing Microsoft wanted/wants to fix if they were going to do a full platform rearchitecting.
Stop submarining American companies by offering ridiculously low rates and shit service and you'll be able to afford a fucking certificate.
He had a fair enough point contextually. Fact of the matter is their cost of living is sufficiently low that they can charge significantly less. A start-up is going to have comparatively little starting capital to work with.
Sounds strange to me. What if someone signs a trojaned libary?
Was it someone you chose to trust? Then you're screwed. If it's not someone you chose to trust, then you still have the option of choosing whether or not to trust them before you run the library. In short, do your homework. Or let your package mantainer do it for you; your operating system should already be set up to ensure updates from upstream are trusted, and your package maintainer should be on the ball about being sure *his* upstream is trusted.
I don't know about Java and WebStart, but when I go to install or launch a signed-but-untrusted binary (such as something that's fresh out of a browser's download queue), Windows gives me the signer's name and other cert details, and asks me if I want to run code by them.
Cryptographically signing something only tells the end-user *who* it was signed by. You still have to decide whether or not to trust that Who. I expect the implementation details of that are going to be specific to WebStart and the JVM in question. Not my area of expertise.
I don't have a current passport, either. Mine expired years ago, even before 9/11.
Ultimately, I wound up sending them pictures of my state ID, birth certificate and cell phone bill. I tried sending two different photo IDs, but they sent me an email asking for a copy of the birth certificate. They're reasonably friendly and will work with you to identify the documents you'd need.
As for security updates...I don't know. It will depend on the context. Just a guess, but I imagine that, if you're using your own certs to verify updates, then push out an update including the new cert, before the old cert expires.
I got the StartSSL certs so I could have non-scary SSL certs for my website. It was only after I got the identity cert that I noticed they talk about certs for code signing. However, that's not something I've messed with.
Their attempts to copy the Chrome UI on Windows are cludgy as well. If you don't have Aero enabled on Win7, you get stretching and other weird artifacts.
That's true, if the program was poorly architected from the outset. In my experience, it's very unusual to encounter someone abusing operator overloading in ways that aren't very localized, or are otherwise counterintuitive.
C++ allows you to do bad things, but if you're playing with anyone but yourself, there are threats of physical harm to consider before you make life difficult for everyone else.
...take a look at the source code for Luminance-HDR. While it's buggy, I've been pleasantly surprised at how well-organized it is, and it should prove to be very hackable.
Unless there's something distinct between how pictures and regular post taggings work.
Fiancee just created a post that excluded me in the privacy controls by name, but tagged me in it. Not only can I see it, but FB dutifully emailed me that I was tagged in someone's post.
Seconding DDG. I've also been using it as my primary search engine. Instant reference and running things through Wolfram Alpha make it all the sweeter.
More seriously, thanks, Taco. I grew up here. Through here, I was integrated into a massive circle of about 100 or so people who still call themselves the Journal Circle. And that group of people is still pretty well tied together. It wouldn't have happened without what you built.
The problem with salting: transfer the matter into "security by obscurity".
Which is what passwords are in the first place, and, by extension, any mechanism of manipulating or digesting them.
If the repo of you passwords leaks, one can assume the salt grains would leak too. Then you are not better than having the hashed password alone to attack.
Password hashes are typically stored in a database. The salt is typically part of the configuration store. Most systems (Wordpress being the singular counterexample I can think of) store user data separate from configuration data, and configuration data is usually left flat files. (LDAP is an alternative, but I don't believe most services use it)
So even if the password hashes leak, it's unlikely the salt will leak.
Not to dismiss the serious amount of time and effort you, Ondej, Raphael and all packagers put in, but I'm pretty sure the parent was making a joking reference to the OpenSSL entropy bug.
Slashdot Mirror
but I don't currently see anything like Flash for HTML5 applet authoring
ISTR hearing about Adobe having HTML5 export options.
Or Microsoft? They give their compilers away, but charge you for the IDE.
Wait...er, now they give away the IDE, too, but charge you for MFC.
I know IE/ActiveX supports trust levels for remote code. (I.e. "I don't want these users running ActiveX code from anything but the trusted servers on our intranet"). Does Java have similar capabilities?
IIRC, rsync was the culmination of its original author's thesis.
Great, just what I needed. Yet another news article for nerds, about stuff that matters.
(Actually, /.'s article quality has gone up a bit this year. I've been back more times these last few months than in the prior 2-3 years)
OLE has the problem of having to run some other process's code in your own address space in order to read the data. I haven't RTFA, but I imagine that's one thing Microsoft wanted/wants to fix if they were going to do a full platform rearchitecting.
