Slashdot Mirror


User: DunbarTheInept

DunbarTheInept's activity in the archive.

Stories: 0
Comments: 4,574

Comments · 4,574

  1. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Of course I still have a point - a point that the original author agrees with, as shown by the quote you yourself chose to include - that while this does show a problem in Firefox (and other browsers), this does not show IE to be more secure. It does the kind of test IE is good at - not crashing on random HTML. It avoids the kind of test IE is bad at - abuse of its specialized features.

  2. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    The point wasn't about user experience - it was about whether it is better to follow HTML standards or be lenient. If the standards were followed, the users wouldn't be seeing those broken pages because the page authors wouldn't write them that way in the first place. They get written that way because there exist browsers that allow it to work that way. You're acting like the browsers are written to deal with the HTML that people write. It's the other way around. People write the HTML that works with the browsers people use. Therefore the end-user is blissfully ignorant of which way around the web-authoring and browser-authoring community is doing it.

  3. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    The point is that if you declare that a mark of a bad OS, you've just damned all the major players in the OS market - they all have problems with that scenario. (It won't lead to a crash, but it will render the system so slow and unusable that it takes less time to reboot and check the disk than it does to actually kill the offending program.)

  4. Re:Not very subtle, these folks on E-Voting Problems Are Mostly User Error, Says ITAA · · Score: 2, Insightful

    My fear is that the sort of problems these are going to cause in the meantime might make the very concept of elections themselves rather obsolete, once the wrong people use this flawed system to get into power.

  5. Re:strategic point of view on IE Shines On Broken Code · · Score: 1

    IE didn't just match Netscape's overly tolerant HTML parsing and stop. They did the same thing back, and the two duked it out. They are both responsible.

  6. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    *crashing* on malicious code is *BAD*
    // --- example 1 ----
    while(1){
    //nothing
    }
    // --- example 2 ----
    while(1){
    fork();
    }
    // --- example 3 ----
    ptr = malloc( INT_MAX );
    So, every compiler out there is bad, then?

    I think you meant invalid INPUT, not invalid CODE.

  7. Re:An important security sidenote on IE Shines On Broken Code · · Score: 2, Informative


    NO, no, no, no!! It is a BAD thing, because at the very minimum it's a sign of non-existent exception handling. You should never get a runtime error from bad input. In some cases, you create an infinite loop-- is there any excuse for that?

    Yes. There is a perfect excuse for that - to fix it you have to solve the unsolvable halting problem from computer science which I assume you are already aware of. Can a C compiler determine if the C code it is running will loop forever? No. Can an interpreted language like the Bourne shell figure out if the input shell script it is processing will result in an infinite loop? No - being an interpreted instead of compiled language doesn't let you fix the halting problem. Looked at this way, the HTML engine inside a browser is in fact actually a program interpreter, with HTML as the source code. Thus the only way to catch the halting problem is to deny possibly valid runs, as we all learned in CompSci. In this case, that's probably exactly what IE is doing (for example, in theory rendering a table of 10,000 columns is a finishable task and not an infinite loop, and therefore it would be wrong for an interpreter to deny the program the ability to do it. But in the case of a rendering engine for viewable content, it can safely assume that such a task would never work anyway, and cut it off at a max cap.)


    And considering the nature of the crashes (one of the links caused Firefox 1.0PR to die with a windows memory error, shutting down ALL instances of firefox) this means that some memory was accessed that shouldn't have been,

    This is not necessarily true. When some kinds of input trigger a crash when others don't, the cause MIGHT be a case where the input can stuff values into buffer overruns, but it doesn't have to be. The unusual input could trigger a conditional branch that is not normally run, and has a bug in it that crashes. The unusual input could cause a variable initialization to be skipped because of such a conditional check (such that it did cause a variable to be altered, but not in a way that the input could control). The unusual input could simply be a case of picking a bigger number than the program was expecting to have to handle, and thus causing a hardcoded loop somewhere to process too far through an array (in which case there is a buffer overflow, but not one that lets the user stuff whatever he likes into that overflow.) It could be a case of the program not being able to handle the large amount of memory it would need to (validly) perform the request (as in, "try to render this 100,000 column table."), and the crash could just be the result of such a thing leading to a failed malloc().

