It's all fun and games until the people salivating at this over the perceived "defeat" for the eevil Microsoft realize that they've just traded one problem for another.
It doesn't matter how well designed the authentication system is if the attacker is a valid user.
If your application can be attacked by a "valid user" then you might as well not have any security at all. This has nothing to do with what tier the authentication or authorization takes place in, or how the request is issued from the client.
Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.
Well yes, but usually you're doing cookie-based authentication, which flows with out-of-band requests as well. So it's no different than a normal POST operation. Ajax is not particularly less or more secure, unless you have an insecure app to begin with.
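The point made in the two comments above (the server cannot rely on how a request was issued, and a logged-in user can replay whatever URL and parameters the JS sends) as an added Python example, not code from any poster in the thread. The session store, the notes table, the request shape and the handler names are all constructed for illustration; the only thing that differs between the two handlers is where the "owner" comes from.

```python
"""Server-side authorization for an AJAX update endpoint (added example).

Two versions of the same "update note" handler: one trusts an owner field
the client sends in the JSON body, the other derives identity from the
session cookie and checks ownership against the stored record.
"""
import copy
import json
from dataclasses import dataclass

# Constructed sample data: session cookie -> authenticated user id.
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}

# Constructed sample table: note id -> record.
NOTES = {
    1: {"owner": "alice", "body": "alice's draft"},
    2: {"owner": "bob", "body": "bob's draft"},
}


@dataclass
class Request:
    cookie: str  # session cookie; the browser attaches it to XHR too
    body: str    # JSON payload exactly as the page's JS would send it


def authenticate(req):
    """Map the session cookie to a user; both handlers do this correctly."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        raise PermissionError("not logged in")
    return user


def update_note_vulnerable(req, notes):
    """Authenticates, then trusts 'owner' from the client-supplied body."""
    authenticate(req)
    data = json.loads(req.body)
    note = notes[data["note_id"]]
    # BUG: the ownership check compares against a value the client chose,
    # so anyone who read the JS can send owner="alice" and pass it.
    if note["owner"] != data["owner"]:
        return 403
    note["body"] = data["body"]
    return 200


def update_note_hardened(req, notes):
    """Identity comes from the session; ownership is checked against the DB."""
    user = authenticate(req)
    data = json.loads(req.body)
    note = notes.get(data["note_id"])
    # Same answer for a missing record and a foreign one: no enumeration hint.
    if note is None or note["owner"] != user:
        return 403
    note["body"] = str(data["body"])
    return 200


def bob_edits_alices_note(handler):
    """A valid user (bob) replays the JS's request against alice's note."""
    notes = copy.deepcopy(NOTES)
    req = Request(
        cookie="cookie-bob",
        body=json.dumps({"note_id": 1, "owner": "alice", "body": "pwned"}),
    )
    return handler(req, notes)


def alice_edits_own_note(handler):
    """The legitimate case still has to work after hardening."""
    notes = copy.deepcopy(NOTES)
    req = Request(
        cookie="cookie-alice",
        body=json.dumps({"note_id": 1, "owner": "alice", "body": "edited"}),
    )
    return handler(req, notes)


if __name__ == "__main__":
    print("vulnerable, bob -> alice's note:", bob_edits_alices_note(update_note_vulnerable))
    print("hardened,   bob -> alice's note:", bob_edits_alices_note(update_note_hardened))
    print("hardened,   alice -> own note:  ", alice_edits_own_note(update_note_hardened))
```

Nothing about the transport changes between the two runs; the cookie-based login is identical and valid in both. The difference is only that the hardened handler takes the principal from the session and the ownership fact from the database, so the parameters visible in the JS give the caller no extra authority.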
[disclaimer]I'm not an Amazon fanboy...[/disclaimer]
I'm not either, but I completely agree. I saw one a few days ago and it's really amazing. Much better than I expected, and I never even used the previous model. I was kind of jaded after all the hype but I have to say I was very impressed. The DRM might be another issue, but the device is really good. I guess it's a bit like the iPod or iPhone. Amazing devices, crappy service and draconian app store policies, DRM, etc. Yet people use them.
No you wouldn't. Not for something like this. You wouldn't even need to post bail. No imprisonment involved in an inherently non-criminal case. Again, the system works.
You wouldn't be incarcerated for something like this. Another indication that the system is better.
As to the expense, yes, you do have a point. There are ways to get around that, but it is a problem. I don't think it stops many people from speaking out though.
You have a point, but the important thing is that it would never be allowed to stand, which means the blogger would never see the inside of a jail cell. The system might not be ideal, but it works.
But anyway, to echo some of the comments above, good luck with this at the corporate level. People who organize these things are usually completely ignorant about how companies deploy and upgrade the browser.
Having said that, I hope IE6 does die off. It will take a looong time though, unfortunately.
Once all those Windows users start migrating to Linux because it's safer, do you think they'll suddenly be infused with large doses of simple common sense? apt-get install effin-common-sense-0.2.3 or something like that? =)
It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it. I don't even need root access. More sophisticated? Fine, how about I do the same thing but use, say, Python and a simple wxWidgets UI to ask for your root password? You know, because I need it to "update your system". Chances are good you have all that installed on your system if you use the average distro.
Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS. I don't need to code an ELF binary in x86 assembler to do damage, and no one writes destructive viruses anymore. Neither you nor your data are the target. The commodity being sought here is your machine and its network connection.
Yes, and this is really the main valid argument against technological monocultures. Stupid people (sorry, inexperienced people) running [Another OS/Another Browser] will do the same stupid (sorry, inexperienced) things they do now. But as long as there isn't a browser gobbling up 90% of the installed user base, the number of available targets is substantially reduced. The black hats rely on the sheer weight of numbers to succeed, and let's face it, exploits are written for profit now, not to prove something or because it's cool. Shrink the target pool and you'll minimize the amount of damage done to the targets and everyone sharing the same tubes.
As an architect I tend to see databases as fancy storage systems, and in general they annoy me. I love object databases and distributed key-value pair store mechanisms. But even as jaded as I am I can see that the RDBMS isn't going anywhere any time soon. There are a lot of things that alternative storage systems simply cannot do well.
As for the Google argument (i.e., "but Google does it and it works"), I've heard it a few times in meetings where a bright-eyed company executive is trying to make a case for their use. My response is usually "yeah, all you need now is to hire people like the ones that work at Google", at which point the argument is usually dropped. Making applications work with storage systems like that takes an engineering mindset that's simply different than the talent at the average Fortune 500. RDBMSs are pretty good at masking crappy development practices.
Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers.
True for Win9x (and their predecessors). Not so for NT.
Yeah, this is way old. Except that Slashdot's search function doesn't seem to return an article on the release, so I guess you can't call it a dupe. OTOH you kind of wonder why a site like Slashdot would not publish that news to begin with. Since it's impossible to know if someone submitted it last year, we'll never know.
However, like Netscape, Microsoft rested on its laurels and IE became a bloated mess.
I wouldn't characterize IE6 as bloated, just stagnated and requiring undue amounts of caution, security-wise.
I think the problem with IE is that once Netscape died (and I do believe they died because they sucked, not because Microsoft did evil anti-competitive things to them), Microsoft simply rested on their laurels and decided they could dictate the state of web standards because they had 95% market share.
Along comes Firefox, and suddenly you have Microsoft all worried about producing a viable browser again instead of just patching the old crap indefinitely. Without Firefox that would have never happened.
That's why I think Firefox is valuable. Not necessarily as a better browser (which it is anyway), but as disruptive of the status quo. My puny donations and recommendations to friends and family to use it cannot begin to repay the Mozilla Foundation for that.
I can't believe that people working at Firefox could have missed these issues and suspect PCPro of selectively quoting people to deliver a M$-friendly message.... That Mozilla would be accused of anti-trust practices like M$ is pure FUD.
More like the Mozilla folks are lacking some strategic business sense and they made a statement that is either wrong or could be construed as such.
That wouldn't surprise me one bit, but then the Mozilla Foundation is not exactly a business powerhouse. They're bound to make mistakes like these. No need to go berserk with the "M$ IS TEH GHEY" routine. No one is dumb enough to believe that you can make a monopoly with free software.
At MIT, they give the test to the professors and the award to the machines. Yeeeaaahhh
In North Korea, the government waives them for you.
(sorry, couldn't resist)
The "goddess" part of course defeats the whole damn point.
Screw that, I want wireless. Put some WiFi on that thing and I'll buy five with fries on the side.
I can read that campaign page with IE6.
Nope, sorry. Not even close. Maybe you've been reading Slashdot a bit too much?
This is because they can't compete with Firefox, not IE. Which makes this "partnership" all the more ironic.
They're already out shilling for fun and profit. Expect a few more to jump in shortly.
Malware = stupidity (or more gently, lack of common sense).
Reminds me of a recent xkcd.
Look up the term market segmentation.