You hit the nail on the head regarding the source of my rant. The article is just cashing in on the craze and adds nothing of value to the broader subject of web app security as it applies to all of the non-AJAX world. The cashing-in idea reminds me of when I was a kid growing up in the 70's. When roller skating was popular all of these shows threw skating rink scenes into their episodes for no apparent reason just to cash in. Disco dancing is obviously another sad, sad example too. Someone please mod me offtopic now :-)
I am growing sick of the hype surrounding the AJAX bandwagon. It reminds me of the mid 1990's when the advent of Java had folks proclaiming how web-based applications would be the preferred way of creating new applications across the board. Yeah, right. In short, web-based apps have their purpose and can be effective. But they aren't the savior of mankind, and the AJAX delivery method has been around for years now. We didn't use crudely fashioned stone tools then either.
And no, I'm not a hater. I personally count Ruby amongst my programming languages of choice and I have written a couple of Rails applications that my company currently has in production. But the AJAX hype is getting tired.
I frequently connect to Freenode for IRC'ing and automatically join several programming channels (#zaurus, #squeak, #ruby, #python, #scheme, etc.) and I check out the #openembedded channel as well. Not sure if the number of channel users is a fair metric of an offering's popularity, but typically the #openembedded channel only has three users listed.
I personally have dabbled in developing on Embedded Linux PDAs and enjoyed it. But it seems as if the hardware vendors out there (at least based on what's available in the U.S.) aren't leaning toward Embedded Linux as the platform of choice. A shame, because it has so many available packages to make the hardware shine. Embedded Linux PDAs can function as anything you can imagine: Samba client/server, FTP client/server, VNC client/server, SSH client/server, DB client/server, HTTP client/server, telnet client/server, etc. The Windows Mobile PDAs I have played with don't have nearly that toolset available that I could tell. At least not for free :-)
At my workplace sometimes folks bring in their home PCs for me to clean off on my lunch break. A quick job pays a 6-pack of Mickey's. A longer job pays a 6-pack of Guinness. From those cleanup jobs I can vouch that the typical home user with an always-on DSL/cable Internet connection is in a world of hurt. I try to show folks how to Ghost their hard drive onto a DVD-R so that they can restore their system to a usable state rather than search through the haystack for all of the malware needles.
For example, the most recent cleanup I did entailed a laptop that had no antivirus software running on it. They did have a bundled AOL anti-spyware app installed, but as far as I could tell it had never been run. I installed Avast! and Ad-aware from CD and ran full scans on the system. The result was over 300 virus and over 3,000 malware captures. Amazing that the computer could even launch an initial Windows Explorer session at all.
If things continue their downward spiral (i.e. Microsoft dominance, widespread Internet exploits, monetary incentive for malware deployment, and foreign governments turning a deaf ear on abuse reports) I would require that anyone with a Windows-based Internet-exposed PC earn an operator license. Much like someone would have to do to operate an automobile, motorcycle, ham radio, etc. This would include mandatory security training. And for God's sake, a brief explanation of imaging and recovering their hard drive in case they get hit with something later.
Seriously though, this scenario isn't viable. But perhaps virtualization technology offers a safe haven. Folks could just reboot their virtual image if they get slammed with something and get back to square one. Until the malware authors get one step ahead of that, at least there would be some breathing room...
I can feel your pain. In terms of rolling out updated software releases I always thought that was the beauty of web applications. Rather than having to touch 700 workstations over 300 miles aren't the updates applied on the server(s) in a centralized manner? Maybe that's a simplified mindset on my part, I don't know...
Annoying, yes. Chaotic, no. It's kind of like if someone had their IE security settings set to prompt them before running Active Scripting. They would be clicking multiple times per website visit for sure.
From TFA: "However, sources tell eWEEK that the situation could be chaotic when the IE patch ships as an automatic update to users of IE 6 on Windows XP SP2 and Windows Server 2003."
Each page a user visits will require them to click a button to activate the underlying ActiveX control. Wow. BFD. And that is just for those websites that haven't updated their content by June. Chaotic? Far from it.
I think the reason behind this is that Python seems geared toward Win32 implementations. Installing extension libraries and interfacing with the Win32 API is built into the Python environment. But Ruby seems to still be heavily rooted in Linux/GCC. There are many Ruby extension libraries that won't install on Win32/MSVC, and not many people in the community complain. Perhaps it's because there are some unsaid beliefs amongst the core development team that Windows isn't an ideal target? Not sure; perhaps it is my own paranoia and frustration, since I prefer Ruby over other languages but fitting everything into my Win32 requirements isn't the smoothest proposition...
Reminds me of back around 1997 or so when Microsoft released Windows NT 4.0 Server Service Pack 6. It was released and my company was one of the many larger ones to roll it out ASAP. Without proper testing we were bitten in the ass big time. This Service Pack broke TCP/IP. Hence Microsoft releasing Windows NT 4.0 Server Service Pack 6a. You would think that someone in the Ivory Towers of Redmond would have noticed it broke TCP/IP :-)
I personally haven't run into anything in Ruby that would pull this off, although I think that Python offers such things. The languages aren't that far removed from one another. If you are into dabbling I would check out Python too...
Re:Javascript is insecure - AJAX is security hole (on Ruby On Rails Goes 1.1, Score: 1)
We're not talking about you (i.e. the context of a web applications developer). We are talking about the general public using a website containing AJAX-delivered applications. And, hate it as you might, the majority of website visitors are still using Internet Explorer. And proposing a patch for the Javascript hole in IE is the point of my post...
There are tools for making Ruby into self-extracting executables --> http://www.erikveen.dds.nl/rubyscript2exe/index.html. But a true compiled solution will likely be bundled with Ruby 2.0. It should include a VM --> http://www.atdot.net/yarv/. As for GUI apps, there are extension libraries for Tk, Qt, Fox, WxWindows, GTK, etc.