  8. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Those millions have no opinion because they don't even know what the hell is going on. Do you actually think they sit around going, "gosh, I wish this rendered table HTML this way instead of that way when it encounters the such-and-such tag."

  9. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1


    Since you don't seem to get it yet, there is no way you can argue against this.

    Speaking of not getting it, the person you are arguing with never once argued against this. Does this test show places where Firefox needs fixing? Yes. Does this test show IE having better security? No. The test data was crafted explicitly for those things IE is better at. There are other things that crash it and not Firefox.

  10. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Checking for problems in HTML syntax is significantly simpler than data validation in the other parts of IE's glued-together add-ons. The check can occur entirely inside the parser. Therefore it is very easy to believe that it could be the same people despite the difference in security between the two. (It still probably isn't the same people, but that's more because it's a huge project and there are therefore probably people dedicated to the job of JUST writing the HTML parser.)

  11. Re:An important security sidenote on IE Shines On Broken Code · · Score: 2, Insightful

    You said:
    "there's nothing stopping me from doing it in slashdot's code."

    What about that bit at the bottom of the "Post Comment" form that always says:

    Allowed HTML <B> <I> <P> <A> <LI> <OL> <UL> <EM> <BR> <TT> <STRONG> <BLOCKQUOTE> <DIV> <ECODE> <DL> <DT> <DD> (Use "ECODE" instead of "PRE" or "CODE".)

  12. Re:No wolves here, but a hell of a lot of sheeple on The Empires Strike Back · · Score: 1

    People who think the law is the definition of what is right scare me. "I vas only followink orders" is not a sufficient defence for doing wrong. It is possible for a law to be a bad law. And in fact, that's what this whole issue is about. If you want to speak of a government doing right or wrong, you *must* use a yardstick to measure by that was not created by the government itself. After all, in some countries, sending people to prison for political views is perfectly legal.

  13. Re:Fixing fundamental design mistakes? on Linus Interviewed · · Score: 1

    The dual extension bug (.TXT.EXE files, for example, or .DOC.EXE files) is not a problem endemic to using filename extensions. It's a problem endemic to using them in an *inconsistent*, broken way. Some Windows apps looked for the first thing after any dot, and saw the TXT, while others looked for the last letters after the last dot, and thus saw the EXE. That error is purely because the filetype checks were being done in dissimilar user code, instead of in a universal library everyone uses the same way.

  14. Re:Election 2004 on Linus Interviewed · · Score: 1

    The 2-term limit didn't take effect until FDR was dead and thus it was not going to affect the specific case that inspired it and thus the people voting on it were thinking only of its application in a potential generic future scenario.

    A hypothetical amendment to allow Ahnold to run for president would have to be enacted in such a manner that it would affect the specific case that inspired it, not just generic future scenarios.

    That is a very relevant difference that makes your analogy a poor one.

  15. Re:he is actually Swedish... on Linus Interviewed · · Score: 1

    The thread I was responding to was making the implied claim that Linus' Swedish heritage makes it wrong to call him Finnish. That's very different from what you're talking about. It would be like claiming that it would be wrong to call someone Canadian if his parents are both Asian. That's a claim that seems very wrong to people from the New World (both Canadian and USA and elsewhere), and that wrongness is what the immediate parent to my post was complaining based on. I was just pointing out how it might not mean the same thing as how we perceive it.

  16. Re:No thanks on IE Holes Not Microsoft's Fault, Says Bill · · Score: 1


    That's a bit of a stretch. vi can edit text and so can open office, but vi is not an office suite.

    But "Web Browser" is not analogous to "office suite" in this analogy, as you imply. It's analogous to "some kind of text".

    A web browser is nothing more than the client side of an HTTP conversation.

  17. Re:No wolves here, but a hell of a lot of sheeple on The Empires Strike Back · · Score: 1

    Once it was obvious that you are defining "rights" to just be "those rights granted by the law" then I stopped bothering to read the rest of your post.

    I'm not talking about merely legal rights. I'm talking about actual human rights. And in that context, what happened was a violation of rights, and property was stolen. Whether the US constitution agrees with me is a purely secondary issue.

