Slashdot Mirror


User: dzfoo

dzfoo's activity in the archive.

Stories
0
Comments
1,948
First seen
Last seen

Comments · 1,948

  1. Re:I don't know if the question should be... on Google Talks About the Dangers of User Content · · Score: 2

    You misunderstood my point, and then went on to suggest that the "old way" won't work; inadvertently falling into the trap I was pointing out.

    My "solution" (which really, it wasn't a solution per se) is not "more of the same." It is the realization that previous knowledge or practices may not be obsolete, and that we shouldn't try to find new ways to do things for the mere sake of being new.

    A lot, though not all, of the security problems encountered in modern applications have been known and addressed in the past, to various degrees of success. We should embrace this experience and apply it, not shunt it as antiquated.

    Whether you want to admit it or not, lack of input validation and understanding of data encoding at the various transport layers is the source of most security issues. We should acknowledge this and address it directly.

    You are right, a lot can be done to build solutions into our tools to ease their implementation. However, technology itself won't solve the problem of developers not understanding the risks or why they happen.

    What does not help at all is to hand-wave or diminish this particular problem and blame the tools for not doing our due diligence. Or worse, ignore experience and history and mark it as a new problem, only solvable by more technology.

            dZ.

  2. Re:I don't know if the question should be... on Google Talks About the Dangers of User Content · · Score: 3, Interesting

    I'm actually not a big fan of validating inputs. I find proper escaping is a much more effective tool, and validation typically leads to both arbitrary restrictions of what your fields can hold and a false sense of security.

    OK, fair point. How about if we expand the concept of "validating input" to include canonicalization and sanitation as well? Oh, it already does. Go figure.

    Reducing it to a mere reg-exp is missing the point. Proper canonicalization (and proper understanding of the underlying standards and protocols, but that's another argument) would allow you to use a plus-sign in an e-mail address field.

    But this won't happen as long as every kid fresh out of college wants to roll their own because they know The One True Way to fix it, this time For Real. As long as they keep ignoring everything learned before because, you know, it's old stuff and this is the new technology of The Web, where everything old does not count at all; nothing will change.

    A multi-pronged approach is best, and input validation certainly has its place (ensuring that the user-supplied data conforms to the data type's domain, not trying to protect your output), but the first and primary line of defense should be making it harder to do it wrong than it is to do it right.

    "MOAR TECH!!!1" and over-wrought protocols are no silver bullet against ignorance, naivety, and hubris.

                -dZ.

  3. Re:Taking a step back... on Apple v. Samsung Jurors Speak, Skipped Prior Art For "Bogging Us Down" · · Score: 1

    Not only that, but Samsung were very insistent that the results of the Best Buy customer returns poll suggested that the high incidence of returns was not due to confusion, but to defects.

    It's like a double whammy!

  4. Re:Field dependent requirement on Ask Slashdot: How Many of You Actually Use Math? · · Score: 1

    Dude, that's not programming changing the way you think. You're just an antisocial freak-o. I'll bet that, prior to being a programmer, you were just as clueless in social situations, you just didn't have a convenient sub-cultural stereotype to take comfort in.

    Sorry, but it's true. Being a programmer does not impair or impact your interpersonal skills, if you had any, that is.

  5. Re:Great another security worry on Nuance Launches Siri Rival "Nina" · · Score: 1

    Perhaps not "the cloud" in general, but a service that has privileged access to bank accounts and other sensitive information is inherently less secure than one that is primarily concerned with finding restaurants and traffic routes, for it is a much more attractive target.

  6. Re:My prediction on Sci-Fi Writers of the Past Predict Life In 2012 · · Score: 1

    I predict that, 25 years from now, this prediction will be proven inaccurate.

  7. Re:Frivolous. on EA Sues Zynga For Copying Sims Game · · Score: 1

    You should read some history then, because the examples you mentioned are a lot more nuanced than what you are suggesting.

    In the case of Apple vs. Microsoft, they didn't lose because "look and feel" is not protectable, they lost because they had given an overly permissive license to Microsoft, and the latter successfully argued that it covered most of the claims. And even that is just a small part of the outcome.

              dZ.

  8. Re:I Hate Zynga, But... on EA Sues Zynga For Copying Sims Game · · Score: 4, Funny

    Your story sounds vaguely familiar... Are there also Nizguls and Ring Wreaths, and a damned creature called Goellum? Because I think I've read it!

  9. Re:Rules on EA Sues Zynga For Copying Sims Game · · Score: 1

    Oh, you must be a hoot at parties! I bet you also are one of those that responds to annoyed friends with "that's not what I said..." and follows with a pedantic description of the technical and semantic nuances between words.

    So the images are not binary equivalent--do you really think that's what a court will consider?

              dZ.

  10. Re:This sounds awfully familiar. on Firefox OS Will Win Big With Developers - Mozilla · · Score: 1

    And by Mozilla, I meant Netscape. DOH!

  11. Re:This sounds awfully familiar. on Firefox OS Will Win Big With Developers - Mozilla · · Score: 1

    That's not what he meant. He was talking of Mozilla's integration of Java, JavaScript, and XUL to create a platform for executing applications that are not dependent on the underlying OS.

