Slashdot Mirror


User: LO0G

LO0G's activity in the archive.

Stories: 0
Comments: 521

Comments · 521

  1. Re:Was beta really that good? on EFF Creates Endangered Gizmos List · · Score: 4, Insightful

    Both Beta and VHS were limited by NTSC quality.

    If you were in Europe, where they use PAL (a higher quality standard) then the difference between Beta and VHS became more apparent.

    The bottom line: VHS was "high enough" quality for the US market, and it had features that Beta didn't have (wider licensing, longer recording times).

    In many ways, it's a similar situation to CDs today - none of the attempts to replace CDs have been successful because CDs are "good enough" for 99% of the consumers.

    Hmm.. And as I wrote this, I realized: Windows is "good enough" for 99% of the consumers too. I wonder if Windows is successful for just the same reason - it was widely licensed, and "good enough".

  2. Re:Yes there is... on Through The Steve Ballmer Looking Glass · · Score: 1

    gl4ss: My point exactly - there were no Windows viruses.

    So a Windows advertisement wouldn't mention them.

    Would you expect a Mac advertisement to advertise all the Mac init viruses that went around then? In 1985, viruses were a far bigger problem for Mac users than they were for PC users (Mac users seemed to download stuff from BBS systems more than PC users did - mostly little system utilities etc).

  3. Re:Yes there is... on Through The Steve Ballmer Looking Glass · · Score: 1

    I'm plenty old enough. There were hundreds of DOS based viruses. And hundreds of Mac based viruses. And no Unix viruses (to my knowledge).

    And absolutely no Windows based viruses. The virus writers never bothered to write viruses that could infect Windows executables.

    The root cause of all of those viruses? File swapping on dial up BBSs. They weren't self propagating, the user had to install them.

  4. Re:Yes there is... on Through The Steve Ballmer Looking Glass · · Score: 0

    Maybe.

    But there weren't Windows viruses.

    Don't forget that the first big worm (the Morris worm) didn't hit until about 4 years after this.

  5. Re:Yes there is... on Through The Steve Ballmer Looking Glass · · Score: 1

    Hey, there were no Windows 1.0 viruses or worms.

    Windows 95, yes, but Windows 1.0? Nope.

    There wasn't a WWW, and DNS was only 1 year old at the time... There were maybe 2000 hosts on the internet.

  6. Re: Hysterical on Brian Hook on the ActiveX Experience · · Score: 1

    Same way you reformat a drive on Windows :)

  7. Re:You trust the extension... on Brian Hook on the ActiveX Experience · · Score: 1

    What sandbox? How do they sandbox native code?

    There is no firefox sandbox, just like there's no activex sandbox. Code is code, it can break your machine.

    Now Java/.Net provides a sandbox, and they're pretty decent sandboxes, but the flash viewer running in firefox isn't running sandboxed.

  8. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    Grandma can't tell the difference between a plugin installed from mozilla.org and a plugin installed from malware.org.

    All she sees is "Do you want to get your work done?" (or "Do you want to play this really cool game?").

    Both signed ActiveX controls and DNS records provide evidence of the origination of code. Neither is inherently more trustworthy than the other - YOU may know that you can't trust any plugin that doesn't come from plugins.mozilla.org, but "Grandma" doesn't.

    A hotlist that prevents downloading any code from any site other than the approved ones might work, but Firefox doesn't have that today (mozilla.org pointed me to "freedownloadmanager.com", and instructed me to "enable browser integration").

    So "Granny" got pointed to a cool download manager for firefox by the firefox website, downloaded the code and installed it. The only difference here is the number of steps that Granny had to go through.

    "Granny" wants to play her game. If playing her game requires that she install a plugin for FireFox that installs a backdoor on her computer, then she'll install the backdoor.

  9. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    As far as I know, it's code.

    Someone else posted that firefox plugins aren't really code, but are instead scripts (like JavaScript), but... I'm sceptical of that claim however, because if it was true, the scripting language would have to be a pretty impressive scripting language if that's true, since the flash and adobe PDF's plugins would have to be written in it.

  10. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    Expired certs are different from revoked certs.

    Every version of Windows has had this cert in its CRL for quite some time now.

    The biggest issue is whether or not the user's browser updates the CRL from the CA in a timely fashion.

    Which is a big deal for ALL certificates, not just activex certs. You'd be upset if someone hijacked amazon.com using a revoked certificate and you didn't know about it because your browser didn't check the CRL.

  11. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    I agree 100%. The Java/.Net model of stack based attribution where the host of the control describes what the control can do is vastly superior to either model.

  12. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    Actually I'm not defending ActiveX (although it may appear that I am).

    What I'm saying is that the decision to put code on your machine is based on trust.

    You trust that nobody has hijacked mozilla.org (or poisoned your DNS with fake records).

    You trust the CA that issued the certificate for mozilla.org. The download page IS SSL encrypted so you can verify that it's the real downloads.mozilla.org, right?

    And looking at plugindoc.mozdev.org, it points you to a boatload of 3rd party web sites. How do you know none of those have been hijacked?

    It's all about trust. Code signing gives you the ability to verify that the author of the code had enough money to buy a code signing certificate from a CA. That may (or may not) be enough to let you trust the code.

    You get to decide. The same rules apply to firefox extensions as apply to activeX controls.