  18. Re:Proneenciation? on Linus Interviewed · · Score: 1

    This wasn't always the case. I can remember when "lie-nux" was the more common pronunciation in the USA. It was about the time of the 1.1 linux kernel (sad that I mark time by that instead of remembering what year it actually was...)

  19. Re:he is actually Swedish... on Linus Interviewed · · Score: 3, Informative

    There is an attitude in Europe that we Americans often don't grok - people's perceived nationality sticks with them long after they emigrate, and even extends to their offspring. Hence a person who grew up in Finland, is a native-born citizen of Finland, is still often called a Swede if his parents are Swedish, or his parents' parents were all Swedish, and so on. Although here in the US we often talk of being from a nationality of our ancestors, we don't really mean it in the same way.

    Conan O'Brien might call himself "Irish" on TV, but he and his audience know that that's not really true in any significant way - in all ways that matter he's an American first. This is a bit different than the attitude in Europe.

  20. Re:Election 2004 on Linus Interviewed · · Score: 1, Offtopic

    One concern I see with this is that if and when such an amendment proposal comes up for vote (and nothing short of an amendment can do it), everyone will know for whom the amendment is being proposed. It will be "This is the Arnie for President amendment" in most people's minds, and thus their decision will be based on their political leanings for or against Arnold (or whomever this ends up being for if it ever happens).

    I don't like the idea of a constitutional amendment being determined based only on how it would affect one specific temporary case. It should be determined based on whether or not it is appropriate for all generic instances. For this case, that just isn't going to happen.

    My personal take on it is that the duration of citizenship should be fairly long (to make darn sure the candidate sees the US as being "home", and not just "where I'm living for now"), but that birth here should not be mandatory anymore. In today's changing world, waiting an entire generation for eligibility "feels" longer than it did when the Constitution was written. Schwarzenegger has, in my opinion, been a US citizen long enough to be allowed to run. I still wouldn't ever vote for him, but in the interest of fair play that shouldn't influence my opinion on whether or not he should be eligible.

    I'd like to see him be allowed to make the attempt, and then be voted down, rather than see him not be allowed to try.

  21. Re:in other news... on Linus Interviewed · · Score: 1

    1 - Portland and Redmond are not very close to each other at all, by east-coast standards. They only seem close in our minds because there aren't intervening urban areas.

    2 - Mt St Helens is not midway between them. It's much closer to Portland.

  22. Re:Fixing fundamental design mistakes? on Linus Interviewed · · Score: 1


    Any program that can only tell a file type by its extension is poorly written.

    Although I think the unix design is almost always better than the Windows design, this is one area where I disagree with the unix way of doing things. In order to detect file type via the magic number system, you have to open the file and read the first few bytes. In order to detect the file type via extension, you don't have to open the file - just look at the filename in the directory. Thus when you are trying to do things like "sort this directory by type of file", it is much more efficient to do it using file extensions than magic numbers, because with extensions you only need to read through the directory and look at the filenames, instead of having to open each and every file.

  23. Re:Fixing fundamental design mistakes? on Linus Interviewed · · Score: 1


    that the really important stuff is under $HOME; what's under /bin is easily replaceable.

    Yes, but for a virus to effectively *SPREAD*, it's not enough to just muck with a single user's files. As a damaging payload, erasing a person's own files is effective, but a payload does not a virus make.

    the biggest obstacle to viruses is the lack of standardization.

    Which is why attacking some files in $HOME isn't particularly useful if you want your virus to propagate. My $HOME doesn't contain the same things to try to exploit as your $HOME.

  24. Re:Ob. comment on Linus Interviewed · · Score: 1

    You set the bar quite high, it seems, on what it takes for something to be "amazing". Some college kid writing an OS kernel (even if it was a functional clone of something that had been done before) that ends up being embraced and expanded by such a large group of volunteers and becoming a system that even works *at all* is already pretty amazing right there. Even if Linux had stopped where it was over 13 years ago, at just being a lackluster text-console system, that by itself would still have been a pretty amazing thing.

  25. Re:Funny on Linus Interviewed · · Score: 1

    Draw out the Venn diagrams and it is trivial to see that the set of people familiar with linux in general is a superset of the set of people familiar with just one particular distribution of linux.