would almost certainly be perceived as proposals to introduce 'backdoors'
Yes, that is exactly the definition of a backdoor: a way to bypass the owner's security measures. Any suggestion that it isn't would mean that the government is the owner of the device, not you or me.
To steal a credit card this is what they did (AFAICT):
1) Found a website with two-pieces, one that remembers/reads credit card numbers, and one that receives submitted card numbers.
2) The user logs in to the website with his account.
3) The website piece that receives credit card numbers gets logged in with someone else's account.
4) One website piece sends the credit card to the other website piece.
5) Retrieve the credit card (probably on the verification page or something).
They didn't go into great detail on that example, but that is my understanding of the situation.
The clarifying example for me was google chat. Gmail has a google chat window, which is actually loaded from a different URL and composed together on the page. Using that, the attacker can inject the cookie for a different chat account. The user thinks he is on his own page, but is chatting with someone else.
That seems a little far-fetched (though possible). A more likely attack vector is single sign-on services, where you think you've logged in with your Facebook account somewhere else, but actually you signed in with someone else's account. Using that technique, they were able to steal money from payment services.
So the cookie itself is not a vulnerability, but combined with slightly careless coding, it can give an attacker an entrance.
Let me say it a different way, and relate it to geekiness with a J.R.R. Tolkien quote:
“I wish it need not have happened in my time," said Frodo.
"So do I," said Gandalf, "and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us.”
Nobody gets the job they want, perfectly. But when you are in that situation, you need to either figure out how to make it work, or find another job. And writing an integer math library for Javascript is something you are capable of.
AFAICT it's not a bug, more of a feature request. The problem was that style sheets were not being shared between pages, even if they were identical. So AdBlockPro had a copy of its style sheets shared in each tab. Apparently it uses a large style sheet?
If you have no other choice, you need to write it. Javascript is deficient, work around it.
Writing a fixed-point integer library is something you should be capable of doing. If you've never done it, then you should try it: it's fun.
Serious question......
Game programmers often use C++ (for various reasons). Since you are a game programmer who doesn't like C++,
What do you typically use to write programs?
"It's quite apparent that the evolution of the C family of languages (C, C++, Java, C#) is converging on a language very like Ada, except unfortunately as a kludgepile rather than a clean design."
You get fired. Then you sue for wrongful termination. Then you expose the company in court (public record) about how shitty they are threatening you with termination (you have proof? right?) for doing something dubious.
that far too many who call themselves coders can't be bothered to sit down and work out a detailed plan before barging ahead.
That's a good description of the C++ design process, and why the "approved" way of using the language is completely different than the "approved" way of not long ago.
How many ways are there to allocate memory in C++? I'm starting to lose count.
Where I live we have the most amazing roads for motorcycling and driving sports cars: no speed limit outside of the towns, and fun, twisty roads with little traffic. But the overwhelming majority of sports cars are doing about 45 mph, being a rolling roadblock.
Twisty roads at 45 can still be fun in a Ferrari, but I don't know what those people are doing. Maybe they're afraid of going over 45 in their fancy car?
The only thing I can figure from talking to people (people who say, "my new [low end] Buick has nice power!) is that it really sucks trying to get on a freeway on-ramp in a lower-powered car. Going up the ramp in Chevy Spark, "OMG I floored it and it won't go over 55!!" Not a fun experience.
When I was in college, someone bragged to me that his used car could go up a hill accelerating completely loaded with people. I guess that's another use case.
BTW, if it is public, it's reasonable to request that the final source code be opened, but to only choose open source to begin with, that's a silly requirement.
It's far more likely that TCP/IPv6 will be around in 30 years
Come to think of it, you can probably make sure a technology lasts by wishing it wouldn't stick around. Based on that, they should use IPv4 with Flash+Javascript written in COBOL on Windows ME. It'll last forever.
I don't think you can rely on any platform to be around for 30 years, even if it's open source.
Some platforms have lasted that long, but trying to guess which platforms will last and which won't is not the reason to choose open source.
How accurate does that method tend to be?
would almost certainly be perceived as proposals to introduce 'backdoors'
Yes, that is exactly the definition of a backdoor: a way to bypass the owner's security measures. Any suggestion that it isn't would mean that the government is the owner of the device, not you or me.
I clarified what I meant in a different comment.
He's also pushing it in Vanity Fair, like the true geek he is.
No, I'm just talking about on the heap. I've got these, probably missing some:
....)
malloc (alloc, calloc, etc)
new
new[]
new (nothrow)[]
make_shared
shared_ptr(new
allocate_shared
std::allocator::allocate
make_unique
make_unique(new...)
