Slashdot Mirror


User: Myen

Myen's activity in the archive.

Stories
0
Comments
365

Comments · 365

  1. Re:I like Python on What Programming Language For Linux Development? · · Score: 1

    Huh, I find that tutorial-as-documentation to be horrid (I don't want to do it in those steps, and it's a giant pain in the ass to look up any syntax). The standard library, though, does have excellent documentation in the same place. But that's not the syntax.

  2. Re:free: Avast. pay: Kaspersky on Reliable, Free Anti-Virus Software? · · Score: 1

    Kaspersky has had a very shaky reputation in the last couple years due to the data they were stuffing into the NTFS file system to help "speed up" their scanning performance.

    I looked it up (horse's mouth, plus random Google searches to corroborate). It seems to just be using NTFS streams to put a hash down that gets attached to the file to mark it as having been scanned. That seems totally legit to me (it's a documented NTFS thing, you can create your own via the command prompt). I assume it's only useful for the background scan stuff, since any malware can duplicate their signature...

    I'm sure their software has actual bad points (everybody has some), but at least don't use invalid ones?

  3. Re:Windows. on Practical Reasons To Choose Git Or Subversion? · · Score: 1

    Yep, especially if you want to use git-svn - using MsysGit (which, as of the last time I installed it, uses an md5 implementation that's non-native), it was less painful to host my git-svn bridge repo on a VM.

    (FWIW, hg was also pretty damned slow on my workloads. And the staging area in git plus better GUI tools has made git the better choice for me.)

  4. Re:How compliant? on Only 4.13% of the Web Is Standards-Compliant · · Score: 1

    For example, I never close paragraph and line break tags, but otherwise my html is compliant.

    Yes you do. If you didn't close them, your pages wouldn't work in any browser.

    http://www.w3.org/TR/REC-html40/struct/text.html#h-9.3.1

    <p> has an optional end tag in HTML 4.0. And <br> is forbidden to have an end tag. Sounds like that's perfectly valid to me!

    Being standards-compliant is fun when your standard is so confusing!

  5. Re:Ideas are cheap on Getting an Independent Project Started? · · Score: 1

    It doesn't matter if you do it well; if you just do it in some way, that itself is a great tool for attracting attention. It's not like the first implementation is likely to be perfect anyway, might as well throw time figuring out the kinks.

    This assumes you only care that the software gets done, not that you own it (inferring from the Sourceforge thing). If you actually want to have control over the project, then, yes, you need to go hire people and hope you hired right - and with that level of commitment it's more of a start-up.

  6. Re:no it does. on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    1. create your own CA and tell your customers to import the CA by clicking here (before putting them in ssl mode). It's really not much trouble to set up your own CA.

    So, umm, transmitting the cert via encrypted HTTP is safer than trusting a self-signed cert, why? The attacker would just need to clobber that connection instead.

  7. Re:JavaScript on Miguel De Icaza On Mono, Moonlight, and Gnome · · Score: 1

    Umm, isn't Flash JavaScript (err, ECMAScript variant) anyway? No matter how much Flash manages to beat JS, it'd still be there; see Tamarin (Adobe working on a JS engine with Mozilla).

  8. Re:I thought only Windows did this: on A Photo That Can Steal Your Online Credentials? · · Score: 1

    It's not IE, it's the Java plugin (which, umm, MS doesn't even make anymore). It's just a normal cross-origin vulnerability.

    (Umm, this is my best guess, but I believe it makes sense and not surprising.)

    GIF files have a header (GIF89a and all). JAR (PKZIP) files have a footer (central directory, i.e. the TOC). When the attacker uploads the file, the server sees the GIF (/PNG/JPEG/BMP/...) header and accepts it as an image. Anybody going to the server's page would have their browser attempt to load the file as an image (and possibly succeed, if the attacker wanted it).

    The Java plugin would be invoked by a page on a completely separate server (that the attacker controls), with an <object> / <applet> tag. The plugin would load from the attacked server (e.g. facebook), and therefore for origin checking purposes it belongs to the attacked server.

    It's like this old IOCCC entry which happens to be a shell script, a makefile, and C source all at the same time.

    People have been doing similar things as weak steganography already - posting images which have been concatenated with archives (rar, zip) that show as images in the browser, but the archivers would search through the whole file for something to extract.

  9. Re:trac on Best Integrated Issue-Tracker For Subversion? · · Score: 3, Interesting

    Bugzilla's demo site is http://landfill.bugzilla.org/ - go ahead and file junk bugs there, nobody would care.

  10. Re:Damn graphic artists... on Vector Graphics Lead Wish List For Future Browsers · · Score: 1

    Completely irrelevant, but thought it was annoying...

    uneval() output (from Firefox 3 at least) isn't, strictly speaking, JSON. It hasn't got quotes around the names.

    Only sayin' because my old uneval output can't be used for the new JSON based replacement :(

  11. Re:Or perhaps... on Linux Needs More Haters · · Score: 1

    Or that bug report can just get filed with no patch, and nobody looks at it for a few years, until at some point somebody does go fix it completely independently of the report.

