Slashdot Mirror


User: Erik+Hollensbe

Erik+Hollensbe's activity in the archive.

Stories: 0
Comments: 1,205

Comments · 1,205

  1. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Did you read the SF post by the guy who actually wrote the code?

    Since you obviously didn't, let me quote some of it for you:


    6) Pointless rants

    It appears that the overall quality of code, and more importantly, the
    amount of QA, on various browsers touted as "secure", is not up to par
    with MSIE; the type of a test I performed requires no human interaction
    and involves nearly no effort. Only MSIE appears to be able to
    consistently handle [*] malformed input well, suggesting this is the
    only program that underwent rudimentary security QA testing with a
    similar fuzz utility.

    This is of course not to say MSIE is more secure; it does have a number
    of problems, mostly related to its security architecture and various
    features absent in other browsers. But the quality of core code appears
    to be far better than of its "secure" competitors.

    [*] Over the course of about 2 hours; I cannot rule out it would
    exhibit problems in a longer run.


    Still feel like you have a point?

  2. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    You are correct, that point was poorly worded. I hope you'll find other comments I have made in this article more in line with my point.

    And you're correct, the point is strengthening the browser, and has little to nothing to do with IE's "success". I was just getting tired of the retaliation of the fandom here.

  3. Re:Yeah but will they on Apple Announces New iBooks · · Score: 1

    I do understand that you were trying to spell 'come on', but come on, this is a site for nerds. You have to expect some nerdly correction.... :)

  4. Re:Price Matching now? on Apple Announces New iBooks · · Score: 1

    When I needed RAM, I first went to Crucial, but the RAM they gave me was crap. They took it back, but I wasn't going to wait for a cross-ship. I went down to Circuit City that day, nabbed a stick for about half the price of Crucial's, which was significantly less than Apple's.

    That RAM is in this system and still works like a charm. The ram in Powerbooks at least is standard SDRAM. (although the small, Laptop version that I can't remember the acro for, but it's the same for most modern laptops)

  5. Re:Stop spreading FUD on Apple Announces New iBooks · · Score: 3, Informative

    What's sad is that fact-twisters like the GP ruin both Mac advocacy. The Mac is a good system - sadly people that think it's some kind of religious crusade ruin it for a lot of other people with less drive to try it. It kept me away for a long time.

    If you're interested in doing day to day things better, the Mac might be something that you find a good idea. It is quite different and takes adjustment, but after a few weeks to a month, it fits like a glove. The killer isn't in the hardware, but the software that controls it. The hardware just makes it easier for Apple to make the software that much easier to deal with (think drivers).

  6. Re:Price Matching now? on Apple Announces New iBooks · · Score: 3, Interesting

    Sadly enough, I find the problem with most unix geeks that "hate the mac" is not that they hate it, they just know jack squat about it and will never admit it.

    That said, the stats you rattle off are subjective at best, FSB speed doesn't account for much if the proc can't fill it, and 2.5ghz doesn't mean squat (low or high) in the processor world. PCI-X is about the only constant you have on there, and that's just an interface standard, which amounts to, you guessed it, almost nothing without driver support.

    Then again, I don't use my mac because of its speed. I have a G4 1.25 Powerbook and it does more than what I need. When I need beef for practical projects I have servers, and when I need beef for games I have a nice x86 wintendo.

  7. Re:Price Matching now? on Apple Announces New iBooks · · Score: 1

    AMD64 Laptop? I apologize, but does that thing still drain the battery dead when it's running on AC?

    There are more important things than processor speed and/or processing power when using a laptop.

  8. Re:Take it further on High-Tech Shopping Carts · · Score: 1

    Situational Advantage == Crime of Opportunity.

    Don't get me wrong, I don't like what some of these big chains do in the HR department either, but that doesn't mean you have to stoop to their level. After all, if you really wanted to get them where it hurt, you just wouldn't shop there. But then you wouldn't get anything at dirt cheap prices at the cost of those mom and pops, either.

  9. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Uh... How about I inject a null, or a div with a really, really long style attribute.

    I think you're missing the point.

