for an equation 1/x = y, y approaches infinity as x approaches 0.
No, y approaches infinity as x approaches 0 from above (x > 0). As x approaches 0 from below (x < 0), y approaches negative infinity. The two limits are not the same, in fact the closer you get the more they diverge.
That is why at x=0, y is undefined.
I'm left wondering if you think that simply because you are too young to understand what it means to base an opinion on experience
Look, an ad-hominem insult. Also, given slashdot's demographics, odds are I'm older than you. This is now officially offtopic and pointless.
I don't think I ever advocated gmail for all usage scenarios, you're right that it's not always acceptable because it's not under the user or user's organisation's control. You're also right that many applications do need to process arbitrary files.
However, there are a lot of options that you have not considered. Had you thought that an in-house server would be under the organisation's control? Or that an application running off a known intranet server could be granted higher permissions than those off random internet sites? Or that reading and writing files that the user has selected with a dialog is not the same as reading and writing arbitrary files (yes, .net does have a permission specifically for this). And finally, I don't think that I ever suggested that partial trust was appropriate for all applications. Some will be run with full trust.
Microsoft will poke a hole in their security model in order to satisfy (temporarily) their customers
It's ironic that it's your side of the argument that now relies on nothing but FUD.
This got modded up? Oh dear. Picking your sample that carefully (a group who all have the same bank balance and education) and then generalising wildly from it to a discussion that was originally about the whole world's population is generally known as a "straw man" argument.
Beware the erroneous implication -- that because wealth is concentrated, the people at the bottom are in worse shape than they were when wealth is not so concentrated.
So it's not proven true, does that make it necessarily erroneous? I think not.
Wrong. Zimbabwe is in no way an example of equitable wealth distribution. In fact it's a good example of kleptocrats run riot.
Look to Denmark and Sweden for examples of equitable wealth distribution. They are consistently rated as the most liveable in the world. Yes, better than the USA.
It doesn't stop you from achieving your goals, you have to work to get there and earn your way the same. ... gripe about how you deserve more money without doing anything to earn it.
Barbara Ehrenreich called bullshit on this attitude.
Oh look, a sane and rational comment! Yes, the .NET VM does have a fine-grained security model. In general though, if the remote code does not have a permission (e.g. general file access, or call out to non-VM code), then a prompt to the user is not going to give it.
That's a horrible analogy.
Not the best analogy, no. Here's a better one: If you go into a bank, you have access to the bank teller, and the bank teller has access to the cash drawer, but that doesn't mean that you have total access to the cash drawer. They vet and audit your requests, and limit the operations that you can perform.
I don't think that this architecture is in any way specific to .net, in fact I think you'll find it all over the place. If you have a problem with it, you have a problem with computers.
Isolated storage is actually a good example for this - the code that calls IsolatedStorage does not need permission to write to arbitrary files; and it doesn't, it writes to its own sandbox. On the caller's behalf, the code inside the IsolatedStorage classes can read and write any file, but it exposes a small subset of this to the caller. And does not tell the caller the complete path that it is using.
Look, all a would-be trojan writer has to do is cause the .NET virtual machine (which has all of the access of any other Win32 program) to make certain types of malformed GDI or window manager calls and arbitrary code execution can result.
I'm unconvinced that .net (or Java for that matter) has general flaws that will inevitably result in this. It's a long way from "Button aButton = new Button("hello"); " to "arbitrary code execution due to malformed window manager calls". Fixable bugs, potentially. But where's the general hole?
And why might I want to know old news that everyone knows? It's still not related to isolated storage.
By that logic, the IRS's main database is accessible to you since you pay taxes.
Version 3 of the runtime (not the class library that you have linked to) is still more than a year away. Sorry for not making that clear.
What on earth have buggy third-party graphics card drivers got to do with .net isolated storage?
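The mediation pattern that the isolated storage and bank teller comments above describe, as an added C# example that is not part of the original comments and is not how .NET implements IsolatedStorage. `SandboxStore`, its directory layout and the sample identity are hypothetical; the toy confines the caller through its API only, whereas under code access security the caller would also lack file permission of its own.

```csharp
using System;
using System.IO;
using System.Text;

// Toy "bank teller": code with broad file access that hands its caller only a
// confined subset of it and never reveals the real path. Hypothetical class.
// It does not defend against symbolic links placed inside the store.
public sealed class SandboxStore
{
    private readonly string root; // real location, never returned to the caller

    public SandboxStore(string callerIdentity)
    {
        if (string.IsNullOrEmpty(callerIdentity))
            throw new ArgumentException("caller identity required");
        // Hex-encode the identity so it cannot contain separators or "..".
        string dirName = BitConverter.ToString(Encoding.UTF8.GetBytes(callerIdentity)).Replace("-", "");
        string baseDir = Path.Combine(Path.GetTempPath(), "sandbox-demo"); // assumed layout
        root = Path.GetFullPath(Path.Combine(baseDir, dirName));
        Directory.CreateDirectory(root);
    }

    public void Write(string name, string text)
    {
        File.WriteAllText(Resolve(name), text);
    }

    public string Read(string name)
    {
        string full = Resolve(name);
        // Report the caller's own name, not the resolved path, on failure.
        if (!File.Exists(full)) throw new FileNotFoundException("no such entry", name);
        return File.ReadAllText(full);
    }

    // Vet the request: only relative names that stay inside this caller's root.
    private string Resolve(string name)
    {
        if (string.IsNullOrEmpty(name) || Path.IsPathRooted(name))
            throw new UnauthorizedAccessException("only relative names are accepted");
        string full = Path.GetFullPath(Path.Combine(root, name));
        string prefix = root + Path.DirectorySeparatorChar;
        if (!full.StartsWith(prefix, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("name escapes the store");
        return full;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SandboxStore("constructed-app-id"); // constructed sample identity
        store.Write("settings.txt", "theme=dark");
        Console.WriteLine(store.Read("settings.txt"));

        // Requests outside the caller's own store are refused, not prompted for.
        string[] outside = { Path.Combine("..", "other-app", "settings.txt"), Path.GetTempPath() };
        foreach (string name in outside)
        {
            try { store.Write(name, "x"); Console.WriteLine("allowed (unexpected)"); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("refused: " + e.Message); }
        }
    }
}
```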
Excuse the semantic ambiguity.
In version 1 and 2 the runtime and the class library were released in lockstep.
What you are referring to is version 3 of the class library (mostly Vista and workflow stuff), which came out last month.
What I was talking about was version 3 of the runtime, which is still more than a year away.
Does .net "off the internet" prevent COM or Win32 calls?
That is correct: It would require the UnmanagedCodePermission, which code in the Internet or Local Internet zone does not have. You know, if you can think of a hole in 5 minutes, the .net team might just have covered it in the last 5 or so years.
In my experience .net is just a poor copy of java.
Well, I prefer c# to Java, I found it to be an improved copy. But your mileage may vary.
Since you ask, 2.0 is stable now, and 3.0 is likely to arrive within 2 years, but not so to arrive likely within one. I don't know of any internet malware written in .net. For the obvious reasons that would have to first break the Virtual machine's security.
I've seen interesting ways to break the VM presented by Dinis Cruz, so I won't say it's impossible.
If in a few years "people are clicking once and getting pwned all the time" by .net code (it would have to do something like executing an escalation of privilege attack on its VM, or disable code access security checks) then I will agree that one of the following must be true:
1) That Microsoft would have been negligent in patching the bugs in their design.
2) That Microsoft would have been negligent in not setting default security levels high enough.
3) That the whole concept of running secure code from the internet is not workable.
In order to have a successful application, Microsoft will either have to disable that protection, or require users to store their documents on a remote server.
Wrong. I said "Arbitrary files" not "any files". Go look up "isolated storage" - it allows a partially trusted app to read and write files, while ensuring that the only app that it is capable of messing with is itself. And what's so bad about remote servers? It works for gmail.
This is yet more argument from ignorance.
Additionally, single click 'installs' will eliminate the 'code running off the internet' problem.
Wrong. Such code runs with partial trust, in the internet zone.
Please, know what you're saying before replying.
I'm ignoring mod points to reply to this. Do you know anything about code access security in .net? Can you tell me, for instance if .net code running off the internet has permission to read and write arbitrary files? Hint: starts with a "n".
We're not talking about "will get it right ... introducing some practically workable mechanism for allowing only trustworthy code", we're talking about a model laid out in .net 1.0 and refined in 2.0 about a year ago.
Do you in fact know anything about what you're talking about?
You can work against MS all you want, but blind ignorance won't help you do that. Know your enemy.
You make it sound like an intentional troll. As the original poster pointed out, before Peter Jackson's LotR trilogy, buying these options may have been high risk. They're certainly not a risky investment now.
In the case of The Hobbit ... such a movie is high risk
A prequel to a blockbuster is not exactly high-risk.
Wouldn't it be nice if linux came in only 2 or 3 flavors... if you owned one of those flavors?
I think you've found the genius of it: The problem for MS is that open source is so slippery. For instance, every time they turn around there's a new linux distribution, and they can become popular quickly - e.g. Ubuntu. If an open-source business goes under, its code assets are still out there for any hobbyist or business to improve.
But if there were only 2 or 3 legitimate flavours of Linux from large vendors, then those can be contained or attacked by conventional tactics. And the best thing is that the big Linux vendors won't object at first, since by going after their smaller competitors you're doing them a favour.
It's a vague and non-specific question.
You've mentioned some of the practices that can help: have source control, have a build server attached to it.
Look into why this is a good idea: it automates ad-hoc, lengthy and painful build processes. Why are you getting "changes uploaded to our website when they aren't ready"? Make it so that going via the check-in and automated build is the best way to do this.
Look into code review methods.
Get some of your co-workers interested in best practices, and in being agents of change themselves. Are the problems apparent to them, or are they happy with the status quo? Can they get on your side here? Remember what the wise man (Martin Fowler) said: "if you can't change Your Organization, change Your Organization."
You don't say what tools you are working with, but in the .net world, tools like fxCop and nCover can be used, even integrated into the build process. The build can be set to break if the quality or coverage criteria aren't met. There may be such tools for your environment.
In the Perl company hackers make technical choices
That's likely but not assured; small shops often revolve around one big ego. http://www.thedailywtf.com/ supplies a steady stream of examples. I'd ask questions that might turn up something in the interviews.
What you also need to watch out for is the possibility that in the small company, hackers make business choices too
ancient humans and Neanderthals decided to make love and not war
Try rape. It's both!
Seriously. This wasn't exactly uncommon thousands of years ago. From the Old Testament, Numbers 31:
7 And they warred against Midian, as the LORD commanded Moses; and they slew every male.
8 And they slew the kings of Midian with the rest of their slain: Evi, and Rekem, and Zur, and Hur, and Reba, the five kings of Midian; Balaam also the son of Beor they slew with the sword.
9 And the children of Israel took captive the women of Midian and their little ones;
have always felt that the blending of the two humanoid Races is what created modern humans
1) Theories based on feelings are a hallmark of a crank. Spelling random words in capitals because they are important (and poorly defined) is another.
far more valued then raw intelligents.
Being able to spell "more valued than raw intelligence" wouldn't hurt either.
For the first false assumption: I doubt that any offspring of human/neanderthal -- if such offspring was possible at all -- would have been able to reproduce.
Are you an expert on neanderthal genetics, or are you just guessing? It's not totally unknown for there to be viable hybrids. Look up "bengal cat" or "savannah cat" some time for examples.