    The only real difference between the two is that ActiveX controls require that you trust the author of the code (whoever signed the binary), FireFox extensions require that you trust the publisher of the code (whoever is controlling the DNS records for downloads.mozilla.org).

    The signature of ActiveX controls allows for 3rd parties to distribute the binaries - the signature ensures that the 3rd party (who might not be trusted) hasn't tampered with the code.

    If you find a version of the acrobat reader plugin for FireFox on a random web site, can you trust that the binary's not been tampered with? The answer is "No".

    For FireFox extensions, 3rd parties can't distribute extensions, instead you should go to an authoritative source (mozilla.org) to determine the "correct" location of the download.

    In BOTH situations, the user is required to make a "trust" decision based on evidence provided by the binary.

    In the case of an ActiveX control, the evidence is provided by the trust the users have of the validity and authenticity of the code signing certificate.

    In the case of FireFox extensions, the evidence is provided by the trust that the user has of the author of the mozilla download catalog.

  13. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    You don't trust signed activeX controls because the signing authorities can't be trusted. But you do trust extensions on mozilla.org?

    What's the difference?

    How do you know that some hacker hasn't hijacked mozilla.org? Well, you can verify the SSL certificate. But that SSL certificate had to be signed by a signing authority.

    And you said you don't trust signing authorities.

  14. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 0, Redundant

    My question is: What's the difference between a signed ActiveX control and a browser extension?

    Can you meet all of your requirements for a random FF extension?

    Code signing provides evidence to you of the author of the code. So does an extension being located on mozilla.org.

    But you as the user ultimately need to decide if you trust the person who authored (or published) the code.

  15. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    You're right - verisign gave someone from outside Microsoft the MS certificate sometime about 3 or 4 years ago.

    The certificate was revoked at the same time (when it was discovered), nobody can use it any more.

  16. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    I don't know. I'll answer after you answer my question:

    What makes a firefox extension that you downloaded from mozilla.com any less dangerous than one you downloaded from malware.com?

    There's nothing inherently different between a firefox extension and an ActiveX control - they're both code running on your machine outside a sandbox.

  17. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 2, Insightful

    Sure. But you know the signer. And you agree to install it.

    Same is true for a firefox extension. By installing the extension, you're saying that you know and trust the originator of the extension.

    Code signing allows you to KNOW the originator of the control - they had to pay money to Verisign (or whoever) to sign their code, which rules out a lot of random malware.

    Now then, it IS possible to hide the origin of the control (if the control comes from "You must agree to load this control to view your DivX pr0n" what're you going to do?)

    But at least signing gives you verifiability.

    Of course you have to trust the CA who issued the certificate that signed the control, the same thing holds true for SSL web pages and firefox extensions.

  18. Re:Gee, that's news... on Brian Hook on the ActiveX Experience · · Score: 1

    You know the author.

    An unsigned control can come from anywhere, a signed control comes from the signing authority.

    Would you install a firefox extension from a random web site or only from those that you trust?

  19. Re:My experiences in brief... on Two Reviews of Microsoft AntiSpyware · · Score: 2, Insightful

    First off, it's only been a MS product for a month - hard to rewrite it in that time.

    Also, that article seems to indicate that the undocumented APIs are somehow "faster" than their documented equivalents, but it doesn't cite any evidence of that...

  20. Re:Thank God! on Creationist Textbook Stickers Declared Unconstitutional · · Score: 1

    Mod parent up please - one of the best posts I've seen explaining the difference.

  21. Re:Thank God! on Creationist Textbook Stickers Declared Unconstitutional · · Score: 1

    Speciation in action:

    Breed a horse and a donkey. You get either a mule or a hinny, both infertile.

    Breed a tiger and a lion. You get a liger, again infertile.

    But nobody believes that tigers and lions are the same species (or horses and donkeys).

  22. Re:Read the article before flaming on Microsoft's Technical Glitches at CES Explained · · Score: 1

    Bluetooth?

    Um... Ever tried to use a bluetooth remote control in your LIVING ROOM?

    We're talking about a technology that has a 3 foot range here, I suspect your S/O might be a SMIDGE upset if they had to stand 3 feet from the TV to use the remote control.

    IR is cheap and it works just great in the living room.

  23. Re:Information and Release on Microsoft Releases AntiSpyware Program · · Score: 1

    Because a large part of the problem isn't the OS.

    When you download Kazaa (or DivX, or...) is it the OS's fault that Kazaa (or DivX, or ...) installed spyware?

    I didn't think so.

    If there's a security hole that the spyware people are exploiting, then Microsoft needs to fix those.

    But the vast majority of spyware is installed by users that don't know what they're doing.

  24. Re:Sample on Sneak Peek At Microsoft Anti-Spyware · · Score: 3, Insightful

    They already did that with IE - it's called XP SP2.

    With XP SP2, modulo security holes, the defaults on downloading code are all NO - the user has to decide that they want the rubbish or not.

    After that, it's a question of user education.

  25. Re:I think everyone is missing a point here on Anti-Santy Worm Patches phpBB Flaw · · Score: 1

    How do you know that the worm's just fixing the problem?

    What happens when someone releases a version of the worm with a rootkit attached? It'll fix the vulnerability, and then install its rootkit (which will then hide its traces).

    ALL worms are evil, even the worms in sheep's clothing (ok, I'm mixing metaphors, but...)