  10. Re:Specs? on Hip-e All-In-One PC · · Score: 1

    Good point, but in reality CS is the exception to the rule only because it is still highly popular (unfortunately, among teenagers that use language that would make a sailor blush).

    That said, I do understand your point.

  11. Re:Yeah - definately ! on 30 Years Of Dungeons And Dragons · · Score: 1

    Good players with a bad DM will always equate to a bad game. It's like trying to multiply against 0 and get a positive result.

  12. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    To add insult to injury, I hope you never get selected for jury duty. One could only hope that the lawyers are honest enough to not let you through with the way you factor argument.

  13. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Please, look into getting that soft skull of yours examined. How can you even compare this to a benchmark?

    FireFox breaks when fed invalid input. It's not something you can argue with - if you read the post, there are links to files which will prove this to you. Since you don't seem to get it yet, there is no way you can argue against this.

    Yet you choose to turn a blind eye to the real issue and use it for a platform (or a soapbox, if you will) to make your assumptions. Who are you trying to deceive, me, or yourself?

  14. Re:Interesting moderation on The Man Who Could Have Been Bill Gates · · Score: 1

    The tinfoil on your RJ45 is causing it.

  15. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    Christ, it's not a fucking conspiracy theory. Heck, even if it was, you are going to get a better browser out of it.

    So please folks, everyone trying to apologize for everything !IE kindly put a sock in it and be happy this happened. You guys sound like a preacher on a downtown street corner.

  16. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    No argument there, but unfortunately the Slashdot article blends the two like they are one and the same.

    I would go to say this is a bigger problem than bad integration. After all, Firefox runs on many platforms, and so does Opera. Whether or not that VB layer exists is insignificant, and with the number of UNIX clones (read: these days, pretty much anything but microsoft), that VB layer really doesn't matter if I can wipe out your whole home directory. Do you run your web browser on your server, or your workstation which is loaded with a good portion of your electronic life stored in $HOME? Hope to god you're not using NFS.

    Yeah, I'm borderlining on scare tactics but this is a big problem, and really has little to nothing to do with IE.

  17. Re:An important security sidenote on IE Shines On Broken Code · · Score: 1

    I understand exactly what you're saying. I can count several projects at my last job where months were spent developing requirements and designing, only to find out during integration that they were flawed.

    Project management is voodoo science at best. Leading a programming team (not managing, leading) is a nigh-impossible task. The computer may not be fallible, but the humans will always be. And I don't have to quote Darwin or any other Biologist to indicate where that leads.

  18. Re:An important security sidenote on IE Shines On Broken Code · · Score: 5, Interesting

    Actually, it is a large facet of security.

    Are you familiar with XSS attacks? As a guy who writes web backends, I am. As a result, I have to make sure that every bit of content that comes to me and is subsequently displayed (which can get fun, especially if you have a database with 20M customers before you get started) needs to have no HTML tags, or even worse, allowable HTML tags. This can get very slow when processing a lot of content. If you have a templating language which uses different tag endings than an HTML tag, you've got another set of content to scan for. This is the reason things like mod_security were invented. Think about a bulletin board or a "product review" system and how much content is available to be sent straight to the database by one person and echoed right back to another.

    SQL injection. While good database APIs solve this, some systems don't (ahem... PHP's raw API). This is easily solved by something like DBI or PEAR's DB abstraction layer (which the name of escapes me), but once you're up to your knees in mud, it becomes a whole new nightmare. With the new mysql GRANT vulnerability (especially since, last I checked, mysql doesn't support binding at the client API level), SQL injection becomes something that can not only affect your live app, but something much more dire indeed. I won't even get into sql procedures that perform admin tasks.

    The fact that IE passes a test, while others don't, that it was made to pass, that says something positive about IE's security, and is not to be blown off. After all, I can inject some of that "wonderful" content right here and it might crash your browser, because there's nothing stopping me from doing it in slashdot's code. If I had the fingernail clipping of that guy's knowledge, I might be able to do something worse.

    Of course, if you were running IE, you wouldn't have that problem. Do you understand now?