  12. Re:And while we're at it... on The Web Is Not the Internet · · Score: 1

    It is not incorrectual, it lacks correctivitudeness.

  13. Re:And while we're at it... on The Web Is Not the Internet · · Score: 1

    Also, quit saying "preventative"! There is no such word. You take preventive measures to prevent an event from happening.

    If you were to preventate, then you could take preventative measures. However there is no such verb, is there?

  14. Re:Really? on Former Microsoft Exec: Microsoft Has "Become the Thing They Despised" · · Score: 1

    The innovators were companies like Xerox and others, who actually developed the technology that goes into these devices.

    Ah, I see you are one of those that thinks Apple engineers took Xerox PARC's ideas verbatim and applied them to the Mac OS, fully formed.

    Did you know that the Xerox Alto did not have drag and drop? Did you know that it also did not have overlapped clipped windows that updated their display (only the active window could update, even while moving across other objects)? Did you further know that it did not have a "spatially-oriented" file system?

    How about a truly document-oriented paradigm where objects react against each other? Xerox's system was command-driven and "modal," which required the user to engage a keyboard or menu command to execute any action. It also required an entire training regimen in order to be used effectively. Granted, it was a huge system, designed to integrate in all aspects of a business' productivity, but that scope just added to its complexity.

    Moreover, did you know that what Apple saw was a demo? No code, no design specifications, no schematics. Just a visual presentation.

    Xerox PARC showed Jobs and his team an incomplete and sometimes inconsistent system that was hard to use in many regards. However, the idea that people would manipulate objects directly, in a graphical environment, and not just type commands on a terminal, was an awe inspiring vision. However, it's a vision that predates even Xerox's attempts.

    I'm not belittling Xerox's work--it was indeed innovative. I am pointing out that Apple engineers implemented an operating system, from scratch, designed to be complete for purpose--albeit narrower in scope--and used by a lay person with absolutely no training; and they did it all based purely on their recollections and impressions from a visual demonstration.

    And it all ran on an 8 MHz microprocessor, and fit in a mere 64 Kb of ROM. Compare that to the Xerox Alto!

    How's that for innovation?

  15. Re:Um... on The Long Death of Fat Clients · · Score: 1

    You are right, I'm sorry. I meant "Dart": Google seems to be positioning to replace GWT with Dart.

    This is only speculation, but there were a lot of sessions in the I/O conference dealing with migrating code from GWT to Dart, and, I think, only one GWT-specific session. This focus, to me, seems telling.

                -dZ.

  16. Re:Um... on The Long Death of Fat Clients · · Score: 1

    Have you heard that Google is phasing out GWT in favor of AppEngine?

          dZ.

  17. Re:Are we failing to prepare children for leadersh on Are We Failing To Prepare Children For Leadership In the US? · · Score: 1

    Wow! I was modded "Insightful"?

    I was aiming for "Funny"; I also would have expected "Troll."

    It is a sad state of affairs when making a throw-away joke about a completely fictional catastrophe is deemed insightful.

    That's weird, even in Slashdot.

                  -dZ.

  18. Re:Gap on Are We Failing To Prepare Children For Leadership In the US? · · Score: 1

    Cool, so even rednecks can buy trendy clothes! What's the pain in that?

  19. Re:Always the same BS: 'My way is better because' on Are We Failing To Prepare Children For Leadership In the US? · · Score: 1

    ...said the lonely bachelor.

  20. Re:Not very new. on Are We Failing To Prepare Children For Leadership In the US? · · Score: 1

    If you're really really good at Starcraft, you could end up a pro-gamer in Korea

    Wow! Really?? I better be careful now, I don't want to wake up one morning in a strange land.

    How about WoW? Is it safer to be proficient in Warcraft? I mean, do I get to stay in the USA?

            dZ.

  21. Re:Are we failing to prepare children for leadersh on Are We Failing To Prepare Children For Leadership In the US? · · Score: 2

    I guess mine is going to be a rather lonely life when the Zombie Apocalypse comes.

  22. Re:The screeners used to be private on Sen. Rand Paul Introduces TSA Reform Legislation · · Score: 1

    "aw gee, the king has imposed Taxes on us without our Consent; deprived us in many cases, of the benefits of Trial by Jury; and Quartered large bodies of armed troops among us; let's declare our independence!"

    Sometimes, that's all you can do.

  23. Re:pipes pipes pipes on Netflix and Google Make Land Grab On Edge of Internet · · Score: 1

    It doesn't make sense to hand the whole thing to Google and a handful of other CDN companies.

            dZ.

  24. It was a pleasure to burn. on Ray Bradbury Has Died · · Score: 1

    Rest in peace, Mr. Bradbury.

            -dZ.

  25. Re:Apple's display? on LG Aims To Beat Apple's Retina Display · · Score: 1

    "Marketing desing"? I think you underestimate their involvement. The actual engineering design was done in concert by both companies. Apple owns some of the patents involved in the materials and the processes.

                    -dZ.