I am sure I'm missing some. I think most of those are deprecated.
To steal a credit card this is what they did (AFAICT):
1) Found a website with two-pieces, one that remembers/reads credit card numbers, and one that receives submitted card numbers.
2) The user logs in to the website with his account.
3) The website piece that receives credit card numbers gets logged in with someone else's account.
4) One website piece sends the credit card to the other website piece.
5) Retrieve the credit card (probably on the verification page or something).
They didn't go into great detail on that example, but that is my understanding of the situation.
The clarifying example for me was google chat. Gmail has a google chat window, which is actually loaded from a different URL and composed together on the page. Using that, the attacker can inject the cookie for a different chat account. The user thinks he is on his own page, but is chatting with someone else.
That seems a little far-fetched (though possible). A more likely attack vector is single sign-on services, where you think you've logged in with your Facebook account somewhere else, but actually you signed in with someone else's account. Using that technique, they were able to steal money from payment services.
So the cookie itself is not a vulnerability, but combined with slightly careless coding, it can give an attacker an entrance.
I can't imagine that matching all those rules against the page as it loads is particularly fast either...
I think you're probably right, but compared to actually loading the ads, it seems to be an order of magnitude faster.
“I wish it need not have happened in my time," said Frodo.
"So do I," said Gandalf, "and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us.”
Nobody gets the job they want, perfectly. But when you are in that situation, you need to either figure out how to make it work, or find another job.
And writing an integer math library for Javascript is something you are capable of.
AFAICT it's not a bug, more of a feature request.
The problem was that style sheets were not being shared between pages, even if they were identical. So AdBlockPro had a copy of its style sheets shared in each tab. Apparently it uses a large style sheet?
So this change allowed for some de-duplication.
If you have no other choice, you need to write it. Javascript is deficient, work around it.
Writing a fixed-point integer library is something you should be capable of doing. If you've never done it, then you should try it: it's fun.
Serious question......
Game programmers often use C++ (for various reasons). Since you are a game programmer who doesn't like C++,
What do you typically use to write programs?
"It's quite apparent that the evolution of the C family of languages (C, C++, Java, C#) is converging on a language very like Ada, except unfortunately as a kludgepile rather than a clean design."
You're a programmer so write one.
Well said.
You get fired. Then you sue for wrongful termination. Then you expose the company in court (public record) about how shitty they are threatening you with termination (you have proof? right?) for doing something dubious.
That's a lot of work for dubious benefit.
that far too many who call themselves coders can't be bothered to sit down and work out a detailed plan before barging ahead.
That's a good description of the C++ design process, and why the "approved" way of using the language is completely different than the "approved" way of not long ago.
How many ways are there to allocate memory in C++? I'm starting to lose count.
Where I live we have the most amazing roads for motorcycling and driving sports cars: no speed limit outside of the towns, and fun, twisty roads with little traffic. But the overwhelming majority of sports cars are doing about 45 mph, being a rolling roadblock.
Twisty roads at 45 can still be fun in a Ferrari, but I don't know what those people are doing. Maybe they're afraid of going over 45 in their fancy car?
The only thing I can figure from talking to people (people who say, "my new [low end] Buick has nice power!) is that it really sucks trying to get on a freeway on-ramp in a lower-powered car. Going up the ramp in Chevy Spark, "OMG I floored it and it won't go over 55!!" Not a fun experience.
When I was in college, someone bragged to me that his used car could go up a hill accelerating completely loaded with people. I guess that's another use case.
If you think back to your school years or meet a few students you'll find plenty of examples of people who could not succeed
There were certainly people who didn't, but none that couldn't.
Your comment is a perfect illustration of the saying, Hindsight is 20/20.
BTW, if it is public, it's reasonable to request that the final source code be opened, but to only choose open source to begin with, that's a silly requirement.
It's far more likely that TCP/IPv6 will be around in 30 years
Come to think of it, you can probably make sure a technology lasts by wishing it wouldn't stick around. Based on that, they should use IPv4 with Flash+Javascript written in COBOL on Windows ME. It'll last forever.
I don't think you can rely on any platform to be around for 30 years, even if it's open source.
Some platforms have lasted that long, but trying to guess which platforms will last and which won't is not the reason to choose open source.
Here you go man, this guy says it much better than I do.
I......work hard to ensure that every line I write IS secure.
Then keep up the good work, we need more programmers like you.
I've given you examples, which you [fail to] try to explain away.
I've given you techniques you can use to improve yourself, but you don't want them.
Read a book or something, what else can I do to help you?