While it's fun to accuse MS, Moore's Law (and whatever corollary applies to storage) has caught up to encryption. I believe Dictionary Attacks and ever increasing speed/storage have rendered passwords as we know them obsolete. Other than biometrics, anybody have any ideas?
(Given of course that the average user can't remember a 6 digit voicemail password over a long weekend)
Yesterday. I use BSD for anything that I'd like to be more secure than the average distro. Anything on the frontline basically- w/ports open to the wild. Chroot'ing gives me a warm fuzzy. You gotta assume that no matter what software you're using it's going to have holes, and the holes will eventually be discovered. It's nice to know that when this happens the damage will be somewhat limited.
Starting a session over because a user lost his dialup connection is acceptable to every user I've run into.
This technique has been in use at several moderate (> 50k users/mo) traffic sites I've worked on with no problems and no complaints for several years. And, state control is completely server side.
If you like cookies, off you go. I'll choose the more secure solution for now.
But your point is well taken- the ability to disable the inclusion of the browser GUID is something I'd agree with. The need here is to be able to support web applications that involved a variable store without compromising security. Cookies aren't a good solution to me because too many developers blindly assume that they can put whatever they want in there without thinking about what somebody could do to their site if they dug in on what's in the cookies. MANY sites, with supposedly senior developers, are guilty of this.
Ummm- no it's not. Once more, for the cheap seats- The context ID is only valid from the IP address it was created for and within a certain window of time since last reference.
The purpose of the IP validation is to prevent it working when a link gets out in the wild (for example, 3rd Party Insecure Toolbar X sends it off somewhere without your knowledge, somebody hacks your shortcuts, etc)
You still have to know the context ID. If you're giving your URL (with the context ID) to somebody with the same IP address as you odds are you want it to work for them anyway.
I've always been opposed to cookies. There's practically no reason why state control should be put on the client side. It's virtually impossible to secure a site that exposes variables client side. Anything you can do with a cookie can be done with a GUID context ID paired w/server side variable store.
The only argument for cookies is tracking a user between sessions (ie. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. Be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.
I understand why you say this. After purchasing an Apple Quadra 840 for around $6k in the early 1990's, I felt violated when PC's of comparable performance were available at a fraction of the cost. I learned my lesson- I don't pay the premium for the Apple brand anymore. It just doesn't make sense. (xServe's notwithstanding- they're a solid value)
However, I've gotten the impression that most Apple loyalists are immune to this phenomenon. They attribute the difference in price to the value of the superior engineering in Apple products. Huh. Yeah. More money for less mouse buttons is basically the situation. They must have put a lot of effort into determining that it was in the user's best interest to be denied those harmful context sensitive right click menus.
substitute {Presidential Campaign|Postseason Baseball}... it's all the same. Our culture seems bound and determined to be irrationally confrontational.
I'd like to recommend that we all practice our breathing, have some tea and listen to some reggae music.
I'm guilty of lumping Mozilla and Mosaic together. Sorry. And yes, even IE has Mosaic heritage.
The big flick here (or my interpretation of it) though is that once MS got into the browser arena, they sought and achieved popularity by increasing functionality (mainly cross app) through API's. The problem is they did it without regard to security. And I won't allow them the leeway that they couldn't foresee all the extensibility/plug-in development that was going to happen. The Java Sandbox debates were already in progress.
(Some /. staffer should move this subthread from the spyware post to the browser war post. It's a bit off topic, sorry again.)
I did read it. I was just contesting his implication that all software is untrustworthy. While I don't completely disagree with this, I would suggest that if we can select software that generally, by design, is much less susceptible to problems, it's a better choice. Firefox/Mozilla/other OSS browsers have chosen to not design shortcuts to cool functionality by tight integration with the OS like MS did with IE. In my day to day usage of Windows & Linux I truly don't find the API magic (read gaping security holes) that IE does to have gained me anything tangible. And certainly not at the cost of ~900% more vulnerabilities. Another important distinction mentioned in browser security analyses is that when IE gets compromised, usually the whole box is compromised, not so with non-Redmond browsers.
Visit a reputable vulnerabilities website, www.cert.org for example, and compare the number of Mozilla vulnerabilities (2) to that of Internet Explorer (179). I'm sorry, you don't have a reply to that? I thought as much.
Is there anything else the entire industry has accepted that you want to suggest is wrong?
It's been my experience that most organizations have problems because their staff are inadequately trained. I myself am just as guilty of slapping up incredibly-complex-software-that-has-been-shrink-wrapped-and-commoditized (ie. firewalls, mailservers, database servers, etc...) and the post-incident debrief revealed that of course there were problems- I didn't RTFM.
Apples to Apples though- correctly implemented, it has been my experience that Linux/BSD/*ix stuff is faster, more stable, and just damn better designed. The product evolution strategy is always value driven vs. some other ulterior motive (ie. revenue, locking a customer into your product line, etc). Given this, the freely available Unix distros have always provided me, & the companies I've worked at, the maximum ROI.
Doesn't this have criminal negligence written all over it, at the very least class action?
I wonder if that's how their licensing is labelled internally:
Premium (we tell you about the fucked up shit that we shipped)
Standard (the FBI may come to your house some day because there were security vulnerabilities that allowed a kiddie porn ring to be based on your computer)
What do you think they'll be able to charge for software that actually works? We may never know. Managing customer expectations is a sound business practice- don't set the bar too high or you'll just let them down.
Automotive Counterpart
BMW 720L
$50K
BMW 720 - steering wheel may fall off with no warning
$35K
BMW 720e - has been known to spontaneously combust
$30K
Now, now- no need to get snippy. They just assured us when we can expect security- 2011.
In the mean time, please enjoy this feature rich extension that enables you to listen to your favorite piano riff while an Uzbekistani terrorist markets kiddy porn and automatic weapons from your PC.
It might be quicker to generate than to download via bt.
Cookies compromise privacy in the same way, but also can give the client state control if not used properly. Which would you rather have?
Wait, I have. AOL and some foreign satellite access providers but not lately- it's been a couple of years.
IP's that change in the middle of a session?! Well that would suck. I've never run across that.
Context ID's of course have to be validated so they're invalidated if used from an IP other than the one they were created for.
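The server-side context store described in this and the earlier context-ID comments (an opaque ID in the URL, all variables held on the server, the ID accepted only from the creating IP and only within an idle window since the last reference), written out as an added Python example; this is not the poster's code or any real site's implementation. The 600-second idle window, the hypothetical FakeClock, and the IP addresses (RFC 5737 documentation ranges) are all assumptions made for the example. It also shows the failure mode raised in the adjacent comments: once an ID is presented from a different address, the context is dropped for the legitimate user too, which is exactly what a mid-session IP change looks like to this scheme.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Context:
    """One user's server-side variable store, plus the data it is bound to."""
    client_ip: str
    last_reference: float
    variables: dict = field(default_factory=dict)


class ContextStore:
    """Opaque context IDs mapped to server-side state.

    The ID in the URL carries no data; everything lives here. A lookup
    succeeds only from the IP the context was created for and only within
    `idle_window` seconds of the last valid reference (a sliding window).
    """

    def __init__(self, clock=time.time, idle_window=600):
        # idle_window of 600 s is an assumed value; the comments give none.
        self._contexts = {}
        self._clock = clock
        self._idle_window = idle_window

    def create(self, client_ip):
        # 32 random bytes from the OS CSPRNG: unlike a sequential or
        # time-derived GUID, one ID gives no hint about any other.
        context_id = secrets.token_urlsafe(32)
        self._contexts[context_id] = Context(client_ip, self._clock())
        return context_id

    def lookup(self, context_id, client_ip):
        """Return the variable dict for a valid reference, else None."""
        ctx = self._contexts.get(context_id)
        if ctx is None:
            return None
        now = self._clock()
        if now - ctx.last_reference > self._idle_window:
            del self._contexts[context_id]   # idle too long: gone
            return None
        if ctx.client_ip != client_ip:
            del self._contexts[context_id]   # wrong address: invalidated outright
            return None
        ctx.last_reference = now             # valid hit slides the window
        return ctx.variables


class FakeClock:
    """Hypothetical settable clock so the window can be exercised without sleeping."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Walk through the outcomes; all IDs and IPs here are constructed."""
    clock = FakeClock(1000.0)
    store = ContextStore(clock=clock, idle_window=600)
    results = {}

    # 1. Normal use from the creating IP, the window sliding on each hit.
    cid = store.create("203.0.113.5")
    store.lookup(cid, "203.0.113.5")["cart"] = ["book"]
    clock.t = 1599.0                         # 599 s idle: still inside the window
    results["same_ip"] = store.lookup(cid, "203.0.113.5")
    clock.t = 2300.0                         # 701 s since last hit: expired
    results["after_idle"] = store.lookup(cid, "203.0.113.5")

    # 2. The ID leaks (toolbar, forwarded link) and is tried from elsewhere.
    cid2 = store.create("203.0.113.5")
    results["other_ip"] = store.lookup(cid2, "198.51.100.9")
    # The failed attempt also killed it for the real user; a mid-session
    # IP change (dial-up redial, some proxy pools) produces the same result.
    results["owner_after_misuse"] = store.lookup(cid2, "203.0.113.5")

    # 3. A guessed or stale ID that was never issued.
    results["unknown"] = store.lookup("not-a-real-id", "203.0.113.5")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The choice of a CSPRNG token rather than a GUID matters: the only thing protecting the variable store is that the ID cannot be guessed, so a version-1 (time/MAC-based) GUID would undercut the IP and window checks. The trade-off the comments argue over is visible in step 2: the IP binding limits what a leaked link is worth, at the price of dropping users whose address changes mid-session.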
For example, MS Windows.
Well it's about time- we were damn close to having actual web standards. Glad we dodged that bullet.
Mosaic Netscape 0.9 - October 13, 1994
Internet Explorer is derived from Spyglass, Inc.'s version of Mosaic. Microsoft licensed Spyglass's software in 1995
(reference www.wikipedia.org)
But yes, that's my point- they (we) have to be trained either way.
According to people that make dictionaries (ie. Merriam-Webster & Oxford), they're the same.