other browser vendors cannot hope to pay the patent licensing fees that Eolas will charge them. Additionally, it will be difficult for other browser vendors to change their software as quickly
If I understand this correctly, the change affects ActiveX. To my knowledge, (almost?) all alternative browsers based on different engines (Firefox, Netscape, Opera, Konqueror, Safari, etc.) do not support ActiveX at all. If you're talking about MSIE-based browsers, like Maxthon, I imagine the changes will be immediately available to them.
Does this story affect any other browser element besides ActiveX? I'm not familiar with the Eolas case.
"Uncle Scrooge's fortune stands at precisely... Five billion quintiplitilion unptuplatillion multuplatillion impossibidillion fantasticatrillion dollars. This translates into three cubic acres of money housed in the McDuck Money Bin." - Carl Barks 1994
You give a very clear description of the problem. I understand that you are not bashing Google.
And yet, someone modded me flamebait! At least some people pay attention.
To rebut that argument, one could argue that when some other hypothetical exploit comes along (and there have been some in the past) that allows www.badguy.com to execute arbitrary code, that then www.badguy.com could still exploit Google's program. Should Google have to design to guard against any hypothetical vulnerability in Microsoft's browser?
No, but it shouldn't make things easy either. For example, GDS could store indexes in encrypted files, use a small custom client to access the data and ensure that only users running interactively are able to access this client. Wouldn't things become much more difficult for the attacker? Security is all about good design, trust and compromises. If, for example, we trusted all software on our PC we wouldn't use firewalls. Since we don't, we sacrifice some usability by restricting our own software; this is good design.
Another rebuttal to that argument is that designing a program's user interface as a local web server is not an unreasonable design. GDS is not the first or only program to do this. I've seen several programs that offer a user interface via a locally served web page. So all of those programs should be similarly blamed for the damage caused by www.badguy.com?
As another user noted, it is common nowadays to pass everything through the browser since IT admins allow nothing to be installed on users' machines. But the fact that many people do it doesn't make it a good, secure choice. A lot of people use Windows nowadays, browse using IE with ActiveX enabled, open every mail attachment they receive and store their password on a post-it on their monitor. Is any of the above a good choice?
And then it also depends a lot on what the software does. Using a browser for a calendar application is one thing, but indexing all local files? It starts to become risky.
Btw, it makes much more sense now why Google is sponsoring Firefox through its referrals system. Depending on your competitor's software (and especially one known to be insecure) for your security is dangerous. Microsoft could very well delay this fix (and I expect them to delay it), hurting Google much more than themselves. I wouldn't be surprised if GDS starts shipping with Firefox integrated sometime soon.
Since it's IE requesting the file, wouldn't "file:///c:/stealme/creditcrd.txt" work just as well?
Good point. I cannot answer; it would be a very good question for the author of the exploit. Maybe it would work, maybe "file://" URLs are treated differently by browsers for security reasons. But, of course, GDS makes things way too easy by allowing badguy.com to actually search for "password" in local files. Knowing the filename "stealme/creditcrd.txt" or opening thousands of files to search for a keyword is far more difficult.
Anyway, as I said, I don't think it's really Google's fault; I simply stated that it has some responsibility and that we shouldn't give right to them because GoogleIsNotEvil (TM).
Btw, the question about "file:///" URLs is very interesting. Could anyone inform us about the way these URLs are treated by Firefox? On the one hand they are practical. However, IMHO, it would be a good idea to disallow ANY DOM access to these URLs whatsoever. It would be rather strange for a script to require access to such a URL.
The answer is not so simple. Sit down for a second and think.
The flaw allows a malicious web page to open a window with a different web page and read information from there. So a script in 'www.badguy.com' can read data from 'www.goodguy.com'. Now, how bad is it up to here? Pretty bad, but not catastrophic. badguy.com could open, say, mail.yahoo.com, and provided you have a Yahoo mail account and you log in, it could read some of your mails. Is there a chance of reading private info? Yes. Is there a chance of reading a file on your disk? NO! badguy.com can't read a file on your disk using Yahoo mail. And given the fact that really critical data are stored on the local disk, not in webmail accounts, the danger is limited.
Now imagine there exists a web site containing all your private local files! This is exactly what Google Desktop Search is! GDS creates a local web server at port 4664, bound only to 127.0.0.1 to avoid remote access. It is a web site accessible only from your PC, and Google takes a lot of measures to ensure that. But the script at badguy.com runs on your PC, and using the exploit it can access this personal web site. Now how bad is the situation? Catastrophic. All indexed data, pretty much your whole hard disk, are accessible to badguy.com.
Of course this wouldn't happen if there was no IE flaw. But who put all your data on a (local) web server? Google Desktop Search. IMHO, the problem is once again the tight integration of a browser with the rest of the system. If Google used a custom client to query the local index instead of the browser, this wouldn't happen. It would require a flaw that allows remote code execution, and these flaws are rarer and more difficult to exploit (ok, in the case of MSIE it's everyday routine, I agree). This exploit is a piece of cake, because local data are promptly served by GDS.
Just to make things clear, I don't really blame Google for this. But to achieve good security you need good software design and integrating a browser with everything is not a good idea. Google made a decision on that so it has some responsibility.
And then public opinion is a totally different subject. I totally understand someone who loses their credit card number and blames Google for indexing this number and making it accessible to badguy.com. If Amazon stores your credit card number in an Oracle database and the number gets stolen because of an Oracle flaw, will you blame Oracle or Amazon?
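The design point in the comment above, as an added example that is not code from the thread or from Google Desktop Search: a service bound to 127.0.0.1:4664 keeps remote hosts out, but not a script that is already running inside the user's browser, so a local index front end should also demand a secret that such a script cannot obtain. Port 4664 and the loopback binding are taken from the comment; the per-session token scheme, the handler class and every name below are assumptions made here for illustration.

```python
"""Added example; not code from the Slashdot thread or from Google Desktop
Search. A loopback-only HTTP service that additionally requires a per-session
secret on every request. Port 4664 and the 127.0.0.1 binding come from the
comment; the token scheme, the handler class and all names are assumptions."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

LISTEN_ADDR = ("127.0.0.1", 4664)  # loopback only, as the comment describes


def new_session_token() -> str:
    """64 hex chars of CSPRNG output, minted once per run of the local client
    and handed only to that client, never to a page another origin can load."""
    return secrets.token_hex(32)


def authorize_request(path: str, expected_token: str) -> bool:
    """True only when the request URL carries the current session token in
    its 's' query parameter. A cross-origin page can still reach the loopback
    port, but without the token every request is refused."""
    query = parse_qs(urlsplit(path).query)
    supplied = query.get("s", [""])[0]
    if not supplied.isascii():
        return False  # hmac.compare_digest requires ASCII str operands
    # constant-time comparison: a wrong token reveals nothing about the right one
    return hmac.compare_digest(supplied, expected_token)


class LocalIndexHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for a local search front end."""

    session_token = ""  # set by run_local_server() before serving

    def do_GET(self) -> None:
        if not authorize_request(self.path, self.session_token):
            self.send_error(403, "missing or wrong session token")
            return
        body = b"(index results would be served here)\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:
        pass  # keep the example quiet


def run_local_server() -> None:
    """Mint a token, print the only URL that will be answered, and serve."""
    LocalIndexHandler.session_token = new_session_token()
    host, port = LISTEN_ADDR
    print(f"serving http://{host}:{port}/search?s={LocalIndexHandler.session_token}")
    HTTPServer(LISTEN_ADDR, LocalIndexHandler).serve_forever()


if __name__ == "__main__":
    run_local_server()
```

Run it and open the printed URL; the same URL without the `s=` parameter, which is all a page on another origin could construct, gets a 403. The token only helps if it lives somewhere the browser flaw described above cannot read, which is why it belongs in the small custom client the earlier comment proposed rather than in a page the browser renders.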
There is an online petition against the bill here. It started today and there are already 2087 signatures by individuals and 40 by organisations. Go on and sign.
So, yes, the government is considering passing a bill which would allow these organizations to sue the free software authors.
Agreed, but saying "the government is examining a bill proposed by the French MPAA" is very different from saying "French Department of Culture is telling free (as in speech) software providers that 'You will be required to change your license'".
Especially when you quote an article that says "SNEP and SCPP have told Free Software authors:", you can't quote an FSF article and replace "MPAA" by "the Government" in an article posted on Slashdot's main page, it's fucking crazy!
That's the image of the media these days, but I expected something better from Slashdot.
The statement "In the event that you no longer possess or have the right under such license to use the original CD product." can be rewritten as two separate statements, "In the event that you no longer possess the original CD product." and "In the event that you no longer have the right under such license to use the original CD product."
I disagree, I think you missed a parenthesis in your interpretation of the text (of course I can't be sure, I don't speak legalese). The phrase "In the event" is not repeated, so if we put parentheses it would probably be "In the event that you (no longer (possess [the CD] or have the right under such license to use the original CD product))."
Formally this should be written
event( NOT (possess OR have_right) )
which is equivalent to
event( (NOT possess) AND (NOT have_right) )
If the CD is stolen then possess is false but have_right is still true (I guess). So the whole formula is false, no clause is triggered!
But that's a fine example why EULAs should not stand in any court. They are very ambiguous texts and no individual should be required to understand them. And of course the whole Sony story is just ridiculous, we don't need fine interpretations of EULA clauses to understand that.
1) Microsoft has a trademark on "Microsoft Windows" and this mark is used in connection with computer software.
As you said, "Microsoft Windows".
2) A computer software developer using the name "Windows Defender" voluntarily handed over the name to Microsoft.
It wasn't "voluntarily", he was threatened. Makes a huge difference.
"Windows Defender" could be argued to generate confusion in the market because when it comes to the word "Windows" with respect to computer software, most of the market (i.e. John Q Citizen) is going to assume that it is a Microsoft product. This is the purpose of a trademark.
IMHO it couldn't generate confusion, but in any case this is irrelevant. When we say that Microsoft has a trademark on "Microsoft Windows" and not merely "Windows" we mean exactly that "Windows" by itself can be freely used. If we allow an argument of the style "X Windows", for all X, cannot be used because it generates confusion, then what difference does it make from having a trademark on "Windows"? Windows is a goddamn common word.
Microsoft just didn't respect the man's right to use the name and lied to him to *make him* give up the rights. Ethically (and, I guess, legally in any country) this is fraud!
But the more interesting question is, could some technology X, that nobody has even thought of yet, kill xG's technology before killing WiMax? And could another technology Y kill X before even being thought of?
Oh, come on, what's all this "could kill" mania lately?
In my previous reply I misunderstood what you said. After submitting I realised that what you want is to not allow scripts to open non-resizable windows or windows that don't have a menu bar.
Take a look at the dom.disable_window_open_feature.* options in about:config, in particular the following two:
dom.disable_window_open_feature.resizable
dom.disable_window_open_feature.menubar
By setting them to true, all windows will be resizable and will have a menu bar.
Also note that Firefox lets you resize even non-resizable windows by dragging the window resizing grippy at the right end of the status bar. dom.disable_window_open_feature.status is true by default, so the status bar will always be visible if enabled in the View menu.
I'd like to see a plugin that lets me override annoying JavaScript that prevents resizing windows.
Go to Edit/Preferences/Web Features, click "Advanced..." (near the "Enable JavaScript" checkbox) and disable the options you don't want, like "move or resize existing windows".
No extension is required.
Novell's premier Linux distribution, SUSE, is historically based on KDE, yet the individual projects that they're supporting (Beagle, Evolution) are GNOME apps. I think in the long run KDE will become the de-facto standard, primarily because of the tight integration among its applications and the excitement in its developer and user base about KDE 4. If you don't believe me, take a look at how many more posts there are on KDE-Look than on Gnome-Look. In fact, there is KDE-Apps for independent apps built with the KDE/Qt framework, while there is no such place to aggregate GNOME apps.
In conclusion, Novell should get their GNOME developers to work on KDE so that they have a tightly integrated system with no duplicated functionality.
WTF?
Novell is a main contributor to Mono (very important to bring developers/applications to Linux), Evolution (best Exchange alternative for Linux), Beagle (best desktop search for Linux), Hula, F-Spot, etc., all very important applications for Linux that happen to be mostly built around GNOME. And you suggest that they should abandon these apps and start working on KDE because you like it better and because some web site with KDE screenshots happens to have more traffic than another one with a similar name. I'm sorry, but that's pure BS! Please stop trolling so badly, because this is /. and sometimes trolls are modded as insightful.
I don't care about the desktop wars. I use both GNOME and KDE apps and the only thing that I care about is having great quality apps for Linux.
Today, Windows' damage to humanity has been multiplied by .95 times the number of the world's computer users.
Well, to be fair, Windows has transformed personal computers from a happy hippie hacker's toy into a world phenomenon. Of course this may have happened in spite of and not because of Windows; still, it has to be said.
The point is that no, you can't do what you please even if you own property. Don't like that? Change 200 years of case law, otherwise stop whining.
I am not whining, I *am* trying to change 200 years of case law and 100 years of music industry tradition. How? By sharing music. It's a kind of revolution. I don't like the current situation and I have the means to change it. I believe that music should be free for anyone to listen to in their homes, cars, PCs, boats, planes or spaceships. I don't care about the 200 years of law, I only care about how I imagine the world.
Piracy kills the music industry. Let's help it die.
You can blame guns for violence... or you can blame their owners. Same with TNT. You know people's lives have been ended by radiation right? Well, lives have been saved by it too... it's all about how it's used.
I totally agree with your reasoning, but your examples are a little bit extreme. Owning a gun, for no matter which purpose, is just beyond reason. At least in most places of the world.
Blaming P2P for illegal filesharing, though, is like blaming flowers for the death of an allergic person.
Nonsense, according to Carl Barks himself:
Source: Uncle Carl - His Life and Times
Incorrect. Wiktionary is a free dictionary. This one is open. The distinction is important.
Thanks for the update, Richard.
Seriously, I totally agree. I would mod you up if I had some points.
Take a look at the videos on the following page. 3x3x3 in 20.55, still amazing!
You could work in a nice virtual environment together with Jenna Jameson, Jesse Jane and Briana Banks.
Nice trick, thanks man. I can't wait to try it on my girlf.....
oh crap.
I thought you were speaking about porn. But then, did you forget about your porn???? Are you ok man?
Okay.....so how is it any different today?
- Grandpa, simply unpack the tarball, run ./configure; make, sudo to root, then make install.
./configure && make && sudo make install
/long_story_here
- Whaaaat
- tar -xzf gaim.tar.gz && cd gaim &&
- Whaaaat
- Ok, let's use apt-get, it's easier
- Whaaat, I can't hear a damn thing
- Synaptic?
- Kids nowadays have no values. I remember when I was fighting the Germans, they were a dozen and I only had a Swiss knife,
#!/bin/bash
kview http://tinyurl.com/8v6re
Emulates most Windows apps, all functionality is preserved.
Now where is my money?
for a rolling duck with arms? I don't give a f*** what it runs inside, you can keep it.