Re:Javascript is insecure - AJAX is security hole (on Ruby On Rails Goes 1.1, Score: 5, Informative)
Ever heard of using the Trusted Sites list in Internet Explorer? Seems to work for me for per-site permissions.
For now Windows-based implementations are a "piece of cake." But in time Mac OS X will be as well. This RoR project is still relatively young so I think the hype is moving forward faster than the underlying technology. Nevertheless a good thing to investigate...
I meant 30 minutes for the initial setup of a clean box, with all of the Windows Updates. The ghosting process takes longer, granted. Setting up 5 new Dell PCs from an initial image probably takes about 3-4 hours total for all 5 to be rolled out.
From the sounds of your other post Mac OS X does have lots of remote admin and software deployment tools to make an admin's job a lot easier and more efficient. I wasn't aware of them, but it does likely put it above and beyond where Windows XP currently stands (by the way SMS also stands for Systems Management Server, a legacy Microsoft app for remotely admining a Windows network).
As for the Windows software updates, I don't have workstations set up for Automatic Updates since then things are out of my hands. I disabled that service and deploy applications using logon scripts that combine KixTart and a poor man's InstallShield called Little Setup Builder. Just whip up a Ruby or Python script for parsing all of the installation log files and I instantly know how successful the software push was.
I base this assessment on the undeniable fact that any other solution is less complex, requires less hands on f-ing with the machine to get it set up
Dude, have you ever heard of Norton Ghost? Like I said, hardware/software standardization should be a given for any company serious about its technology. For me I order, say, 5 new Dell PCs. It takes maybe 30 minutes to get one set up. And most of that time is all of the Windows Updates automatically downloading and installing themselves. Then I Ghost that machine onto a disc and then pop the disc into the other new Dells. Not the most time-consuming routine for sure. Then if one of those Dells gets garbage software installed on it from an end user, guess what? Pop in the original Ghost CD, lather, rinse, and repeat.
In my 10+ years of IT work I have perhaps set up 1,000 workstations. Most of them Windows. And I can tell you from experience (not just bias) that Windows workstations aren't the worst or hardest to set up and support. Try installing one of the old Linux distributions from the mid 1990's with all of the countless text-based steps. Or try installing DEC OpenVMS on an old VAX box. Or try installing Solaris 7 on an old Sun box. I will grant you that it's easier to turn on Mac OS X and go through the handful of setup options. I have done so perhaps 20 times now for different folks and it's a breeze. But Windows XP isn't that far removed comparatively.
How do you remotely support Mac OS X workstations? Do you run a VNC client, pcANYWHERE, etc.? How do you remotely deploy software installations? Windows has had SMS for over 10 years, and now it must exist as some other three-letter acronym undoubtedly. I'm not sure what remote software deployment package exists for Mac OS X. How would you apply a Mac OS X patch to remote workstations? Just curious.
I have administered Mac workstations since 1995, back when I had departments of graphic designers using Quadras. I have also administered Linux workstations since 1997. But those Linux users were more computer literate and I didn't have to worry so much about all of the remote support and software deployment tools. I did for the Mac users, however, and it involved hands-on work for sure. Maybe I was oblivious to remote admin tools that might have existed.
The questions are genuine regarding remote support and software deployment tools. If they exist for Mac OS X then that's a great step toward bridging the gap. Hell, just using a Windows network login script utility like KixTart can make administering things a lot easier.
And I respectfully disagree. At my workplace I admin about 65 Dell workstations (Win2K/XP) and don't run into situations where Windows "will periodically break itself with use." Perhaps the temp folder or temporary internet files folder will need to be cleaned out, but in a corporate environment with hardware and software standardization administering these boxes is far from a nightmare. The worst I have to deal with is periodic hardware failure due to some poor Dell QC.
I will admit that the Mac OS X user interface is more intuitive, less cluttered, and more friendly than Windows XP. That makes the users feel more comfortable on a Mac. Plus they don't feel like they're fighting the system to get things done if they aren't extremely PC literate to begin with. Most people aesthetically prefer the Mac OS X look and feel over Windows XP, although Microsoft made some strides compared to Windows 98 and 2000 in those areas.
But as for the admin functions as long as there are firewalls, AV, anti-spyware, etc. measures in place administering a Windows network isn't the end of the world.
I second that motion. A lot of the time I will choose my software solutions based on the user community that backs them. For example, it's obvious from reading a few newsgroup postings that there is a difference between, say, a Java programmers' group and a Ruby one. In terms of friendliness, arrogance, etc. Same with OpenBSD compared to one of the other BSDs. Makes a difference for sure...
I haven't looked at MySQL in a couple of years, but the last time I checked they didn't have row-level locking, triggers, stored procedures, subselect ability, etc. There were so many gotchas at that time there was no way I would have implemented it for anything other than processing really basic select statement lookups.
'I want the people responsible for those features in my office early next week'
I recall maybe 8-9 years ago at my large former employer. There were some screw-ups going on coming from an IT subdepartment at corporate headquarters. After trying in vain to work around things on my end I finally picked up the phone and called up the person in charge. Before I could launch into my tirade the person said, "I'm in charge, but I'm not responsible." Reminds me of what will happen Monday morning amidst the chair-littered corridors of Redmond. Lots of finger pointing and ducking...
Don't forget about "another crippling bombshell has hit the..."
...for Netcraft to weigh in on this one :-)
Other than commercial support, is there any reason to choose a Cadillac over a Yugo?
ROFLMAO!!!!
Let's all give them GMail invites. Oh wait, I guess that wouldn't be good for top secret clearance data. Oh well...