Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE
Am I the only one who doesn't quite understand this? How is a web-application level vulnerability such as cross-site scripting dependent on the browser being used? Does IE magically detect cross-site scripting and fix it (ha! at any browser doing that)? If there is an XSS problem, it is a fault in the design of the web application. If it is being used to exploit a trusted zone, then that's a misconfiguration of the browser, not a security problem with the browser. Period.
Then, it was supposed to turn the web into an application delivery platform, and it failed miserably at that, too (Ajax is now succeeding there).
What the hell does that even mean? "AJAX" is not a web platform - and boy am I sick and tired of people totally misusing the term AJAX. AJAX enables web applications to make asynchronous requests, which are going to pull updated information back from the web application. How is that information generated? Well, quite possibly with some Java server-side code!
In fact, the proliferation of AJAX-enabled web apps has made Gosling's points even more valid. Now that we're demanding more interactive and real-time-updating web applications, we need more robust and scalable design to support those applications. And he notes that Java is a language that can deliver such robustness and scalability.
If they really cared one way or another about seeing the issue fixed, why not show up at WWDC, meet w/ some of the Apple engineers onsite, demo the issue, and work with Apple towards a resolution?
I saw the same presentation at DefCon (I wasn't at BlackHat), and they did mention explicitly that they had been in contact with Apple about this and were not revealing the details until Apple was able to make some headway towards a resolution. TFA fails to mention this, conveniently.
Safety is everything for Formula One. Anything Microsoft writes will get inspected with fine-tooth combs, then inspected again just to be sure.
Actually, it really has (almost) nothing to do with safety. Formula 1 has long been wary of teams hiding tricky ways of doing things like traction control, ABS, etc., within ECU code. If you think about it, it would be very hard to find/control such a thing if the code was coming from all over the place. It's not as much of an issue now that some of these things (traction control) are back into the "allowed" rules, but it's still a concern I'm sure.
I have to disagree with your statements. There are two things to keep in mind here - one is minimizing the risk of compromise, and the other is minimizing the damage. The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only help minimize the risk of compromise due to guessing and cracking, and then, only somewhat. But regular password changes can also help to minimize the damage when a password is compromised via other methods.
I certainly don't claim that the damage will be reduced, and as always it depends on the situation. If password compromise leads to total administrative control of your network by a malicious entity, well, then, you're a bit screwed. But if someone manages to obtain one or two user passwords through social engineering and is biding their time, poking around a bit, then a user being forced to change their password suddenly closes up that hole.
Of course, you're still not dealing with the root cause (in the case of social engineering, user education, but there are many others). But regardless of passwords being changed regularly or not, those root causes will exist and need to be addressed. My argument is simply that regular password changing can provide enough benefit to make it worthwhile to enforce.
To that tech school on the other side of town, Rose-Hulman. They've required school-standard laptops since before I was a freshman there, I think around 1998 or so.
Want even better blogging? Try /. You can find way more there than you can in your current directory.
I really don't trust anyone who uses the word "uberleet" on his professional resume.
Then again, he uses lots of thesaurus words like prevenient, paradigmatic, and seminal.
Am I mistaken, or did you just refer to Plan 9 as a "great alternative"?
It's an exploit of functionality built into Windows (it allows you to view thumbnails in folders full of pictures, for example). The reason it's more dangerous with IE is that IE by default will open these files, while Firefox (or some other browsers) will give you the good old Open/Save box first. If you open at this point, you're still screwed.
... another Dvorak post. This will undoubtedly be followed by 400 comments about how he should stick to making keyboards by people who have no clue that this isn't the same guy.
Some people have no sense of humor at all. :)
Yup. They're called blue-staters.
...is definitely the way to go for high-security environments. Something you have and something you know. It's hard for someone to steal both, at least without you knowing it. However, I wonder if this is practical for consumer markets like this. All we need now is for both of my banks to send me a key card, my cell phone company to send me one (so I can pay online), my credit card companies to send me one, etc. In the end, lazy people will just find tricks around them, the same way lazy people write down passwords when complexity rules are enforced.
TFA seems to be written by a used car salesman. Or maybe those guys on the infomercials late night for different "enhancement" drugs.
Someone didn't quite get the point. This has nothing to do with any vulnerability in AJAX. Cross-site scripting is a result of a web app doing a poor job of redisplaying input that it was given. This was combined with a javascript object to do some malicious stuff. While that javascript object is used in AJAX applications, this is certainly not an AJAX vulnerability.
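The distinction the comment above draws (the flaw is in how the web app redisplays input, not in the JavaScript object that happened to be used) is easiest to see in code. The following is an added example, not code from the original thread or from any project discussed in it; it assumes a hypothetical search page that echoes a "q" parameter back into the HTML, and the sample input is constructed for the demonstration.

```python
import html

# Constructed sample input: what an attacker-controlled query parameter might carry.
# Assumption (not from the original post): the app echoes a "q" search term back into the page.
TAINTED_INPUT = "<script>alert(1)</script>"


def render_unsafe(term: str) -> str:
    """The bug the comment describes: the input is redisplayed verbatim,
    so any markup inside it becomes live markup in the victim's browser."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """Hardened form: HTML-escape the value for the element-content context
    before redisplaying it. The browser now shows the text rather than running it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attr_safe(term: str) -> str:
    """Attribute context: quote=True also neutralises the quote characters
    that would otherwise let input break out of value="..."."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def payload_survives(rendered: str, payload: str) -> bool:
    """Crude review check: does the raw payload appear untouched in the rendered page?
    True means the output encoding step was skipped for that value."""
    return payload in rendered


if __name__ == "__main__":
    print("unsafe :", render_unsafe(TAINTED_INPUT))
    print("safe   :", render_safe(TAINTED_INPUT))
    print("attr   :", render_attr_safe('" onmouseover="x'))
```

The same fix applies regardless of whether the page is fetched by a full page load or by an asynchronous request: the encoding belongs at the point where untrusted data is written into a specific HTML context, which is why the comment is right to call this a web-app defect rather than an AJAX one.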
We spend way too much time bashing Microsoft and Windows. For all of their flaws (and I'll admit, there are quite a few), Microsoft has done a lot to advance personal computing. The combination of Microsoft's operating system and Intel's chips has consistently driven down the price of PC hardware to a point where many people that once could never think about affording a computer can now own one relatively easily.
Don't get me wrong. I love (and use) Linux. I think Macs are great. I understand Windows ain't perfect. But can we, just this once, look at one way that it has actually advanced and spread computing?
As much as I love (and use) mySQL, it's still not, nor will it likely ever be (never say never), an enterprise solution. Prove to me that mySQL is robust enough to be the backend service for a major bank's mortgage application, for example. It's simply not. As a previous poster already mentioned, mySQL has finally caught up to the base set of features that all major DBMSs had years ago. Now, after that rant, I will say this. mySQL is great at what it's designed to do. I use mySQL as the backend for personal websites and applications. It's (relatively) lightweight, simple, easy to administer, and, best of all, free as in beer (notwithstanding products purchased from mySQL AB). So before you get all huffy about what I said in the first paragraph, just remember that mySQL is great at what it's made for, it's just not made to be an enterprise solution.
...but am I the only one who still prefers pine?
I've never met anyone with a phone that has cut-down features either.
Try closing the open /. window and walking out of your house. You'd be amazed what you learn when you meet actual people.
Don't forget testing by the end user as well. If I get a new software patch for something mission critical to my company, I'm being irresponsible if I wait to patch my system. But I'm also irresponsible if I just throw it on there without testing. Let's say I'm a bank and I have a critical core application that runs on a device. Let's say I get a patch. I have to be 100% certain that this patch will not adversely affect the functionality of my system. Plus, I have to find an appropriate time to take it down - remember, this is a mission critical server. So ASAP doesn't always necessarily mean NOW, and smart people understand this. No matter what, we'll always be one step behind the hackers.
Ok, so if you disable RestrictAnonymous (set it to zero, as it is by default in 2k), the worm still won't be able to access the PnP service. What if you also modify the EveryoneIncludesAnonymous key included in those versions to set it to 1 (default is zero in XP SP2 and 2k3), so that NULL sessions have user access? Will the exploit work then?
Of course, any admin that did that is either seriously nuts or is really having some NT-2k3 compatibility issues...
When corporations see things happening that they don't like, they call the congressmen that they've bought and paid for and tell them to fix it.
How is this NEW to America?
Thank you for assuming that anyone reading that article is probably an idiot and would actually let it influence the way they vote. I'm sorry that I am not as smart as you and cannot just read the article because I find it interesting and still vote on a candidate because of his policies.
I am currently a junior at Rose-Hulman Institute of Technology. I was lucky enough to pick up a CS internship (paid, of course) the summer after my freshman year at a small internet company in Indianapolis. The job is really a great job, and being in the right place at the right time helped. I've been able to keep that job, so I am entering my 3rd summer there in June. I guess I was just lucky, and the job market was a lot better then. But, working hard helped me to keep that job, and I think that was more important.
Can anyone compare Mandrake 9.1 to RedHat 8.0? Any reason for me to switch? I have to completely re-install a system on one box, so it wouldn't be that big of a deal to switch. Is there a major advantage to using 9.1 instead of RedHat? The last Mandrake I used was 8.0, and I liked RedHat 8.0 better, for sure.