    Or the reporter did manage to get things to build, make the fix, file the report with a patch, and... still completely no response. Has happened to me (I don't particularly blame them, I know how intractable bugzilla can be).

    The only reliable way seems to be to spend months on an appropriate IRC channel, eventually figure out who to poke, and do that. Hardly a useful option.

  12. Re:Old Firefox usage on Firefox Users Stay Ahead On the Update Curve · · Score: 1

  13. Re:I turned it off on AVG Fakes User Agent, Floods the Internet · · Score: 1

    Have you read their EULA? I wanted to upgrade from AVG 7, but read the EULA (which involved randomly looking around their website, because the installer just said it's on there somewhere!) and it's basically a WTFPL license, except it's licensing any and all of your data, to them.

  14. Re:nothing new here on Google To Host Ajax Libraries · · Score: 1

    No, you weren't supposed to actually use those DTDs - they should have come with the app. It's just got a URL to be a unique string, and actually exists as a service so you know where to copy the file from, not to be downloaded every time your app runs.

    A better analogy is.. AOL and dojo.

  15. Re:Oddly enough... on Gaining System-Level Access To Vista · · Score: 1

    Umm, that just means they end up not running elevated. It's not like they magically gained privileges without the UAC prompt.

    They have a crappy algorithm for guessing what files need the UAC prompt, because there's no other information; they can't tell if a setup app needs the privileges, and they went in favour of backward compatibility. What I do hate is the lack of "don't elevate" option, though...

  16. Re:Do not do this on Let Older Add-Ons Work With Firefox 3.0 · · Score: 1

    Umm, yeah... Gecko doesn't do (MS) COM. It's an NPAPI (as in, old Netscape plugin, np*.dll) plugin to Gecko, which hosts the Trident COM control.

  17. Re:A bit less strict disabling rules, please on Let Older Add-Ons Work With Firefox 3.0 · · Score: 1

    Actually, for Firefox 3 you want Firebug 1.2 (not done yet).

  18. Re:Is this a good idea? on Let Older Add-Ons Work With Firefox 3.0 · · Score: 1

    Yes. Minus the bit where it keeps breaking because... well, the browser isn't done yet. Playing perpetual catch-up instead of doing stuff that's actually fun gets boring pretty fast. (RC1 should be close enough to release, though.)

  19. Re:Do not do this on Let Older Add-Ons Work With Firefox 3.0 · · Score: 2, Informative

    It's an NPAPI plugin with XPCOM interfaces to expose it to the UI. That is, it's tied to both sets of APIs. Notice how the back button actually seems to work?

  20. Re:Why are we trying to promote python? on F/OSS Flat-File Database? · · Score: 1

    And 2, actually. That phishing protection thing? :)

  21. Re:Do not do this on Let Older Add-Ons Work With Firefox 3.0 · · Score: 5, Interesting

    If I remember correctly, one of the top crashes for Firefox 3 betas was... people who force-enabled Google Toolbar.

    Yes, top crash.

    This preference is generally not useful unless you know how to deal with the fallout (including figuring out what problems are due to extensions and which ones are not, and possibly fixing things locally).

  22. Re:2 issues with FF3 on Firefox 3 RC1 Out Now · · Score: 1

    (Also RC1 killed compatibility with 'tabs menu' which is a brilliant little tool, it gives you 'tabs' up the top - much like 'windows' so you can change to whichever tab you like quickly)

    There's now a small button on the right end of the tab strip that gives a list of open tabs, built-in. Maybe that will replace tabs menu :) It only shows tabs in that window, though.

  23. Re:AntiTrust concerns? on Vista SP1 Is Even Less Compatible · · Score: 2, Insightful

    Hmm? No, it's not Microsoft's responsibility to work around bugs in apps; it's a service they're doing for their customers (the people with their new OS who want to use old software). I view it as a best-effort thing.

    Not having to do something doesn't mean you shouldn't, sometimes. Sometimes, of course, you just shouldn't :p

  24. Re:AntiTrust concerns? on Vista SP1 Is Even Less Compatible · · Score: 5, Insightful

    MS should try, yes, but sometimes the existing software just has bugs (i.e. violates what the API says you should do). It previously worked if the OS had matching bugs that made it work.

    Kinda like how people who write web pages by testing with IE and seeing it broken in Firefox etc. because the app they tested with wasn't quite obeying the standards, really...

  25. Re:Java == Jobs on Professors Slam Java As "Damaging" To Students · · Score: 1

    GP is talking, I think, about VB (and related things). IIRC, True in VB (err, 4~6; never touched VB.net, dunno what that does) is -1, so that True is Not False. Yeah, there's only a bitwise Not and there's no boolean version. Makes interacting with C-oriented APIs (e.g. Win32) fun.

    Of course, I may be remembering things wrong, it's been a few years.

    Yes, the part about 1 being -1 is totally bunk.