That was a deliberate decision in order to avoid the monster mistake Bjarne made with C++ templates. Java 1.5 introduces generics[...]
I'm quite aware of the new features (hence "nearly a decade") but, believe it or not, C++ was not the origin of parametric polymorphism... in fact, the real lesson to learn from C++ is that this should be a core part of the type system, and dealt with as first class by the compiler and linker, from the inception of a language, not grafted on later!
Java is a strongly typed language therefore you have to tell the compiler exactly what you intend to use. And if you make a mistake in the way you use it, the compiler has the guts to tell you that you were wrong. Too much chaperoning?
The problem with most Java code is that there was (for nearly a decade, despite this being a well-established feature of type systems) no parametric polymorphism, therefore using the containers collection meant throwing away the typing information and casting... and, no, the compiler doesn't tell you when you're wrong, not even the static type checker does, the dynamic type checking fails at run time! That's not cool!
I think the guy needs to learn something about modern programming languages before sitting down to write...
Well, Michelangelo's strictly a PC-style DOS virus (http://en.wikipedia.org/wiki/'Michelangelo'_computer_virus) and Monkey B (Simian B) a real virus (perhaps I'm missing something ;) but there were floppy disk (bootsector)-based viruses on Z80B-based machines...
Thanks, dude. I'm never posting Sunday morning again - the moderators have issues!
(I'd like to think it's because they've been out for a heavy Saturday night and their judgement's still impaired, but it seems more likely that they're just jealous that someone else might have...)
Now I've two points as informative, the post I contradicted has another (!) and my original post remains 'flamebait'.
You can moderate this post however you like but I'll chuck in something (which I forgot in the parent) so that it's not redundant: the processor in the 49g+ runs at 75MHz (hence my comment).
No, the Saturn has an external word size of 4 bits, but 64 bit registers and instructions.
At three to seven (the actual comparison) times the 4MHz 48g speed, there is far less than a gap of >>30 between the speed of the emulated processor and the physical one so I stand by (for now) my speculation that there is surely an algorithmic difference between the built-in (example?) one and the new 'native' one...
(But what do I know, I'm just flamebait... apparently...)
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 1
"Your argument" - I'd check your original post.
As far as trying to claim I've been wrong more than conceded, you're simply putting words in my mouth and then refuting them. I'm not prepared to waste more time discussing this, but I'd just point out the difference (apparently absent in your head) between the concept of an operating system (and its roles) and what is implemented in Windows! I stand by (and your argument that hardware support can be added merely reinforces the point):
the operating system controls what's data and what's executable in memory - it's laudable to explore how a requirement for user interaction can be used to control the latter
What the hell is the point of a disposable digital camera?
Well one use (I could sell these by the dozen in the UK) is for nightclubs... you want the convenience of digital (instant review, quick uploading the morning after) but don't want to have hundreds of quids worth of equipment lost, stolen, trampled or dropped in a beer!
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 1
Obviously YANAH. Are you even a programmer at all?
Twice you've been wrong and this is how you come back? Petty, man!...
Yes, a virus could click the "yes" button, that doesn't require downloading a separate VNC server. How do you think the VNC server does it?
Yes, that is a good point. You can see I've not programmed at the system call level for a long time... All the same (changing my argument, I admit), the system could simply refuse you a handle on that window (though how that would play out with terminal server or third party VNC s/w, given your point, isn't clear).
No, you were making the point that cmd allowed users to easily bypass the protection and run a downloaded exe
Sorry, my fault - you're quite right, I didn't write that (or rather deleted it from what I was posting since it didn't support my point - feel free to not believe me on this)
and I was refuting it by pointing out that it really wasn't so easy for users
Well indeed, but you were visibly incorrect in how you expressed that (twice over) and, what's more, we were looking at the initial warning - I'm quite sure there are some more advanced exploits to come than the mock-up in the article (at the very least a scripting exploit - based either on an unpatched mail client or a new vulnerability - could surely invoke the command line).
But there's nothing MS can do to prevent a running virus from downloading and executing whatever it likes
I just can't agree with that: the operating system controls what's data and what's executable in memory - it's laudable to explore how a requirement for user interaction can be used to control the latter (imho).
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 1
[...]requires users to type in two places (granted, they're not typing arguments), requires users to save the executable and locate it afterwards, and requires users to correctly manage the input focus between several windows (users are likely to simply drag the file from Explorer to the cmd window, which leaves the focus on the executable's icon in Explorer, meaning that pressing Enter will display the warning dialog as usual. An extra click is required to focus cmd before pressing Enter, but this is non-obvious).
Type? You seem to have conceded the point that typing arguments is not necessary, but then you keep digging! None of this requires typing!
As far as your assertion:
The virus could press the "yes" button on the security dialog automatically before the user sees it
That would seem (as far as I've understood recent stories on /. - IANAH, so to speak) to require the transfer of a VNC server, which itself should (not that I'm saying the implementation is right yet) be 'Internet zone' executable code and subject to the same check... hence circularity and no progress... no?
It could remove the NTFS stream that marks the executable as downloaded from the Internet
Could it? So using this is not built into the command shell, but manipulating it is?...
It could use the same system call "cmd" uses to run the code without the warning dialog
That's rather the point I was making...
It could read the code directly into memory and execute it in its own process, bypassing any Windows restrictions on executable files
As I concede above, this may be possible, but clearly that ought to be subject to the same restriction...
As I said on other threads, I'm quite sure the implementation of this idea is not yet thorough... but that doesn't mean that the idea is wrong. Firstly, one has to admit, no operating system has arrived at a good security mechanism getting it right first time. Secondly, while one might disagree with this kind of thing being tested on the whole user base (or, at least, those who keep up with OS versions and their SPs), at least it hasn't made the situation worse - even if there are ways to bypass this (which will take time to learn), the effect of the bypass is no worse than would be the absence of the mechanism.
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 1
Didn't you even notice the "sample email worm" given by heise?
This one?
attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you.
Which bit, exactly, has them typing in "several arguments"?
This bit:
cmd /c evil.exe
executes the file evil.exe without warning, regardless of its ZoneID. Even worse: If an executable file is saved as evil.gif, the command
cmd /c evil.gif
Is not intended to be an exploit.
As for:
Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.
Perhaps I've misunderstood, but I completely disagree with you. As far as I understand it, it's quite a common thing to do to transfer an executable to a compromised machine in order to run it. If such a thing cannot be done without visible user interaction that would be significant.
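The comments above argue over where the ZoneID check should live. As an added example (not code from the posts, from heise or from Windows), this Python sketch models a single launch check keyed on file content and the Zone.Identifier mark instead of on the launcher or the file name. The verdict strings, the sample files and the fail-closed handling of a damaged mark are assumptions of the example.

```python
import configparser

# Zone numbers as used in the Zone.Identifier stream: 0 local machine,
# 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites.
INTERNET, RESTRICTED = 3, 4

def zone_id(stream_text):
    """ZoneId from the stream text; None if no stream; RESTRICTED if unparsable."""
    if stream_text is None:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return RESTRICTED  # fail closed: a damaged mark is not a clean bill

def is_executable(head):
    """Judge by content: DOS/PE images start with b'MZ', whatever the name says."""
    return head[:2] == b"MZ"

def launch_decision(name, head, stream_text):
    """One check for every launcher, keyed on content and zone, not on file name."""
    if not is_executable(head):
        return "open-as-data"
    zone = zone_id(stream_text)
    if zone is None or zone < INTERNET:
        return "run"  # unmarked or local/trusted: the mark is the only signal
    if not name.lower().endswith((".exe", ".com", ".scr")):
        return "warn-disguised"  # executable content behind a data extension
    return "warn"

# Constructed sample files: (name, first bytes, Zone.Identifier text or None).
MARK = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLES = [
    ("evil.exe", b"MZ\x90\x00", MARK),
    ("evil.gif", b"MZ\x90\x00", MARK),
    ("photo.gif", b"GIF89a", MARK),
    ("tool.exe", b"MZ\x90\x00", None),           # mark never set, or stripped
    ("odd.exe", b"MZ\x90\x00", "ZoneId=three"),  # damaged mark
]

def audit(samples=SAMPLES):
    """Map each sample file name to its launch verdict."""
    return {name: launch_decision(name, head, text) for name, head, text in samples}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:10} {verdict}")
```

The `tool.exe` row shows the limit raised in the thread: once the mark is absent, a check of this kind has nothing left to key on.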
Even a million inter-linked websites criticising the current government would have presence thanks to Pagerank... unfortunately these asshats have very little to say! (Probably less than a pageful...)
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 1
The only really good security is via capabilities (see eros)
By which I assume you mean this:
EROS is a pure capability system. A capability uniquely identifies an object and a set of access rights. Processes holding a capability can perform the operations permitted by those access rights on the named object. Holding a capability is a necessary and sufficient condition for accessing the associated object with the authority granted by that capability. There is no other way to perform operations on an object.
One advantage to the capability approach is that the EROS kernel does not need to support any notion of user identity. The login agent hands each user their initial authorities, from which they can access whatever objects are (transitively) reachable.
Most capabilities can be rescinded. For example, a process holding access to a terminal port loses its authority on that port each time the system is restarted. This is necessary to ensure that connections are re-established when appropriate.
A common confusion about capabilities is that they are incompatible with more conventional protection models. While the EROS kernel knows nothing about capabilities, user domains (processes) are free to implement whatever authentication mechanisms they wish. The EROS unix emulator, for example, implements the customary unix semantics based on user identity.
But, clever as that may be (and subject, one hopes, to a thorough implementation in Eros and possibly in Linux via rsbac), it doesn't clarify how one goes about gaining the capability to run a new file downloaded from the Internet.
In that regard (unless I've missed something) it's orthogonal to Microsoft's approach (or, rather, this aspect of it)...
Re:Mod article down on Latest SP2 News · Score: 4, Informative
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 1
Does anyone use/trust these things anymore?
If people here don't, is it really a problem of flaws in the initial implementation (which is usually the case with any new idea) or is it just plain 'not invented here' syndrome?...
Re:'Flaws' Not that big of a deal on Latest SP2 News · Score: 2, Informative
Telling people to open a command line and run a command with several arguments
Sorry, who's telling people to do that?
The point made was, rather, that compromised machines can still be made to bypass this mechanism since it's not been built into the command line interface.
In a word - copyleft (BSD has none, Mozilla is 'in between' - http://www.mozilla.org/MPL/mpl-faq.html)
Remember Microsoft's viral arguments? Even if this isn't their real issue it's become part of the politics...
What kind of moronic algorithm is being used there?
http://www.luschny.de/math/factorial/FastFactoriaF*** you, I'm just big boned, me lady!
Unreal Networks...
Like, totally!
Everybody look - I've just invented the wheel!
16777216 would have been better for so many reasons...
Whereas I was being entirely serious and outing him!
RTFA, butt pirate!
No, that's SCO's belated response to an 'old' (as you quoted!) advisory CA-2003-25 (http://www.cert.org/advisories/CA-2003-25.html)