Stop submarining American companies by offering ridiculously low rates and shit service and you'll be able to afford a fucking certificate.
He had a fair enough point contextually. Fact of the matter is their cost of living is sufficiently low that they can charge significantly less. A start-up is going to have comparatively little starting capital to work with.
TL;DR version of my other reply.
So anyone can sign those java libraries
Sure.
and have them work without problems?
Probably not.
Sounds strange to me. What if someone signs a trojaned libary?
Was it someone you chose to trust? Then you're screwed. If it's not someone you chose to trust, then you still have the option of choosing whether or not to trust them before you run the library. In short, do your homework. Or let your package mantainer do it for you; your operating system should already be set up to ensure updates from upstream are trusted, and your package maintainer should be on the ball about being sure *his* upstream is trusted.
I don't know about Java and WebStart, but when I go to install or launch a signed-but-untrusted binary (such as something that's fresh out of a browser's download queue), Windows gives me the signer's name and other cert details, and asks me if I want to run code by them.
Cryptographically signing something only tells the end-user *who* it was signed by. You still have to decide whether or not to trust that Who. I expect the implementation details of that are going to be specific to WebStart and the JVM in question. Not my area of expertise.
I don't have a current passport, either. Mine expired years ago, even before 9/11.
Ultimately, I wound up sending them pictures of my state ID, birth certificate and cell phone bill. I tried sending two different photo IDs, but they sent me an email asking for a copy of the birth certificate. They're reasonably friendly and will work with you to identify the documents you'd need.
As for security updates...I don't know. It will depend on the context. Just a guess, but I imagine that, if you're using your own certs to verify updates, then push out an update including the new cert, before the old cert expires.
I got the StartSSL certs so I could have non-scary SSL certs for my website. It was only after I got the identity cert that I noticed they talk about certs for code signing. However, that's not something I've messed with.
Their attempts to copy the Chrome UI on Windows are cludgy as well. If you don't have Aero enabled on Win7, you get stretching and other weird artifacts.
And a how many minute job to earn money to buy the certificate from a CA to sign your signature?
$60, and about an hour of back-and-forth emails in identity verification for a class 2 identity cert. Surprisingly cheap and easy.
but do we really want 10,000 "linksys" APs showing up when doing a scan?
It'll provide more input for wireless-survey-driven location detection logic.
That's true, if the program was poorly architected from the outset. In my experience, it's very unusual to encounter someone abusing operator overloading in ways that aren't very localized, or are otherwise counterintuitive.
C++ allows you to do bad things, but if you're playing with anyone but yourself, there are threats of physical harm to consider before you make life difficult for everyone else.
...take a look at the source code for Luminance-HDR. While it's buggy, I've been pleasantly surprised at how well-organized it is, and it should prove to be very hackable.
Unless there's something distinct between how pictures and regular post taggings work.
Fiancee just created a post that excluded me in the privacy controls by name, but tagged me in it. Not only can I see it, but FB dutifully emailed me that I was tagged in someone's post.
Seconding DDG. I've also been using it as my primary search engine. Instant reference and running things through Wolfram Alpha make it all the sweeter.
"some users" can mean "users who happened to connect to a particular server bank" rather than "users who had a flag set in their profile"
Taco, you magnificent bastard!
But he hasn't written the book yet!
More seriously, thanks, Taco. I grew up here. Through here, I was integrated into a massive circle of about 100 or so people who still call themselves the Journal Circle. And that group of people is still pretty well tied together. It wouldn't have happened without what you built.
I remember rainbow tables...and I remember that salting was the counter to them.
That's not how I've generally seen salts used. Generally, I've seen salts used like "echo $SALT$DATA|md5sum".
I'm not disputing that the method you describe isn't done, I just haven't seen it done that way.
The problem with salting: transfer the matter into "security by obscurity".
Which is what passwords are in the first place, and, by extension, any mechanism of manipulating or digesting them.
If the repo of you passwords leaks, one can assume the salt grains would leak too. Then you are not better than having the hashed password alone to attack.
Password hashes are typically stored in a database. The salt is typically part of the configuration store. Most systems (Wordpress being the singular counterexample I can think of) store user data separate from configuration data, and configuration data is usually left flat files. (LDAP is an alternative, but I don't believe most services use it)
So even if the password hashes leak, it's unlikely the salt will leak.
Not to dismiss the serious amount of time and effort you, Ondej, Raphael and all packagers put in, but I'm pretty sure the parent was making a joking reference to the OpenSSL entropy bug.
We've got a fair amount of tasks over on Rosetta Code that could use your attention, I suspect.
I've worked in shops where the team was a bunch of guys with 10+ years experience and one young guy. C++ can work well there.
Sounds like my first programming job. :)