  19. Re:Still banging out bugs on RSS for Mac OS X Roundtable · · Score: 1

    Obviously you haven't spent a lot of time integrating an RSS reader into your workflow.

    How many sites do you check each day that have no new content? I can say mine clearly: 0. And that's even for bob in iowa's blog, who only writes when it's a full moon in january.

    The parent is asking a good question, he should be modded up so everyone can see it.

  20. Re:but email already allows that on RSS for Mac OS X Roundtable · · Score: 2, Interesting

    Ok, I'll put it this way:

    I get a lot of mail generated by CVS commits. A *lot* of mail.

    Now, I can either read that mail or I can ignore it. Regardless of the effect, it appears in my mailbox, and I have to write several filters to keep it from obscuring my mother's wonderful chain letters telling me how much she loves me.

    90% of the time, I don't care what's in that diff, where it's applied, or anything.

    But I spent a good deal of time writing a small script to generate those emails. Sounds like something pretty counter-productive, especially when I can use the CVS tools or something like cvsweb to look at those diffs, right? Not really. As I'm sure you know, having the ability to use my mail client's search tool to scan through those makes it easy.

    Enter cvs2rss. Instead of generating emails that get pushed to my mailbox every commit, it generates an RSS file on the server, which points to the cvsweb stuff. What does this mean?

    Instead of getting 40 emails a day and ignoring 39 of them, I configure my reader to scan the rss file once a day. It doesn't interfere with my mail checking, nothing else, as a matter of fact. And when I *do* want to check out something, I can go to cvsweb, where I can do a lot more than just stare at the diff - which is nice if I want to annotate. And our mail administrator is happy because I don't have an IMAP box crammed with every patch since the inception of the project.

    If you want to take this further, imagine slashdot's email load, which pushes emails when stories come out. Now, I may not care about the latest story, nor do I want to read slashdot as often as they send out emails. So I configure my RSS reader to check slashdot every 4 hours. Result? The only time I visit slashdot now is to (like right now), reply to comments that have been made to mine. And it's like this for every site that uses RSS. BBC, Slashdot, CSMonitor, they all have the same interface, my RSS reader NewsFire, which is much better suited to giving me a pile of links and descriptions than my email client is.

  21. Re:An important security sidenote on IE Shines On Broken Code · · Score: 5, Insightful

    This is a simple, nearly infallible rule of detecting exploits, to the point where I even know it. :)

    If you can get a program to write past the end of its allocated memory segment, you can overwrite all sorts of fun stuff with things like shellcode and anything else you want to throw in the executable stack.

    The program (I read the SF post yesterday) generates standard things that would confuse a program in HTML - Null (ASCII 0) characters, overly large integers (Opera, IIRC, brought his system to a halt with a giant colspan="" element), things that need to be checked pre-emptively.

    Regardless of his "bias", this is a problem. In fact, sometimes the people with the most to gain do a great job giving the others the opportunity to gain instead. Either way, he just upped the bar for browser security, which benefits us all.

    Don't just blow him off.

  22. Re:Enough? on RSS for Mac OS X Roundtable · · Score: 1

    Cheeky Italian Mob Bosses want as many aggrevators as they can get.

  23. Re:Enough? on RSS for Mac OS X Roundtable · · Score: 1

    Please keep RSS as far away from my browser as possible.

    The app I use, NewsFire, is light and fast. By comparison, even FireFox or Opera are giant beasts.

  24. Re:Still banging out bugs on RSS for Mac OS X Roundtable · · Score: 4, Interesting

    If you use a Mac, please check out NewsFire. Really, I haven't found a program so useful and unobtrusive in such a long time. Nowadays, I just hit my RSS reader when I have time to read things. I don't even bother going to sites anymore.

    It solves all 3 of these problems very elegantly.

    Of course, I wrote an article about how it annoys me that people who provide feeds don't include the full articles. It's really rather silly. They could include ads too, and I would embrace it.

  25. Re:what is the point of RSS? on RSS for Mac OS X Roundtable · · Score: 4, Insightful

    To put it bluntly, RSS means that I don't have to subscribe to your crappy flash interface to read your worthwhile content.